[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Seth Hall seth at icir.org
Wed Aug 6 18:49:59 PDT 2014

On Aug 6, 2014, at 8:58 PM, Jonathon Wright <jonathon.s.wright at gmail.com> wrote:

> That's great information. When you say " you can set it to something system-wide though like this"
> What file do I edit, or is that entry something I put at the top of my "whatever.bro" ?

You could add that directly to local.bro or add it to your whatever.bro script and load that script in local.bro.  

I guess my comment about "system-wide" was far too non-specific. :)

What I meant is that if you're running a number of worker (traffic sniffing) processes on a single host they will each have their own spool directory which will cause them all to write files to separate subdirectories of their spool/ directory.  If you set the prefix to be an absolute path it will cause all of the processes to write their files to that same directory but I don't know what your deployment looks like so I may be giving unhelpful advice.

> No problem about writing a script. We are a big perl/php/shell shop. I guess my question is, what files would I need to parse / correlate to determine the correct / original name of the exe?

Ah!  That's complicated.  You can refer to the "filename" field in files.log.  For any files that were extracted, you should be able to find the name of the file that was written to disk in the "extracted" field in files.log.  So, take the filename you have on disk, search for that in files.log, then look at the "filename" field.

One gotcha here though.  We have taken a somewhat tough line on what we consider a "filename".  The basic gist is that in order to be a filename it must be something explicitly declared as a filename.  In other words, we don't yank path components from HTTP requests to assign as file names.  If we did, you'd very likely extract a bunch of files named index.asp and others like that.  HTTP actually declares a header field where filenames can be explicitly passed through.  Those are extracted and given as filenames in files.log.  Other protocols provide file names in various ways as well.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
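The correlation Seth describes (on-disk name, look it up in the "extracted" column of files.log, read back the "filename" column) as an added worked example. This is not code from the mailing-list post or from the Bro project; it is written in Python rather than the perl/shell the original poster mentioned. Bro's ASCII logs are tab-separated with a `#fields` header naming the columns and `-` marking an unset field, which is what the parser relies on. The files.log excerpt embedded below is constructed for illustration: the column names are those of a Bro 2.2 files.log, but the values, file ids and extracted names are made up and the header is abbreviated to the lines this parser needs.

```python
"""Map files Bro wrote to disk back to the file name the protocol declared.

Added example, not code from the original post or from Bro. Assumes the
default tab separator of Bro's ASCII log writer.
"""
import os
import sys

# Constructed files.log excerpt (not real capture data). Only a subset of
# the real files.log columns is shown; the two the reply refers to are
# 'filename' (protocol-declared name) and 'extracted' (name on disk).
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tmime_type\tfilename\textracted",
    "#types\ttime\tstring\tstring\tstring\tstring\tstring",
    "1407365999.123456\tFaBc1d2EfGh3\tHTTP\tapplication/x-dosexec\tsetup.exe\tHTTP-FaBc1d2EfGh3.exe",
    "1407366001.000001\tFx9y8Z7wV6u5\tHTTP\ttext/html\t-\t-",
    "1407366005.500000\tFpQr5sTuV1w2\tSMTP\tapplication/zip\tinvoice.zip\tSMTP-FpQr5sTuV1w2.zip",
    "1407366007.250000\tFkLm3nOpQ4r5\tFTP_DATA\tapplication/x-dosexec\t-\tFTP_DATA-FkLm3nOpQ4r5.exe",
    "#close\t2014-08-06-18-49-59",
])


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names on the '#fields' line.

    Lines beginning with '#' are header/footer metadata. The value named by
    '#unset_field' (default '-') is returned as None so a caller can tell
    "no filename was declared" apart from a file literally named '-'.
    """
    fields = None
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def index_extracted(text):
    """Map each on-disk extracted name to its files.log record.

    Records whose 'extracted' field is unset were never written to disk and
    are skipped.
    """
    return {rec["extracted"]: rec
            for rec in parse_bro_log(text) if rec["extracted"]}


def original_name(extracted_path, index):
    """Return the protocol-declared file name for a file Bro extracted.

    Only the basename is looked up, because 'extracted' holds the name
    relative to the extraction prefix, not the absolute path. Raises
    KeyError when the file is not in the log at all; returns None when the
    log has the file but no protocol-level name was declared for it
    (e.g. an HTTP response with no Content-Disposition filename).
    """
    key = os.path.basename(extracted_path)
    if key not in index:
        raise KeyError("%s not found in files.log" % key)
    return index[key]["filename"]


if __name__ == "__main__":
    # Usage: python correlate.py /path/to/files.log extracted_file [...]
    # With no log path given, the constructed sample above is used.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FILES_LOG
    idx = index_extracted(log_text)
    for path in (sys.argv[2:] or sorted(idx)):
        try:
            name = original_name(path, idx)
        except KeyError as exc:
            print("%s\t<not in log: %s>" % (path, exc))
            continue
        print("%s\t%s" % (path, name if name is not None else "<no declared name>"))
```

Because Bro only records a name that the protocol explicitly declared, expect `None` for a fair share of extracted files; treat that as "unknown", not as a parsing failure, and fall back to the fuid and mime_type columns of the same record when naming or triaging the artifact.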
