[Bro] File Extraction

Seth Hall seth at icir.org
Thu Dec 4 05:48:29 PST 2014

> On Dec 3, 2014, at 8:58 PM, Jonathon Wright <jonathon.s.wright at gmail.com> wrote:
> 1. I've configured Bro appropriately to extract "exe" mime types from the HTTP protocol. It works great. However, the "files.log" only contains MD5 and SHA1 entries for some of the files, not all of them. How do I fix this so that all of the extracted files have the MD5 and SHA1 entries?

Hm.  Could you show a line from files.log where a file was extracted but you did get hashes?  I suspect this is because the file ended up having trouble being transferred which will cause the hash analyzers to stop hashing (could be due to a packet drop even).

>  2. I have analysts that need access to the files (/var/data/bro/extracted), but I've noticed that bro creates the files with random permissions, either 644 or 600... so they can only access the ones with 644. How do I ensure bro extracts the file with the 644 permission set on all of them? (see below example)

This is weird.  I haven’t seen Bro creating extracted files with different permissions before.  Are these all dropped directly into the location by Bro or copied there later?  All files from the same Bro process or from multiple Bro processes?

> 3. Is there a way to tell bro to run as a different user / group other than root? I didn't see any options for it in the bro --help. I would assume I would have to give broctl and bro binaries / modules the ownership and executable rights by another user, then have bro start up as that new user, but wanted to see if there was an easier way. Otherwise I'd have to change the default install configuration each time I upgrade.

Unfortunately, this is an area that hasn’t seen much attention for too long.  We’ve been meaning to spend some time adding privilege dropping to Bro but it hasn’t happened yet.  This would make Bro similar to many other tools that are run by root, but then drop their privileges to another user account at runtime, and in our case this would happen after Bro opens any interfaces that it needs to sniff on.

Is there anyone out there in Bro-land that is interested in digging into the core enough to add privilege dropping? :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list