[Bro] extract jar files from HTTP stream

Doug Burks doug.burks at gmail.com
Wed Jan 1 06:16:08 PST 2014


Hi drum,

Start off with the following:

- edit /opt/bro/share/bro/file-extraction/extract.bro

- change the following line:
    if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
to:
    if ( ! f?$mime_type || f$mime_type != "application/jar" )

- run the following:
sudo broctl install
sudo broctl restart

Bro should now be extracting jar files to /nsm/bro/extracted/.

Once you have that working, then you should be able to add in Shane's
match_file_mime to the same script to allow you to extract multiple
file types.

On Wed, Jan 1, 2014 at 7:39 AM, drum <drummachina at tdhack.com> wrote:
> Thanks Shane, could you please write step-by-step instructions on where I
> should put your code? I have no idea how to port it into my installation. Let's
> assume I use 'plain' bro (no security onion) installed in /opt/bro. What is
> the next step? BTW - I have both of these files (extract.bro and main.bro):
>
> root at onion:~# ls -al /opt/bro/share/bro/base/files/extract/main.bro
> /opt/bro/share/bro/file-extraction/extract.bro
> -rw-r--r-- 1 root root 2126 Nov  7 18:27
> /opt/bro/share/bro/base/files/extract/main.bro
> -rw-r--r-- 1 root root  572 Jan  1 12:26
> /opt/bro/share/bro/file-extraction/extract.bro
>
>
>
> Regards,
> drumm
>
>
> 2013/12/30 Shane Filus <filus at psc.edu>
>>
>> On 12/29/13 2:25 PM, drum wrote:
>> > Hello,
>> >
>> >
>> > Is there a tutorial for version 2.2 of BRO? I'd like to understand how
>> > I can write my own scripts to support extraction of various files,
>> > like jar. So far I tried adding "application/jar" (it was logged to
>> > /nsm/bro/logs/current/files.log) as mime type to the
>> > /opt/bro/share/bro/file-extraction/extract.bro
>> > file but it seems I have to do something else too as this change is
>> > not capturing files to /nsm/bro/extracted/ directory.
>> Hello,
>>
>>
>> Check the second example under 'Adding Analysis'  for a start in file
>> extraction.
>> http://www.bro.org/sphinx/frameworks/file-analysis.html#adding-analysis
>>
>> Also, not sure how it maps to Sec Onion, but there is
>> $PREFIX/share/bro/base/files/extract/main.bro from a source install.
>> Might be your 'extract.bro'? I don't see that file name in either 2.1 or 2.2
>> source trees.
>>
>> Used the code below to do something similar. There's probably a more
>> elegant, or efficient solution, but it seems to be working as expected,
>> given the limited testing I've done.
>>
>>
>> # define file extraction filters: which transport protocols (f$source)
>> # and which sniffed MIME types (f$mime_type) should trigger extraction
>> const match_file_source = /HTTP/ |
>>               /IRC/ |
>>               /IRC_DATA/ |
>>               /FTP/ |
>>               /FTP_DATA/ &redef;
>>
>> const match_file_mime =   /text\/x-perl/ |
>>               /text\/x-msdos-batch/ |
>>               /text\/x-java/ |
>>               /application\/x-gzip/ |
>>               /application\/x-bzip2/ |
>>               /application\/x-dosexec/ |
>>               /application\/zip/ |
>>               /application\/jar/ |
>>               /application\/x-tar/ |
>>               /application\/x-archive/ |
>>               /application\/mac-binhex40/ |
>>               /application\/x-java-keystore/ |
>>               /application\/x-java-jce-keystore/ |
>>               /application\/x-executable/ |
>>               /application\/javascript/ &redef;
>>
>> # add the extract analyzer from the file_new event; mime_type is
>> # &optional, so check that it is present before matching on it
>> event file_new(f: fa_file)
>>     {
>>     if ( f?$mime_type &&
>>         match_file_source in f$source &&
>>         match_file_mime in f$mime_type )
>>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
>>     }
>>
>>
>> Thanks,
>>
>>
>> Shane
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
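Putting Doug's single-type edit and Shane's multi-type filter together, here is a stand-alone Bro 2.2 script (an added example, not code from the thread or from the Bro project) that extracts a configurable set of MIME types carried over HTTP into the Security Onion directory named above. It assumes the 2.2 field names (f$mime_type, f$source), the FileExtract::prefix redef from base/files/extract/main.bro, and the $extract_filename analyzer argument; the file name it builds is my choice, not the default. Because a jar is a zip container, some libmagic builds sniff it as application/zip rather than application/jar, so both are in the set.

```bro
# Added example: extract several sniffed MIME types seen over HTTP.
# Assumes Bro 2.2 script-land API; the path is the one used in the thread.
@load base/files/extract

# Where the extract analyzer writes files (redefined from the base script).
redef FileExtract::prefix = "/nsm/bro/extracted/";

# MIME types to extract; redef this set in local.bro to add more.
const extract_mime_types: set[string] = {
    "application/jar",
    "application/zip",        # jars are zip containers; some libmagic builds report them as zip
    "application/x-dosexec",
} &redef;

# Only extract files carried by these protocols (f$source is "HTTP", "FTP_DATA", ...).
const extract_sources: set[string] = { "HTTP" } &redef;

event file_new(f: fa_file)
    {
    # file_new fires once per file; mime_type is &optional and may be
    # missing if sniffing failed, so test for presence before comparing.
    if ( ! f?$mime_type || f$mime_type !in extract_mime_types )
        return;

    if ( f$source !in extract_sources )
        return;

    # Name the file after its source and unique id so extractions don't
    # collide and can be joined back to files.log via the fuid column.
    # (Naming scheme is an assumption; the base script picks its own default.)
    local fname = fmt("extract-%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Save it under $PREFIX/share/bro/site/ (or @load it from local.bro), then run the same `broctl install` and `broctl restart` Doug gives above. To confirm it works, fetch a jar through the monitored link and check that the `extracted` column of files.log is populated and that a matching `extract-HTTP-<fuid>` file appears under /nsm/bro/extracted/; if files.log shows the jar as application/zip instead, that is the libmagic behaviour the set above already covers.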


