[Bro] extract jar files from HTTP stream
seth at icir.org
Thu Jan 2 08:22:29 PST 2014
On Jan 2, 2014, at 10:02 AM, Michael Logoyda <logoyda at gmail.com> wrote:
> Is there a way to name the extracted files based on what IP or domain name they originated from? In the event file_new(f: fa_file) section, I'm not able to access anything from f$conns to use for such naming. That would make the extracted files much more useful.
What do you mean that you aren't able to access anything from f$conns?
Generally, giving extracted files names like that is complicated because the file handling in Bro is separated from everything else. There are some strategic points where they tie together, but generally you have to be careful.
Since the best way is probably through concrete examples, I'll give one and we'll see if it sticks. If you want to name extracted files like HTTP_188.8.131.52:12345-184.108.40.206:80.resp.dat you can do this…
This will only extract files over HTTP with these special file names. You can modify that script if you want it to behave differently. One thing people ask a lot is if you can extract files and name them by their SHA1 or MD5 hash. Generally this is possible but it's something that would need to be done when the file is completely extracted because you don't know the file hash at the beginning of the file but you need to give a filename to start writing the file into. In the normal case you would extract the file and then move it into its new filename (hopefully on the same file system).
Actually, I'll do one more small modification to the script to show you how to add the domain…
One final thing to notice is that I've made both of these scripts only use the "special" filename for cases where a file is being received over HTTP. If the client sends data over HTTP or another protocol things will revert to the default filename.
There are also some small considerations being ignored in this example like single files transferred over multiple connections (which is possible in Bro).
International Computer Science Institute
(Bro) because everyone has a network
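As an added example, not the script from Seth's message (which does not appear on this page), the following Bro script puts the two pieces described above together: it names an HTTP response body by the Host header plus connection endpoints, and falls back to the default source-id name for anything else. It uses the Bro 2.2 Files framework names (fa_file$source, fa_file$is_orig, fa_file$conns, HTTP::Info$host, Files::AnalyzerArgs$extract_filename); the module name ExtractNamed and the name_http_responses option are assumptions of this example.

```bro
# Added example, not the script from the original message. Assumes the
# Bro 2.2 Files framework: fa_file$source, $is_orig, $conns, HTTP::Info$host
# and Files::AnalyzerArgs$extract_filename. Output lands under
# FileExtract::prefix (extract_files/ by default).

module ExtractNamed;

export {
    ## Only use the special name for files the server sent over HTTP
    ## (assumed option name; everything else gets the default name).
    const name_http_responses = T &redef;
}

function http_name(f: fa_file): string
    {
    # A file may span several connections; use the first one we see.
    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        local host = "unknown-host";
        if ( c?$http && c$http?$host )
            # The Host header is attacker-controlled input: strip anything
            # that is not safe in a file name before building a path from it.
            host = gsub(c$http$host, /[^A-Za-z0-9.\-]/, "_");
        return fmt("HTTP_%s_%s:%d-%s:%d.resp.dat", host,
                   cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p);
        }
    return "";
    }

event file_new(f: fa_file)
    {
    local fname = "";
    # is_orig == F means the responder (the HTTP server) sent the bytes.
    if ( name_http_responses && f$source == "HTTP" &&
         f?$is_orig && ! f$is_orig && f?$conns )
        fname = http_name(f);

    if ( fname == "" )
        # Default style name (source-id), as extract-all-files uses.
        fname = fmt("%s-%s", f$source, f$id);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Renaming to a hash-based name, as the message notes, has to happen after the transfer finishes (for example from file_state_remove once the hash analyzers have reported), since the name is needed before the first byte is written.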