[Bro] File extraction filters
jsiwek at illinois.edu
Tue Jul 29 09:37:33 PDT 2014
On Jul 29, 2014, at 10:38 AM, Mike Kolkebeck <mkolkebeck at gmail.com> wrote:
> Does "file_over_new_connection" fire at the same time as "file_new" when there is a new file? More specifically, will I ever lose any bytes by using this event over "file_new"?
“file_new” is immediately followed by at least one “file_over_new_connection” (if you’re dealing w/ only files extracted from the network), so there’s not a difference in terms of what bytes have been seen yet. But you may have to think about that event being raised more than once per file and possibly not at the start of a file after the first time, whereas “file_new” is guaranteed to be once at the start of a file. Not sure which will end up better/simpler for the code you’re writing, but hope that helps explain the differences.
More information about the Bro