[Bro] File Extraction Related Scripting Questions

Jason Batchelor jxbatchelor at gmail.com
Thu Sep 18 09:00:10 PDT 2014


I would like for a quick way to simply get the directory size of the
extract_files directory. If it meets a certain threshold I don't want to
extract the file. I tried looking for a builtin function that did this but
could not locate one. I then attempted to do the following system command:

local somevar = system(fmt("du -b %s | cut -f1", FileExtract::prefix))

However, I am unable to capture the output (since it goes directly to
stdout). Does anyone have any advice on how to tackle this?

Additionally, I was wondering if Bro is able to identify MIME types of
modern Office documents down to the type of application they support
(Excel, PowerPoint, etc)... From my testing, it seems that the only thing
one gets is 'application/zip' for the MIME type for a modern Office
document. This is technically correct, but I was hoping for a way to zone
in on this a little more by being able to specify
(if I wanted pptx files). Does Bro MIME detection support this in any way?

Many thanks,

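The second question concerns the fact that a modern Office file is a zip package, so a signature on the zip header alone can only yield 'application/zip'. The following Python snippet is an added example, not part of the original post and not Bro code: it shows the package-level check that distinguishes pptx/docx/xlsx, by reading `[Content_Types].xml` inside the zip and taking the content type of the main document part (the Override whose ContentType ends in `.main+xml`). The `build_sample` helper constructs minimal stand-in packages for testing and is not a real Office document.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by [Content_Types].xml in every OOXML package.
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def classify_ooxml(data: bytes) -> str:
    """Return the specific Office MIME type of an OOXML package, else a generic type.

    The main document part is the Override whose ContentType ends in '.main+xml';
    stripping that suffix yields the package MIME type (e.g. the
    '...presentationml.presentation' type for a .pptx file).
    """
    if not data.startswith(b"PK\x03\x04"):
        return "application/octet-stream"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return "application/zip"  # a zip, but not an OOXML package
            root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return "application/zip"  # truncated or malformed package
    for override in root.iter(f"{CT_NS}Override"):
        ctype = override.get("ContentType", "")
        if ctype.endswith(".main+xml"):
            return ctype[: -len(".main+xml")]
    return "application/zip"

def build_sample(main_part: str, main_ctype: str) -> bytes:
    """Constructed minimal package that mimics an OOXML file (not a real Office document)."""
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/{main_part}" ContentType="{main_ctype}.main+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr(main_part, "<x/>")
    return buf.getvalue()

PPTX = "application/vnd.openxmlformats-officedocument.presentationml.presentation"
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

if __name__ == "__main__":
    print(classify_ooxml(build_sample("ppt/presentation.xml", PPTX)))
```

The same check, applied to an extracted file, is what lets a policy act on "pptx" rather than on every zip the extraction framework writes out.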