[Bro] An assist with file extraction

James Lay jlay at slave-tothe-box.net
Fri Apr 17 10:26:52 PDT 2015


On 2015-04-16 07:04 AM, Hosom, Stephen M wrote:

> For 2.3.2 (current release) you'll want to use the event file_new.
> Note that in 2.3.2 if you are extracting based on mime_type (most people do) you will want to verify that the field exists before you actually use it.
>
> For master, which is what you are likely referring to… you'll want the event file_mime_type.
>
> FROM: bro-bounces at bro.org [mailto:bro-bounces at bro.org] ON BEHALF OF James Lay
> SENT: Thursday, April 16, 2015 7:56 AM
> TO: Bro-IDS
> SUBJECT: [Bro] An assist with file extraction
>
> Hey all,
> The topic pretty much says it...I've done a fair amount of reading trying to determine the best way to extract file attachments in smtp traffic. Most of the information I've found is related to older versions of bro. Can someone point me to a current resource that will work with the current version of bro? Thank
> James

Thank you Stephen...I really appreciate the advice.
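A Bro 2.3.2 script that follows the advice quoted above, added here as an example and not part of the thread or of the Bro distribution: it hooks file_new, keeps only files carried over SMTP, checks with `?$` that the optional mime_type field is present before reading it, and hands matching files to the extraction analyzer. The MIME-type list and the output prefix are choices made for this example.

```bro
# Added example, not from the original thread: extract SMTP attachments in
# Bro 2.3.2 via file_new, checking that mime_type is set before it is used.
@load base/files/extract

# Where extracted files are written (choice made for this example).
redef FileExtract::prefix = "./extract_files/";

# MIME types worth pulling off the wire, mapped to a file extension
# (constructed list for this example; tune it to your environment).
const extract_types: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"]       = "pdf",
    ["application/zip"]       = "zip",
    ["application/x-rar"]     = "rar",
} &redef;

event file_new(f: fa_file)
    {
    # Only files carried over SMTP, i.e. mail attachments.
    if ( f$source != "SMTP" )
        return;

    # In 2.3.2 mime_type is an &optional field of fa_file: test it with ?$
    # before dereferencing it, otherwise the script aborts on files whose
    # type could not be sniffed.
    if ( ! f?$mime_type )
        return;

    if ( f$mime_type !in extract_types )
        return;

    # Name the output after the file's source and unique id so extractions
    # never overwrite each other.
    local fname = fmt("%s-%s.%s", f$source, f$id, extract_types[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run it against a capture with `bro -r mail.pcap extract_smtp.bro` (file name assumed) and look in `./extract_files/`. Stephen's remark about master applies unchanged: there the type check moves to the file_mime_type event, whose signature the thread does not give, so this example targets 2.3.2 only.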
