[Bro] An assist with file extraction

James Lay jlay at slave-tothe-box.net
Fri Apr 17 10:40:30 PDT 2015


 

On 2015-04-16 05:55 AM, James Lay wrote: 

> Hey all,
> 
> The topic
pretty much says it...I've done a fair amount of reading trying to
determine the best way to extract file attachments in smtp traffic. Most
of the information I've found is related to older versions of bro. Can
someone point me to a current resource that will work with the current
version of bro? Thank you.
> 
> James

Well here's what I have: 

global
ext_map: table[string] of string = {
 ["application/x-dosexec"] =
"exe",
 ["application/zip"] = "zip",
 ["application/msword"] =
"xls",
};

event file_new(f: fa_file)
 {
 if ( f$source != "SMTP" )

return;

 if ( ! f?$mime_type || f$mime_type !in ext_map )
 return;


local ext = "";

 if ( f?$mime_type )
 ext = ext_map[f$mime_type];


local fname = fmt("%s-%s.%s", f$source, f$id, ext);

Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}

This appears to function ok....Office doc
XML format end up as zips, which is fine by me. Can anyone see anything
glaringly wrong with this? Also...I have bro log files zipped and
rotated at midnight..is there a way to include the extract_files
directory in that rotation, or, even better, have the extracted files go
into a directory name with say something like
/mnt/backup/extract_files/04-16-16 and change per day? Thank you.


James 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150417/8a17fe52/attachment.html 


More information about the Bro mailing list