[Bro] Broker - File Extraction
jsiwek at illinois.edu
Wed Aug 12 06:18:15 PDT 2015
> On Aug 11, 2015, at 11:13 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> I was doing some reading on broker and came across the remote logging section of the documentation. This seems very useful.
> Is there a mechanism for remote file extraction?
There’s not a direct/built-in mechanism for that like there is w/ remote logging.
> I think it would be useful to be able to extract files to a remote system instead of a local directory. Is this possible with broker?
Yes, it should be possible, in a couple different ways. Using the Broker library directly and implementing it in Bro core (similar to remote logging) would be an option. Or using Bro’s scripting interface to the Broker library in combination w/ the scripting interface for file analysis should also work — e.g. ask for access to the contents of a file via events then send it to a remote peer via Broker.
More information about the Bro