[Bro] surgical file extraction

McMahon, Kevin J kmcmahon at mitre.org
Wed Dec 2 07:29:34 PST 2015


It may be the extraneous "," at the end of your mime_to_ext table.


From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Brandon Glaze <bglaze at gmail.com>
Sent: Wednesday, December 2, 2015 10:06 AM
To: bro at bro.org
Subject: Re: [Bro] surgical file extraction

Thanks, but I have pulled up quite a few other examples and don't see where I am missing a semi-colon. I am wondering if it's because I am running 32+ worker nodes and the script isn't built correctly to utilize the clustering (shot in the dark). Here is my script as I have it now. I was thinking I may want to move it to use a URL instead of the IP, especially if I start finding CnC comms to load balancer sites:

global mime_to_ext: table[string] of string = {
        ["text/plain"] = "txt",
        ["text/html"] = "html",
};

# Placeholder: the address being compared against did not survive in the archived message.
const watch_host: addr = 0.0.0.0 &redef;

event file_sniff(f: fa_file, meta: fa_metadata)
        {
        # Only act on files whose connection has the watched host as the responder.
        for ( cid in f$conns )
                {
                if ( f$conns[cid]$id$resp_h != watch_host )
                        return;
                }

        if ( f$source != "HTTP" )
                return;

        if ( ! meta?$mime_type )
                return;

        if ( meta$mime_type !in mime_to_ext )
                return;

        local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
        print fmt("Extracting file %s", fname);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }

Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
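One way to key the extraction on the HTTP Host header rather than a single responder address, as the message above considers doing. This is an added example, not a script from the thread; it assumes the stock base/protocols/http and base/files/extract scripts are loaded (so f$http is populated), and the host name and MIME table entries are constructed values.

```bro
# Added example: extract HTTP files served from named hosts rather than one IP.
# Assumes the default base/protocols/http and base/files/extract scripts are
# loaded, so f$http carries the request's Host header and
# Files::ANALYZER_EXTRACT is available.

module WatchHosts;

export {
        # Host header values to extract from; "example.com" is a constructed value.
        const watch_hosts: set[string] = { "example.com" } &redef;

        # MIME types worth keeping, mapped to a file extension (no trailing comma).
        const mime_to_ext: table[string] of string = {
                ["text/plain"]            = "txt",
                ["text/html"]             = "html",
                ["application/x-dosexec"] = "exe",
                ["application/pdf"]       = "pdf"
        } &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
        {
        # Only HTTP files that carry a Host header are of interest here.
        if ( f$source != "HTTP" || ! f?$http || ! f$http?$host )
                return;

        # Normalise case and strip any ":port" suffix so "Example.com:8080" still matches.
        local host = sub(to_lower(f$http$host), /:[0-9]+$/, "");
        if ( host !in watch_hosts )
                return;

        if ( ! meta?$mime_type || meta$mime_type !in mime_to_ext )
                return;

        # f$id is Bro's own file identifier; using it instead of the URL keeps
        # attacker-controlled path characters out of the extracted file name.
        local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
```

Extracted files land under FileExtract::prefix on whichever worker saw the flow, so on a multi-worker cluster the output directory has to be collected from each worker host.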

On Tue, Dec 1, 2015 at 9:28 PM, Seth Hall <seth at icir.org> wrote:

> On Nov 30, 2015, at 7:14 PM, Brandon Glaze <bglaze at gmail.com> wrote:
> I validated that if I comment out my @load line for the new file extraction script this error goes away in a "broctl check" check.

You may be missing a semi-colon somewhere near the end of your script. Bro's error reporting will accidentally report the problem on the first line of the next script in this case.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

