[Bro] Extract complete files
albert.zaharovits at gmail.com
Wed May 13 08:12:24 PDT 2015
Perhaps I didn’t explain myself properly. I meant extracting only complete files (or removing incomplete ones). There might be file gaps because of improper tapping…
I attached the Files::ANALYZER_EXTRACT and Files::ANALYZER_SHA256 in the file_sniff event. The event_hash triggers only for complete files, but the file gets extracted anyway.
> On 13 May 2015, at 17:46, Frank Meier <franky.meier.1 at gmx.de> wrote:
> Hi Albert,
> it's hard to help without any context, so just some hints: It took me some time to find the -C switch to ignore wrong checksums in bro. Without it the traffic did not reach the extraction layer. Also it's always a good idea to compare bro with other tools. Make sure wireshark does show the complete http session.
> On Tue, May 12, 2015 at 7:12 , Albert Zaharovits <albert.zaharovits at gmail.com> wrote:
>> I am experimenting with the Files framework in bro 2.4 beta. I would like to extract HTTP files, *without* missing_bytes.
>> Can anyone please help me on this?
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
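The behaviour Albert describes (file_hash firing only for gapless files while the extractor writes everything) can be turned into "keep only complete files" by checking the file's missing_bytes counter once the file state is torn down. The script below is an added example, not code from the thread or from the Bro project; it assumes Bro 2.4's Files framework (file_sniff, Files::ANALYZER_EXTRACT, Files::ANALYZER_SHA256, FileExtract::prefix) and that the extract analyzer has finished writing by the time file_state_remove is raised. The module name, the `sources` set and the file naming scheme are my own choices.

```bro
##! Added example: extract HTTP files, then delete any that were reassembled
##! with gaps (missing_bytes > 0). Not part of the original thread.

@load base/files/extract
@load base/files/hash

module ExtractComplete;

export {
	## Only files carried over these protocols are extracted (assumed config).
	const sources: set[string] = { "HTTP" } &redef;
}

# Attach the extraction and SHA256 analyzers as soon as the file is sniffed.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( f$source !in sources )
		return;

	# Hypothetical naming scheme: <source>-<file id>, written under FileExtract::prefix.
	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

# file_hash only fires for complete files, so missing_bytes is the signal that
# a capture gap (dropped packets, bad tap) left holes in the extracted copy.
# Priority -5 runs before the framework's own logging handler at -10, so the
# files.log entry for a deleted file no longer points at a path on disk.
event file_state_remove(f: fa_file) &priority=-5
	{
	if ( ! f?$info || ! f$info?$extracted )
		return;

	local path = fmt("%s%s", FileExtract::prefix, f$info$extracted);

	if ( f$missing_bytes > 0 )
		{
		# Incomplete on the wire: drop the partial file rather than keep it.
		unlink(path);
		delete f$info$extracted;
		}
	}
```

Run it as `bro -C -r capture.pcap extract-complete.bro` (the -C from Frank's hint still applies when the capture has bad checksums); files that stay under extract_files/ are exactly those for which file_hash also fired.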