[Bro] Extract complete files

Albert Zaharovits albert.zaharovits at gmail.com
Wed May 13 08:24:27 PDT 2015


Hi Stephen,

Your rename-after-hash example is a life saviour!

Thanks a bunch,
Albert

> On 13 May 2015, at 18:17, Hosom, Stephen M <hosom at battelle.org> wrote:
> 
> Albert, 
> 
> You have a chicken and egg problem. Specifically, you're not going to be certain of how many bytes are missing at the time you have to determine whether or not you'll be extracting the file. Instead, you'll have to extract all files and then later remove the files that aren't the ones that you want. This is similar to how the issue of 'how do I name the file after the hash' is solved. 
> 
> I have some examples of that here in the plugins directory: https://github.com/hosom/bro-file-extraction/
> 
> While it isn't precisely what you want... you'll be able to piece together the hashing examples into removing files from the filesystem that show as having missing bytes.
> 
> If you're seeing a large number of missing bytes in files consistently, there are likely other problems occurring. 
> 
> Thanks, 
> 
> Stephen
> 
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Albert Zaharovits
> Sent: Tuesday, May 12, 2015 1:13 PM
> To: bro at bro.org
> Subject: [Bro] Extract complete files
> 
> Hello,
> 
> I am experimenting with the Files framework in bro 2.4 beta. I would like to extract HTTP files, *without* missing_bytes.
> Can anyone please help me on this?
> 
> Thanks,
> Albert
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
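The extract-everything-then-discard approach Stephen describes, written out as a Bro 2.4 script; this is an added example, not code from the thread or from the linked bro-file-extraction repository, and the module name `ExtractComplete` and the `keep_dir` constant are assumptions.

```bro
# Extract every HTTP file unconditionally, because missing_bytes is only
# known once the file is finished. In file_state_remove, delete extracts
# that had gaps and rename the complete ones after their MD5.
@load base/files/extract
@load base/files/hash

module ExtractComplete;

export {
    ## Directory complete files are moved into (assumed name; must exist).
    const keep_dir = "/tmp/complete_files" &redef;
}

event file_new(f: fa_file)
    {
    if ( f$source != "HTTP" )
        return;

    # Hash and extract everything; the decision to keep comes later.
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }

event file_state_remove(f: fa_file)
    {
    # Nothing was written to disk for this file.
    if ( ! f$info?$extracted )
        return;

    # f$info$extracted is the bare filename; FileExtract::prefix
    # (default "./extract_files/") is the directory it landed in.
    local src = fmt("%s/%s", FileExtract::prefix, f$info$extracted);

    # Incomplete capture (or no hash to name it by): remove the extract.
    if ( f$missing_bytes > 0 || ! f$info?$md5 )
        {
        system(fmt("rm -f %s", str_shell_escape(src)));
        return;
        }

    # Complete file: rename after its hash, the same trick used for
    # name-the-file-after-the-hash.
    local dst = fmt("%s/%s", keep_dir, f$info$md5);
    system(fmt("mv %s %s", str_shell_escape(src), str_shell_escape(dst)));
    }
```

The `rm`/`mv` calls run asynchronously via `system()`, so the extract directory is only a staging area and should not be read by other tools until the move has completed.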
