[Bro] surgical file extraction

Brandon Glaze bglaze at gmail.com
Mon Nov 30 09:50:27 PST 2015

Good day all,

I am new to creating custom bro scripts, so please bear with me.

I am looking to perform file extraction only on HTTP conversations to
either a specific URL or destination IP address. I have some command and
control POST traffic that I want to capture with bro, as opposed to
what I am using now. I am currently having to run TCPDumps on my sensors
for traffic destined to a specific IP, then manually cut out the POST
requests, redo the pcap, then run it through bro… tedious.

Here is what I have, but can't get it to work (mainly due to a lack of bro
script knowledge):

global mime_to_ext: table[string] of string = {
        ["text/plain"] = "txt",
        ["text/html"] = "html",
};

# PLACEHOLDER: the C2 server address is not given in the post.
const c2_server: addr = 192.0.2.1;

event file_sniff(f: fa_file, meta: fa_metadata)
        {
        if ( f$source != "HTTP" )
                return;

        # fa_metadata has no rx_hosts field. The receiving host is the
        # responder of the connection(s) carrying the file (f$conns).
        local to_c2 = F;
        if ( f?$conns )
                for ( cid in f$conns )
                        if ( cid$resp_h == c2_server )
                                to_c2 = T;
        if ( ! to_c2 )
                return;

        if ( ! meta?$mime_type )
                return;

        if ( meta$mime_type !in mime_to_ext )
                return;

        local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
        print fmt("Extracting file %s", fname);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }


I get the warning that the meta$rx_hosts isn’t valid. I have tried a “redef
record” statement, but it made it much worse. Am I even in the ballpark
here? I wasn't sure if I needed to use some other means to identify the URL,
then start file extraction.

Appreciate any help.
Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
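The selection the post asks for (extract only HTTP request bodies sent to a given destination address or URL), as an added example that is not part of the original message. The C2 address, Host header and URI pattern are placeholders; f$conns and f$http are the fields Bro attaches to HTTP-sourced files.

```bro
# Added example: restrict extraction to client->server HTTP bodies (POST
# data) destined for a placeholder C2 address or a placeholder URL.
module C2Extract;

export {
        const c2_server: addr = 192.0.2.1 &redef;          # PLACEHOLDER address
        const c2_host: string = "c2.example" &redef;       # PLACEHOLDER Host header
        const c2_uri: pattern = /^\/gate\.php/ &redef;     # PLACEHOLDER URI prefix
}

# True when one of the connections carrying the file has the C2 address as
# responder, i.e. the file was sent to the C2 server.
function sent_to_c2_addr(f: fa_file): bool
        {
        if ( ! f?$conns )
                return F;
        for ( cid in f$conns )
                if ( cid$resp_h == c2_server )
                        return T;
        return F;
        }

# True when the HTTP request carrying the file targets the C2 host and URI.
# f$http (HTTP::Info) is attached by base/protocols/http for HTTP files.
function sent_to_c2_url(f: fa_file): bool
        {
        if ( ! f?$http || ! f$http?$host || ! f$http?$uri )
                return F;
        return f$http$host == c2_host && c2_uri in f$http$uri;
        }

event file_sniff(f: fa_file, meta: fa_metadata)
        {
        # is_orig = T means the file flowed from client to server: request
        # bodies (POST data), not server responses.
        if ( f$source != "HTTP" || ! f?$is_orig || ! f$is_orig )
                return;

        if ( ! sent_to_c2_addr(f) && ! sent_to_c2_url(f) )
                return;

        # Keep the MIME type visible in the name when Bro sniffed one.
        local mt = meta?$mime_type ? meta$mime_type : "unknown";
        local fname = fmt("c2-%s-%s.bin", f$id, gsub(mt, /\//, "_"));
        print fmt("Extracting C2 upload %s (%s)", fname, mt);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
```

Extracted files are written under FileExtract::prefix (by default ./extract_files/), so only the matched POST bodies reach disk rather than a full tcpdump of the sensor.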
