[Bro] surgical file extraction

Brandon Glaze bglaze at gmail.com
Mon Nov 30 16:14:07 PST 2015


Josh,
That worked great. Thanks a ton for the help. Any idea why, when I load my
new file extraction script (which I verified works great on standalone
packet captures), I get the error below:

error in /usr/local/bro/share/bro/policy/frameworks/control/controllee.bro,
line 15: syntax error, at or near "module"

I validated that if I comment out my @load line for the new file extraction
script this error goes away in a "broctl check" check.

=====================
Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr


On Mon, Nov 30, 2015 at 10:12 AM, Josh Liburdi <liburdi.joshua at gmail.com>
wrote:

> You’re close! The field rx_hosts doesn’t exist in the meta record. If you
> want to get the destination IP, then you can do something similar to the
> first example on this page:
> https://www.bro.org/sphinx-git/frameworks/file-analysis.html
>
> In your event, you’d do something like this …
>
> for ( cid in f$conns )
>         {
>         if ( f$conns[cid]$id$resp_h == 123.123.123.123 )
>                 {
>                 print "found IP 123.123.123.123";
>                 }
>         }
>
> This should get you started: http://try.bro.org/#/trybro/saved/27817
>
> Josh
>
> On Nov 30, 2015, at 12:50 PM, Brandon Glaze <bglaze at gmail.com> wrote:
>
> Good day all,
>
> I am new to creating custom bro scripts, so please bear with me.
>
>
> I am looking to perform file extraction only on HTTP conversations to
> either a specific URL or destination IP address. I have some command and
> control POST traffic that I want to capture with bro, as opposed to
> what I am using now. I am currently having to run tcpdumps on my sensors
> for traffic destined to a specific IP, then manually cut out the POST
> requests, redo the pcap, then run it through bro… tedious.
>
>
> Here is what I have, but can't get it to work (mainly due to a lack of bro
> script knowledge):
>
>
> global mime_to_ext: table[string] of string = {
>         ["text/plain"] = "txt",
>         ["text/html"] = "html",
> };
>
> event file_sniff(f: fa_file, meta: fa_metadata)
>         {
>         if ( f$source != "HTTP" )
>                 return;
>
>         if ( meta$rx_hosts != "123.123.123.123" )
>                 return;
>
>         if ( ! meta?$mime_type )
>                 return;
>
>         if ( meta$mime_type !in mime_to_ext )
>                 return;
>
>         local fname = fmt("%s-%s.%s", f$source, f$id,
>                           mime_to_ext[meta$mime_type]);
>
>         print fmt("Extracting file %s", fname);
>
>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>                             [$extract_filename=fname]);
>         }
>
>
> I get the warning that the meta$rx_hosts isn't valid. I have tried a
> "redef record" statement, but it made it much worse. Am I even in the
> ballpark here? I wasn't sure if I needed to use some other means to identify
> the URL, then start file extraction.
>
>
> Appreciate any help.
> =====================
> Brandon Glaze
> bglaze at gmail.com
>
> "Lead me, follow me, or get the hell out of my way."
> - General George Patton Jr
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
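Putting Josh's suggestion (walk f$conns and look at the responder address) together with the original script, here is an added example of a complete script that extracts only HTTP files sent to a chosen destination address or URI prefix. This is not code from either poster or from the Bro project. The address 123.123.123.123 is the placeholder from the thread; the URI prefix "/gate.php", the module name C2Extract, the helper is_target_conn and the "application/octet-stream" entry are assumptions made for illustration.

```bro
# Added example (not the original poster's script, not Bro project code).
# Extracts HTTP files only when the connection that carried them goes to a
# watched destination address or a watched URI prefix. Values below are
# placeholders for illustration.

@load base/frameworks/files
@load base/protocols/http
@load base/files/extract

module C2Extract;

export {
	## Destination addresses whose HTTP traffic should be extracted.
	## 123.123.123.123 is the placeholder used in the thread.
	const target_hosts: set[addr] = { 123.123.123.123 } &redef;

	## URI prefixes of interest. "/gate.php" is an assumed placeholder.
	const target_uri_prefixes: set[string] = { "/gate.php" } &redef;
}

# Extension to use for each sniffed MIME type; anything else gets ".bin".
global mime_to_ext: table[string] of string = {
	["text/plain"] = "txt",
	["text/html"] = "html",
	["application/octet-stream"] = "bin",
};

# True if this connection is one we want files from: either the responder
# address is watched, or the current HTTP request URI starts with a watched
# prefix. c$http is only populated once the HTTP analyzer has seen the
# request line, so it is tested with ?$ before use.
function is_target_conn(c: connection): bool
	{
	if ( c$id$resp_h in target_hosts )
		return T;

	if ( c?$http && c$http?$uri )
		{
		for ( p in target_uri_prefixes )
			{
			# strstr() returns the 1-based position of the first match,
			# or 0 if absent; position 1 means "prefix".
			if ( strstr(c$http$uri, p) == 1 )
				return T;
			}
		}

	return F;
	}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( f$source != "HTTP" )
		return;

	# A C2 POST body is sent by the client, i.e. the originator side.
	# Drop files that flowed the other way (server responses).
	if ( f?$is_orig && ! f$is_orig )
		return;

	# The file must be tied to at least one connection we care about.
	if ( ! f?$conns )
		return;

	local hit = F;
	for ( cid in f$conns )
		{
		if ( is_target_conn(f$conns[cid]) )
			{
			hit = T;
			break;
			}
		}

	if ( ! hit )
		return;

	local ext = "bin";
	if ( meta?$mime_type && meta$mime_type in mime_to_ext )
		ext = mime_to_ext[meta$mime_type];

	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	print fmt("Extracting file %s", fname);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}
```

To try it against a capture, run `bro -r capture.pcap c2-extract.bro` (any file name works); extracted files are written under the extraction framework's prefix directory, `./extract_files/` by default. On a sensor, `@load` the script from local.bro and re-run `broctl check` before deploying. Note that the URI match only works for requests whose request line the HTTP analyzer has already parsed when file_sniff fires, which is the case for a POST body; the address match needs no HTTP state at all.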