[Bro] using bro for file extraction
Hosom, Stephen M
hosom at battelle.org
Tue Sep 1 07:17:31 PDT 2015
I have examples of this at:
The plugins directory has examples of running external scripts on the extracted files. Check out the ones that store files by their hash names.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Tuesday, September 01, 2015 9:40 AM
To: Earl Eiland; bro at bro.org
Subject: Re: [Bro] using bro for file extraction
Are you attempting to do post processing on the file after it is fully extracted with Bro via a third party script? If so, you may want to tap into the file_state_remove event. I have an example of what this looks like here if you scroll to the bottom.
Hope that helps,
On Mon, Aug 31, 2015 at 2:17 PM, Earl Eiland <earl.eiland at root9b.com<mailto:earl.eiland at root9b.com>> wrote:
I want to use bro to extract files for external analysis. Bro::FileDataEvent appears to be the proper approach. However, I’m not finding the event to write a script for, nor do I know how to write to anything other than a log file.
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro