[Bro] Realtime File Extracting problem

josh summitt ascetik at gmail.com
Mon Sep 14 23:27:30 PDT 2015

Hey, I'm new to Bro but have been attempting to use the file extracting
features. I can generally get it to work, but a lot of the time it's just
wrong when I attempt it in real time.

For instance, I'm downloading putty.exe and trying to extract it off the
wire. I get the below response when downloading it 5 times. It only
successfully extracted and hashed it once:
file_hash, FZKBS62fkHvKf36GTd, sha1,

The other times it completely misses it. If I attempt from a pcap file on
the same machine it grabs it every time. Is there a threshold or something
I need to set in Bro for real time captures?

/tmp$ sudo /usr/local/bro/bin/bro -i eth0 -C
listening on eth0, capture length 8192 bytes
new file, FB4np7nWhWIo8sOg5
file_hash, FB4np7nWhWIo8sOg5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FxPYHc1et6sMSMY2jf   <----- missed the file
new file, FsONwVnUBjs2Fq0i5
file_hash, FsONwVnUBjs2Fq0i5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FZKBS62fkHvKf36GTd <----- Yes it got  the file
file_hash, FZKBS62fkHvKf36GTd, sha1,
new file, Fp04jH3KL23Zx75OVf
file_hash, Fp04jH3KL23Zx75OVf, sha1,
new file, FK2LoX14jpBSyfpy67 <----- missed the file
new file, FnJ7Mg1ymupibnvSW1
file_hash, FnJ7Mg1ymupibnvSW1, sha1,
new file, FXriBu1tLEBhRVWTG3 <----- missed the file
new file, FwByiJ30INM9Mk6DO9
file_hash, FwByiJ30INM9Mk6DO9, sha1,
new file, Fn5DEA1WWvsykOA2Lh  <----- missed the file
^C1442296477.139167 received termination signal
1442296477.139167 2260 packets received on interface eth0, 0 dropped
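An added Bro script, not the poster's own, that produces the same "new file" / "file_hash" lines as above and, when each file's state is torn down, prints the byte accounting Bro keeps for it (seen, announced total, missing, overflow). A file whose hash line comes back empty can then be checked against its missing/overflow counts to tell stream gaps or truncation apart from a file that was simply never seen. The extracted-file naming is an assumption.

```bro
@load base/files/hash
@load base/files/extract

# Constructed example: hash and extract every file Bro sees on the wire.
event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    # Assumed naming: one output file per Bro file id in the extract dir.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fmt("%s.bin", f$id)]);
    print "new file", f$id;
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    print "file_hash", f$id, kind, hash;
    }

# Fired once per file when Bro discards its state; at this point the
# counters below are final.
event file_state_remove(f: fa_file)
    {
    # total_bytes is only set when the carrying protocol announced a size
    # (e.g. an HTTP Content-Length header), so treat it as optional.
    local total = f?$total_bytes ? fmt("%d", f$total_bytes) : "unknown";
    # missing_bytes counts gaps Bro could not recover from the stream;
    # overflow_bytes counts data delivered past the announced total.
    # Either makes the hash and the extracted copy untrustworthy.
    if ( f$missing_bytes > 0 || f$overflow_bytes > 0 )
        print fmt("incomplete file %s: seen=%d total=%s missing=%d overflow=%d",
                  f$id, f$seen_bytes, total, f$missing_bytes, f$overflow_bytes);
    else
        print fmt("complete file %s: seen=%d total=%s", f$id, f$seen_bytes, total);
    }
```

Run it alongside the same live capture (`bro -i eth0 -C this_script.bro`) and compare the "incomplete" lines against the interface's dropped-packet count printed at exit.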

