[Bro] File Extraction

Johanna Amann johanna at icir.org
Wed Aug 3 12:47:32 PDT 2016


Hi Al,

> I'm new to Bro and using version 2.3.2 and want to extract all the exe's
> seen on the network. In bro-file-extract we are using the file-extract.bro
> script to try to parse for the exe's (partial of script):

First - is there any reason for you to still use 2.3.2? File handling (and
a lot of other things) have become more robust in 2.4.

In any case...

> global ext_map:table[string] of string = {
> ["application/x/dosexec"] = "exe",

you probably want application/x-dosexec here, not x/dosexec. That might
already be enough to fix this.

> redef FileExtract::prefix="/var/log/netlogs/bro/file-extracts.bro";

This line seems superfluous and wrong, especially since it is redef-ed
again two lines later.

> redef FileExtract::default_limit = 314572800;
> redef FileExtract::prefix = "/var/log/netlogs/bro/file-extracts/";
> 
> We also have the file-extract-http-local.bro set to extract on our network:
> 
> global http_extract_file_ignore: set [subnet] = {
>                  10.0.0.0/8,
> };
> 

The following seems to talk about files that you modified locally and that
do not ship with the Bro distribution. As such, it is really hard to give
feedback about it.

> We think the problem is that _load_.bro has the file extract commented out
> under bro-icmp:
> #@load ./file-extract-http-local.bro
> #@load ./file-extract-types.bro
> @load ./bro-file-extract
> When I tried to enable these, Bro failed the scripts check with errors like:
> internal warning in
> /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line
> 6: Discarded extraneous Broxygen comment: Modified from base scripts to
> extract only from external hosts
> fatal error in
> /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line
> 7:can't find base/protocols/http/file-ident
> I continued to receive these errors and had to back out of removing the
> comments.
> 
> Under bro-file-extract _load_.bro looks correct:
> @load ./file-extract
> 
> What I'm getting in /var/log/netlogs/bro/file-extracts are entries like:
> HTTP-F7K52nSzN3h7GNM31.exe
> These files occur occasionally; I'm not sure what they are.

I hope this helps,
 Johanna
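For reference, a minimal extraction script against the Bro 2.4 file framework (the release Johanna recommends), added here as an illustration rather than code from the thread or from the Bro distribution. It uses the correctly spelled `application/x-dosexec` type, sets the prefix once, and produces names of the `HTTP-<file id>.exe` form seen in Al's extract directory; the `http_extract_file_ignore` subnet set is borrowed from Al's local script and its meaning is assumed to be "do not extract files served by hosts in these subnets".

```bro
# Added example, not from the thread or the Bro distribution. Written for
# Bro 2.4, where the sniffed MIME type arrives via the file_sniff event.
@load base/files/extract

# The mapping the poster was after, with the MIME type spelled correctly:
# it is application/x-dosexec, not application/x/dosexec.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
};

# Assumption: files served by hosts in these subnets are not extracted
# (the poster's "extract only from external hosts" intent).
global http_extract_file_ignore: set[subnet] = { 10.0.0.0/8 };

# One prefix and one size cap, each set exactly once.
# 314572800 bytes is 300 MiB.
redef FileExtract::prefix = "/var/log/netlogs/bro/file-extracts/";
redef FileExtract::default_limit = 314572800;

# True when any connection carrying this file has its responder (the web
# server, for an HTTP download) inside an ignored subnet.
function served_by_ignored_host(f: fa_file): bool
    {
    if ( ! f?$conns )
        return F;
    for ( cid in f$conns )
        if ( cid$resp_h in http_extract_file_ignore )
            return T;
    return F;
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only extract types listed in ext_map; skip files of unknown type.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;
    if ( f$source == "HTTP" && served_by_ignored_host(f) )
        return;
    # Yields names such as HTTP-F7K52nSzN3h7GNM31.exe under FileExtract::prefix.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run `bro -C -r some.pcap this-script.bro` against a capture containing an HTTP download to check that exactly one file appears under the prefix and that `files.log` shows the `EXTRACT` analyzer on that file.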

