[Bro] File Extraction: doc/xls=ok, docx/xlsx=ko
seth at icir.org
Fri Feb 19 06:17:35 PST 2016
> On Feb 19, 2016, at 3:05 AM, puntogtg at tiscali.it wrote:
> Of course the user has rights to write in that folder and the folder exists, in fact with previous conf everything is ok, apart from the name of the files.
Ugh, I just realized the problem...
    if ( f?$mime_type )
        ext = ext_map[f$mime_type];
That code can't work in the file_new event. In Bro 2.4, there is a new event named file_sniff. It's at the point where some content from the file has been seen and Bro has had a chance to look at it and take a guess about the file type. You aren't seeing any file extraction because you have a return statement that's returning if there is no known file extension (which there isn't at that point!).
    event file_sniff(f: fa_file, meta: fa_metadata)
        {
        if ( meta?$mime_type )
            { # put your code here...
            }
        }
International Computer Science Institute
(Bro) because everyone has a network
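
An added example, not code from the original message or from the Bro project: a complete Bro 2.4 extraction script that does the extension lookup in file_sniff, as the reply above describes. The contents of ext_map, the filename pattern, and the assumption that Bro's sniffing reports these exact MIME strings for docx/xlsx are illustrative.

```bro
@load base/files/extract

# Assumed mapping from sniffed MIME type to file extension.
# Unknown types fall through to "" because of &default.
global ext_map: table[string] of string = {
    ["application/msword"] = "doc",
    ["application/vnd.ms-excel"] = "xls",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
    ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
} &default="";

# file_new fires before any content has been inspected, so no MIME type
# is available there. file_sniff fires once Bro has seen some content and
# made its guess, which is delivered in meta rather than in f.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # No guess at all: nothing to map, so skip extraction.
    if ( ! meta?$mime_type )
        return;

    local ext = ext_map[meta$mime_type];

    # Only extract the types listed in ext_map.
    if ( ext == "" )
        return;

    # Constructed naming scheme: <source>-<file id>.<ext>, e.g. HTTP-F1abc.docx
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    # Files are written under FileExtract::prefix (extract_files/ by default).
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

If docx or xlsx files are still skipped, logging meta$mime_type for them shows which string Bro actually reports, and that string is what ext_map has to contain.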