[Bro] Renaming carved files
macochran0 at gmail.com
Tue Mar 1 11:11:07 PST 2016
I'm not expecting there to be a filename associated with every file, but if
the filename was in the pcap, for SMTP attachments, FTP file transfers, or
HTTP sessions this shouldn't be a complicated thing to do. I'm looking at
this from a network analyst point of view in making it more efficient for
them to quickly disseminate information. Maybe the fact that there is no
filename for the extracted data makes it more/less interesting depending on
the situation. I'm not looking for bro to try to make up a filename based
on URI, but rather just get the information from the HTTP header if the
filename is present (which I think is how bro gets the filename in
files.log for HTTP sessions). In which case just ripping it out of
files.log would be the right thing to do. I guess the real question is, is
it possible to do that in bro-script? Or is it just more realistic to do
that using python/shell?
On Tue, Mar 1, 2016 at 1:48 PM, anthony kasza <anthony.kasza at gmail.com>
> This is a tricky thing to do regardless of how you do it. What happens
> when the file was transfered over something besides protocols with URLs?
> Or, what if the file is a PE and includes an original name in its manifest
> but resides at a different URL?
> On Mar 1, 2016 9:51 AM, "Michael Cochran" <macochran0 at gmail.com> wrote:
>> I'm trying to find a simple way to rename a carved file back to it's
>> original file name using bro-script rather than having bash try to rip it
>> out of the files.log file. I have seen the mime type analyzers on git that
>> re-add the extension based on known mime types, but I'd rather be able to
>> immediately identify the original file name as it came across the wire. I
>> don't need the unique session identifier because by the time I'm using bro
>> file analysis I already have the individual session pcap isolated.
>> I'm guessing there should be a way to capture the files.log table data in
>> broscript, match the unique file identifier then rename the file with that
>> filename string from files.log.
>> Bro mailing list
>> bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro