[Bro] Renaming carved files
macochran0 at gmail.com
Wed Mar 2 07:15:44 PST 2016
So the problem I'm running into with this extraction script is here (I've
already got a script that handles the extracted metadata mime types):
local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
I don't need f$source or f$id in the filename. What I'm searching for is
being generated here in main.bro. I just need a way to grab this
information and add it to the extract.bro script to rename the extracted file:
A filename for the file if one is available from the source for the file.
These will frequently come from “Content-Disposition” headers in network
The logic (forgive my terrible syntax) should be along the lines of:
local fname: string;
if ( f?$info && f$info?$filename && f$info$filename != "" )
    fname = fmt("%s/%s.%s", outputdir, f$info$filename, ext);
else
    fname = fmt("%s/%s-%s.%s", outputdir, f$source, f$id, ext);
On Tue, Mar 1, 2016 at 2:18 PM, Daniel Guerra <daniel.guerra69 at gmail.com>
> On 01 Mar 2016, at 18:35, Michael Cochran <macochran0 at gmail.com> wrote:
> I'm trying to find a simple way to rename a carved file back to its
> original file name using bro-script rather than having bash try to rip it
> out of the files.log file. I have seen the mime type analyzers on git that
> re-add the extension based on known mime types, but I'd rather be able to
> immediately identify the original file name as it came across the wire. I
> don't need the unique session identifier because by the time I'm using bro
> file analysis I already have the individual session pcap isolated.
> I'm guessing there should be a way to capture the files.log table data in
> broscript, match the unique file identifier then rename the file with that
> filename string from files.log.
> Bro mailing list
> bro at bro-ids.org
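The approach the thread is asking for, as a complete extract script. This is an added example, not code from the thread or from the Bro project: it assumes a Bro 2.4-era Files framework (file_sniff with fa_metadata, split_string, Files::Info.filename set by the HTTP analyzer from Content-Disposition), and the names ext_map and safe_name are chosen here, not Bro builtins. It goes one step beyond the question by sanitising the wire filename before using it as a path, since Content-Disposition is supplied by the remote side and otherwise lets a name like "../../x" write outside the extraction directory.

```bro
# Added example: name extracted files after the filename Bro saw on the wire
# (f$info$filename, e.g. from Content-Disposition), falling back to the
# source-id scheme. ext_map and safe_name are names chosen for this example.
@load base/files/extract

# Directory the extract analyzer writes into; extract_filename is relative to it.
redef FileExtract::prefix = "/nsm/bro/extracted/";

# MIME type -> extension for the fallback name; extend as needed.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"]       = "pdf",
    ["text/plain"]            = "txt",
} &default = "";

# The wire filename is attacker-controlled: keep only the basename and a
# conservative character set so it cannot escape FileExtract::prefix.
function safe_name(name: string): string
    {
    local parts = split_string(name, /[\/\\]/);
    local base = gsub(parts[|parts| - 1], /[^A-Za-z0-9._-]/, "_");
    if ( base == "" || base == "." || base == ".." )
        return "";
    return base;
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Files::Info lives in f$info; the HTTP analyzer fills in $filename during
    # file_over_new_connection, which is raised before file_sniff.
    local wire_name = "";
    if ( f?$info && f$info?$filename )
        wire_name = safe_name(f$info$filename);

    local fname: string;
    if ( wire_name != "" )
        fname = wire_name;
    else
        {
        local ext = "";
        if ( meta?$mime_type )
            ext = ext_map[meta$mime_type];
        fname = ext == "" ? fmt("%s-%s", f$source, f$id)
                          : fmt("%s-%s.%s", f$source, f$id, ext);
        }

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run it against an isolated session with `bro -r session.pcap extract.bro`; the chosen name also lands in the `extracted` column of files.log, so the mapping from file id to carved file is still recorded. Because the wire name is used as-is (it normally carries its own extension), two files served under the same name overwrite each other in the output directory; if that matters, prefix the name with f$id instead of dropping it.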