[Bro] File extraction after checking hash.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Oct 3 11:49:38 PDT 2016


I was reading about the Files framework of Bro, and know that there are
file analyzers available that can be attached to files that Bro sees on the
network connection.
I am currently extracting all the 'application/x-dosexec' files from http
connections, and realized that
there are a lot of files that are just duplicates (i.e. with the same hashes).

Hence I was thinking to write some bro script that would use the Files analysis
FW and check the hash of the file first against a set of hashes already
seen (extracted) by Bro, and skip the extraction of that file if it's
present in the set of hashes.

I tried adding Files::add_analyzer(f, Files::ANALYZER_EXTRACT, ...) in the
file_new event, file_sniff event and file_state_removed event (except it
didn't work there), but it turns out that the file_hash event triggers later than
all these events, and hashes get calculated after the file extraction
analyzer has run.

Hence wanted to ask is it possible to add Files::ANALYZER_EXTRACT AFTER
Files::ANALYZER_MD5 analyzer so that I can get the hash first to compare
against the set before making a decision to extract the file?
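The following Bro script is an added example, not code from the original post or from the Bro project. It works around the ordering the poster observed: the MD5 is only available in file_hash, which fires after the extract analyzer has already written the file, so instead of trying to skip extraction up front it attaches both analyzers in file_sniff and removes the freshly extracted file afterwards whenever its MD5 is already in a set of seen hashes. The module name DedupExtract, the set seen_md5, the filename pattern, and the use of the file-extraction output directory FileExtract::prefix plus f$info$extracted to locate the written file are assumptions made for this example.

```bro
# Added example (not from the original post). De-duplicate extracted
# application/x-dosexec files by MD5. The hash is known only at end of
# file, by which time the extract analyzer has already written the file,
# so duplicates are removed after the fact rather than never extracted.

module DedupExtract;

export {
	# Hashes of executables already kept on disk (assumed name). Could be
	# pre-loaded from a file or made persistent across restarts.
	global seen_md5: set[string];

	# MIME types to extract; only x-dosexec in the original question.
	const extract_types: set[string] = { "application/x-dosexec" } &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type || meta$mime_type !in extract_types )
		return;

	# Attach hashing and extraction together; the digest arrives later
	# in file_hash, once the whole file has been seen.
	Files::add_analyzer(f, Files::ANALYZER_MD5);

	# Assumed filename pattern: source plus Bro's file id.
	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Only MD5 matters here, and only for files we actually extracted.
	if ( kind != "md5" || ! f$info?$extracted )
		return;

	if ( hash in seen_md5 )
		{
		# Duplicate content: drop the copy the extract analyzer just wrote.
		# Assumes the default layout of prefix directory + extracted name.
		local path = FileExtract::prefix + f$info$extracted;
		if ( ! unlink(path) )
			Reporter::warning(fmt("could not remove duplicate %s (md5 %s)",
			                      path, hash));
		return;
		}

	# First time this content was seen: remember it and keep the file.
	add seen_md5[hash];
	}
```

Because seen_md5 lives only in memory, a restart of Bro forgets previously extracted hashes; anyone running this for long would want to load the set from the extraction directory at startup or give it an expiry so it does not grow without bound.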
