[Bro] File extraction after checking hash.
seth at icir.org
Mon Oct 3 19:36:30 PDT 2016
> On Oct 3, 2016, at 2:49 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> Hence wanted to ask is it possible to add Files::ANALYZER_EXTRACT AFTER Files::ANALYZER_MD5 analyzer so that I can get the hash first to compare against the set before making a decision to extract the file?
Unfortunately not. Since we don't know the hash of the file when we see the beginning we can't yet determine that we don't want to extract the file. Sort of a chicken and egg problem. :)
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro