[Bro] File extraction after checking hash.

Seth Hall seth at icir.org
Tue Oct 4 07:21:20 PDT 2016


> On Oct 4, 2016, at 8:47 AM, erik clark <philosnef at gmail.com> wrote:
> 
> Can't you simply write a script that calls file extract at a later date? I would think to hook it into file intel which runs after the file analysis (it's comparing hashes) and extract at that point, not before...

I've been thinking about some potential directions we could go that might open the door to doing this in some cases for the next release, but for now imagine that your file is 10G.  We can't keep that much data in memory but you don't know the file hash until you've seen every byte of that file.  You can't choose to extract the file at the end because all of the content for that file is already gone.  You'd have to extract it up front and make the decision to keep it or delete it after the fact.

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
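The extract-first, decide-later approach described above, written out as an added Bro script example (it is not code from this thread or from the Bro project). It assumes Bro 2.4 or later, that the `unlink` built-in is available, and uses a constructed placeholder set `keep_hashes` in place of a real hash feed.

```bro
# Added example: extract every file as it streams through, then keep or
# delete the on-disk copy once the SHA256 hash is known.

@load base/files/extract
@load base/files/hash

module ExtractThenDecide;

export {
	# Constructed placeholder: hashes of files worth keeping on disk.
	const keep_hashes: set[string] = {
		"0000000000000000000000000000000000000000000000000000000000000000"
	} &redef;
}

event file_new(f: fa_file)
	{
	# The extraction decision has to be made here: once the bytes have
	# passed through the engine they are gone, so the file is written to
	# disk now and that choice is revisited when the hash arrives.
	local fname = fmt("extract-%s", f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Only the SHA256 result is used for the keep/delete decision.
	if ( kind != "sha256" )
		return;

	# Nothing was extracted for this file (e.g. analyzer could not attach).
	if ( ! f$info?$extracted )
		return;

	# Hash matched: leave the extracted copy in place for the analyst.
	if ( hash in keep_hashes )
		return;

	# Not interesting after all: remove the copy written at file_new time.
	# FileExtract::prefix is the extraction directory (default ./extract_files/).
	local path = fmt("%s%s", FileExtract::prefix, f$info$extracted);
	if ( ! unlink(path) )
		Reporter::warning(fmt("could not delete extracted file %s", path));
	}
```

The disk still has to absorb every file up front, so in practice `extract_limit` (or a size check before adding the analyzer) bounds how much a single large transfer can cost.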
