[Bro] loading modules and automatically using custom scripts (clautos)

clautos sebclaut at gmail.com
Thu Sep 8 02:49:54 PDT 2016

Ok thanks for the update.
I have tested the two following modules to extract files (the paths are
the ones I have with SecurityOnion):
- /opt/bro/share/bro/file-extraction/extract.bro that gives me files in the
/nsm/bro/extracted folder
- /opt/bro/share/bro/policy/frameworks/files/extract-all-files.bro (and the
md5sum is generated in my files.log) that saves me files in the
/nsm/bro/spool/test-seconion-eth0-1/extract_files folder.

I encounter a very problematic issue:
When I download the winrar installer (.exe) I get it correctly extracted
(md5sums match) in both output folders (via HTTP)
When I download Firefox installer (.exe) I get nothing (it's via HTTPS so I
suppose it's the reason why)
When I download audacity (.exe) through HTTP, I get an incorrect .exe file.
The original file has a size of 26.5 MB and what I collect in my
"extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.

For the moment I can't trust what I get with Bro since the md5s mismatch; if
I download a malware how can I be sure that I'll get it and be able to
submit it to VT for an accurate analysis?
ps: I'll try the scripts you sent me and hope the files will be extracted

2016-09-08 3:00 GMT+02:00 김희철 <hckim at narusec.com>:

> 1) how to load custom scripts in the core of Bro ?
> custom scripts are saved in ~prefix-DIR/share/bro/site
> if you upgrade Bro, it won't be deleted
> https://www.bro.org/sphinx/quickstart/#deployment-customization
> 2) is the extract files script different because it's not in the "policy"
> folder ?
> for file extraction I used
> https://github.com/hosom/bro-file-extraction
> --
> ------------------------------------------------------
> Hichul Kim 김희철, Senior Researcher
> Naru Security (주)나루씨큐리티
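A check for the truncated-extraction symptom described in this thread (a 1.4 kB file on disk for a 26.5 MB download): each files.log record's seen_bytes, total_bytes, missing_bytes and md5 is compared against the extracted file before the copy is trusted. This is an added Python example, not code from the thread, from Bro or from the linked scripts; the log rows, fuids, file names and byte contents are constructed.

```python
import hashlib

# Constructed stand-ins for files Bro wrote into extract_files (inline so this runs offline).
GOOD = b"MZ" + b"\x90" * 2046   # fully extracted 2048-byte file
TRUNC = b"MZ" + b"\x90" * 1398  # 1400 bytes seen of a much larger download
EXTRACTED = {"extract-HTTP-FaGood.exe": GOOD, "extract-HTTP-FbTrunc.exe": TRUNC}

# Constructed files.log excerpt in Bro's ASCII format; column names are default files.log fields.
FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tfuid\tmime_type\tseen_bytes\ttotal_bytes\tmissing_bytes\tmd5\textracted",
    "\t".join(["1473320000.1", "FaGood", "application/x-dosexec", "2048", "2048", "0",
               hashlib.md5(GOOD).hexdigest(), "extract-HTTP-FaGood.exe"]),
    "\t".join(["1473320010.2", "FbTrunc", "application/x-dosexec", "1400", "27787264", "0",
               hashlib.md5(TRUNC).hexdigest(), "extract-HTTP-FbTrunc.exe"]),
    "\t".join(["1473320020.3", "FcBad", "application/x-dosexec", "2048", "2048", "0",
               "0" * 32, "extract-HTTP-FaGood.exe"]),   # logged md5 disagrees with disk
])

def parse_bro_log(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def verify_extracted(log_text, files):
    """Map fuid -> list of problems; an empty list means the copy can be trusted."""
    result = {}
    for rec in parse_bro_log(log_text):
        name = rec["extracted"]
        if name == "-":
            continue                      # Bro wrote no file for this fuid
        data = files.get(name, b"")       # an absent file behaves as zero bytes
        seen, total, missing = (int(rec[k]) if rec[k] != "-" else 0
                                for k in ("seen_bytes", "total_bytes", "missing_bytes"))
        problems = []
        if total and seen < total:        # transfer ended before the full file arrived
            problems.append("incomplete: %d of %d bytes seen" % (seen, total))
        if missing:                       # Bro saw gaps (packet loss / reassembly)
            problems.append("gaps: %d bytes missing" % missing)
        if len(data) != seen:
            problems.append("size on disk %d != seen_bytes %d" % (len(data), seen))
        if rec["md5"] != "-" and hashlib.md5(data).hexdigest() != rec["md5"]:
            problems.append("md5 mismatch")
        result[rec["fuid"]] = problems
    return result
```

Only records with an empty problem list are worth submitting for analysis; a seen_bytes well below total_bytes is exactly the 1.4 kB-of-26.5 MB case.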