[Bro] loading modules and automatically using custom scripts (clautos)
sebclaut at gmail.com
Fri Sep 9 03:49:15 PDT 2016
Ok so I tried something. I downloaded audacity, notepad++, 7zip (in HTTP
from filehippo not from the official sites to make sure it's HTTP download).
I captured the download with wireshark, and I found the PE in the pcap,
even with bro -r extract_file.
When I just load the extract_file plugin and download my exe files, the
extracted files are incomplete (they are much smaller than the real ones).
In addition to that, I suspected that it might have been caused by the -C
option but even without this option, my bro -r pcapfile.pcap extract_file
module could extract the whole executable.
In interactive mode though, I don't extract the whole executable.
tldr: The live capture doesn't extract the whole file but the bro -r
pcapfile.pcap path/extract_file does work
2016-09-08 16:05 GMT+02:00 Seth Hall <seth at icir.org>:
> On Sep 8, 2016, at 5:49 AM, clautos <sebclaut at gmail.com> wrote:
> > When I download audacity (.exe) through HTTP, I get an incorrect .exe
> > file. The original file has a size of 26.5 MB and what I collect in my
> > "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.
> It's very possible that you encountered packet loss. You can either look
> at the "missed_bytes" field in conn.log or the "missing_bytes" field in the
> files.log. If either of those aren't zero, then you probably dropped
> Damn, now that I look at those field names, we ended up naming them
> unfortunately different.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
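The check Seth suggests (look for non-zero missed_bytes in conn.log and missing_bytes in files.log, and tie the two together through conn_uids) as an added example, not code from the thread or from the Bro project. The log text is constructed and abbreviated; it assumes the standard Bro TSV layout with a #fields header line.

```python
"""Flag Bro files.log records with byte gaps and show the related conn.log loss."""

SEP = "\t"

# Constructed, abbreviated sample logs (real Bro logs carry many more columns).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmissed_bytes\n"
    "#types\ttime\tstring\taddr\taddr\tcount\n"
    "1473324000.1\tCabc1\t10.0.0.5\t192.0.2.10\t0\n"
    "1473324001.2\tCdef2\t10.0.0.5\t192.0.2.10\t26100000\n"
)
FILES_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tfuid\tconn_uids\tfilename\tseen_bytes\ttotal_bytes\tmissing_bytes\n"
    "#types\ttime\tstring\tset[string]\tstring\tcount\tcount\tcount\n"
    "1473324000.2\tFok\tCabc1\tnpp.exe\t4096\t4096\t0\n"
    "1473324001.3\tFbad\tCdef2\taudacity.exe\t1400\t26500000\t26100000\n"
)

def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split(SEP)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no records
        else:
            rows.append(dict(zip(fields, line.split(SEP))))
    return rows

def to_int(value):
    """Bro prints '-' for unset counts; treat that as zero."""
    return 0 if value in ("-", "") else int(value)

def incomplete_files(files_log, conn_log):
    """Return (fuid, missing_bytes, {conn uid: missed_bytes}) for every file with a gap.

    A non-zero missing_bytes means the file analyzer never saw part of the
    stream, which is why an extracted executable comes out truncated.
    """
    missed = {r["uid"]: to_int(r["missed_bytes"]) for r in parse_bro_log(conn_log)}
    result = []
    for rec in parse_bro_log(files_log):
        gap = to_int(rec["missing_bytes"])
        if gap == 0:
            continue
        uids = rec["conn_uids"].split(",")  # set fields are comma separated
        result.append((rec["fuid"], gap, {u: missed.get(u) for u in uids}))
    return result

if __name__ == "__main__":
    for fuid, gap, conns in incomplete_files(FILES_LOG, CONN_LOG):
        print(f"{fuid}: {gap} bytes missing, connection loss: {conns}")
```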