[Bro] Calling external scripts on extracted files

Vikram Basu vikrambasu059 at gmail.com
Wed Oct 4 06:41:07 PDT 2017


Awesome. Thanks, I'll check it out.

On 04-Oct-2017 6:54 PM, "Hosom, Stephen M" <hosom at battelle.org> wrote:

> Vikram,
>
>
> I'm the author of the package that you're using. Happy to help!
>
>
> I don't know why it is precisely that your script is not working, however,
> I have good examples of how to do this type of activity within the plugin.
>
>
> Check out the file store-files-by-md5.bro within the plugins directory.
>
>
> This script uses the mv command to move files and rename them based on
> their hash once Bro finishes extracting them and is a good example of how
> to perform an action on a file once it has been extracted "the right way".
>
>
> Please let me know if you have any issues... You may find that I am more
> responsive to the issues page for the project on GitHub.
>
>
> Thanks,
>
>
> Stephen
>
> ________________________________
> From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Vikram Basu <vikrambasu059 at gmail.com>
> Sent: Wednesday, October 4, 2017 8:54:59 AM
> To: bro at bro.org
> Subject: [Bro] Calling external scripts on extracted files
>
> Hi,
>
> I am using the bro file-extraction script from the bro-pkg manager and
> want to run a python script as soon as the file is completely extracted.
>
> Currently I am calling the script using the Bro Exec::run command after
> modifying the script, but oftentimes the script is running before the file
> has finished extracting and is failing as a result.
>
> How can I make it so that Bro calls the script after the file has already been
> extracted?
>
> I thought maybe using file_state_remove would help but even in that case I
> am getting
> /Input::READER_RAW: Child process exited with non-zero return code 127
> which I am assuming means the script was run before the file was truly
> extracted?
>
> Any advice would be much appreciated.
>
> Regards
>
> Vikram
>
>
>
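The pattern discussed in this thread (act on a file only once Bro has finished extracting it), as an added sketch that is not code from the thread or from the file-extraction package. It assumes Bro 2.5-era names (`Exec::run`, `str_shell_escape`, `FileExtract::prefix`) and that `file_state_remove` is the completion hook; the module name `PostExtract` and the handler path are hypothetical.

```bro
@load base/files/extract
@load base/utils/exec
@load base/utils/paths

module PostExtract;

export {
    ## Hypothetical handler script (assumption). Give an absolute path to an
    ## executable file: a shell reports exit status 127 when it cannot find
    ## the command it was asked to run.
    const handler_path = "/usr/local/bin/handle_extracted.py" &redef;
}

# Low priority so other file_state_remove handlers (hashing, logging
# fields) have already run by the time this one fires.
event file_state_remove(f: fa_file) &priority=-5
    {
    # Skip files the extract analyzer never wrote to disk.
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # f$info$extracted is relative to FileExtract::prefix.
    local path = build_path_compressed(FileExtract::prefix, f$info$extracted);

    # str_shell_escape() escapes shell metacharacters but adds no quotes,
    # so each argument is wrapped in double quotes here. The command line
    # is interpreted by a shell, so never interpolate raw names into it.
    local cmd = fmt("\"%s\" \"%s\"",
                    str_shell_escape(handler_path),
                    str_shell_escape(path));

    # Exec::run is asynchronous; the when block resumes once the child exits.
    when ( local result = Exec::run([$cmd=cmd]) )
        {
        if ( result$exit_code != 0 )
            Reporter::warning(fmt("post-extract handler exited %d for %s",
                                  result$exit_code, path));
        }
    }
```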