[Bro-Dev] file analysis extraction analyzer
Seth Hall
seth at icir.org
Wed Jun 26 06:39:45 PDT 2013
On Jun 25, 2013, at 1:35 PM, "Siwek, Jonathan Luke" <jsiwek at illinois.edu> wrote:
> Generally sounds fine, but why is the tag needed? Unless there's plans to be different kinds of file extraction analyzers that re-use those events, won't it always be the same tag? Similarly, do you need the full args since the only relevant part of it is the file/path name?
After talking yesterday we both came to the conclusion that we should just add a single event that looks like this…
event file_extract_end(f: fa_file, filename: string)
This way we'll be able to spool currently downloading files into a temporary location and move them to their final location when the extraction is finished (and perhaps most importantly, do it all at script land).
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
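The spool-then-move workflow the post sketches, written out as an added Bro script example (not code from the post or from the Bro project). It assumes the proposed file_extract_end(f, filename) event exists exactly as written above and that its filename argument is relative to FileExtract::prefix; Files::add_analyzer(), FileExtract::prefix, mkdir() and rename() are existing Bro built-ins, and final_dir is an assumed path.

```bro
# Added example: spool extracted files under a ".partial" name while the
# download is in progress, then move them into place from script land once
# the proposed file_extract_end event says extraction is finished.
module SpoolExtract;

export {
    ## Directory that finished files are moved into (assumed path, not from the post).
    const final_dir = "./extract_files/done" &redef;
}

event bro_init()
{
    # Both directories must exist before the first rename(); mkdir() is idempotent.
    mkdir(FileExtract::prefix);
    mkdir(final_dir);
}

# Attach the extraction analyzer as soon as a file is seen. The ".partial"
# suffix keeps anything watching the extract directory from consuming a
# half-written file.
event file_new(f: fa_file)
{
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fmt("%s.partial", f$id)]);
}

# Proposed event from the post: fires when the extraction analyzer has written
# everything it will write for this file. Assumption: `filename` is the
# extract_filename given above, relative to FileExtract::prefix.
event file_extract_end(f: fa_file, filename: string)
{
    local src = FileExtract::prefix + filename;
    local dst = fmt("%s/%s", final_dir, f$id);

    # rename() returns F on failure (e.g. cross-filesystem move or missing file);
    # report it rather than silently leaving the ".partial" file behind.
    if ( ! rename(src, dst) )
        Reporter::warning(fmt("file extraction: could not move %s to %s", src, dst));
}
```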