[Bro] Problem extracting files

David Dorsey trogdorsey at gmail.com
Wed Nov 16 08:47:46 PST 2011


Ah, apparently I have two left feet, since I didn't do the check and
install part of the dance.

And thanks for the tip on the HTTP extraction bug, that explains why every
PDF is only 1500 bytes.  :o)  I'll grab the update from the Git repo.


David


On Wed, Nov 16, 2011 at 9:38 AM, Seth Hall <seth at icir.org> wrote:

>
> On Nov 16, 2011, at 10:54 AM, David Dorsey wrote:
>
> > [BroControl] > print HTTP::extract_file_types
> >        bro   HTTP::extract_file_types = /^?(NO_DEFAULT)$?/
> > [BroControl] >
> >
> > Is there another variable I need to set?
>
> After you added the redef, did you do the check, install, restart dance in
> broctl?  BroControl uses cached copies of the scripts so that the running
> scripts are only updated when you are ready with the "install" command.
>
> Variables that you redef can also be modified at runtime with the "update"
> command, so instead you could do check, install, update.  If you use the
> print command before and after, you should see the change reflected.  There
> is a bug in the HTTP file extraction in the beta too, where it only extracts
> an initial chunk of the file; it's fixed in the git repository already
> though.
>
> Files will also be extracted to the spool/bro directory too (assuming you
> haven't changed your node.cfg) and I don't know how they will be handled
> upon file rotation.  We haven't had time to put a lot of thought into live
> traffic file extraction on clusters or with BroControl, so behavior is a
> little unknown currently.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>