[Bro] saving the binary information at pcap

Seth Hall seth at icir.org
Sat May 19 21:35:15 PDT 2012


On May 17, 2012, at 1:53 AM, Oguz Yarimtepe wrote:

> Is there a way to tell Bro: ok, don't save this response as a single file, but save the images here, JS files here, etc.? Or can I use the Broccoli Python binding for it?


You are looking at the wrong extraction. :)

This will extract windows executables from HTTP traffic:
# Add the MIME type(s) to extract to the pattern Bro matches response bodies against.
redef HTTP::extract_file_types += /application\/x-dosexec/;

If you have different criteria for extracting files, it's possible to do your own thing by setting a boolean value in the c$http record.  You just need to make sure that you set it before any data has begun to transfer.  In your case, you might want to do this...

# Runs once per HTTP header line; headers arrive before any entity data,
# so extract_file is still set early enough here.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Bro hands header names in upper case, so compare against "HOST".
	if ( name == "HOST" && value == "www.milliyet.com.tr" )
		c$http$extract_file = T;
	}

The above code will make Bro extract all files from the site you mentioned in your previous email.  This will all be changing when we get the file analysis framework released, though; it should be easier and more generic for all protocols.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
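As an added example (not code from Seth's message), the same extract_file mechanism narrowed to the response types the original question asked about: it keys on the request's Host header, which Bro records in c$http$host, and on the response's Content-Type header, which arrives before any entity data. The site name and MIME patterns are assumptions chosen for illustration.

```bro
# Added example: extract only image and JavaScript responses from one site,
# using the same c$http$extract_file flag described above.

# Assumed site of interest and response types to keep (constructed values).
const extract_hosts = /^www\.example\.com$/ &redef;
const extract_mime  = /^image\/|javascript/ &redef;

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only response headers carry the Content-Type we care about, and the
	# request's Host header has already been recorded in c$http$host by now.
	if ( is_orig || ! c?$http || ! c$http?$host )
		return;

	# Decide while still in the headers: entity data has not started yet,
	# so setting extract_file here satisfies the "before any data" rule.
	if ( name == "CONTENT-TYPE" &&
	     extract_hosts in c$http$host &&
	     extract_mime in value )
		c$http$extract_file = T;
	}
```

The extracted files still land under Bro's default HTTP extraction naming; this message does not describe a way to route them into per-type directories.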