[Bro] File Extraction Question
Seth Hall
seth at icir.org
Thu Oct 11 19:27:16 PDT 2012
On Oct 11, 2012, at 8:38 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
> Played with it a bit more and
>
> redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;
>
> added to a .bro file fixes the problem. I no longer get md5 sums, but
> all executables are successfully extracted into the extraction
> directory.
>
> Is this anticipated behavior? Or should I get my cake and eat it too? :)
I have no clue why this is happening. Also, you shouldn't need that whole list you defined in your earlier email. You should be able to get away with only defining /application\/x-dosexec/
If I had to guess, it could be something to do with the first line you defined…
redef HTTP::extract_file_types = /application\/x-dosexec/ &redef;
Adding the attribute there doesn't even make sense and honestly that should be a parse-time error since using the &redef attribute in that situation would never make sense. I'll file a ticket.
File extraction should work like you want with this line:
redef HTTP::extract_file_types += /application\/x-dosexec/;
All of this will be changing for 2.2 also and will become much more flexible.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
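As an added illustration of the point Seth makes about `&redef` (this is example code written for this page, not from the thread or from the Bro distribution), the snippet below shows where the attribute actually belongs in Bro script and what a site script does with the resulting constant. The module name `ExtractDemo`, the constant `exe_types` and the extra MIME pattern are constructed for the example; only `HTTP::extract_file_types` is a real Bro 2.1 identifier, taken from the thread.

```bro
# Added example, not part of the mailing-list thread.
# ExtractDemo and exe_types are constructed names for illustration.

module ExtractDemo;

export {
    ## The &redef attribute goes on the declaration. It marks the constant
    ## as one that other scripts are allowed to change later with a
    ## `redef` statement; without it, a later redef is a parse error.
    const exe_types = /application\/x-dosexec/ &redef;
}

# --- what a site script (e.g. local.bro) would then do ---

# Correct: `+=` adds a pattern to the redef-able constant, keeping the
# patterns the declaring script already set. (`=` would replace them.)
redef ExtractDemo::exe_types += /application\/x-msdownload/;

# The line from the thread, for contrast, attaches the attribute to the
# redef statement itself. That has no meaning: the statement modifies an
# existing constant, it does not declare one, so there is nothing for
# &redef to apply to. Left commented out on purpose.
# redef ExtractDemo::exe_types = /application\/x-dosexec/ &redef;

# The real Bro 2.1 setting discussed in the thread follows the same form:
# extend the set of MIME types whose bodies are written to disk.
redef HTTP::extract_file_types += /application\/x-dosexec/;
```

Loading a script shaped like this and then running `bro` with it is a quick way to confirm that the declaration form parses while the commented-out line does not; the same `+=` idiom applies to `HTTP::generate_md5` if you want hashing for the same types rather than disabling it with a never-matching pattern.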