[Bro] File Extraction Question

Mike Sconzo sconzo at visiblerisk.com
Thu Oct 11 20:47:35 PDT 2012


No parsing error was generated; broctl check && broctl install &&
broctl restart completed successfully.


I was/am a bit lost as well. You gave me another thing to check. Got
rid of everything and only did the following:

redef HTTP::extract_file_types += /.*\/.*/;

Extracts all files, except for the Windows exes that were MD5'd

----- then ----

redef HTTP::extract_file_types += /.*\/.*/;
redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;

Extracts all files (including all Windows exes) and none are MD5'd

Looking forward to the change in 2.2.

On Thu, Oct 11, 2012 at 9:27 PM, Seth Hall <seth at icir.org> wrote:
>
> On Oct 11, 2012, at 8:38 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
>
>> Played with it a bit more and
>>
>> redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;
>>
>> added to a .bro file fixes the problem. I no longer get md5 sums, but
>> all executables are successfully extracted into the extraction
>> directory.
>>
>> Is this anticipated behavior? Or should I get my cake and eat it too? :)
>
>
> I have no clue why this is happening.  Also, you shouldn't need that whole list you defined in your earlier email.  You should be able to get away with only defining /application\/x-dosexec/
>
> If I had to guess, it could be something to do with the first line you defined…
>  redef HTTP::extract_file_types = /application\/x-dosexec/ &redef;
>
> Adding the attribute there doesn't even make sense and honestly that should be a parse-time error since using the &redef attribute in that situation would never make sense.  I'll file a ticket.
>
> File extraction should work like you want with this line:
>  redef HTTP::extract_file_types += /application\/x-dosexec/;
>
> All of this will be changing for 2.2 also and will become much more flexible.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>



-- 
cat ~/.bash_history > documentation.txt
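Since the workaround above disables generate_md5 to get the executables extracted, the hashes have to be recovered from the extraction directory afterwards. The script below is an added example, not part of the thread or of Bro: it walks a directory of extracted files, picks out Windows executables by their MZ header (the files a generate_md5 pattern of /application\/x-dosexec/ would have hashed) and computes their MD5s; the directory layout and file names are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: Bro wrote extracted HTTP bodies as plain files into one flat
# directory. The real path and naming depend on the site's configuration.


def md5_hex(data: bytes) -> str:
    """MD5 hex digest of an in-memory byte string (used for checking)."""
    return hashlib.md5(data).hexdigest()


def is_dos_executable(head: bytes) -> bool:
    """True when the first two bytes are the 'MZ' magic of a DOS/PE image."""
    return head[:2] == b"MZ"


def md5_extracted_files(extract_dir: str, only_exes: bool = True) -> dict:
    """Map file name -> MD5 hex digest for files in extract_dir.

    only_exes=True mirrors generate_md5 limited to application/x-dosexec;
    only_exes=False hashes every extracted file, like a catch-all pattern.
    """
    results = {}
    for name in sorted(os.listdir(extract_dir)):
        path = os.path.join(extract_dir, name)
        if not os.path.isfile(path):
            continue
        digest = hashlib.md5()
        with open(path, "rb") as fh:
            head = fh.read(2)
            if only_exes and not is_dos_executable(head):
                continue
            digest.update(head)
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        results[name] = digest.hexdigest()
    return results


def demo(only_exes: bool = True) -> dict:
    """Constructed extraction directory: one fake MZ file and one HTML body."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # constructed: MZ magic plus padding, not a real PE
        with open(os.path.join(d, "page.html"), "wb") as fh:
            fh.write(b"<html></html>")
        return md5_extracted_files(d, only_exes=only_exes)
```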
