[Bro] File Extraction Question
Mike Sconzo
sconzo at visiblerisk.com
Thu Oct 11 20:47:35 PDT 2012
No parsing error was generated, broctl check && broctl install &&
broctl restart completed successfully.

I was/am a bit lost as well. You gave me another thing to check. Got
rid of everything and only did the following:

redef HTTP::extract_file_types += /.*\/.*/;

Extracts all files, except for the windows exes that were MD5'd

----- then ----

redef HTTP::extract_file_types += /.*\/.*/;
redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;

Extracts all files (including all windows exes) and none are MD5'd

Looking forward to the change in 2.2.

On Thu, Oct 11, 2012 at 9:27 PM, Seth Hall <seth at icir.org> wrote:
>
> On Oct 11, 2012, at 8:38 PM, Mike Sconzo <sconzo at visiblerisk.com> wrote:
>
>> Played with it a bit more and
>>
>> redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;
>>
>> added to a .bro file fixes the problem. I no longer get md5 sums, but
>> all executables are successfully extracted into the extraction
>> directory.
>>
>> Is this anticipated behavior? Or should I get my cake and eat it too? :)
>
>
> I have no clue why this is happening. Also, you shouldn't need that whole list you defined in your earlier email. You should be able to get away with only defining /application\/x-dosexec/
>
> If I had to guess, it could be something to do with the first line you defined…
> redef HTTP::extract_file_types = /application\/x-dosexec/ &redef;
>
> Adding the attribute there doesn't even make sense and honestly that should be a parse-time error since using the &redef attribute in that situation would never make sense. I'll file a ticket.
>
> File extraction should work like you want with this line:
> redef HTTP::extract_file_types += /application\/x-dosexec/;
>
> All of this will be changing for 2.2 also and will become much more flexible.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
--
cat ~/.bash_history > documentation.txt