[Bro] Trying to extract HTTP payload

Seth Hall seth at icir.org
Mon Sep 17 19:12:53 PDT 2012


On Sep 17, 2012, at 10:04 PM, Abhishek Chanda <abhishek.lists at gmail.com> wrote:

> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply
> error in ./site, line 1: read failed with "Is a directory"
> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents
> error in ./site, line 1: read failed with "Is a directory"
> achanda at achanda-OptiPlex-780:~/bro/scripts$


What version of Bro are you running?  There is no http-reply script anymore (it was removed in 2.0).

2.0 and 2.1 can extract payloads in several ways.  There is currently only one mechanism built in for doing it though, by matching the sniffed MIME type of the response body.

This will do it if you are just interested in running from the command line...
	bro -r somepackets.pcap "HTTP::extract_file_types=/.*/"

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
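The same MIME-type-driven extraction as a script instead of a command-line redef, added here as an example and not taken from the thread or from Bro's own sources. It assumes the HTTP::extract_file_types pattern mentioned above and an HTTP::extraction_prefix variable as found in the 2.0/2.1 file-extract script; the narrowing to two MIME types is a constructed sample.

```bro
# Load the HTTP analysis scripts that provide the extraction hook.
@load base/protocols/http

# Only write response bodies whose sniffed MIME type matches this pattern.
# Narrowing it (instead of /.*/) keeps the extracted-file volume manageable
# during an investigation.
redef HTTP::extract_file_types = /application\/x-dosexec/ | /application\/pdf/;

# Filename prefix for the extracted bodies (assumed to exist in 2.0/2.1).
redef HTTP::extraction_prefix = "http-item";
```

Run it as `bro -r somepackets.pcap extract-by-type.bro` (any file name works) to get the matching bodies written to the working directory.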