[Bro] Trying to extract HTTP payload
Abhishek Chanda
abhishek.lists at gmail.com
Tue Sep 18 10:08:51 PDT 2012
Hi,
Thanks for the reply.
This is bro 2.1. Now, I ran this:
sudo ./bro -i eth0 "HTTP::extract_file_types=/.jpg/"
But no file gets saved in the current directory. The entry appears in
http.log though with a 200 OK
1347988043.663837 SWYFHjGx0x6 192.168.10.185 58146 74.200.247.186 80 0 - - - - - 0 7240 200 OK - - - (empty) - - - image/jpeg - -
1347988052.178112 BVcSiCSyzA4 192.168.10.185 46424 54.240.160.141 80 0 - - - - - 0 31225 200 OK - - - (empty) - - - image/jpeg - -
#close 2012-09-18-10-07-40
Is there something else I need to do?
Thanks
On Mon, Sep 17, 2012 at 7:12 PM, Seth Hall <seth at icir.org> wrote:
>
> On Sep 17, 2012, at 10:04 PM, Abhishek Chanda <abhishek.lists at gmail.com> wrote:
>
>> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply
>> error in ./site, line 1: read failed with "Is a directory"
>> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents
>> error in ./site, line 1: read failed with "Is a directory"
>> achanda at achanda-OptiPlex-780:~/bro/scripts$
>
>
> What version of Bro are you running? There is no http-reply script anymore (it was removed in 2.0).
>
> 2.0 and 2.1 can extract payloads in several ways. There is currently only one mechanism built in for doing it though, by matching the sniffed mime type of the response body.
>
> This will do it if you are just interested in running from the command line...
> bro -r somepackets.pcap "HTTP::extract_file_types=/.*/"
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
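An added example, not part of this thread and not Bro's own code, that checks offline which of the http.log entries quoted above a given `HTTP::extract_file_types` value would select. It assumes the Bro 2.1 http.log column order listed in the code, that the pattern is applied as an unanchored regular-expression search against the `mime_type` column (the mime-type matching Seth describes), and that a Bro `/.../` pattern literal translates directly to a Python regex. The two log lines are reconstructed from the message with tab separators, since Bro writes tab-separated logs and the mail client collapsed them to spaces.

```python
import re

# Column layout of a Bro 2.1 http.log, assumed from the 2.1 HTTP scripts.
# The two entries quoted in the message have 26 fields, which matches this list.
HTTP_LOG_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "trans_depth", "method", "host", "uri", "referrer", "user_agent",
    "request_body_len", "response_body_len", "status_code", "status_msg",
    "info_code", "info_msg", "filename", "tags", "username", "password",
    "proxied", "mime_type", "md5", "extraction_file",
]

# The two http.log entries from the message, reconstructed with tab separators
# (constructed sample input; values are the ones quoted in the thread).
SAMPLE_HTTP_LOG = (
    "1347988043.663837\tSWYFHjGx0x6\t192.168.10.185\t58146\t74.200.247.186\t80"
    "\t0\t-\t-\t-\t-\t-\t0\t7240\t200\tOK\t-\t-\t-\t(empty)\t-\t-\t-\timage/jpeg\t-\t-\n"
    "1347988052.178112\tBVcSiCSyzA4\t192.168.10.185\t46424\t54.240.160.141\t80"
    "\t0\t-\t-\t-\t-\t-\t0\t31225\t200\tOK\t-\t-\t-\t(empty)\t-\t-\t-\timage/jpeg\t-\t-\n"
    "#close 2012-09-18-10-07-40\n"
)


def parse_http_log(text):
    """Return one dict per data line, skipping '#'-prefixed header/footer lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(HTTP_LOG_FIELDS):
            raise ValueError("unexpected field count %d" % len(fields))
        records.append(dict(zip(HTTP_LOG_FIELDS, fields)))
    return records


def bro_pattern_to_regex(bro_pattern):
    """Translate a Bro /.../ pattern literal into a compiled Python regex.

    Assumption: the pattern body uses the same syntax in both engines.
    """
    if len(bro_pattern) < 2 or bro_pattern[0] != "/" or bro_pattern[-1] != "/":
        raise ValueError("expected a /.../ pattern literal, got %r" % bro_pattern)
    return re.compile(bro_pattern[1:-1])


def would_extract(record, bro_pattern):
    """Model the extraction decision as an unanchored search in mime_type (assumed)."""
    mime = record["mime_type"]
    if mime == "-":  # no sniffed type was logged, so there is nothing to match
        return False
    return bro_pattern_to_regex(bro_pattern).search(mime) is not None


def check_extraction(log_text, bro_pattern):
    """Map each uid in the log to whether the given pattern would select it."""
    return {r["uid"]: would_extract(r, bro_pattern) for r in parse_http_log(log_text)}


if __name__ == "__main__":
    for pat in ("/.jpg/", "/jpe?g/", r"/image\/jpeg/", "/.*/"):
        print(pat, check_extraction(SAMPLE_HTTP_LOG, pat))
```

Under these assumptions `/.jpg/` selects neither entry, simply because the substring `jpg` does not occur anywhere in `image/jpeg`, whereas `/jpe?g/`, `/image\/jpeg/` and Seth's `/.*/` select both. The quoted log is consistent with that reading: the `extraction_file` column (the last one) is `-` for both entries. Checking a candidate pattern against the `mime_type` column of an existing http.log this way is a cheap sanity check before re-running Bro on live traffic.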