[Bro] Trying to extract HTTP payload

Abhishek Chanda abhishek.lists at gmail.com
Tue Sep 18 10:08:51 PDT 2012


Hi,

Thanks for the reply.
This is bro 2.1. Now, I ran this:

sudo ./bro -i eth0 "HTTP::extract_file_types=/.jpg/"

But no file gets saved in the current directory. The entry appears in
http.log though with a 200 OK

1347988043.663837	SWYFHjGx0x6	192.168.10.185	58146	74.200.247.186	80	0	-	-	-	-	-	0	7240	200	OK	-	-	-	(empty)	-	-	-	image/jpeg	-	-
1347988052.178112	BVcSiCSyzA4	192.168.10.185	46424	54.240.160.141	80	0	-	-	-	-	-	0	31225	200	OK	-	-	-	(empty)	-	-	-	image/jpeg	-	-
#close	2012-09-18-10-07-40

Is there something else I need to do?

Thanks

On Mon, Sep 17, 2012 at 7:12 PM, Seth Hall <seth at icir.org> wrote:
>
> On Sep 17, 2012, at 10:04 PM, Abhishek Chanda <abhishek.lists at gmail.com> wrote:
>
>> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply
>> error in ./site, line 1: read failed with "Is a directory"
>> achanda at achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents
>> error in ./site, line 1: read failed with "Is a directory"
>> achanda at achanda-OptiPlex-780:~/bro/scripts$
>
>
> What version of Bro are you running?  There is no http-reply script anymore (it was removed in 2.0).
>
> 2.0 and 2.1 can extract payloads in several ways.  There is currently only one mechanism builtin for doing it though by matching the sniffed mime type of the response body.
>
> This will do it if you are just interested in running from the command line...
>         bro -r somepackets.pcap "HTTP::extract_file_types=/.*/"
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
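An added check, not part of the thread: a short Python script that applies a candidate extract_file_types pattern to the mime_type column of the http.log lines quoted above, so a pattern can be verified against what the log recorded before re-running bro. It assumes the Bro 2.1 http.log column order (uid second, mime_type 24th) and unanchored matching of the sniffed mime type as Seth's reply describes; on these sample lines /.jpg/ selects nothing because the recorded type is image/jpeg, while /jpe?g/ and /.*/ select both entries.

```python
import re

# Constructed sample: the two http.log entries from the thread, joined with
# tabs as Bro writes them (the #fields header was not part of the post).
SAMPLE_HTTP_LOG = "\n".join([
    "\t".join(["1347988043.663837", "SWYFHjGx0x6", "192.168.10.185", "58146",
               "74.200.247.186", "80", "0", "-", "-", "-", "-", "-", "0", "7240",
               "200", "OK", "-", "-", "-", "(empty)", "-", "-", "-",
               "image/jpeg", "-", "-"]),
    "\t".join(["1347988052.178112", "BVcSiCSyzA4", "192.168.10.185", "46424",
               "54.240.160.141", "80", "0", "-", "-", "-", "-", "-", "0", "31225",
               "200", "OK", "-", "-", "-", "(empty)", "-", "-", "-",
               "image/jpeg", "-", "-"]),
    "#close\t2012-09-18-10-07-40",
])

# Assumption: in the Bro 2.1 http.log layout the uid is column 2 and the
# sniffed mime type is column 24 (0-based index 23).
UID_COLUMN = 1
MIME_TYPE_COLUMN = 23


def http_log_entries(log_text):
    """Yield (uid, mime_type) for each data line; skip '#' header/footer lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        yield fields[UID_COLUMN], fields[MIME_TYPE_COLUMN]


def matching_entries(log_text, pattern):
    """Return the uids whose recorded mime type the pattern would select.

    Bro applies the extract_file_types pattern to the sniffed mime type of the
    response body; the unanchored search here mirrors that as an assumption,
    using Python's re module in place of Bro's own regex engine.
    """
    rx = re.compile(pattern)
    return [uid for uid, mime in http_log_entries(log_text) if rx.search(mime)]


if __name__ == "__main__":
    for pattern in (".jpg", "jpe?g", ".*"):
        print(f"/{pattern}/ -> {matching_entries(SAMPLE_HTTP_LOG, pattern)}")
```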
