[Bro] extract jar files from HTTP stream
Shane Filus
filus at psc.edu
Mon Dec 30 05:34:44 PST 2013
On 12/29/13 2:25 PM, drum wrote:
> Hello,
>
>
> Is there a tutorial for version 2.2 of BRO? I'd like to understand how
> I can write my own scripts to support extraction of various files,
> like jar. So far I tried adding "application/jar" (it was logged to
> /nsm/bro/logs/current/files.log) as mime type to
> /opt/bro/share/bro/file-extraction/extract.bro file but it seems I
> have to do something else too as this change is not capturing files
> to /nsm/bro/extracted/ directory.
Hello,
Check the second example under 'Adding Analysis' for a start in file
extraction.
http://www.bro.org/sphinx/frameworks/file-analysis.html#adding-analysis
Also, not sure how it maps to Sec Onion, but there is
$PREFIX/share/bro/base/files/extract/main.bro from a source install.
Might be your 'extract.bro'? I don't see that file name in either the 2.1
or 2.2 source tree.
I used the code below to do something similar. There's probably a more
elegant, or efficient, solution, but it seems to be working as expected,
given the limited testing I've done.
# define file extraction filters
# Note: "pattern in string" is an unanchored match, so /IRC/ already
# covers the IRC_DATA source and /FTP/ covers FTP_DATA; the longer
# names are listed anyway for readability.
const match_file_source = /HTTP/ |
                          /IRC/ |
                          /IRC_DATA/ |
                          /FTP/ |
                          /FTP_DATA/ &redef;

# mime types (as reported in files.log) worth pulling off the wire
const match_file_mime = /text\/x-perl/ |
                        /text\/x-msdos-batch/ |
                        /text\/x-java/ |
                        /application\/x-gzip/ |
                        /application\/x-bzip2/ |
                        /application\/x-dosexec/ |
                        /application\/zip/ |
                        /application\/jar/ |
                        /application\/x-tar/ |
                        /application\/x-archive/ |
                        /application\/mac-binhex40/ |
                        /application\/x-java-keystore/ |
                        /application\/x-java-jce-keystore/ |
                        /application\/x-executable/ |
                        /application\/javascript/ &redef;

# add the extraction analyzer in the file_new event; mime_type is
# &optional on fa_file, so test for it before matching against it
event file_new(f: fa_file)
    {
    if ( f?$mime_type &&
         match_file_source in f$source &&
         match_file_mime in f$mime_type )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
Thanks,
Shane
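Added example, not part of the original post or of the Bro distribution: a Bro 2.2 script that extracts only JAR files carried over HTTP, names each extracted file so it lines up with the "extracted" column in files.log, and hashes it in the same pass. It assumes the 2.2 file-analysis API (Files::ANALYZER_EXTRACT, Files::ANALYZER_MD5, the redef-able FileExtract::prefix and the extract_filename analyzer argument), the /nsm/bro/extracted/ directory mentioned in the question, and that the magic database labels a JAR as one of application/jar, application/java-archive or application/zip (a .jar is a zip container, so which label you get depends on the magic database in use).

```bro
# Added example (not from the original post or the Bro project).
# Assumptions: Bro 2.2 file-analysis API; the directory below is the one
# named in the question; JARs may be reported under any of three mime types.

# Directory the extraction analyzer writes into.
redef FileExtract::prefix = "/nsm/bro/extracted/";

# Only pull files seen by the HTTP analyzer. "pattern in string" is an
# unanchored match, so anchor the pattern to avoid matching longer names.
const jar_sources = /^HTTP$/ &redef;

# A .jar is a zip container: older magic databases say application/jar,
# newer ones application/java-archive, and some fall back to application/zip.
const jar_mimes = /^application\/(jar|java-archive|zip)$/ &redef;

event file_new(f: fa_file)
    {
    # mime_type is &optional; it is absent when too little data was seen.
    if ( ! f?$mime_type )
        return;

    if ( jar_sources !in f$source || jar_mimes !in f$mime_type )
        return;

    # Name the file after its source, Bro file id and mime type, e.g.
    # HTTP-<fid>-application_zip, so the on-disk file and the "extracted"
    # column in files.log match without guessing.
    local fname = fmt("%s-%s-%s", f$source, f$id,
                      gsub(f$mime_type, /\//, "_"));

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);

    # Hash in the same pass so files.log carries an md5 for the artifact.
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    }
```

Load it from local.bro (or pass it on the bro command line) and check files.log: a matching JAR shows the chosen name in the "extracted" column and its digest in "md5", which is what you need to correlate the disk artifact with the connection that carried it.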