[Bro] Create different file size from original one in HTTP File-extract
JH YANG
joonysky at yahoo.com
Mon Jul 22 14:24:26 PDT 2013
Hey guys,
I'm working on BRO and extracting certain type of files on file systems. My question is Bro often has different file size from original one. So I performed some test with a vanilla BRO only configured like below.
redef HTTP::extract_file_types = /application\/.*/;
redef HTTP::extraction_prefix= "/usr/local/bro/logs/http-entity/"
After then I compared with a file from original one while capturing packets.
I found below :
Downloaded file(Bamf.zip) :
Original file size: 96396 bytes
From Bro: 94119 bytes
Pcap: 96396 bytes
Pcap hasn't any missed parts but the file from Bro created uncompleted file which doesn't have last parts of file(2277bytes)
I would appreciate if you provide me any clue or thought for solving it
Thank you,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130722/d2857000/attachment.html
More information about the Bro
mailing list