[Bro] File carving
Seth Hall
seth at icir.org
Thu Sep 5 09:14:57 PDT 2013
On Sep 5, 2013, at 11:38 AM, Antonio Nappa <jeppojeps at gmail.com> wrote:
> to carve jar files from pcaps, the problem is that if I manually carve a file from wireshark the size and the hash of this file are different from the ones that I get if I use bro. What is funny is that in the http.log I get the right md5 of the jar file, but then if I use the md5sum utility on the file extracted with bro they don't match
There is some problem with doing file extraction in 2.1 that pops up from time to time. I don't think there is anyone that is totally clear what the problem is and we've completely revamped file handling for 2.2. The video where I discuss file handling in the upcoming 2.2 release was just released today and there are some exercises available too.
Video: http://security.ncsa.illinois.edu/BroExchange2013/Hall-File_Analysis-NCSA%20DSS%20H264%201.25Mbps.mp4
Exercises: http://bro.org/bro-exchange-2013/exercises/faf.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130905/6762e333/attachment.bin
More information about the Bro
mailing list