[Bro] Bro 2.2 File Extraction (RHEL 6.5)
Jonathon Wright
jonathon.s.wright at gmail.com
Wed Aug 6 12:53:16 PDT 2014
Hey Bro List,
I'm trying to set up file extraction using Bro 2.2 on a RHEL 6.5
system and it's not functioning properly (no files are being extracted
from the pcap).
Here is what I've tried:
I put whatever.bro into the directory:
/opt/bro/share/bro/site
I edited "local.bro" and told it to "load whatever.bro"
I verified all configuration syntax: broctl check
I addressed any errors (none)
I installed the script: broctl install
Then bounced bro: broctl restart
To test the Bro file extraction capabilities, my "whatever.bro" script
contains the following:
-----------START
# This produces logs only, no extracted files
event file_new(f: fa_file)
    {
    # Attach the extraction analyzer to every file Bro starts seeing
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
-----------END
My (produced from tcpdump) pcap contains a five minute section of
traffic where I downloaded a few hp printer drivers to test. Wireshark
was able to extract the files, so we know the pcap file integrity is good.
I ran this on the command line to have Bro extract the HP printer driver
files from the same pcap file:
bro -C -r my_pcap_file
Logs are produced in the pwd, but no extracted files.
Any ideas?
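An added example, not Jonathon's script and not code shipped with Bro: a file_new handler that gives each extracted file a name built from its carrying protocol and Bro's file id, plus a file_state_remove handler that reports what was actually written. It assumes Bro 2.2's `extract_filename` option for Files::ANALYZER_EXTRACT, Bro 2.2's default output directory `extract_files/` under the working directory, and that a script is only loaded by `bro -r` when it is named on the command line (site/local.bro is not loaded automatically in that mode); the MIME table is constructed for illustration.

```bro
# whatever.bro (added example; the command line and file names are
# constructed for illustration)
# Run against a capture with the script named explicitly, otherwise
# nothing from site/local.bro is loaded by "bro -r":
#     bro -C -r my_pcap_file whatever.bro
# Bro 2.2 writes extracted files under ./extract_files/ by default.

# Map a few MIME types to file extensions so the extracted files are
# recognisable on disk; anything else gets no extension.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/zip"]       = "zip",
    ["application/pdf"]       = "pdf",
    ["text/html"]             = "html",
    ["text/plain"]            = "txt",
} &default = "";

event file_new(f: fa_file)
    {
    local ext = "";

    # mime_type is optional on fa_file; it is only set once enough
    # of the file has been seen to sniff it.
    if ( f?$mime_type )
        ext = ext_map[f$mime_type];

    # Name the file from the protocol that carried it (e.g. HTTP) and
    # Bro's unique file id, so several downloads do not collide.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }

# Confirm the extraction actually ran: the extract analyzer adds an
# "extracted" field to the files.log record naming the file written
# to extract_files/. Report it when Bro is done with the file.
event file_state_remove(f: fa_file)
    {
    if ( f$info?$extracted )
        print fmt("extracted %s -> %s", f$id, f$info$extracted);
    }
```

If the files.log produced by this run has no "extracted" column, the analyzer was never attached, which points at the script not being loaded rather than at the pcap.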