[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Seth Hall seth at icir.org
Wed Aug 6 14:09:13 PDT 2014


On Aug 6, 2014, at 4:41 PM, Jonathon Wright <jonathon.s.wright at gmail.com> wrote:

> Too easy, that worked! It created the extracted files in the 'pwd'. I checked the md5 they matched from the wireshark pcap file.

Great!

> 1. Can I safely assume, based on these test results, that broctl will perform the same way as bro?

Generally yes.  Broctl is just a control harness for Bro that runs it in a certain way.

> 2. If so, where will broctl place the 'extracted_files' directory?

Unfortunately that will in the <prefix>/spool/{node-name} directory.  You can set it to something system-wide though like this...

redef FilesExtract::prefix = "/extract/here/";

That directory will just need to exist and multiple Bro processes will write extracted files there.

> 3. Lastly, whats the best way to investigate these files (I'm capturing all exe downloads on HTTP)? For example, the directory 'extracted_files' will be full of HTTP-blahblah names. How would I correlate those file names to its actual file name? Is that information stored in the conn.log, files.log, http.log, packet_filter.log,  & weird.log?

Unfortunately again, that's something where you may want to write a script that can take the file names and inspect the logs.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140806/09562a64/attachment.bin 


More information about the Bro mailing list