[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Jonathon Wright jonathon.s.wright at gmail.com
Wed Aug 6 17:58:41 PDT 2014


That's great information. When you say "you can set it to something
system-wide though like this", what file do I edit, or is that entry
something I put at the top of my "whatever.bro"?

No problem about writing a script. We are a big perl/php/shell shop, I
guess my question is, what files would I need to parse / correlate to
determine the correct / original name of the exe?

Thanks again for your help!


On Wed, Aug 6, 2014 at 11:09 AM, Seth Hall <seth at icir.org> wrote:

>
> On Aug 6, 2014, at 4:41 PM, Jonathon Wright <jonathon.s.wright at gmail.com>
> wrote:
>
> > Too easy, that worked! It created the extracted files in the 'pwd'. I
> checked the md5 they matched from the wireshark pcap file.
>
> Great!
>
> > 1. Can I safely assume, based on these test results, that broctl will
> perform the same way as bro?
>
> Generally yes.  Broctl is just a control harness for Bro that runs it in a
> certain way.
>
> > 2. If so, where will broctl place the 'extracted_files' directory?
>
> Unfortunately that will in the <prefix>/spool/{node-name} directory.  You
> can set it to something system-wide though like this...
>
> redef FilesExtract::prefix = "/extract/here/";
>
> That directory will just need to exist and multiple Bro processes will
> write extracted files there.
>
> > 3. Lastly, what's the best way to investigate these files (I'm capturing
> all exe downloads on HTTP)? For example, the directory 'extracted_files'
> will be full of HTTP-blahblah names. How would I correlate those file names
> to their actual file names? Is that information stored in the conn.log,
> files.log, http.log, packet_filter.log, & weird.log?
>
> Unfortunately again, that's something where you may want to write a script
> that can take the file names and inspect the logs.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
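The log correlation Seth suggests scripting, written out as an added example that is not part of this thread and not code from the Bro project. It assumes Bro 2.2's default column names for the subset of files.log and http.log columns it reads (fuid, conn_uids, extracted, orig_fuids, resp_fuids, filename), that extracted files are named "<source>-<fuid>" as in the 'HTTP-blahblah' names mentioned above, and that the embedded log text is a constructed sample rather than a real capture. The key point it shows is that the connection uid alone is not enough: a keep-alive connection carries several requests under one uid, so the join has to go through the file id recorded in resp_fuids.

```python
#!/usr/bin/env python3
"""Map a Bro-extracted file name back to the HTTP request that carried it.

Added example; not code from the mailing-list thread or from the Bro project.
Assumptions (labelled again where they matter):
  * extracted files are named "<source>-<fuid>", e.g. "HTTP-FdpVd4FxQN1Kvmr0e",
    and files.log also records that name in its 'extracted' column;
  * files.log and http.log use Bro 2.2's default column names for the subset
    of columns shown here;
  * the log text below is a constructed sample, not a real capture.
"""
from urllib.parse import urlsplit

# Constructed sample: a subset of Bro 2.2 files.log columns (tab separated).
FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tmd5\textracted\n"
    "1407349200.101\tFdpVd4FxQN1Kvmr0e\t203.0.113.10\t192.0.2.25\tCXWv6p3arKYeMETxOg\t"
    "HTTP\tapplication/x-dosexec\t9e107d9d372bb6826bd81d3542a419d6\tHTTP-FdpVd4FxQN1Kvmr0e\n"
)

# Constructed sample: a subset of Bro 2.2 http.log columns. Two requests share
# one connection uid (keep-alive), so uid alone cannot say which one sent the exe.
HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\t"
    "status_code\tfilename\torig_fuids\tresp_fuids\n"
    "1407349200.000\tCXWv6p3arKYeMETxOg\t192.0.2.25\t203.0.113.10\tGET\tfiles.example.test\t"
    "/index.html\tMozilla/5.0\t200\t-\t-\tF2bfl43s1oaIbcdu8f\n"
    "1407349200.100\tCXWv6p3arKYeMETxOg\t192.0.2.25\t203.0.113.10\tGET\tfiles.example.test\t"
    "/downloads/setup.exe?v=2\tMozilla/5.0\t200\t-\t-\tFdpVd4FxQN1Kvmr0e\n"
)


def parse_bro_log(text):
    """Parse Bro's ASCII log: the '#fields' line names the columns, other '#'
    lines are metadata, and every remaining line is one tab-separated record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def split_set(value):
    """Bro logs a set[string] as comma-separated values; '-' means unset."""
    return set() if value in ("-", "(empty)") else set(value.split(","))


def build_index(files_log_text, http_log_text):
    """Index files.log by fuid and by extracted name, and http.log by conn uid."""
    files_by_fuid, files_by_extracted = {}, {}
    for row in parse_bro_log(files_log_text):
        files_by_fuid[row["fuid"]] = row
        if row.get("extracted", "-") != "-":
            files_by_extracted[row["extracted"]] = row
    http_by_uid = {}
    for row in parse_bro_log(http_log_text):
        http_by_uid.setdefault(row["uid"], []).append(row)
    return files_by_fuid, files_by_extracted, http_by_uid


def original_name(http_row):
    """Prefer the Content-Disposition filename Bro logged; otherwise take the
    last path component of the URI, with any query string dropped."""
    if http_row["filename"] != "-":
        return http_row["filename"]
    return urlsplit(http_row["uri"]).path.rsplit("/", 1)[-1]


def resolve(extracted_name, index):
    """Return file metadata plus every HTTP request that carried this file,
    or None if the name is not in files.log."""
    files_by_fuid, files_by_extracted, http_by_uid = index
    frow = files_by_extracted.get(extracted_name)
    if frow is None:  # assumption: the name is "<source>-<fuid>"
        frow = files_by_fuid.get(extracted_name.split("-", 1)[-1])
    if frow is None:
        return None
    hits = []
    for uid in split_set(frow["conn_uids"]):
        for h in http_by_uid.get(uid, []):
            # Join on the file id, not only the connection: a keep-alive
            # connection carries many requests under the same uid.
            if frow["fuid"] in split_set(h["resp_fuids"]) | split_set(h["orig_fuids"]):
                hits.append({"uid": uid, "host": h["host"], "uri": h["uri"],
                             "name": original_name(h), "client": h["id.orig_h"]})
    return {"fuid": frow["fuid"], "mime_type": frow["mime_type"],
            "md5": frow["md5"], "requests": hits}


def demo():
    """Resolve the one extracted file in the constructed sample."""
    return resolve("HTTP-FdpVd4FxQN1Kvmr0e", build_index(FILES_LOG, HTTP_LOG))


if __name__ == "__main__":
    r = demo()
    for req in r["requests"]:
        print(f'{r["fuid"]} ({r["mime_type"]}, md5 {r["md5"]}) <- '
              f'http://{req["host"]}{req["uri"]} saved as "{req["name"]}" by {req["client"]}')
```

Run against real logs by reading files.log and http.log from the spool or logs directory into `build_index` in place of the sample strings; the md5 in files.log is also the value to compare against the hash of the extracted file on disk, which is the same check done manually against the pcap earlier in this thread.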