[Bro] Bro 2.2 File Extraction (RHEL 6.5)

Jonathon Wright jonathon.s.wright at gmail.com
Wed Aug 6 19:27:52 PDT 2014


Very, very interesting.

No worries about specifics, I usually ask if I'm still unsure, but thanks
for the clarification!
Historically, the standard bro "communication.log, weird.log, etc." logs
that are created under dated directories are what we currently use. We are
now adding the HTTP / exe file carving to our requirements and my thought
was how to know what the original .exe filename was since we keep a db of
md5's of known exe's from the OS that are used for comparisons. The problem
is, I won't know what file/md5_value to compare it to since I won't know
the original filename. Hope that makes sense.

For example, if a user downloads something.exe (via http), bro will create
an HTTP-blahblah file name. My problem at that point, is how do I know what
the user tried to download, was it "notepad.exe" or "maliciousIntent.exe"?
I will only have a directory full of HTTP-blahblah names, correct? That was
where I was trying to go. Perhaps I misunderstood your response and you
already answered me? If so, apologies, but I still seem to be missing the
connection of the bro created file name when it's carved and the actual
filename of the exe that the user attempted to download.



On Wed, Aug 6, 2014 at 3:49 PM, Seth Hall <seth at icir.org> wrote:

>
> On Aug 6, 2014, at 8:58 PM, Jonathon Wright <jonathon.s.wright at gmail.com>
> wrote:
>
> > That's great information. When you say " you can set it to something
> system-wide though like this"
> > What file do I edit, or is that entry something I put at the top of my
> "whatever.bro" ?
>
> You could add that directly to local.bro or add it to your whatever.bro
> script and load that script in local.bro.
>
> I guess my comment about "system-wide" was far too non-specific. :)
>
> What I meant is that if you're running a number of worker (traffic
> sniffing) processes on a single host they will each have their own spool
> directory which will cause them all to write files to separate
> subdirectories of their spool/ directory.  If you set the prefix to be an
> absolute path it will cause all of the processes to write their files to
> that same directory but I don't know what your deployment looks like so I
> may be giving unhelpful advice.
>
> >  No problem about writing a script. We are a big perl/php/shell shop, I
> guess my question is, what files would I need to parse / correlate to
> determine the correct / original name of the exe?
>
> Ah!  That's complicated.  You can refer to the "filename" field in the
> files log.  For any files that were extracted, you should be able to find
> the name of the file that was written to disk in the "extracted" field in
> the files.log.  So, take the filename you have on disk, search for that in
> the files.log, then look at the "filename" field.
>
> One gotcha here though.  We have taken a somewhat tough line on what we
> consider a "filename".  The basic gist is that in order to be a filename it
> must be something explicitly declared as a filename.  In other words, we
> don't yank path components from HTTP requests to assign as file names.  If
> we did, you'd very likely extract a bunch of files named index.asp and
> others like that.  HTTP actually declares a header field where filenames
> can be explicitly passed through.  Those are extracted and given as
> filenames in files.log.  Other protocols provide file names in various ways
> as well.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
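The correlation Seth describes (take the name of the carved file on disk, find the files.log record whose "extracted" field carries it, then read that record's "filename" and "md5" fields) can be done with a small parser for the Bro 2.x ASCII log format. The following is an added example, not code from the Bro project or from either poster. It assumes the tab-separated files.log layout with a "#fields" header and "-" for unset fields; the fuids, hosts, hashes, extracted names and the known-md5 table are all constructed. Note the gotcha from the reply: "filename" is only populated when the protocol explicitly declared one (for HTTP, the Content-Disposition header), so the example reports that case rather than guessing a name from the URL.

```python
"""Map a file that Bro extracted to disk back to the filename declared on
the wire, and compare its md5 against a table of known hashes.
Added example; not Bro project code.  Assumes the Bro 2.x ASCII log format."""

import io

# Constructed files.log excerpt.  The field names follow the Bro 2.2
# files.log header; every value below is made up for illustration.
# Record 1: HTTP download with a declared filename (Content-Disposition).
# Record 2: HTTP download with no declared filename ('-' in that column).
SAMPLE_FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers\tmime_type\tfilename\tduration\tlocal_orig\tis_orig\tseen_bytes\ttotal_bytes\tmissing_bytes\toverflow_bytes\ttimedout\tparent_fuid\tmd5\tsha1\tsha256\textracted
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tcount\tset[string]\tstring\tstring\tinterval\tbool\tbool\tcount\tcount\tcount\tcount\tbool\tstring\tstring\tstring\tstring\tstring
1407371234.123456\tFaBcDeXyZ1234\t203.0.113.10\t192.0.2.25\tCqWxYzAbCdEf\tHTTP\t0\tEXTRACT,MD5\tapplication/x-dosexec\tnotepad.exe\t0.512\tF\tF\t193536\t193536\t0\t0\tF\t-\t0123456789abcdef0123456789abcdef\t-\t-\tHTTP-FaBcDeXyZ1234.exe
1407371300.654321\tFgHiJkLmNo5678\t203.0.113.11\t192.0.2.25\tCrStUvWxYz0123\tHTTP\t0\tEXTRACT,MD5\tapplication/x-dosexec\t-\t0.220\tF\tF\t40960\t40960\t0\t0\tF\t-\tfedcba9876543210fedcba9876543210\t-\t-\tHTTP-FgHiJkLmNo5678.exe
"""

# Constructed stand-in for the "db of md5's of known exe's": md5 -> expected name.
KNOWN_MD5 = {"0123456789abcdef0123456789abcdef": "notepad.exe"}


def parse_bro_log(text):
    """Yield one dict per data row, keyed by the names in the '#fields' header.
    The '#unset_field' marker (default '-') is mapped to None so that a
    missing filename is explicit rather than a literal dash."""
    fields = None
    unset = "-"
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on row: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def extracted_index(text):
    """Index files.log by the on-disk name in the 'extracted' field.
    Rows without 'extracted' were seen on the wire but never written to disk."""
    index = {}
    for rec in parse_bro_log(text):
        if rec.get("extracted") is None:
            continue
        index[rec["extracted"]] = {
            "fuid": rec["fuid"],
            "source": rec["source"],
            "mime_type": rec["mime_type"],
            "filename": rec["filename"],  # None unless explicitly declared
            "md5": rec["md5"],
        }
    return index


def check_extracted(on_disk_name, files_log_text, known_md5):
    """Resolve a carved file to its declared name and classify it against
    the known-hash table.  Returns a dict with a 'status' and the fields used."""
    rec = extracted_index(files_log_text).get(on_disk_name)
    if rec is None:
        return {"status": "not-in-files.log", "filename": None, "md5": None}
    result = {"fuid": rec["fuid"], "filename": rec["filename"], "md5": rec["md5"]}
    expected = known_md5.get(rec["md5"]) if rec["md5"] else None
    if expected is None:
        result["status"] = "unknown-hash"
    elif rec["filename"] is None:
        # Hash is known but nothing on the wire declared a name; do not
        # invent one from the request path (the reply explains why Bro doesn't).
        result["status"] = "known-hash-no-declared-filename"
    elif expected.lower() == rec["filename"].lower():
        result["status"] = "known-hash-name-match"
    else:
        result["status"] = "known-hash-name-mismatch"
    return result


if __name__ == "__main__":
    for carved in ("HTTP-FaBcDeXyZ1234.exe", "HTTP-FgHiJkLmNo5678.exe", "HTTP-missing.exe"):
        print(carved, check_extracted(carved, SAMPLE_FILES_LOG, KNOWN_MD5))
```

In a real deployment the files.log under the dated directory for the day of the capture is the one to read, and with several workers writing to separate spool subdirectories the same "extracted" name should be looked up in each worker's files.log. Whitelisting by md5 alone is still the safer comparison: the declared name is attacker-controlled header content and is only useful as corroboration.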