[Bro] File Extraction

Jonathon Wright jonathon.s.wright at gmail.com
Wed Dec 3 17:58:02 PST 2014


Hey Bro members,

Some questions about File Extraction for Bro on my Red Hat 6.5 server.

File Extraction
1. I've configured Bro appropriately to extract "exe" mime types from the
HTTP protocol. It works great. However, the "files.log" only contains MD5
and SHA1 entries for some of the files, not all of them. How do I fix this
so that all of the extracted files have the MD5 and SHA1 entries?

2. I have analysts that need access to the files (/var/data/bro/extracted),
but I've noticed that bro creates the files with random permissions, either
644 or 600... so they can only access the ones with 644. How do I ensure
bro extracts the file with the 644 permission set on all of them? (see
example below)

-rw-r--r--. 1 root root    703736 Nov  7 04:29 HTTP-FzedfU1k233I0Kiwn8.exe.dead
-rw-------. 1 root root    358799 Nov  5 04:07 HTTP-FzFPDF3EF77DEUSjdf.exe.dead
-rw-------. 1 root root  26121658 Nov  6 03:17 HTTP-FzhwqG33dNtUHZraZ4.exe.dead
-rw-------. 1 root root    249856 Nov  5 00:00 HTTP-FZi4XxyXiaoBquRu.exe.dead
-rw-r--r--. 1 root root    332536 Nov 28 14:21 HTTP-FZikQY3r8a7gXtLlee.exe.dead
-rw-r--r--. 1 root root     24306 Nov 12 05:02 HTTP-FzjIxe2MR9Uj8S8j27.exe.dead
-rw-------. 1 root root     94568 Nov  6 04:00 HTTP-FzJjxg23F3HPqtRbC2.exe.dead

3. Is there a way to tell bro to run as a different user / group other than
root? I didn't see any options for it in the bro --help. I would assume I
would have to give broctl and bro binaries / modules the ownership and
executable rights by another user, then have bro start up as that new user,
but wanted to see if there was an easier way. Otherwise I'd have to change
the default install configuration each time I upgrade.

Thanks!
JW
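An added example for question 1, not part of the post above: a small audit script that reads a Bro files.log and lists extracted files whose md5/sha1 fields are unset, reporting missing_bytes alongside so the analyst can see whether the file was observed in full. It assumes the standard tab-separated Bro log layout with #separator, #unset_field and #fields header lines; the sample log embedded below is constructed.

```python
# Added example: audit a Bro files.log for extracted files with no md5/sha1.
# Assumes Bro's tab-separated log format with "#separator", "#unset_field"
# and "#fields" header lines. The log below is constructed sample data.
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\tmime_type\tseen_bytes\ttotal_bytes\tmissing_bytes\tmd5\tsha1\textracted
#types\ttime\tstring\tstring\tcount\tcount\tcount\tstring\tstring\tstring
1417651200.0\tFaaa1\tapplication/x-dosexec\t703736\t703736\t0\t<md5-placeholder>\t<sha1-placeholder>\tHTTP-Faaa1.exe
1417651260.0\tFbbb2\tapplication/x-dosexec\t358799\t400000\t41201\t-\t-\tHTTP-Fbbb2.exe
1417651320.0\tFccc3\ttext/html\t512\t512\t0\t-\t-\t-
"""


def parse_bro_log(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Parse Bro's TSV log into row dicts keyed by #fields; unset values become None."""
    sep, unset, fields, rows = "\t", "-", [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written escaped, e.g. "\x09" for a tab.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            continue
        values = line.split(sep)
        if len(values) != len(fields):
            continue  # skip truncated or partially written rows
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def missing_hashes(rows, hash_fields=("md5", "sha1")) -> List[Tuple]:
    """Return (fuid, extracted name, missing_bytes, absent hash fields) per extracted file."""
    out = []
    for r in rows:
        if r.get("extracted") is None:
            continue  # not an extracted file
        absent = [h for h in hash_fields if r.get(h) is None]
        if absent:
            out.append((r["fuid"], r["extracted"], r.get("missing_bytes"), absent))
    return out


if __name__ == "__main__":
    for entry in missing_hashes(parse_bro_log(SAMPLE_FILES_LOG.splitlines(True))):
        print(entry)
```

Run it against a real files.log with `parse_bro_log(open("files.log"))` to get the same report for the production data.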