[Bro] File Extraction

John Donnelly jdonnelly at dyn.com
Thu Dec 4 05:28:51 PST 2014


I doubt it.

Bro needs to run as root because it captures network traffic using libpcap.


On Wed, Dec 3, 2014 at 7:58 PM, Jonathon Wright <jonathon.s.wright at gmail.com> wrote:

> Hey Bro members,
>
> Some questions about File Extraction for Bro on my Red Hat 6.5 server.
>
> File Extraction
> 1. I've configured Bro appropriately to extract "exe" mime types from the
> HTTP protocol. It works great. However, the "files.log" only contains MD5
> and SHA1 entries for some of the files, not all of them. How do I fix this
> so that all of the extracted files have the MD5 and SHA1 entries?
>
> 2. I have analysts that need access to the files
> (/var/data/bro/extracted), but I've noticed that bro creates the files with
> random permissions, either 644 or 600... so they can only access the ones
> with 644. How do I ensure bro extracts the file with the 644 permission set
> on all of them? (see below example)
>
> -rw-r--r--. 1 root root    703736 Nov  7 04:29
> HTTP-FzedfU1k233I0Kiwn8.exe.dead
> -rw-------. 1 root root    358799 Nov  5 04:07
> HTTP-FzFPDF3EF77DEUSjdf.exe.dead
> -rw-------. 1 root root  26121658 Nov  6 03:17
> HTTP-FzhwqG33dNtUHZraZ4.exe.dead
> -rw-------. 1 root root    249856 Nov  5 00:00
> HTTP-FZi4XxyXiaoBquRu.exe.dead
> -rw-r--r--. 1 root root    332536 Nov 28 14:21
> HTTP-FZikQY3r8a7gXtLlee.exe.dead
> -rw-r--r--. 1 root root     24306 Nov 12 05:02
> HTTP-FzjIxe2MR9Uj8S8j27.exe.dead
> -rw-------. 1 root root     94568 Nov  6 04:00
> HTTP-FzJjxg23F3HPqtRbC2.exe.dead
> 3. Is there a way to tell bro to run as a different user / group other
> than root? I didn't see any options for it in the bro --help. I would
> assume I would have to give broctl and bro binaries / modules the ownership
> and executable rights by another user, then have bro start up as that new
> user, but wanted to see if there was an easier way. Otherwise I'd have to
> change the default install configuration each time I upgrade.
>
> Thanks!
> JW
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
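Added example, not part of the thread and not the poster's or the Bro project's own configuration: one way to make sure every file that is extracted also gets MD5 and SHA1 entries in files.log is to attach the hash analyzers in the same file_new handler that attaches the extraction analyzer, so both start before any file content is delivered. The script assumes Bro 2.3-era scripting (fa_file$mime_type being available in file_new; later releases moved MIME detection to the file_sniff event), and the MIME-to-extension table and /var/data/bro/extracted path are taken from the question above.

```bro
# Added example (not from the original post or the Bro distribution).
# Assumes Bro 2.3: fa_file$mime_type is populated by the time file_new
# fires. Drop into site/local.bro or load it from there.

@load base/files/extract
@load base/files/hash

# MIME type -> extension used in the extracted filename.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default = "";

# Directory the extraction analyzer writes into (path taken from the question).
redef FileExtract::prefix = "/var/data/bro/extracted/";

event file_new(f: fa_file)
    {
    if ( ! f?$mime_type )
        return;

    local ext = ext_map[f$mime_type];
    if ( ext == "" )
        return;   # not a type we extract

    # Produces names like HTTP-FzedfU1k233I0Kiwn8.exe, matching the listing above.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);

    # Attach the hash analyzers here, alongside extraction, so they see the
    # whole file. Attaching them later would miss already-delivered bytes.
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }
```

If some extracted files still show no md5/sha1 after this, look at the missing_bytes column of files.log for those entries: the hash analyzers are removed from a file once a content gap (e.g. from packet loss) is reported, since a hash over partial content would be misleading, while extraction carries on and writes whatever was seen.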