[Bro] File extraction exclude local sites

Mike Kolkebeck mkolkebeck at gmail.com
Sat Feb 1 14:53:50 PST 2014


Does anyone have a solution to exclude extracting files transmitted from
internal hosts?

I modified the script below from the bro exchange exercise, but I continue
to get executable files from internal hosts.  I am using broctl and
networks.cfg is populated.  I haven't tried using the
file_over_new_connection event yet, but I would prefer to use file_new
event, if I can.  Any ideas on what I'm doing wrong?

Thanks!
Mike



# Map detected MIME types to a file extension for the extracted file name.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default="";

event file_new(f: fa_file)
    {
    # Only handle Windows executables.
    if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
        return;

    if ( ! f?$info || ! f$info?$tx_hosts )
        return;

    # Skip the file if any transmitting host is in Site::local_nets
    # (populated from networks.cfg by broctl).
    for ( txhost in f$info$tx_hosts )
        {
        if ( Site::is_local_addr(txhost) )
            return;
        }

    local ext = "";

    if ( f?$mime_type )
        ext = ext_map[f$mime_type];

    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
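An added example (not the poster's script) that performs the same local-host check in the file_over_new_connection event mentioned above, where the connection carrying the file and its direction are handed to the handler directly; it assumes the Bro 2.2 file framework and a networks.cfg-populated Site::local_nets:

```bro
# Added example, not from the original post. Decide whether to extract a
# file at the moment it is associated with a connection, using the
# connection's endpoints rather than f$info$tx_hosts.

global exe_ext: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default="";

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    # Only executables with a known extension mapping.
    if ( ! f?$mime_type || f$mime_type !in exe_ext )
        return;

    # is_orig is T when the originator of the connection sent the file
    # bytes, so pick the transmitting endpoint accordingly.
    local tx_host = is_orig ? c$id$orig_h : c$id$resp_h;

    # Do not extract files served by internal hosts (Site::local_nets).
    if ( Site::is_local_addr(tx_host) )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, exe_ext[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

If one file is seen over several connections, this handler runs once per connection; Files::add_analyzer simply returns F when the extract analyzer is already attached, so the file is still written only once.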