[Bro] File extraction exclude local sites

Marius Portaas Haugen mariusph at ifi.uio.no
Sun Feb 2 05:26:23 PST 2014


Hi Mike,

I have planned to do something similar myself, and I'm planning on using the
local_orig variable and test for something like

if ( f$info?$local_orig && f$info$local_orig ) return;

but I haven't tried it out yet.
From the documentation
(http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info):

local_orig: bool &log &optional
If the source of this file is a network connection, this field 
indicates if the data originated from the local network or not as 
determined by the configured Site::local_nets.

Maybe this could work?

Best regards,
Marius P. Haugen




On 2014-02-01 23:53, Mike Kolkebeck wrote:
> Does anyone have a solution to exclude extracting files transmitted
> from internal hosts?
> 
> I modified the script below from the bro exchange exercise, but I
> continue to get executable files from internal hosts.  I am using
> broctl and networks.cfg is populated.  I haven't tried using the
> file_over_new_connection event yet, but I would prefer to use file_new
> event, if I can.  Any ideas on what I'm doing wrong?
> 
> Thanks!
> Mike
> 
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
> } &default = "";
> 
> event file_new(f: fa_file)
>     {
>     if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
>         return;
> 
>     if ( ! f?$info || ! f$info?$tx_hosts )
>         return;
> 
>     for ( txhost in f$info$tx_hosts )
>         {
>         if ( Site::is_local_addr(txhost) )
>             return;
>         }
> 
>     local ext = "";
> 
>     if ( f?$mime_type )
>         ext = ext_map[f$mime_type];
> 
>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>     }
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
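A worked version of the local_orig idea from this reply, written as an added example rather than code from either poster: it checks Files::Info$local_orig when the files framework has already filled it in, and otherwise derives the transmitting host from the connections the file was seen on, so the check does not depend on f$info$tx_hosts being populated at file_new time. It assumes the Bro 2.2-era fa_file fields f$conns and f$is_orig and the base/files/extract script; the module name and the fallback path are my own choices.

```bro
@load base/frameworks/files
@load base/utils/site
@load base/files/extract

# Added example (not from the thread): extract Windows executables only
# when the sending host is outside Site::local_nets (from networks.cfg).
module ExtractRemoteExe;

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default = "";

# Returns T if any host that transmitted this file is a local address.
function sent_by_local_host(f: fa_file): bool
    {
    # Preferred check: the files framework records local_orig in
    # Files::Info once it has associated the file with a connection.
    if ( f?$info && f$info?$local_orig )
        return f$info$local_orig;

    # Fallback (assumption: these fa_file fields are populated here):
    # f$is_orig says which side of each connection is sending the file.
    if ( f?$conns && f?$is_orig )
        {
        for ( cid in f$conns )
            {
            local tx = f$is_orig ? cid$orig_h : cid$resp_h;
            if ( Site::is_local_addr(tx) )
                return T;
            }
        }

    # No connection information yet, so we cannot call it local.
    return F;
    }

event file_new(f: fa_file)
    {
    # Only MIME types we have an extension mapping for.
    if ( ! f?$mime_type || f$mime_type !in ext_map )
        return;

    if ( sent_by_local_host(f) )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

If Site::local_nets is empty the framework never sets local_orig, so the fallback path is the only one that can fire; populate networks.cfg before relying on either check.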


