[Bro] 2.1 file analysis logging in 2.2

Mike Hamilton mhamilton at 21ct.com
Fri Feb 21 09:06:34 PST 2014



On 2/21/14 10:10 AM, "Seth Hall" <seth at icir.org> wrote:

>
>On Feb 21, 2014, at 9:43 AM, Mike Hamilton <mhamilton at 21ct.com> wrote:
>
>> I believe in 2.2, the file analysis engine was modified such that the
>>HTTP, SMTP, etc. file analysis logs were merged into a single files.log
>>file.
>
>Yep, sort of.  There is still some information about the files pulled
>back into the protocol logs too. (and you could write scripts that pull
>more back).
>
>> Some of the guys around the office thought they remembered a
>>presentation back in August on being able to configure Bro to still
>>report files in the 2.1 mode.
>
>I think you're going to need to describe what is missing that you want
>back.

So in 2.1, the http.log format had field/column values for 'mime_type' and
'md5', both simple strings.  That appears to have been expanded
significantly in 2.2 such that there are now 4 columns:
'orig_fuids', 'orig_mime_types', 'resp_fuids', 'resp_mime_types', which are
vectors of strings that reference the fuids in files.log (if my
understanding is correct).

Is there a simple way to add back those two old columns to the http.log
file?  Understanding that the new mime_types fields are vectors instead of
straight strings, do either of the new mime_type fields correspond to the
old mime_type column?




>
>  .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>
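An offline way to get the two 2.1-style columns back, added here as an example and not code from the thread or from the Bro project: parse the 2.2 http.log and files.log, then join the first entry of `resp_fuids` against the `fuid` column of files.log to pull `mime_type` and `md5` next to each request. The sample logs are constructed and trimmed to the relevant columns (uids, fuids, hostnames and MD5 values are placeholders); the mapping of the old columns to the response side of the transfer is an assumption, not something the thread confirms.

```python
"""Rebuild the Bro 2.1-style http.log columns (mime_type, md5) from 2.2 logs.

Bro 2.2 moved per-file details into files.log and left http.log with
vector-valued orig_fuids / orig_mime_types / resp_fuids / resp_mime_types
that reference files.log by fuid.  This joins the two logs offline.
"""

# Constructed sample logs, trimmed to the columns relevant here.  The uids,
# fuids, hostnames and MD5 values are placeholders, not real captures.
HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\thost\turi\torig_fuids\torig_mime_types\tresp_fuids\tresp_mime_types
#types\ttime\tstring\tstring\tstring\tvector[string]\tvector[string]\tvector[string]\tvector[string]
1392998834.000001\tCXWv6p3arKYeMETxOg\texample.test\t/tool.exe\t-\t-\tFaAbCd1234567890\tapplication/x-dosexec
1392998835.000002\tCjhGID4nQcgTWjvg4c\texample.test\t/upload\tFbBcDe0987654321\ttext/plain\tFcCdEf1122334455\ttext/html
1392998836.000003\tC4J4Th3eJvqPA8Jl9\texample.test\t/ping\t-\t-\t-\t-
"""

FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tfuid\tconn_uids\tsource\tis_orig\tmime_type\tmd5
#types\ttime\tstring\tset[string]\tstring\tbool\tstring\tstring
1392998834.000001\tFaAbCd1234567890\tCXWv6p3arKYeMETxOg\tHTTP\tF\tapplication/x-dosexec\t0123456789abcdef0123456789abcdef
1392998835.000002\tFbBcDe0987654321\tCjhGID4nQcgTWjvg4c\tHTTP\tT\ttext/plain\t-
1392998835.000002\tFcCdEf1122334455\tCjhGID4nQcgTWjvg4c\tHTTP\tF\ttext/html\tfedcba9876543210fedcba9876543210
"""


def parse_bro_log(text):
    """Parse Bro's ASCII log format into a list of dicts.

    Honors the #separator/#set_separator/#empty_field/#unset_field headers,
    turns vector[...] and set[...] columns into Python lists, and maps the
    unset marker to None so callers can tell "no file" from an empty string.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # Written as an escape (e.g. \x09) since it cannot appear literally.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "set_separator":
                set_sep = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            elif key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            continue
        row = {}
        for name, typ, val in zip(fields, types, line.split(sep)):
            if val == unset:
                row[name] = None
            elif typ.startswith(("vector[", "set[")):
                row[name] = [] if val == empty else val.split(set_sep)
            else:
                row[name] = val
        rows.append(row)
    return rows


def legacy_columns(http_row, files_by_fuid):
    """Return (mime_type, md5) the way Bro 2.1's http.log carried them.

    Assumption (not stated in the thread): the 2.1 columns described the
    server->client body, so they map to the first resp_fuid / resp_mime_type.
    files.log wins for mime_type; md5 only exists there, and only when the
    MD5 analyzer was attached to that file.
    """
    resp_fuids = http_row.get("resp_fuids") or []
    resp_mimes = http_row.get("resp_mime_types") or []
    if not resp_fuids:
        return None, None
    http_mime = resp_mimes[0] if resp_mimes else None
    f = files_by_fuid.get(resp_fuids[0])
    if f is None:  # fuid never made it into files.log (e.g. log rotation)
        return http_mime, None
    return f.get("mime_type") or http_mime, f.get("md5")


def add_legacy_columns(http_text, files_text):
    """Parse both logs and return the http rows with mime_type/md5 added."""
    files_by_fuid = {r["fuid"]: r for r in parse_bro_log(files_text)}
    rows = parse_bro_log(http_text)
    for row in rows:
        row["mime_type"], row["md5"] = legacy_columns(row, files_by_fuid)
    return rows


if __name__ == "__main__":
    cols = ["ts", "uid", "host", "uri", "mime_type", "md5"]
    print("\t".join(cols))
    for r in add_legacy_columns(HTTP_LOG, FILES_LOG):
        print("\t".join("-" if r[c] is None else r[c] for c in cols))
```

Run it against real logs by reading the two files into `HTTP_LOG` and `FILES_LOG`; the parser is driven entirely by the `#fields`/`#types` headers, so extra columns in a full 2.2 log are carried through untouched. Note that an unset `md5` is expected unless the MD5 analyzer was attached to the file, which is a separate question from the column layout. Doing the same thing at logging time rather than offline means extending the `HTTP::Info` record in a Bro script, which is the route the thread is asking about.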




