[Bro] extract jar files from HTTP stream
drum
drummachina at tdhack.com
Wed Jan 1 04:39:16 PST 2014
Thanks Shane, could you please write step-by-step instructions on where I
should put your code? I have no idea how to port it into my installation. Let's
assume I use 'plain' bro (no security onion) installed in /opt/bro. What is
the next step? BTW - I have both these files (extract.bro and main.bro):
root at onion:~# ls -al /opt/bro/share/bro/base/files/extract/main.bro /opt/bro/share/bro/file-extraction/extract.bro
-rw-r--r-- 1 root root 2126 Nov 7 18:27 /opt/bro/share/bro/base/files/extract/main.bro
-rw-r--r-- 1 root root 572 Jan 1 12:26 /opt/bro/share/bro/file-extraction/extract.bro
Regards,
drumm
2013/12/30 Shane Filus <filus at psc.edu>
> On 12/29/13 2:25 PM, drum wrote:
> > Hello,
> >
> >
> > Is there a tutorial for version 2.2 of BRO? I'd like to understand how
> > I can write my own scripts to support extraction of various files,
> > like jar. So far I tried adding "application/jar" (it was logged to
> > /nsm/bro/logs/current/files.log) as mime type to the
> > /opt/bro/share/bro/file-extraction/extract.bro
> > file but it seems I have to do something else too as this change is
> > not capturing files to the /nsm/bro/extracted/ directory.
> Hello,
>
>
> Check the second example under 'Adding Analysis' for a start in file
> extraction.
> http://www.bro.org/sphinx/frameworks/file-analysis.html#adding-analysis
>
> Also, not sure how it maps to Sec Onion, but there is
> $PREFIX/share/bro/base/files/extract/main.bro from a source install.
> Might be your 'extract.bro'? I don't see that file name in either 2.1 or 2.2
> source trees.
>
> Used the code below to do something similar. There's probably a more
> elegant, or efficient solution, but it seems to be working as expected,
> given the limited testing I've done.
>
>
> # define file extraction filters: which file sources (protocol analyzers)
> # and which MIME types should be handed to the extract analyzer
> const match_file_source = /HTTP/ |
>                           /IRC/ |
>                           /IRC_DATA/ |
>                           /FTP/ |
>                           /FTP_DATA/ &redef;
>
> const match_file_mime = /text\/x-perl/ |
>                         /text\/x-msdos-batch/ |
>                         /text\/x-java/ |
>                         /application\/x-gzip/ |
>                         /application\/x-bzip2/ |
>                         /application\/x-dosexec/ |
>                         /application\/zip/ |
>                         /application\/jar/ |
>                         /application\/x-tar/ |
>                         /application\/x-archive/ |
>                         /application\/mac-binhex40/ |
>                         /application\/x-java-keystore/ |
>                         /application\/x-java-jce-keystore/ |
>                         /application\/x-executable/ |
>                         /application\/javascript/ &redef;
>
> # add the extract analyzer in the file_new event; the mime_type field is
> # optional on fa_file, so test for its presence before matching on it
> event file_new(f: fa_file)
>     {
>     if ( f?$mime_type &&
>          match_file_source in f$source &&
>          match_file_mime in f$mime_type )
>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
>     }
>
>
> Thanks,
>
>
> Shane
>
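As an added example (not code from either poster), the following is a complete Bro 2.2 site script that does what the quoted snippet does, but also sets the output directory and gives each extracted file a name that can be matched back to files.log. The deployment steps in the header comment, the module name ExtractJars, the directory /opt/bro/extracted/ and the file name extract-jars.bro are assumptions for a plain /opt/bro install; the FileExtract::prefix constant and the $extract_filename analyzer argument are the ones defined by base/files/extract/main.bro in Bro 2.2.

```bro
# Added example, not from the mailing-list thread.
# Assumed deployment on a plain /opt/bro install:
#   1. save this file as /opt/bro/share/bro/site/extract-jars.bro
#   2. add the line  @load extract-jars  to /opt/bro/share/bro/site/local.bro
#   3. run: broctl check && broctl install && broctl restart
# Files matching the filters below are written under FileExtract::prefix.

@load base/files/extract

module ExtractJars;

# Where extracted files land (assumed path; default is ./extract_files/
# relative to the directory the Bro process runs in).
redef FileExtract::prefix = "/opt/bro/extracted/";

export {
    ## File sources (protocol analyzer names) worth extracting from.
    const match_file_source = /HTTP/ | /FTP_DATA/ | /IRC_DATA/ &redef;

    ## MIME types worth extracting; jar is the one asked about in the thread.
    const match_file_mime = /application\/jar/ |
                            /application\/zip/ |
                            /application\/x-dosexec/ &redef;
}

event file_new(f: fa_file)
    {
    # mime_type is an optional field; it is absent for files whose first
    # bytes could not be identified, so check before dereferencing it.
    if ( ! f?$mime_type )
        return;

    if ( match_file_source !in f$source )
        return;

    if ( match_file_mime !in f$mime_type )
        return;

    # Name the file after its source and the fa_file id (the "fuid" column
    # in files.log) so an extracted file can be tied back to the log entry.
    # MIME types contain "/", which must not end up in a path component.
    local fname = fmt("%s-%s.%s", f$source, f$id,
                      gsub(f$mime_type, /\//, "_"));

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Because the extracted file name embeds the fuid, an analyst can go from a suspicious row in files.log straight to the file on disk, which is the usual workflow once extraction is in place.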