[Bro] extract jar files from HTTP stream

drum drummachina at tdhack.com
Wed Jan 1 04:39:16 PST 2014


Thanks Shane, could you please write step-by-step instructions on where I
should put your code? I have no idea how to port it into my installation.
Let's assume I use 'plain' bro (no Security Onion) installed in /opt/bro.
What is the next step? BTW - I have both these files (extract.bro and main.bro):

root at onion:~# ls -al /opt/bro/share/bro/base/files/extract/main.bro /opt/bro/share/bro/file-extraction/extract.bro
-rw-r--r-- 1 root root 2126 Nov  7 18:27 /opt/bro/share/bro/base/files/extract/main.bro
-rw-r--r-- 1 root root  572 Jan  1 12:26 /opt/bro/share/bro/file-extraction/extract.bro



Pozdrawiam,
drumm


2013/12/30 Shane Filus <filus at psc.edu>

> On 12/29/13 2:25 PM, drum wrote:
> > Hello,
> >
> >
> > Is there a tutorial for version 2.2 of BRO? I'd like to understand how
> > I can write my own scripts to support extraction of various files,
> > like jar. So far I tried adding "application/jar" (it was logged to
> > /nsm/bro/logs/current/files.log) as mime type to
> > /opt/bro/share/bro/file-extraction/extract.bro
> > file but it seems I have to do something else too as this change is
> > not capturing files to /nsm/bro/extracted/ directory.
> Hello,
>
>
> Check the second example under 'Adding Analysis' for a start in file
> extraction.
> http://www.bro.org/sphinx/frameworks/file-analysis.html#adding-analysis
>
> Also, not sure how it maps to Sec Onion, but there is
> $PREFIX/share/bro/base/files/extract/main.bro from a source install.
> Might be your 'extract.bro'? I don't see that file name in either 2.1 or 2.2
> source trees.
>
> Used the code below to do something similar. There's probably a more
> elegant, or efficient solution, but it seems to be working as expected,
> given the limited testing I've done.
>
>
> # define file extraction filters
> const match_file_source = /HTTP/ |
>               /IRC/ |
>               /IRC_DATA/ |
>               /FTP/ |
>               /FTP_DATA/ &redef;
>
> const match_file_mime =   /text\/x-perl/ |
>               /text\/x-msdos-batch/ |
>               /text\/x-java/ |
>               /application\/x-gzip/ |
>               /application\/x-bzip2/ |
>               /application\/x-dosexec/ |
>               /application\/zip/ |
>               /application\/jar/ |
>               /application\/x-tar/ |
>               /application\/x-archive/ |
>               /application\/mac-binhex40/ |
>               /application\/x-java-keystore/ |
>               /application\/x-java-jce-keystore/ |
>               /application\/x-executable/ |
>               /application\/javascript/ &redef;
>
> # add analyzer to file_new event
> event file_new(f: fa_file)
>     {
>     if ( f?$mime_type &&
>         match_file_source in f$source &&
>         match_file_mime in f$mime_type )
>             Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
>        }
>
>
> Thanks,
>
>
> Shane
>
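The following is an added example (not Shane's script and not part of the Bro distribution) that puts the pieces drum is asking about into one site script for Bro 2.2: it loads the extraction framework, restricts extraction to jar files seen over the listed protocol analyzers, and names each extracted file from Bro's own file id. The file name extract-jars.bro, the site directory /opt/bro/share/bro/site/, the output directory /nsm/bro/extracted/ and the "application/java-archive" alternative MIME type are assumptions; the extract_filename argument, FileExtract::prefix and the ext_map pattern come from the 'Adding Analysis' example and base/files/extract/main.bro that Shane points to.

```bro
# extract-jars.bro  (added example; file name and install path are assumptions)
#
# Install: copy this file to $PREFIX/share/bro/site/ (e.g. /opt/bro/share/bro/site/),
# add the line "@load extract-jars" to local.bro in the same directory, then run
# "broctl check", "broctl install" and "broctl restart".

@load base/files/extract

module ExtractJars;

# Directory the extracted files are written to. It must exist and be writable
# by the user Bro runs as; the default in base/files/extract is "./extract_files/".
redef FileExtract::prefix = "/nsm/bro/extracted/";

export {
	# Only extract files carried by these protocol analyzers (f$source).
	const sources = /HTTP/ | /FTP_DATA/ &redef;

	# MIME types to extract, mapped to the extension used for the file on disk.
	# Bro reported the jar in this thread as "application/jar"; the registered
	# type for jar files is "application/java-archive", so match both.
	const mime_to_ext: table[string] of string = {
		["application/jar"] = "jar",
		["application/java-archive"] = "jar",
	} &redef;
}

event file_new(f: fa_file)
	{
	# mime_type is optional on fa_file; nothing to match without it.
	if ( ! f?$mime_type )
		return;

	if ( sources !in f$source || f$mime_type !in mime_to_ext )
		return;

	# Build the on-disk name from Bro's own file id, never from the file name
	# the HTTP/FTP peer supplied: a network-supplied name can contain "../" and
	# would be joined onto FileExtract::prefix as-is by the extract analyzer.
	local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}
```

After a restart, files.log should still show the jar with its mime_type, and the extracted column of the same row carries the name chosen above; the file itself appears under FileExtract::prefix. Adding further types is a matter of extending mime_to_ext (for example from local.bro with `redef ExtractJars::mime_to_ext += { ["application/x-dosexec"] = "exe" };`), and the sources pattern can be redefined the same way.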