[Bro] Extract files based on magic number using Bro 2.2

Marius Portaas Haugen mariusph at ifi.uio.no
Fri Jan 24 04:44:17 PST 2014


Hi all!

I'm just wondering: is it possible to extract files based solely on their magic number using Bro 2.2?
In Bro 2.1, it was possible to extract files just by comparing the magic number with the first X bytes. I used the script provided here, with great success:
http://scrapbook.zscaler.com/2012/05/bro-script-to-extract-artifacts-from.html

However, in Bro 2.2, things seem to have changed. Most examples and docs now only seem to use the MIME type to determine whether a file will be extracted or not, e.g. here:
http://www.bro.org/sphinx-git/frameworks/file-analysis.html

I also see that there has been included some sort of "magic number database" (/bro/share/bro/magic/), but I find little documentation on what its role is with regard to file extraction, as well as the formatting that is being used.

Have I missed something essential here?
If anyone could help me better understand how file extraction works now in Bro 2.2, it is most appreciated! :)

Best regards,
Marius P. Haugen.
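An added example (not code from the original post or the Bro project) of a Bro 2.2 script that extracts a file either by its MIME type, as the 2.2 docs do, or by comparing the beginning-of-file buffer against a magic number, as the 2.1-style script did; the fa_file fields mime_type and bof_buffer, the module name and the magic values are assumptions.

```bro
# Added example, not from the original post or the Bro project. Assumes the
# Bro 2.2 fa_file fields mime_type and bof_buffer (both &optional).
@load base/frameworks/files

module MagicExtract;

export {
    ## MIME types to extract, the way the 2.2 docs select files.
    const mime_types: set[string] = {
        "application/x-dosexec",
        "application/pdf"
    } &redef;

    ## Magic prefixes to extract (the 2.1-style check), keyed by a label.
    const magic_prefixes: table[string] of string = {
        ["exe"] = "MZ",
        ["pdf"] = "%PDF-",
        ["elf"] = "\x7fELF"
    } &redef;
}

# Return the label whose magic bytes prefix buf, or "" if none match.
function matches_magic(buf: string): string
    {
    for ( label in magic_prefixes )
        {
        local magic = magic_prefixes[label];
        if ( |buf| >= |magic| && sub_bytes(buf, 1, |magic|) == magic )
            return label;
        }
    return "";
    }

event file_new(f: fa_file)
    {
    local label = "";

    # Path 1: MIME type derived from Bro's magic database.
    if ( f?$mime_type && f$mime_type in mime_types )
        label = "mime";
    # Path 2: compare the beginning-of-file buffer against raw magic bytes.
    else if ( f?$bof_buffer )
        label = matches_magic(f$bof_buffer);

    if ( label == "" )
        return;

    local fname = fmt("%s-%s-%s.bin", label, f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Extracted files land in Bro's default extract_files/ directory; the label in the file name records which of the two checks triggered the extraction.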


