[Bro] Bro Scripting Question

Jason Batchelor jxbatchelor at gmail.com
Wed Jul 2 08:35:30 PDT 2014


Hello all:

I am interested in learning Bro scripting, and I am attempting to write a
simple first script that extracts EXE files and uses the MD5 hash of the
file as part of the filename written to disk.

I am aware of, and have studied the example and documentation here:

http://www.bro.org/bro-exchange-2013/exercises/faf.html
http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info

From that I came up with the following...
---------------------
@load base/frameworks/files
@load frameworks/files/hash-all-files

export {
        # MIME type -> extension used in the extracted filename.
        const ext_map: table[string] of string = {
                ["application/x-dosexec"] = "exe"
        } &redef;
}

event file_new(f: fa_file)
{
        Files::add_analyzer(f, Files::ANALYZER_MD5);
}

# file_hash is raised once the whole file has been processed, so the
# extract analyzer is attached here only after all of the file's data
# has already passed through the framework.
event file_hash(f: fa_file, kind: string, hash: string)
{
        local ext = "";
        # Guard the lookup: indexing a table with a missing key is a
        # runtime error that aborts the handler.
        if ( f?$mime_type && f$mime_type in ext_map )
                ext = ext_map[f$mime_type];
        if ( kind == "md5" && ext != "" )
        {
                # Braces are required: without them only the "local"
                # line is conditional and add_analyzer runs for every hash.
                local fname = fmt("%s-%s-%s", f$source, hash, ext);
                Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
        }
}
-----------------------

The file extraction event shows up in the files.log along with the
appropriate filename, and the extract_files directory is created under the
appropriate worker. Unfortunately, no file is ever written to disk.

Oddly (to me at least), when I use the example script (from the above
link) I am able to retrieve files. However, my goal was to have the hash in
the filename written to disk (replacing the id).

I tried the following derivative, with no luck either (more in line with the
example). With this one I don't have any evidence in files.log that
extractions are taking place.

-------------------------
@load base/frameworks/files
@load frameworks/files/hash-all-files

# MIME type -> extension; &default returns "" for unknown types instead
# of raising a runtime error on lookup.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
} &default="";

event file_new(f: fa_file)
{
        if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
                return;
        local ext = ext_map[f$mime_type];
        Files::add_analyzer(f, Files::ANALYZER_MD5);
        # f$info$md5 is an &optional field that is only filled in by the
        # file_hash handler below, i.e. after the whole file has been seen;
        # it is not yet set when file_new fires.
        local fname = fmt("%s-%s-%s", f$source, f$info$md5, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                [$extract_filename=fname]);
}

event file_hash(f: fa_file, kind: string, hash: string)
{
        # hash-all-files also attaches SHA1; only store the MD5 here.
        if ( kind == "md5" )
                f$info$md5 = hash;
}
-------------------------------

Curious if anyone has any tips or pointers. This is likely something simple
I am missing, or a lack of understanding on my part.

Thanks,
Jason
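A version that does what the post is after, added here as an example; it is not code from the post or from the Bro project. It is written for Bro 2.2/2.3 semantics: f$mime_type is already set when file_new fires, file_hash fires only once the whole file has been processed (so an extract analyzer added there captures nothing), and file_state_remove fires after both the hash and extract analyzers have finished but before the files.log entry is written. The approach is to attach the extract analyzer in file_new under a temporary name derived from the file id, then in file_state_remove, once base/files/hash has stored the MD5 in f$info$md5 and base/files/extract has recorded the temporary name in f$info$extracted, rename the file on disk to source-md5.ext. Assumed to be available in the reader's Bro version: the rename(), unlink() and file_size() built-in functions, the build_path_compressed() helper from base/utils/paths, and FileExtract::prefix as the extraction directory.

```bro
##! Added example, not from the original post: extract Windows executables
##! and name the extracted file after its MD5.

@load base/frameworks/files
@load base/files/extract
@load base/files/hash

module ExtractByHash;

export {
	## MIME types worth extracting, mapped to the extension written to disk.
	## The MIME type is only ever used as a table key, so no network-supplied
	## string reaches the filesystem path.
	const ext_map: table[string] of string = {
		["application/x-dosexec"] = "exe",
	} &redef;
}

event file_new(f: fa_file)
	{
	if ( ! f?$mime_type || f$mime_type !in ext_map )
		return;

	# The hash is unknown until the whole file has been seen, so both
	# analyzers must be attached now: data delivered before add_analyzer
	# is never handed to the extract analyzer.
	Files::add_analyzer(f, Files::ANALYZER_MD5);

	# Temporary name; the file id is the only unique handle available here.
	local tmp = fmt("%s-%s.%s.partial", f$source, f$id, ext_map[f$mime_type]);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=tmp]);
	}

event file_state_remove(f: fa_file)
	{
	# At this point base/files/hash has set f$info$md5 and base/files/extract
	# has set f$info$extracted to the (prefix-relative) temporary name.
	if ( ! f$info?$md5 || ! f$info?$extracted )
		return;

	if ( ! f?$mime_type || f$mime_type !in ext_map )
		return;

	local new_name = fmt("%s-%s.%s", f$source, f$info$md5, ext_map[f$mime_type]);
	# Assumed helpers: build_path_compressed() joins prefix and name,
	# file_size() returns a negative value when the path does not exist.
	local src = build_path_compressed(FileExtract::prefix, f$info$extracted);
	local dst = build_path_compressed(FileExtract::prefix, new_name);

	# Same content already on disk: drop the duplicate instead of overwriting.
	if ( file_size(dst) >= 0.0 )
		{
		unlink(src);
		f$info$extracted = new_name;
		return;
		}

	# Assumed BIF: rename() returns T on success.
	if ( rename(src, dst) )
		# Update the record so files.log (written at priority -10) carries
		# the final name rather than the temporary one.
		f$info$extracted = new_name;
	else
		Reporter::warning(fmt("could not rename %s to %s", src, dst));
	}
```

Two caveats worth keeping in mind. MD5 is not collision resistant, so two different executables can share a name and the de-duplication branch would silently keep only the first; if that matters, attach Files::ANALYZER_SHA256 and use f$info$sha256 instead. And a file cut short by a reset connection still reaches file_state_remove with an MD5 of the partial content, so anything keyed on these names should also check f$missing_bytes before trusting the hash.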