[Bro] Bro Scripting Question
Jason Batchelor
jxbatchelor at gmail.com
Wed Jul 2 08:35:30 PDT 2014
Hello all:
I am interested in learning Bro scripting, and I am attempting to write a
simple first script that extracts EXE files and puts the MD5 hash of
the file in the filename written to disk.
I am aware of, and have studied the example and documentation here:
http://www.bro.org/bro-exchange-2013/exercises/faf.html
http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info
From that I came up with the following...
---------------------
@load base/frameworks/files
@load frameworks/files/hash-all-files

export {
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe"
    } &redef;
}

event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    local ext = "";
    if ( f?$mime_type )
        ext = ext_map[f$mime_type];

    if ( kind == "md5" && ext != "" )
        {
        local fname = fmt("%s-%s-%s", f$source, hash, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                            [$extract_filename=fname]);
        }
    }
-----------------------
The file extraction event shows up in the files.log along with the
appropriate filename, and the extract_files directory is created under the
appropriate worker. Unfortunately, no file is ever written to disk.
Oddly (to me at least), when I use the example script (from the above
link) I am able to retrieve files. However, my goal was to have the hash in
the filename written to disk (replacing the id).
I tried the following derivative, with no luck either (more in line with the
example). With this one I don't have any evidence in files.log that
extractions are taking place.
-------------------------
@load base/frameworks/files
@load frameworks/files/hash-all-files

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
} &default = "";

event file_new(f: fa_file)
    {
    if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
        return;

    local ext = ext_map[f$mime_type];
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    local fname = fmt("%s-%s-%s", f$source, f$info$md5, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    f$info$md5 = hash;
    }
-------------------------------
Curious if anyone has any tips or pointers. This is likely something simple
I am missing, or a lack of understanding on my part.
Thanks,
Jason
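One way to get the MD5 into the extracted filename, as an added example rather than code from the post above: the digest only exists once the whole file has been seen, so the extract analyzer is attached in file_new under a temporary name and the finished file is renamed in file_state_remove. Assumes Bro 2.3 behaviour (f$mime_type already set in file_new, as in the linked exercise), the rename() built-in, and the FileExtract::prefix and build_path_compressed() names used by base/files/extract.

```bro
@load base/frameworks/files
@load base/files/extract
@load base/files/hash

# Constructed example map: MIME types to keep, with the extension to use
# on disk.  Files of any other type are never extracted.
const ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default = "";

event file_new(f: fa_file)
    {
    # Assumes the MIME type is already known here (Bro 2.3 behaviour).
    if ( ! f?$mime_type || f$mime_type !in ext_map )
        return;

    Files::add_analyzer(f, Files::ANALYZER_MD5);

    # Extraction has to be attached while data is still arriving.  The hash
    # is not known yet, so write under a temporary, unique name first.
    local tmp_name = fmt("%s-%s.part", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=tmp_name]);
    }

event file_state_remove(f: fa_file)
    {
    # file_hash has already run, so Files::Info carries the digest, and the
    # extracted file is complete.  Rename it to the hash-based name.
    if ( ! f$info?$extracted || ! f$info?$md5 || ! f?$mime_type )
        return;

    local final_name = fmt("%s-%s.%s", f$source, f$info$md5,
                           ext_map[f$mime_type]);
    # FileExtract::prefix is the directory the extract analyzer writes into.
    local src = build_path_compressed(FileExtract::prefix, f$info$extracted);
    local dst = build_path_compressed(FileExtract::prefix, final_name);

    if ( rename(src, dst) )
        f$info$extracted = final_name;   # files.log then shows the real name
    else
        Reporter::warning(fmt("could not rename extracted file %s", src));
    }
```

This also explains the behaviour of the first script in the post: ANALYZER_MD5 only raises file_hash after the last byte of the file, so an extract analyzer added in that handler is logged but has no data left to write.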