[Bro] Bro Scripting Question

Seth Hall seth at icir.org
Wed Jul 2 10:01:33 PDT 2014


On Jul 2, 2014, at 11:35 AM, Jason Batchelor <jxbatchelor at gmail.com> wrote:

> Hello all: 
> 
> I am interested in learning Bro scripting, and I am attempting to write a simple first script that simply extracts EXE files and have the MD5 hash of the file as part of the filename written to disk.

You have a chicken and egg problem. :)

You have to begin extracting the file as soon as the file starts to be transferred, but you don't have the hash of the file until the file is done being transferred. I did some work quite a while back that would give you the ability to do what you want, but it did it by spooling the file into a temporary file name and then moving the file into the correct name once the file is complete and all needed information is available. That's what you'll have to do.

I'll let you spend some time implementing that if you're interested, but if you're having any trouble getting to a workable solution, reach out again and I can give you some more hints. ;)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
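
The spool-then-rename approach described in the reply above, sketched as an added example (it is not part of the original message and is not Seth Hall's script). It assumes a Bro/Zeek release that provides the `file_sniff` event and the stock `base/files/extract` and `base/files/hash` scripts; the `tmp-` naming scheme and the `exe_mime` constant are made up for illustration.

```zeek
@load base/files/extract
@load base/files/hash

# MIME type the file signatures report for Windows PE executables.
const exe_mime = "application/x-dosexec";

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type || meta$mime_type != exe_mime )
		return;

	# The hash is not known yet, so spool under a temporary name built
	# from the file's unique ID (the "tmp-" prefix is a hypothetical choice).
	local tmp = fmt("tmp-%s.exe", f$id);
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=tmp]);
	}

event file_state_remove(f: fa_file)
	{
	# Only act on files this script started extracting.
	if ( ! f$info?$extracted || f$info$extracted != fmt("tmp-%s.exe", f$id) )
		return;

	# The extract analyzer writes below FileExtract::prefix.
	local src = FileExtract::prefix + f$info$extracted;

	# No MD5 means the hash analyzer never produced a result (the transfer
	# did not complete cleanly); leave the spool file under its temporary name.
	if ( ! f$info?$md5 )
		return;

	# Identical files map to the same destination, so repeats overwrite
	# one another instead of piling up.
	local dst = fmt("%s%s.exe", FileExtract::prefix, f$info$md5);
	if ( ! rename(src, dst) )
		Reporter::warning(fmt("could not rename %s to %s", src, dst));
	}
```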
