[Bro] Bro Scripting Question

Jason Batchelor jxbatchelor at gmail.com
Wed Jul 2 10:59:35 PDT 2014


Thanks Seth that helps. I thought of that as a possibility but I didn't
understand enough about what exactly happens during a file extract trigger
to settle on that conclusion (is the file stream tagged, spooled in memory,
hashed, then written, or something else... etc).

With those guidelines whipping something up that does this should not be too
terrible an exercise.

One additional question however, if someone is interested in writing a new
analyzer, what would be a good place to start?

For example, what if someone wanted to write an analyzer that examined the
MZ header of an executable for certain characteristics? What would be a
good starting point for them? I've started reviewing the following...

http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::AnalyzerArgs

As well as different modules like /files/extract/main.bro, but didn't know
if you knew of a better place to begin for an ambitious novice :)

Also Kevin, thanks for your reply. I think you are correct, and combining
your input with Seth's, it is clear to me why the example was working and
why I was getting halfway then zero results with my earlier attempts.

Thanks,
Jason



On Wed, Jul 2, 2014 at 12:01 PM, Seth Hall <seth at icir.org> wrote:

>
> On Jul 2, 2014, at 11:35 AM, Jason Batchelor <jxbatchelor at gmail.com>
> wrote:
>
> > Hello all:
> >
> > I am interested in learning Bro scripting, and I am attempting to write
> a simple first script that simply extracts EXE files and has the MD5 hash
> of the file as part of the filename written to disk.
>
> You have a chicken and egg problem. :)
>
> You have to begin extracting the file as soon as the file starts to be
> transferred but you don't have the hash of the file until the file is done
> being transferred. I did some work quite a while back that would give you
> the ability to do what you want but it did it by spooling the file into a
> temporary file name and then moving the file into the correct name once the
> file is complete and all needed information is available.  That's what
> you'll have to do.
>
> I'll let you spend some time implementing that if you're interested, but
> if you're having any trouble getting to a workable solution, reach out
> again and I can give you some more hints. ;)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
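As an added illustration of the spool-then-rename approach Seth describes above (this is not code from the thread and not part of Bro itself), here is a script that starts extracting each executable under a temporary name the moment the file appears, hashes the same stream in parallel, and renames the spooled file to its MD5 once analysis is complete. It assumes the Bro 2.3 file framework as it stood in mid-2014: `f$mime_type` on `fa_file` (later releases moved MIME detection to the `file_sniff` event), `FileExtract::prefix` from `base/files/extract`, the `Files::Info$missing_bytes` counter, and the `rename()` built-in. The module name `ExtractExeByHash`, the constant `exe_mime` and the helper `tmp_name` are names chosen for this example.

```bro
# Added example (not from the thread or from Bro): spool each EXE under a
# temporary name while it is in flight, then rename it to its MD5 once the
# file is complete. Assumes the Bro 2.3 file framework (f$mime_type on
# fa_file; later releases use the file_sniff event instead).
@load base/files/extract
@load base/files/hash

module ExtractExeByHash;

export {
	## MIME type Bro's signatures assign to MZ/PE executables.
	const exe_mime = "application/x-dosexec" &redef;
}

# Deterministic temporary name, so file_state_remove can find the spooled
# file again without storing extra state on the fa_file record.
function tmp_name(f: fa_file): string
	{
	return fmt("tmp-%s-%s", f$source, f$id);
	}

event file_new(f: fa_file)
	{
	# Only executables; f$mime_type is set once enough bytes have been seen.
	if ( ! f?$mime_type || f$mime_type != exe_mime )
		return;

	# Start extracting right away (the hash is not known yet) ...
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=tmp_name(f)]);
	# ... and hash the same stream in parallel.
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	}

# file_state_remove fires after every analyzer (including MD5) has finished,
# so f$info$md5 is populated here whenever the hash analyzer was attached.
event file_state_remove(f: fa_file)
	{
	if ( ! f?$info || ! f$info?$md5 || ! f?$mime_type || f$mime_type != exe_mime )
		return;

	# A file seen with gaps hashes to something that does not identify the
	# real executable; leave it under its temporary name for inspection.
	if ( f$info$missing_bytes > 0 )
		return;

	local src = cat(FileExtract::prefix, tmp_name(f));
	local dst = cat(FileExtract::prefix, f$info$md5, ".exe");

	# rename() returns F when the move fails (e.g. permissions); two
	# extractions of identical content simply overwrite each other, which is
	# harmless because the content is the same.
	if ( ! rename(src, dst) )
		Reporter::warning(fmt("could not rename %s to %s", src, dst));
	}
```

The script can be loaded with `bro -r capture.pcap extract-exe-by-hash.bro` (filename of your choosing); spooled files appear under `FileExtract::prefix` (`./extract_files/` by default) and are renamed to `<md5>.exe` once the transfer has been fully seen. Files that time out or arrive with missing bytes keep their `tmp-` name, which is the practical signal that the hash in `files.log` should not be trusted to identify that sample.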