[Bro] File extraction filters

Mike Kolkebeck mkolkebeck at gmail.com
Mon Jul 28 14:56:19 PDT 2014


I have two questions on the file extraction framework:

1) If I only want to capture files from a specific worker or IP ranges, what is the best/simplest way to ensure that this happens?
-I've tried using f$info$tx_hosts with event file_new, but this seems inconsistently populated, and using f$conns with event file_new seems consistent, but I don't know if it's the best/simplest way.

2) If missing_bytes > 0, what is the best/simplest way to remove the file (and possibly clear it from logging a successful extract in the files.log file)?
-I've tested using event file_state_remove, and I can use system to rm the file, but again I'm not sure this is the best/simplest way, and the files.log continues to show this as extracted.
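One way to put both questions together in a single script, as an added example that is not part of the original post or of the Bro distribution: filter extraction on `f$conns` in `file_new` (the approach the post found consistent) and, in `file_state_remove`, unlink the extracted file and clear the `extracted` field before files.log is written. The `ExtractFilter` module, the `extract_nets` ranges and the `drop_incomplete` switch are constructed here; the `unlink` and `build_path_compressed` BIFs, the `FileExtract::prefix` constant, and the assumption that the Files framework writes its log at `&priority=-10` are from the Bro 2.3 scripts and should be checked against the version in use.

```bro
##! Added example (not from the original post): extract files only for
##! connections touching configured networks, and drop incomplete extractions.
##! Written against the Bro 2.3 file framework; `extract_nets`, the module
##! name and the priority ordering relative to Files::LOG are assumptions.

@load base/frameworks/files
@load base/files/extract

module ExtractFilter;

export {
	## Networks whose files we want on disk (constructed example ranges).
	const extract_nets: set[subnet] = { 10.10.0.0/16, 192.168.50.0/24 } &redef;

	## Remove extractions that finished with missing bytes?
	const drop_incomplete = T &redef;
}

## T when any connection carrying this file involves a monitored network.
## f$conns is already populated when file_new is raised, so it is used here
## instead of f$info$tx_hosts.
function wanted(f: fa_file): bool
	{
	for ( cid in f$conns )
		{
		if ( cid$orig_h in extract_nets || cid$resp_h in extract_nets )
			return T;
		}
	return F;
	}

event file_new(f: fa_file)
	{
	if ( ! wanted(f) )
		return;

	# Name the on-disk file after the source and file id so it can be tied
	# back to the files.log entry.
	local fname = fmt("extract-%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}

## Runs before the Files framework writes files.log (assumed to happen at
## &priority=-10), so clearing the field here keeps the partial file out of
## the "extracted" column.
event file_state_remove(f: fa_file) &priority=-5
	{
	if ( ! drop_incomplete || ! f?$info || ! f$info?$extracted )
		return;

	if ( f$missing_bytes == 0 )
		return;

	# The extract analyzer stored the file under FileExtract::prefix.
	local path = build_path_compressed(FileExtract::prefix, f$info$extracted);
	if ( ! unlink(path) )
		Reporter::warning(fmt("could not remove incomplete extraction %s", path));

	# Drop the field so files.log does not claim a successful extraction.
	delete f$info$extracted;
	}
```

Load it with `@load` from local.bro (or `bro -i <iface> extract-filter.bro` for a single-worker test) and confirm on a flow with a deliberate gap that the file is gone from the extraction directory and the files.log row has an empty `extracted` column. If the log row still shows the filename, the `file_state_remove` handler in base/frameworks/files/main.bro runs at a different priority in that release and the `&priority` here needs to be raised above it.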
