[Bro] File extraction filters

Siwek, Jon jsiwek at illinois.edu
Tue Jul 29 07:48:34 PDT 2014


On Jul 28, 2014, at 4:56 PM, Mike Kolkebeck <mkolkebeck at gmail.com> wrote:

> I have two questions on the file extraction framework:
> 
> 1) If I only want to capture files from a specific worker or ip ranges, what is the best/simplest way to ensure that this happens?
> -I've tried using f$info$tx_hosts with event file_new, but this seems inconsistently populated, and using f$conns with event file_new seems consistent, but I don't know if it's the best/simplest way.

In either case, I’d probably try using “file_over_new_connection” instead of “file_new” — it might end up not mattering for your use, but the fields you’re inspecting are more closely associated with the former event.  A given file can technically be transferred over many different connections, depending on the protocol involved, so using “file_new” may not always give the full story since that’s only ever raised once for a given file.

Using f$info${tx,rx}_hosts may be better if transfer direction is important, otherwise f$conns should be fine.

> 2) If missing_bytes > 0, what is the best/simplest way to remove the file (and possibly clear it from logging a successful extract in the files.log file)?
> -I've tested using event file_state_remove, and I can use system to rm the file, but again I'm not sure this is the best/simplest way, and the files.log continues to show this as extracted.

There’s the “file_gap” event that you might want to handle, call “Files::remove_analyzer”, then use a system call to rm the file, and finally “delete f$info$extracted;” to unset the field and prevent it from being logged in files.log.

- Jon
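The two answers above put together as one Bro script. This is an added example, not code from the thread or from the Bro project: it restricts extraction to connections touching a set of subnets (the `extract_nets` values are constructed samples) using `file_over_new_connection`, and on `file_gap` it calls `Files::remove_analyzer`, deletes the partial file with `system`, and unsets `f$info$extracted`. It assumes the Bro 2.3-era API and that the extract analyzer's add callback rewrites `extract_filename` in the `AnalyzerArgs` record to the on-disk path, which is why the record is kept per file id.

```bro
# Added example (not from the original thread): extract only files seen on
# selected networks, and discard extractions that turn out to have gaps.
@load base/files/extract

module ExtractFiltered;

export {
	## Only extract files carried by connections touching these networks.
	## Constructed sample ranges; redef to the monitored address space.
	const extract_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;
}

## AnalyzerArgs handed to the extract analyzer, keyed by file id, so the
## same record can be passed back to Files::remove_analyzer later.
global extract_args: table[string] of Files::AnalyzerArgs;

function in_scope(c: connection): bool
	{
	return c$id$orig_h in extract_nets || c$id$resp_h in extract_nets;
	}

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	# Raised once per connection carrying this file, so attach the
	# extractor at most once and only when the connection is in scope.
	if ( f$id in extract_args || ! in_scope(c) )
		return;

	local args = Files::AnalyzerArgs($extract_filename=fmt("%s-%s", f$source, f$id));
	if ( Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args) )
		extract_args[f$id] = args;
	}

event file_gap(f: fa_file, offset: count, len: count)
	{
	# Missing bytes mean the extracted content is incomplete: stop the
	# extractor, remove the partial file, and unset f$info$extracted so
	# files.log does not record a successful extraction.
	if ( f$id !in extract_args )
		return;

	local args = extract_args[f$id];
	Files::remove_analyzer(f, Files::ANALYZER_EXTRACT, args);

	# Assumption: the FileExtract add callback replaced args$extract_filename
	# with the full path under FileExtract::prefix, so it can be removed here.
	system(fmt("rm -f %s", str_shell_escape(args$extract_filename)));

	if ( f$info?$extracted )
		delete f$info$extracted;

	delete extract_args[f$id];
	}

event file_state_remove(f: fa_file)
	{
	# Drop bookkeeping for files that completed without a gap.
	delete extract_args[f$id];
	}
```

Note that the record is registered only when `Files::add_analyzer` reports success, and `file_gap` is ignored for files this script never started extracting, so other extraction policies on the same sensor are left alone.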
