[Bro] Converting file transfer signature hits into file analyzer events

[McMahon, Kevin J]

I've created a signature for capturing file transfers on odd ports (e.g., via netcat) using the magic number of particular file types that I'm interested in.  I haven't figured out how to turn this into an event that I can then use to automatically capture the file in a script.  Has anyone done something similar?  I have had lots of success with basic file-extract in http/ftp/smtp/irc but the non-standard transfers are eluding me.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140305/0c19ec3a/attachment.html