[Bro] File Extraction Related Scripting Questions

Jason Batchelor jxbatchelor at gmail.com
Thu Sep 18 10:12:01 PDT 2014


FWIW - I managed to cobble together the following poc once I stumbled
across 'exec' :)

   @load base/utils/exec

   # Threshold in bytes; not declared in the original snippet, value assumed.
   const dir_size_limit: int = 1073741824;

   # 'du -s' summarises, so stdout holds exactly one line even with subdirectories.
   when ( local dir_size = Exec::run([$cmd=fmt("du -sb %s | cut -f1",
                                               FileExtract::prefix)]) )
   {
      # stdout is &optional; guard it before indexing to avoid 'field value missing'.
      if ( dir_size?$stdout && |dir_size$stdout| > 0 &&
           to_int(dir_size$stdout[0]) < dir_size_limit )
         print "file can be written";
      else
         print "file cannot be written";
   }

Interested if this is the 'best' way or not. The drawback is this required
the use of 'when' which requires me to wait a little bit before I can
utilize the returned result. It also seems that if I place an 'extract'
analyzer inside the if statement when a file can be written, I get
the error 'field value missing [dir_size$stdout]'. This probably relates to
a timing issue on the part of the issued command I am guessing? Back to the
drawing board I suppose but that is as far as I've gotten so far :)


Also interested as well in the MIME type question with respect to Office
documents.

Thanks!
Jason

On Thu, Sep 18, 2014 at 11:00 AM, Jason Batchelor <jxbatchelor at gmail.com>
wrote:

> Hello:
>
> I would like for a quick way to simply get the directory size of the
> extract_files directory. If it meets a certain threshold I don't want to
> extract the file. I tried looking for a builtin function that did this but
> could not locate one. I then attempted to do the following system command:
>
> local somevar = system(fmt("du -b %s | cut -f1", FileExtract::prefix))
>
> However, I am unable to capture the output (since it goes directly to
> stdout). Does anyone have any advice on how to tackle this?
>
> Additionally, I was wondering if Bro is able to identify MIME types of
> modern Office documents down to the type of application they support
> (Excel, Powerpoint, etc)... From my testing, it seems that the only thing
> one gets is 'application/zip' for the MIME type for a modern office
> document, this is technically correct, but I was hoping for a way to zone
> in on this a little more by being able to specify
> 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
> (if I wanted pptx files). Does Bro MIME detection support this in any way?
>
> Many thanks,
> Jason
>
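An added example, not code from the thread: a Bro script that keeps a cached measurement of the extraction directory, refreshed on a timer through Exec::run, and consults that cached value synchronously in file_new before attaching the extract analyzer, so the asynchronous 'when' result never races the file's lifetime. The module name, the 10-second refresh interval and the byte threshold are assumptions.

```bro
@load base/files/extract
@load base/utils/exec

module ExtractGuard;

export {
    ## Assumed threshold: stop extracting once the extraction
    ## directory holds at least this many bytes.
    const dir_size_limit: int = 1073741824 &redef;
}

# Last measured size of FileExtract::prefix in bytes (0 until first refresh).
global cur_dir_size: int = 0;

global refresh_dir_size: event();

# Measure the directory asynchronously and cache the result; the
# file events below read the cache instead of waiting on Exec::run.
event refresh_dir_size()
{
    when ( local r = Exec::run([$cmd=fmt("du -sb %s | cut -f1",
                                         FileExtract::prefix)]) )
    {
        # stdout is &optional: check it before indexing.
        if ( r?$stdout && |r$stdout| > 0 )
            cur_dir_size = to_int(r$stdout[0]);
    }
    schedule 10sec { refresh_dir_size() };
}

event bro_init()
{
    event refresh_dir_size();
}

event file_new(f: fa_file)
{
    # Synchronous decision based on the cached measurement.
    if ( cur_dir_size >= dir_size_limit )
    {
        Reporter::warning(fmt("extraction dir >= %d bytes, skipping %s",
                              dir_size_limit, f$id));
        return;
    }
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
}
```

Because the size is sampled every 10 seconds, extraction can overshoot the threshold by whatever arrives within one interval; shorten the interval if that margin matters.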