[Bro] File Extraction Related Scripting Questions

[Seth Hall]

On Sep 18, 2014, at 1:12 PM, Jason Batchelor <jxbatchelor at gmail.com> wrote:

> FWIW - I managed to cobble together the following poc once I stumbled across 'exec' :)

Yep, that's probably the correct thing to do for now.

> The drawback is this required the use of 'when' which requires me to wait a little bit before I can utilize the returned result.

Since Bro needs to keep running in a non-blocking manner all the time, basically any solution you aim for will be using when since looking at the file system is almost intrinsically a blocking operation.

What I would recommend is that you have a scheduled event that regularly checks the size of the directory and modifies a global value to let you know if you're safe to extract or not.  That will combine the benefit of the asynchronous operation with the benefit of being able to check in an if statement if your extraction directory is overly full.

> It also seems that if I place an 'extract' analyzer inside the if statement when a file can be written, I get the error 'field value missing [dir_size$stdout]'. This probably relates to a timing issue on the part of the issued command I am guessing?

I'm not sure why you're seeing that problem, that seems weird.  However, I wouldn't expect that to work generally because once the when statement returns could be after quite a bit of the file has already transferred.

>  Also interested as well in the MIME type question with respect to Office documents.

Yeah, what would help a lot there is for someone to pull together files that they don't feel are being detected with accurate mime types and to provide those files or links to files on the internet that don't get detected accurately.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/