[Bro] bro question.

M K mkhan04 at gmail.com
Thu Sep 25 17:31:19 PDT 2014


You're probably looking for the file_state_remove event (
https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html#id-file_state_remove).
Afaik, that is the only reliable way to know that a file has fully
downloaded.


On Thu, Sep 25, 2014 at 7:36 PM, Ken Chiang <kchiang at sandia.gov> wrote:

> Hello all,
>
> I am setting up a service that uses bro to simply extract exe files from a
> network stream for sandbox analysis.  Currently, everything in my test
> environment is local.
>
> I have an apache web server that is serving up a few exe files.  On the
> same server, I have bro 2.3.1 running the attached file extraction script
> below.
>
> The problem is that the file extracted never exactly matches the downloaded
> file and the behavior is very inconsistent, i.e. sometimes the file would
> be extracted and most times, the file would not even show up in the
> files.log log.
>
> I suspect that I need to do something to check for file write completion
> but don't know how to go about doing it as there is not a file_done event.
> There is, however, a file_gap event that I read about.
>
> Has anyone successfully done this?
>
>
> I am using the loopback device on a linux server.
> sudo bro -i lo extract.bro
>
> wget http://localhost/test.exe
>
>
> ================extract.bro=======================================
>
> # Map sniffed MIME types to the extension used for the extracted file;
> # anything not listed maps to "" and is skipped below.
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
> } &default ="";
>
> event file_new(f: fa_file)
>     {
>     if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
>        return;
>
>     local ext = ext_map[f$mime_type];
>
>     # Written under FileExtract::prefix (./extract_files/ by default).
>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>     }
>
>
>
>
> =======================================
>
> Thanks,
>
> Ken
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
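The advice above, worked out as a complete Bro 2.3 script. This is an added editorial example, not code from either poster or from the Bro project: the module name ExtractExe, the log stream and its columns, and the wanted_types set are my own choices. It extracts PE files in file_new, as the original script does, but decides only in file_state_remove whether the copy on disk is whole, using the fa_file counters Bro already keeps (missing_bytes for gaps, seen_bytes against total_bytes when the protocol announced a size, and the timedout flag), and unlinks truncated files so a sandbox poller never picks one up. A SHA256 analyzer rides on the same stream so each completed file is logged with its digest. One practitioner caveat that the thread does not mention: when capturing on a Linux loopback interface, TCP checksum offloading commonly produces packets that Bro rejects as bad-checksum, which shows up exactly as files missing from files.log or arriving with gaps; running `bro -C -i lo extract.bro` disables checksum verification for that test setup.

```bro
##! Extract PE files and log which extracted copies are complete.
##! Added example for Bro 2.3; not part of the original post.

@load base/files/extract
@load base/files/hash

module ExtractExe;

export {
    redef enum Log::ID += { LOG };

    ## One record per extracted file, written once Bro is done with it.
    type Info: record {
        ts:            time   &log;
        fuid:          string &log;
        ## Path of the extracted copy; empty if it was removed as incomplete.
        path:          string &log;
        seen_bytes:    count  &log;
        total_bytes:   count  &log &optional;
        missing_bytes: count  &log;
        timedout:      bool   &log;
        complete:      bool   &log;
        sha256:        string &log &optional;
    };

    ## Sniffed MIME types worth extracting (assumed set, extend via redef).
    const wanted_types: set[string] = { "application/x-dosexec" } &redef;
}

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info]);
    }

event file_new(f: fa_file)
    {
    if ( ! f?$mime_type || f$mime_type !in wanted_types )
        return;

    # The extractor writes bytes as they arrive under FileExtract::prefix
    # (./extract_files/ by default), so a partial file exists on disk
    # until the transfer finishes or times out.
    local fname = fmt("%s-%s.exe", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);

    # Hash the same stream so the sandbox job can be keyed by digest.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

# Generated when Bro removes its state for the file: only here can we tell
# whether the extracted copy is whole.  The file_hash event (which fills in
# f$info$sha256) has already fired by this point.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # Complete means: no gaps, not timed out, and, when the size is known
    # (e.g. from an HTTP Content-Length header), every byte was seen.
    local complete = f$missing_bytes == 0 && ! f$info$timedout &&
                     ( ! f?$total_bytes || f$seen_bytes == f$total_bytes );

    local rec: Info = [$ts=network_time(), $fuid=f$id,
                       $path=FileExtract::prefix + f$info$extracted,
                       $seen_bytes=f$seen_bytes,
                       $missing_bytes=f$missing_bytes,
                       $timedout=f$info$timedout,
                       $complete=complete];
    if ( f?$total_bytes )
        rec$total_bytes = f$total_bytes;
    if ( f$info?$sha256 )
        rec$sha256 = f$info$sha256;

    if ( ! complete )
        {
        # Don't leave a truncated PE where the sandbox poller will find it.
        unlink(rec$path);
        rec$path = "";
        }

    Log::write(LOG, rec);
    }
```

Run it the same way as the original (`sudo bro -C -i lo extract.bro`) and feed the sandbox from the rows of the resulting log whose complete column is T. Files fetched over protocols that do not announce a length (a chunked HTTP response, for instance) carry no total_bytes, so for them completeness rests on missing_bytes and the timeout flag alone; if that is not strict enough for your use, a file_gap handler can mark the file as tainted the moment a gap is seen rather than waiting for file_state_remove.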