[Bro] postprocessing extracted files

Seth Hall seth at icir.org
Wed Apr 15 05:17:24 PDT 2015


> On Apr 15, 2015, at 3:45 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> 
> I want to use Bro to extract files. After extraction these files will undergo some post-processing (e.g. lookup in a db of known files). Can I be sure, that a file logged in files.log with its hash has been written to disk completely? 

You can handle the file_state_remove event.  At that point, everything about the file is complete and it’s being flushed from memory.

event file_state_remove(f: fa_file)
	{
	# Do what you need. By now the file's files.log record (f$info),
	# including any hash the hash analyzers computed, is final and the
	# extract analyzer has finished writing the file to disk.
	}

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
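A fuller version of the pattern Seth describes, added here as an example rather than code from the reply or from the Bro project: the script attaches the MD5 and EXTRACT analyzers to files carried over HTTP, and defers all post-processing to file_state_remove, where it checks that the file was actually extracted and hashed before looking the hash up. The known_files table is a constructed stand-in for the "db of known files" from the question, and the Known_File notice type and PostProcess module name are assumptions of this example.

```bro
# Added example: post-process extracted files only once Bro reports them complete.
@load base/files/hash
@load base/files/extract
@load base/frameworks/notice

module PostProcess;

export {
	redef enum Notice::Type += {
		## Raised when an extracted file's MD5 is in the known-file list.
		Known_File
	};

	## Constructed stand-in for a database of known files (md5 -> label).
	const known_files: table[string] of string = {
		["d41d8cd98f00b204e9800998ecf8427e"] = "empty file",
	} &redef;
}

# Attach the analyzers when the file is first seen.
event file_new(f: fa_file)
	{
	if ( f$source != "HTTP" )
		return;

	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fmt("%s-%s", f$source, f$id)]);
	}

# The file is complete and about to be flushed from memory; post-process here,
# not in file_hash or file_new, so the on-disk copy is guaranteed to be whole.
event file_state_remove(f: fa_file)
	{
	# Ignore files that were not extracted or for which no MD5 was produced.
	if ( ! f$info?$extracted || ! f$info?$md5 )
		return;

	# f$info$extracted holds the file name; the extract analyzer writes it
	# under FileExtract::prefix.
	local path = build_path_compressed(FileExtract::prefix, f$info$extracted);

	if ( f$info$md5 in known_files )
		NOTICE([$note=Known_File,
		        $msg=fmt("extracted file %s matches known file '%s'",
		                 path, known_files[f$info$md5]),
		        $f=f]);
	}
```

Because the check lives in file_state_remove, the hash in f$info$md5 and the file at path refer to the same, fully written object; doing the lookup in file_hash instead could race the extract analyzer on large files.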
