[Bro] An assist with file extraction
Hosom, Stephen M
hosom at battelle.org
Thu Apr 16 06:04:40 PDT 2015
For 2.3.2 (current release) you’ll want to use the event file_new.
Note that in 2.3.2 if you are extracting based on mime_type (most people do) you will want to verify that the field exists before you actually use it.
For master, which is what you are likely referring to… you’ll want the event file_mime_type.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Thursday, April 16, 2015 7:56 AM
To: Bro-IDS
Subject: [Bro] An assist with file extraction
Hey all,
The topic pretty much says it...I've done a fair amount of reading trying to determine the best way to extract file attachments in smtp traffic. Most of the information I've found is related to older versions of bro. Can someone point me to a current resource that will work with the current version of bro? Thank you.
James
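An added example, not from either poster, of the 2.3.2 approach Stephen describes: hook file_new, confirm the optional mime_type field is present before reading it, restrict to files carried over SMTP, and hand matching attachments to the extract analyzer. The MIME allow-list is constructed for illustration, and the "SMTP" source tag and a writable default FileExtract::prefix directory are assumptions; on master the same check would hang off file_mime_type instead.

```bro
# Example Bro 2.3.2 script (not from the original thread).
# Assumes extracted files may be written under the default FileExtract::prefix.
@load base/files/extract

module SmtpExtract;

export {
	## MIME types worth keeping for later analysis. Constructed list; extend via redef.
	const extract_types: set[string] = {
		"application/x-dosexec",
		"application/zip",
		"application/pdf",
	} &redef;
}

event file_new(f: fa_file)
	{
	# Only attachments seen by the SMTP analyzer (source tag assumed to be "SMTP").
	if ( f$source != "SMTP" )
		return;

	# In 2.3.2 mime_type is an &optional field. Reading f$mime_type while it is
	# unset raises a runtime error and aborts the handler, so test for it first.
	if ( ! f?$mime_type )
		return;

	if ( f$mime_type !in extract_types )
		return;

	# Name the on-disk copy after the file id so it is unique and can be
	# correlated with the fuid column in files.log.
	local fname = fmt("smtp-%s", f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}
```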