[Bro] An assist with file extraction
James Lay
jlay at slave-tothe-box.net
Fri Apr 17 10:26:52 PDT 2015
On 2015-04-16 07:04 AM, Hosom, Stephen M wrote:
> For 2.3.2 (current release) you'll want to use the event file_new.
>
> Note that in 2.3.2 if you are extracting based on mime_type (most people do) you will want to verify that the field exists before you actually use it.
>
> For master, which is what you are likely referring to… you'll want the event file_mime_type.
>
> FROM: bro-bounces at bro.org [mailto:bro-bounces at bro.org] ON BEHALF OF James Lay
> SENT: Thursday, April 16, 2015 7:56 AM
> TO: Bro-IDS
> SUBJECT: [Bro] An assist with file extraction
>
> Hey all,
>
> The topic pretty much says it...I've done a fair amount of reading trying to determine the best way to extract file attachments in smtp traffic. Most of the information I've found is related to older versions of bro. Can someone point me to a current resource that will work with the current version of bro? Thank you.
>
> James
Thank you Stephen...I really appreciate the advice.
James
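
The approach described in the quoted reply for Bro 2.3.2, as an added example that is not part of the original thread: a file_new handler that checks that mime_type is set before using it and attaches the extraction analyzer to SMTP attachments. The table name smtp_extract_types, the MIME types listed and the output file naming are assumptions chosen for illustration.

```bro
# Added example for Bro 2.3.2; not code from the thread.
# Extracts selected attachment types seen in SMTP traffic.

# Assumption: MIME types of interest, mapped to the extension used
# when naming the extracted file. Adjust with redef as needed.
const smtp_extract_types: table[string] of string = {
    ["application/pdf"] = "pdf",
    ["application/zip"] = "zip",
    ["application/msword"] = "doc",
    ["application/x-dosexec"] = "exe"
} &redef;

event file_new(f: fa_file)
    {
    # Only handle files carried over SMTP.
    if ( f$source != "SMTP" )
        return;

    # In 2.3.2 mime_type is an optional field and may be unset;
    # verify that it exists before reading it.
    if ( ! f?$mime_type )
        return;

    if ( f$mime_type !in smtp_extract_types )
        return;

    # Name the output after the source, the file id and the mapped extension.
    local fname = fmt("%s-%s.%s", f$source, f$id,
                      smtp_extract_types[f$mime_type]);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Extracted files are written under the directory set by FileExtract::prefix, which defaults to ./extract_files/.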