[Bro] surgical file extraction

McMahon, Kevin J kmcmahon at mitre.org
Wed Dec 2 07:29:34 PST 2015


Brandon,


It may be the extraneous "," at the end of your mime_to_ext table.


Kevin


________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Brandon Glaze <bglaze at gmail.com>
Sent: Wednesday, December 2, 2015 10:06 AM
To: bro at bro.org
Subject: Re: [Bro] surgical file extraction

Seth,
Thanks, but I have pulled up quite a few other examples and dont see where I am missing a semi-colon. I am wondering if its because I am running 32+ worker nodes and the script isnt built correctly to utilize the clustering (shot in the dark). Here is my script as I have it now. I was thinking I may want to move it to use a URL instead of the IP, especially if I start finding CnC comms to load balancer sites:

global mime_to_ext: table[string] of string = {
        ["text/plain"] = "txt",
        ["text/html"] = "html",
};
event file_sniff(f: fa_file, meta: fa_metadata)
{
for ( cid in f$conns )
        {
        if ( f$conns[cid]$id$resp_h != 123.123.123.123 )
        return;

        if ( f$source != "HTTP" )
        return;

        if ( ! meta?$mime_type )
        return;

        if ( meta$mime_type !in mime_to_ext )
        return;

        local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
        print fmt("Extracting file %s", fname);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}


=====================
Brandon Glaze
bglaze at gmail.com<mailto:bglaze at gmail.com>


"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr


On Tue, Dec 1, 2015 at 9:28 PM, Seth Hall <seth at icir.org<mailto:seth at icir.org>> wrote:

> On Nov 30, 2015, at 7:14 PM, Brandon Glaze <bglaze at gmail.com<mailto:bglaze at gmail.com>> wrote:
>
> I validated that if I comment out my @load line for the new file extraction script this error goes away in a "broctl check" check.

You may be missing a semi-colon somewhere near the end of your script.  Bro's error reporting will accidentally report the problem on the first line of the next script in this case on accident.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151202/5b80cdd2/attachment.html 


More information about the Bro mailing list