[Bro] surgical file extraction

Seth Hall seth at icir.org
Wed Dec 2 07:31:59 PST 2015


You are missing a right curly brace at the end.  If you go through and clean up your indentation it should quickly become clear what’s missing. :)

  .Seth


> On Dec 2, 2015, at 10:06 AM, Brandon Glaze <bglaze at gmail.com> wrote:
> 
> Seth,
> Thanks, but I have pulled up quite a few other examples and don't see where I am missing a semi-colon. I am wondering if it's because I am running 32+ worker nodes and the script isn't built correctly to utilize the clustering (shot in the dark). Here is my script as I have it now. I was thinking I may want to move it to use a URL instead of the IP, especially if I start finding CnC comms to load balancer sites:
> 
> global mime_to_ext: table[string] of string = {
>         ["text/plain"] = "txt",
>         ["text/html"] = "html",
> };
> event file_sniff(f: fa_file, meta: fa_metadata)
> {
> for ( cid in f$conns )
>         {
>         if ( f$conns[cid]$id$resp_h != 123.123.123.123 )
>         return;
> 
>         if ( f$source != "HTTP" )
>         return;
> 
>         if ( ! meta?$mime_type )
>         return;
> 
>         if ( meta$mime_type !in mime_to_ext )
>         return;
> 
>         local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
>         print fmt("Extracting file %s", fname);
>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> }
> 
> 
> =====================
> Brandon Glaze
> bglaze at gmail.com
> 
> "Lead me, follow me, or get the hell out of my way." 
> - General George Patton Jr
> 
> 
> 
> On Tue, Dec 1, 2015 at 9:28 PM, Seth Hall <seth at icir.org> wrote:
> 
> > On Nov 30, 2015, at 7:14 PM, Brandon Glaze <bglaze at gmail.com> wrote:
> >
> > I validated that if I comment out my @load line for the new file extraction script this error goes away in a "broctl check" check.
> 
> You may be missing a semi-colon somewhere near the end of your script.  Bro’s error reporting will accidentally report the problem on the first line of the next script in this case.
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
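For reference, here is the script from Brandon's message re-indented in the usual Bro style, with the closing brace for the for-loop body that Seth points out is missing. This is an added example, not code from the original thread; the `watch_hosts` set and the `f$http$host` branch are additions that generalise the IP check toward the host-name matching Brandon mentions, and the host branch assumes the base HTTP scripts have already attached their `HTTP::Info` record to the file as `f$http` by the time `file_sniff` fires (true for the Bro 2.x base scripts, but verify on your version).

```bro
# Added example based on the script posted in this thread.
# Only the closing brace and indentation are corrections; everything
# marked "assumption" below is not from the original message.

global mime_to_ext: table[string] of string = {
    ["text/plain"] = "txt",
    ["text/html"]  = "html",
};

# Assumption: a set of server addresses to extract from, instead of a
# single literal in the comparison. 123.123.123.123 is the value from
# the original script.
const watch_hosts: set[addr] = { 123.123.123.123 } &redef;

# Assumption: HTTP Host header values to extract from, for the case
# where a CnC server sits behind a load balancer and the IP changes.
const watch_http_hosts: set[string] = { "placeholder.example" } &redef;

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "HTTP" )
        return;

    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in mime_to_ext )
        return;

    # Match on the responder address of any connection carrying the file.
    local matched = F;
    for ( cid in f$conns )
        {
        if ( f$conns[cid]$id$resp_h in watch_hosts )
            matched = T;
        }

    # Assumption: f$http is the HTTP::Info record the base HTTP scripts
    # add to the file; the Host header is available as f$http$host.
    if ( f?$http && f$http?$host && f$http$host in watch_http_hosts )
        matched = T;

    if ( ! matched )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);

    # On a cluster this event is raised on the worker that saw the
    # connection, so this print lands in that worker's stdout.log, not
    # on the manager.
    print fmt("Extracting file %s", fname);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }   # this closing brace is the one missing from the posted script
```

Once the braces balance, `broctl check` reports any remaining error at the correct line of this script rather than the first line of whatever script loads next.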
