[Bro] surgical file extraction

Brandon Glaze bglaze at gmail.com
Wed Dec 2 07:50:33 PST 2015


Yeah, I think it was that missing closing bracket. I was stuck with using
"vi" on one box, but once I opened it with "vim" it was clear. Taking the
comma out in the table was just good practice, so thanks for that guys.  I
ran a check, and deployed it. Now I will have to monitor my test box to see
what kind of performance hit this makes.

Really appreciate the help. I am trying to show the benefits of using Bro
in my work environment, and this is a huge win if I can get it working well.

=====================
Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr


On Wed, Dec 2, 2015 at 7:31 AM, Seth Hall <seth at icir.org> wrote:

> You are missing a right curly brace at the end.  If you go through and
> clean up your indentation it should quickly become clear what’s missing. :)
>
>   .Seth
>
>
> > On Dec 2, 2015, at 10:06 AM, Brandon Glaze <bglaze at gmail.com> wrote:
> >
> > Seth,
> > Thanks, but I have pulled up quite a few other examples and don't see
> > where I am missing a semi-colon. I am wondering if it's because I am running
> > 32+ worker nodes and the script isn't built correctly to utilize the
> > clustering (shot in the dark). Here is my script as I have it now. I was
> > thinking I may want to move it to use a URL instead of the IP, especially
> > if I start finding CnC comms to load balancer sites:
> >
> > global mime_to_ext: table[string] of string = {
> >         ["text/plain"] = "txt",
> >         ["text/html"] = "html",
> > };
> > event file_sniff(f: fa_file, meta: fa_metadata)
> > {
> > for ( cid in f$conns )
> >         {
> >         if ( f$conns[cid]$id$resp_h != 123.123.123.123 )
> >         return;
> >
> >         if ( f$source != "HTTP" )
> >         return;
> >
> >         if ( ! meta?$mime_type )
> >         return;
> >
> >         if ( meta$mime_type !in mime_to_ext )
> >         return;
> >
> >         local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
> >         print fmt("Extracting file %s", fname);
> >         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> > }
> >
> >
> > =====================
> > Brandon Glaze
> > bglaze at gmail.com
> >
> > "Lead me, follow me, or get the hell out of my way."
> > - General George Patton Jr
> >
> >
> >
> > On Tue, Dec 1, 2015 at 9:28 PM, Seth Hall <seth at icir.org> wrote:
> >
> > > On Nov 30, 2015, at 7:14 PM, Brandon Glaze <bglaze at gmail.com> wrote:
> > >
> > > I validated that if I comment out my @load line for the new file
> > > extraction script this error goes away in a "broctl check" check.
> >
> > You may be missing a semi-colon somewhere near the end of your script.
> > Bro's error reporting will accidentally report the problem on the first
> > line of the next script in this case on accident.
> >
> >   .Seth
> >
> > --
> > Seth Hall
> > International Computer Science Institute
> > (Bro) because everyone has a network
> > http://www.bro.org/
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
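For reference, here is a complete, brace-balanced version of the kind of surgical extraction script discussed in this thread. It is an added example, not Brandon's posted script or anything shipped with Bro; the module name `SurgicalExtract` and the `watch_hosts` set are assumptions, and 123.123.123.123 is only a placeholder. It also fixes a logic point the posted script has: returning from inside the `for` loop means the first non-matching connection aborts the whole event, so the check below walks every connection before deciding.

```bro
# Added example: extract only HTTP files served by a small set of responder
# addresses, and only for MIME types we have an extension mapping for.
module SurgicalExtract;

export {
    ## Responder addresses whose HTTP responses should be extracted.
    ## Assumed name; 123.123.123.123 is a placeholder, not a real indicator.
    const watch_hosts: set[addr] = { 123.123.123.123 } &redef;

    ## MIME type -> file extension. No trailing comma on the last entry.
    const mime_to_ext: table[string] of string = {
        ["text/plain"] = "txt",
        ["text/html"]  = "html"
    } &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Cheap filters first: protocol and MIME type are known before we
    # bother walking the file's connections.
    if ( f$source != "HTTP" )
        return;

    if ( ! meta?$mime_type || meta$mime_type !in mime_to_ext )
        return;

    # A file can be tied to several connections; extract if any of them
    # was served by a watched host. Do not return from inside the loop.
    local matched = F;
    for ( cid in f$conns )
        {
        if ( f$conns[cid]$id$resp_h in watch_hosts )
            {
            matched = T;
            break;
            }
        }

    if ( ! matched )
        return;

    # f$id is the file's unique id, so names stay distinct across workers.
    local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
    print fmt("Extracting file %s", fname);

    # Extracted files land under FileExtract::prefix (default ./extract_files/)
    # on whichever worker saw the file, so on a cluster collect them per node.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run `broctl check` after dropping it in and `@load`ing it; a missing closing brace is reported against the next script loaded, as noted above.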