[Bro] Converting fa_file to file_sniff
James Lay
jlay at slave-tothe-box.net
Thu Jul 9 13:07:56 PDT 2015
So per:
https://www.bro.org/download/NEWS.bro.html
"Removed fa_file record’s mime_type and mime_types fields. The event
file_sniff has been added which provides the same information. The
mime_type field of Files::Info also still has this info."
I have a script...smtp-file-extract.bro:
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/zip"] = "zip",
["application/msword"] = "xls",
};
event file_new(f: fa_file)
{
if ( f$source != "SMTP" )
return;
if ( ! f?$mime_type || f$mime_type !in ext_map )
return;
local ext = "";
if ( f?$mime_type )
ext = ext_map[f$mime_type];
local fname = fmt("%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}
which while not perfects gets what I need done. This is now broken with
2.4, as expected, however I'm at a loss on how to fix this. Again, per
the NEWS link above:
"The earliest point that new mime type information is available is in
the file_sniff event which comes after the file_new and
file_over_new_connection events. Scripts which inspected mime type info
within those events will need to be adapted. (Note: for users that
worked w/ versions of Bro from git, for a while there was also an event
called file_mime_type which is now replaced with the file_sniff event)."
Awesome. How do I adapt this? Not sure where to look for changing
this. Thank you.
James
More information about the Bro
mailing list