[Bro] Converting fa_file to file_sniff

Doug Burks doug.burks at gmail.com
Thu Jul 9 13:17:51 PDT 2015


Hi James,

Here's how I adapted a similar script:
https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro

On Thu, Jul 9, 2015 at 4:07 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> So per:
>
> https://www.bro.org/download/NEWS.bro.html
>
> "Removed fa_file record’s mime_type and mime_types fields. The event
> file_sniff has been added which provides the same information. The
> mime_type field of Files::Info also still has this info."
>
> I have a script...smtp-file-extract.bro:
>
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
>     ["application/zip"] = "zip",
>     ["application/msword"] = "xls",
> };
>
> event file_new(f: fa_file)
>     {
>     if ( f$source != "SMTP" )
>         return;
>
>     if ( ! f?$mime_type || f$mime_type !in ext_map )
>         return;
>
>     local ext = "";
>
>     if ( f?$mime_type )
>         ext = ext_map[f$mime_type];
>
>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>                         [$extract_filename=fname]);
>     }
>
> which, while not perfect, gets what I need done.  This is now broken with
> 2.4, as expected; however, I'm at a loss on how to fix this.  Again, per
> the NEWS link above:
>
> "The earliest point that new mime type information is available is in
> the file_sniff event which comes after the file_new and
> file_over_new_connection events. Scripts which inspected mime type info
> within those events will need to be adapted. (Note: for users that
> worked w/ versions of Bro from git, for a while there was also an event
> called file_mime_type which is now replaced with the file_sniff event)."
>
> Awesome.  How do I adapt this?  Not sure where to look for changing
> this.  Thank you.
>
> James
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
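The quoted smtp-file-extract.bro rewritten for Bro 2.4, as an added example that is neither James's script nor the Security Onion extract.bro Doug links to. The only real change is moving the MIME check out of file_new, which in 2.4 fires before any content has been sniffed, into file_sniff, where the detected type arrives in the fa_metadata argument rather than on the fa_file record. The module name SmtpExtract and the ext_map contents are constructed for the example (application/msword is mapped to "doc" here); f$source, f$id, meta$mime_type, Files::add_analyzer and Files::ANALYZER_EXTRACT are the 2.4 names.

```bro
##! Added example: extract SMTP attachments of selected MIME types on Bro 2.4,
##! using file_sniff instead of the removed fa_file$mime_type field.

module SmtpExtract;

export {
    ## MIME types worth extracting, mapped to the on-disk file extension.
    ## Constructed example table; extend it with a redef in local.bro.
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["application/zip"]       = "zip",
        ["application/msword"]    = "doc",
    } &redef;
}

# file_new fires before the beginning-of-file buffer has been inspected, so
# no MIME type exists yet. file_sniff fires once that buffer is full (or the
# file ends) and carries the sniffed type in `meta`, so the decision to
# attach the extraction analyzer is made here instead.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only attachments seen by the SMTP analyzer are of interest here.
    if ( f$source != "SMTP" )
        return;

    # meta$mime_type is optional: very short or unrecognised files have
    # no value at all, so test presence before looking it up in the table.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    local ext = ext_map[meta$mime_type];

    # f$id is unique per file, so extracted files cannot collide on disk.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Extracted files land under FileExtract::prefix (the default is an extract_files directory below the working directory), and the path is recorded in the extracted field of files.log, which is the place to confirm the analyzer actually attached. One thing to check when porting other scripts the same way: anything that keyed off f$mime_type in file_over_new_connection has the same problem and needs the same move, since that event also precedes file_sniff.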


