[Bro] [SOLVED] Re: Converting fa_file to file_sniff
James Lay
jlay at slave-tothe-box.net
Thu Jul 9 14:05:20 PDT 2015
On 2015-07-09 02:17 PM, Doug Burks wrote:
> Hi James,
>
> Here's how I adapted a similar script:
> https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
>
> On Thu, Jul 9, 2015 at 4:07 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>> So per:
>>
>> https://www.bro.org/download/NEWS.bro.html
>>
>> "Removed fa_file record’s mime_type and mime_types fields. The event
>> file_sniff has been added which provides the same information. The
>> mime_type field of Files::Info also still has this info."
>>
>> I have a script...smtp-file-extract.bro:
>>
>> global ext_map: table[string] of string = {
>> ["application/x-dosexec"] = "exe",
>> ["application/zip"] = "zip",
>> ["application/msword"] = "xls",
>> };
>>
>> event file_new(f: fa_file)
>> {
>> if ( f$source != "SMTP" )
>> return;
>>
>> if ( ! f?$mime_type || f$mime_type !in ext_map )
>> return;
>>
>> local ext = "";
>>
>> if ( f?$mime_type )
>> ext = ext_map[f$mime_type];
>>
>> local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>> Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>> [$extract_filename=fname]);
>> }
>>
>> which while not perfects gets what I need done. This is now broken
>> with
>> 2.4, as expected, however I'm at a loss on how to fix this. Again,
>> per
>> the NEWS link above:
>>
>> "The earliest point that new mime type information is available is in
>> the file_sniff event which comes after the file_new and
>> file_over_new_connection events. Scripts which inspected mime type
>> info
>> within those events will need to be adapted. (Note: for users that
>> worked w/ versions of Bro from git, for a while there was also an
>> event
>> called file_mime_type which is now replaced with the file_sniff
>> event)."
>>
>> Awesome. How do I adapt this? Not sure where to look for changing
>> this. Thank you.
>>
>> James
Thanks Gents...appreciate the fast help. For those keeping score at
home here's what works:
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/zip"] = "zip",
["application/msword"] = "xls",
};
event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( f$source != "SMTP" )
return;
if ( ! meta?$mime_type || meta$mime_type !in ext_map )
return;
local ext = "";
if ( meta?$mime_type )
ext = ext_map[meta$mime_type];
local fname = fmt("%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}
Have to say I would have never figured this out just by reading the Bro
documentation....thanks to you both again.
James
More information about the Bro
mailing list