[Bro] [SOLVED] Re: Converting fa_file to file_sniff

James Lay jlay at slave-tothe-box.net
Thu Jul 9 14:05:20 PDT 2015


On 2015-07-09 02:17 PM, Doug Burks wrote:
> Hi James,
> 
> Here's how I adapted a similar script:
> https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
> 
> On Thu, Jul 9, 2015 at 4:07 PM, James Lay <jlay at slave-tothe-box.net> 
> wrote:
>> So per:
>> 
>> https://www.bro.org/download/NEWS.bro.html
>> 
>> "Removed fa_file record’s mime_type and mime_types fields. The event
>> file_sniff has been added which provides the same information. The
>> mime_type field of Files::Info also still has this info."
>> 
>> I have a script...smtp-file-extract.bro:
>> 
>> global ext_map: table[string] of string = {
>>          ["application/x-dosexec"] = "exe",
>>          ["application/zip"] = "zip",
>>          ["application/msword"] = "xls",
>> };
>> 
>> event file_new(f: fa_file)
>>          {
>>          if ( f$source != "SMTP" )
>>                  return;
>> 
>>          if ( ! f?$mime_type || f$mime_type !in ext_map )
>>                  return;
>> 
>>          local ext = "";
>> 
>>          if ( f?$mime_type )
>>                  ext = ext_map[f$mime_type];
>> 
>>          local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>>          Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>>                              [$extract_filename=fname]);
>>          }
>> 
>> which while not perfect gets what I need done.  This is now broken with
>> 2.4, as expected, however I'm at a loss on how to fix this.  Again, per
>> the NEWS link above:
>> 
>> "The earliest point that new mime type information is available is in
>> the file_sniff event which comes after the file_new and
>> file_over_new_connection events. Scripts which inspected mime type info
>> within those events will need to be adapted. (Note: for users that
>> worked w/ versions of Bro from git, for a while there was also an event
>> called file_mime_type which is now replaced with the file_sniff event)."
>> 
>> Awesome.  How do I adapt this?  Not sure where to look for changing
>> this.  Thank you.
>> 
>> James

Thanks Gents...appreciate the fast help.  For those keeping score at 
home here's what works:

global ext_map: table[string] of string = {
         ["application/x-dosexec"] = "exe",
         ["application/zip"] = "zip",
         ["application/msword"] = "xls",
};

event file_sniff(f: fa_file, meta: fa_metadata)
         {
         if ( f$source != "SMTP" )
                 return;

         if ( ! meta?$mime_type || meta$mime_type !in ext_map )
                 return;

         local ext = "";

         if ( meta?$mime_type )
                 ext = ext_map[meta$mime_type];

         local fname = fmt("%s-%s.%s", f$source, f$id, ext);
         Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                             [$extract_filename=fname]);
         }


Have to say I would have never figured this out just by reading the Bro 
documentation....thanks to you both again.

James