[Bro] [SOLVED] Re: Converting fa_file to file_sniff

Ricky Chapman riqiue at gmail.com
Mon Jul 13 17:46:42 PDT 2015


Perfect!  Exactly what I was looking for.  Thank you all!!
> On Jul 9, 2015, at 5:05 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> On 2015-07-09 02:17 PM, Doug Burks wrote:
>> Hi James,
>> 
>> Here's how I adapted a similar script:
>> https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
>> 
>> On Thu, Jul 9, 2015 at 4:07 PM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>>> So per:
>>> 
>>> https://www.bro.org/download/NEWS.bro.html
>>> 
>>> "Removed fa_file record’s mime_type and mime_types fields. The event
>>> file_sniff has been added which provides the same information. The
>>> mime_type field of Files::Info also still has this info."
>>> 
>>> I have a script...smtp-file-extract.bro:
>>> 
>>> global ext_map: table[string] of string = {
>>>         ["application/x-dosexec"] = "exe",
>>>         ["application/zip"] = "zip",
>>>         ["application/msword"] = "xls",
>>> };
>>> 
>>> event file_new(f: fa_file)
>>>         {
>>>         if ( f$source != "SMTP" )
>>>                 return;
>>> 
>>>         if ( ! f?$mime_type || f$mime_type !in ext_map )
>>>                 return;
>>> 
>>>         local ext = "";
>>> 
>>>         if ( f?$mime_type )
>>>                 ext = ext_map[f$mime_type];
>>> 
>>>         local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>>>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>>> }
>>> 
>>> which, while not perfect, gets what I need done.  This is now broken with
>>> 2.4, as expected; however, I'm at a loss on how to fix this.  Again, per
>>> the NEWS link above:
>>> 
>>> "The earliest point that new mime type information is available is in
>>> the file_sniff event which comes after the file_new and
>>> file_over_new_connection events. Scripts which inspected mime type 
>>> info
>>> within those events will need to be adapted. (Note: for users that
>>> worked w/ versions of Bro from git, for a while there was also an 
>>> event
>>> called file_mime_type which is now replaced with the file_sniff 
>>> event)."
>>> 
>>> Awesome.  How do I adapt this?  Not sure where to look for changing
>>> this.  Thank you.
>>> 
>>> James
> 
> Thanks Gents...appreciate the fast help.  For those keeping score at 
> home here's what works:
> 
> global ext_map: table[string] of string = {
>         ["application/x-dosexec"] = "exe",
>         ["application/zip"] = "zip",
>         ["application/msword"] = "xls",
> };
> 
> event file_sniff(f: fa_file, meta: fa_metadata)
>         {
>         if ( f$source != "SMTP" )
>                 return;
> 
>         if ( ! meta?$mime_type || meta$mime_type !in ext_map )
>                 return;
> 
>         local ext = "";
> 
>         if ( meta?$mime_type )
>                 ext = ext_map[meta$mime_type];
> 
>         local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> }
> 
> 
> Have to say I would have never figured this out just by reading the Bro
> documentation....thanks to you both again.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
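The following is an added example, not code from any of the posters above, showing the same file_sniff adaptation written as a small module: the extension map is `&redef` so it can be extended from local.bro, the redundant second `meta?$mime_type` check is dropped, and a `file_state_remove` handler reports the on-disk path of each extracted attachment so an analyst can see what was written. The module name `SMTPExtract` and the mapping of `application/msword` to `doc` are this example's own choices; `fa_metadata$mime_type`, `Files::Info$extracted` and `Reporter::info` are assumed to exist as in Bro 2.4.

```zeek
##! Added example: extract SMTP attachments of selected MIME types using
##! the Bro 2.4 file_sniff event (not the original poster's script).

module SMTPExtract;

export {
    ## MIME type (as reported by file_sniff) -> file extension for the
    ## extracted file.  Constructed mapping; extend via redef in local.bro.
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["application/zip"]       = "zip",
        ["application/msword"]    = "doc",
    } &redef;
}

# In 2.4 the sniffed MIME type lives in the fa_metadata argument of
# file_sniff, not on fa_file, so the analyzer is attached here.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "SMTP" )
        return;

    # mime_type is &optional: files too short to sniff have none.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    # f$id is Bro's own file id, so the name is safe to use on disk.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# Once the file is done, report where the extract analyzer wrote it.
# Files::Info$extracted is filled in by the extract analyzer script.
event file_state_remove(f: fa_file)
    {
    if ( f$source != "SMTP" || ! f?$info || ! f$info?$extracted )
        return;

    Reporter::info(fmt("extracted SMTP attachment %s (%s) to %s",
                       f$id, f$info$mime_type, f$info$extracted));
    }
```

Load it with `@load` from local.bro; extracted files land under the extract analyzer's configured directory (`FileExtract::prefix`), and the files.log entry for the same fuid carries the `extracted` column for correlation.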