[Bro] [SOLVED] Re: Converting fa_file to file_sniff
Ricky Chapman
riqiue at gmail.com
Mon Jul 13 17:46:42 PDT 2015
Perfect! Exactly what I was looking for. Thank you all!!
> On Jul 9, 2015, at 5:05 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> On 2015-07-09 02:17 PM, Doug Burks wrote:
>> Hi James,
>>
>> Here's how I adapted a similar script:
>> https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
>>
>> On Thu, Jul 9, 2015 at 4:07 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>> So per:
>>>
>>> https://www.bro.org/download/NEWS.bro.html
>>>
>>> "Removed fa_file record’s mime_type and mime_types fields. The event
>>> file_sniff has been added which provides the same information. The
>>> mime_type field of Files::Info also still has this info."
>>>
>>> I have a script...smtp-file-extract.bro:
>>>
>>> global ext_map: table[string] of string = {
>>>     ["application/x-dosexec"] = "exe",
>>>     ["application/zip"] = "zip",
>>>     ["application/msword"] = "xls",
>>> };
>>>
>>> event file_new(f: fa_file)
>>>     {
>>>     if ( f$source != "SMTP" )
>>>         return;
>>>
>>>     if ( ! f?$mime_type || f$mime_type !in ext_map )
>>>         return;
>>>
>>>     local ext = "";
>>>
>>>     if ( f?$mime_type )
>>>         ext = ext_map[f$mime_type];
>>>
>>>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>>>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>>>                         [$extract_filename=fname]);
>>>     }
>>>
>>> which, while not perfect, gets what I need done. This is now broken with
>>> 2.4, as expected, however I'm at a loss on how to fix this. Again, per
>>> the NEWS link above:
>>>
>>> "The earliest point that new mime type information is available is in
>>> the file_sniff event which comes after the file_new and
>>> file_over_new_connection events. Scripts which inspected mime type info
>>> within those events will need to be adapted. (Note: for users that
>>> worked w/ versions of Bro from git, for a while there was also an event
>>> called file_mime_type which is now replaced with the file_sniff event)."
>>>
>>> Awesome. How do I adapt this? Not sure where to look for changing
>>> this. Thank you.
>>>
>>> James
>
> Thanks Gents...appreciate the fast help. For those keeping score at
> home here's what works:
>
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
>     ["application/zip"] = "zip",
>     ["application/msword"] = "xls",
> };
>
> event file_sniff(f: fa_file, meta: fa_metadata)
>     {
>     if ( f$source != "SMTP" )
>         return;
>
>     if ( ! meta?$mime_type || meta$mime_type !in ext_map )
>         return;
>
>     local ext = "";
>
>     if ( meta?$mime_type )
>         ext = ext_map[meta$mime_type];
>
>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>                         [$extract_filename=fname]);
>     }
>
>
> Have to say I would have never figured this out just by reading the Bro
> documentation....thanks to you both again.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
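As an added example (not code from the thread or from the Bro project), here is a fuller version of the file_sniff-based extractor that the thread converges on, written for Bro 2.4 script syntax. It assumes that, as in Bro 2.4, the extraction analyzer accepts an `$extract_limit` field and that `FileExtract::prefix` names the output directory; the MIME-to-extension map and the 1 MiB limit are constructed values for illustration. Beyond the thread's script it caps the bytes written per file and keeps the sender-controlled attachment name out of the output path.

```bro
# Added example: extract SMTP attachments by sniffed MIME type (Bro 2.4).
# Not the thread author's script. Assumptions: FileExtract::prefix and
# $extract_limit exist as in Bro 2.4; the MIME map and size limit are
# constructed values, not taken from any deployment.

@load base/files/extract

module SmtpExtract;

export {
    ## Only extract types a defender is likely to want to inspect.
    ## Constructed map; note "application/msword" is a .doc, not .xls.
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["application/zip"]       = "zip",
        ["application/msword"]    = "doc",
        ["application/pdf"]       = "pdf",
    } &redef;

    ## Stop writing after this many bytes so one large attachment cannot
    ## fill the sensor's disk (constructed value: 1 MiB).
    const max_bytes: count = 1048576 &redef;
}

## Output directory for extracted files (assumption: Bro 2.4 variable name).
redef FileExtract::prefix = "./extract_files/";

# Per the 2.4 NEWS, the MIME type is first known in file_sniff, which fires
# after file_new, so the analyzer must be attached here rather than in file_new.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "SMTP" )
        return;

    # meta$mime_type is optional: if no signature matched there is nothing
    # to map, and indexing ext_map with a missing key would be an error.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    local ext = ext_map[meta$mime_type];

    # f$id is a Bro-generated identifier drawn from a fixed alphabet, so it
    # is safe in a file name; the attachment name supplied by the sender is
    # deliberately not used, since it could contain path separators.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname,
                         $extract_limit=max_bytes]);
    }
```

Load it from local.bro (for example `@load ./smtp-file-extract`), then confirm files appear under `extract_files/` with names of the form `SMTP-<file id>.<ext>`; the `extracted` column of files.log (where present in the running version) is the place to check that the analyzer attached.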