[Bro] Extract.bro Question

Seth Hall seth at icir.org
Wed Jun 17 10:06:48 PDT 2015


> On Jun 16, 2015, at 3:35 PM, Damon Rouse <damonrouse at gmail.com> wrote:
> 
> I'm still pretty new to the more complex aspects of Bro, so I'm not sure if this is possible or not.  I've been testing file extraction and it's working really well for me.  My question is, can Bro (in extract.bro) get the file name of the file being extracted?  So the final extracted file would have a naming convention like Analyzer-FileName.SpecifiedExtension

I started to head in that direction initially but then what bothered me a little bit was that external hosts could affect file names on your system and I started to get concerned about that.  I started imagining scenarios where names are written out that do very unexpected things on your system or break out of the path they’re supposed to be extracted into.  I would match up the filename in the files.log with the fuid on disk.  If you look at files.log it will actually have the filename on disk and a filename (if one was discovered) from the network traffic.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
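The matching step Seth describes, as an added example that is not part of the message above and not code from the Bro project: it parses a constructed files.log excerpt in Bro's tab-separated ASCII log format, indexes the records by fuid, and only allows the network-observed `filename` field to be reused as a label when it is a plain base name that cannot escape the extraction directory. The column names (`fuid`, `source`, `filename`, `extracted`) follow files.log; the sample rows, the `/var/spool/bro/extract` directory and the helper function names are assumptions made for the example.

```python
"""Match Bro files.log records to extracted files on disk, keyed by fuid.

Added example, not the mailing-list author's or the Bro project's code.
The on-disk name stays the fuid-based name Bro wrote; the network-supplied
filename is only ever used as a label, and only after an allowlist check.
"""
import os
import re
from typing import Dict, List, Optional

# Constructed files.log excerpt (only the columns this example uses; a real
# files.log carries many more). Row 2 has a traversal-style network filename,
# row 3 has no filename at all ("-" marks an unset field).
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\tsource\tanalyzers\tmime_type\tfilename\textracted
#types\ttime\tstring\tstring\tset[string]\tstring\tstring\tstring
1434580000.123456\tFa1b2c3d4e5f60718293\tHTTP\tEXTRACT,MD5\tapplication/pdf\treport.pdf\textract-HTTP-Fa1b2c3d4e5f60718293
1434580001.654321\tFb2c3d4e5f6071829304\tSMTP\tEXTRACT\ttext/plain\t../../outside.txt\textract-SMTP-Fb2c3d4e5f6071829304
1434580002.000000\tFc3d4e5f607182930415\tHTTP\tEXTRACT\timage/png\t-\textract-HTTP-Fc3d4e5f607182930415
"""

UNSET = "-"
# Allowlist for a label derived from the network: alphanumerics, dot, dash,
# underscore; must start with an alphanumeric, so "..", "-x" and ".hidden" fail.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def parse_files_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Bro ASCII log text into dicts; unset fields become None."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header lines (#separator, #types, ...)
        values = line.split("\t")
        records.append({k: (None if v == UNSET else v) for k, v in zip(fields, values)})
    return records


def index_by_fuid(records) -> Dict[str, Dict[str, Optional[str]]]:
    """fuid -> record, the lookup Seth suggests for matching files on disk."""
    return {r["fuid"]: r for r in records if r.get("fuid")}


def safe_label(name: Optional[str]) -> Optional[str]:
    """Return the name if it is a plain, allowlisted base name, else None."""
    if not name or "\x00" in name:
        return None
    if "/" in name or "\\" in name or name != os.path.basename(name):
        return None
    if SAFE_NAME.fullmatch(name) is None:
        return None
    return name


def label_for(record) -> Optional[str]:
    """Source-FileName label (the convention asked about), or None if the
    network-supplied name is unusable; callers then keep the fuid name."""
    safe = safe_label(record.get("filename"))
    if safe is None or not record.get("source"):
        return None
    return f"{record['source']}-{safe}"


def extracted_path(extract_dir: str, record) -> Optional[str]:
    """Path of the extracted file, built from the Bro-chosen `extracted` name.
    Refuses anything that is not a plain base name inside extract_dir."""
    name = record.get("extracted")
    if not name or name != os.path.basename(name):
        return None
    return os.path.join(extract_dir, name)


if __name__ == "__main__":
    by_fuid = index_by_fuid(parse_files_log(SAMPLE_FILES_LOG))
    for fuid, rec in by_fuid.items():
        print(fuid, extracted_path("/var/spool/bro/extract", rec), label_for(rec))
```

Only `extracted_path` ever touches the file system, and it is built from the name Bro chose, so a hostile `filename` value can at most be dropped as a label; renaming on disk, if wanted at all, would use the returned label and never the raw field.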
