[Bro] forwarding Facebook inquiry

Liam Randall liam.randall at gmail.com
Sun Mar 15 21:36:36 PDT 2015


Not 100% sure what the question is being asked, however I put together a
simple script to log files based on directionality:

https://github.com/criticalstack/bro-scripts/blob/master/files-log-by-direction/files-log-by-direction.bro

There are some subtleties here that may not be obvious:
-- a file can have multiple transmitters or receivers; both tx_hosts and
rx_hosts in the Files::Info record are a set[addr]
-- files do not have to come from a connection

In my example I just use the first TX and RX for making a decision.

Thanks,

Liam Randall
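The two subtleties above (tx_hosts/rx_hosts are sets, and a file need not come from a connection), applied to the kind of file_new handler in the quoted script, as an added Bro script that is not Liam's files-log-by-direction script and not the poster's code. It assumes Site::local_nets is populated for your site and a Bro release with the Files framework; the module name FileDirection, the Direction enum and classify() are my own, and file_state_remove is used so the MIME type is final when the record is written.

```zeek
@load base/frameworks/files
@load base/utils/site
module FileDirection;

export {
    redef enum Log::ID += { LOG };
    # Where a file travelled relative to Site::local_nets.
    type Direction: enum { INBOUND, OUTBOUND, INTERNAL, EXTERNAL, UNKNOWN };
    type Info: record {
        ts:        time      &log;
        fuid:      string    &log;
        source:    string    &log;
        mime_type: string    &log &optional;
        tx_host:   addr      &log &optional;
        rx_host:   addr      &log &optional;
        direction: Direction &log;
    };
}

event bro_init()
    {
    # Log path is derived from the module name by the default path function.
    Log::create_stream(LOG, [$columns=Info]);
    }

# Decide direction from a single transmitter and a single receiver.
function classify(tx: addr, rx: addr): Direction
    {
    local tx_local = Site::is_local_addr(tx);
    local rx_local = Site::is_local_addr(rx);
    if ( tx_local && rx_local ) return INTERNAL;
    if ( tx_local ) return OUTBOUND;
    if ( rx_local ) return INBOUND;
    return EXTERNAL;
    }

event file_state_remove(f: fa_file)
    {
    if ( ! f?$info ) return;
    local rec: Info = [$ts=network_time(), $fuid=f$id, $source=f$source, $direction=UNKNOWN];
    if ( f$info?$mime_type ) rec$mime_type = f$info$mime_type;
    # tx_hosts/rx_hosts are sets; both are empty for a file with no connection.
    if ( |f$info$tx_hosts| > 0 && |f$info$rx_hosts| > 0 )
        {
        for ( tx in f$info$tx_hosts ) { rec$tx_host = tx; break; }
        for ( rx in f$info$rx_hosts ) { rec$rx_host = rx; break; }
        rec$direction = classify(rec$tx_host, rec$rx_host);
        }
    Log::write(LOG, rec);
    }
```

Files with several transmitters or receivers are classified on the first set member only, exactly the simplification Liam describes; a stricter version would iterate over every pair.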

On Sun, Mar 15, 2015 at 7:25 PM, Dopheide, Jeannette M <
jdopheid at illinois.edu> wrote:

>  Hello Bro Community,
>
>  I'm forwarding along a Facebook post our page received:
>
>  Can someone help me with how to split connections from internal and external
> into a separate log, even though I don't want the traffic from outside to the inside?
>
>  Find below the script I'm using. I have been looking for someone to help
> me for a month now; it's for educational purposes.
>  -----------------------------------------
> global mime_to_ext: table[string] of string = {
>     ["text/plain"] = "txt",
>     ["text/html"] = "html",
>     ["application/pdf"] = "pdf",
>     ["application/x-pdf"] = "pdf",
>     ["application/acrobat"] = "pdf",
>     ["applications/vnd.pdf"] = "pdf",
>     ["text/pdf"] = "pdf",
>     ["text/x-pdf"] = "pdf",
> };
>
> global sn_pro: table[string] of string = {
>     ["SMTP"] = "SMTP",
>     ["HTTP"] = "HTTP",
> };
>
> event file_new(f: fa_file)
>     {
>     #if ( f$source !in ssl_ports )
>     if ( f$source !in sn_pro ) return;
>     if ( ! f?$mime_type ) return;
>     if ( f$mime_type !in mime_to_ext ) return;
>     local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]);
>     print fmt("Extracting file %s", fname);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>     }
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>