[Bro] Extract complete files

Albert Zaharovits albert.zaharovits at gmail.com
Wed May 13 08:12:24 PDT 2015


Hi Frank,

Perhaps I didn’t explain myself properly. I meant extracting only complete files (or removing incomplete ones). There might be file gaps because of improper tapping…
I attached the Files::ANALYZER_EXTRACT and Files::ANALYZER_SHA256 in the file_sniff event. The event_hash triggers only for complete files, but the file gets extracted anyway.

Albert

> On 13 May 2015, at 17:46, Frank Meier <franky.meier.1 at gmx.de> wrote:
> 
> Hi Albert, 
> 
> It's hard to help without any context, so just some hints: It took me some time to find the -C switch to ignore wrong checksums in bro. Without it the traffic did not reach the extraction layer. Also it's always a good idea to compare bro with other tools. Make sure Wireshark does show the complete HTTP session.
> 
> 
> Franky 
> 
> On Tue, May 12, 2015 at 7:12, Albert Zaharovits <albert.zaharovits at gmail.com> wrote:
>> Hello,
>> 
>> I am experimenting with the Files framework in bro 2.4 beta. I would like to extract HTTP files, *without* missing_bytes.
>> Can anyone please help me on this?
>> 
>> Thanks,
>> Albert
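The approach Albert describes (attach Files::ANALYZER_EXTRACT and Files::ANALYZER_SHA256 in file_sniff, and treat file_hash as the "complete" signal) can be closed off by discarding extractions whose transfer ended with missing bytes. The script below is an added example written for this thread; it is not code from either poster or from the Bro project. It assumes Bro 2.4 with the base extract and hash analyzers loaded, that fa_file$missing_bytes, Files::Info$extracted, FileExtract::prefix and the unlink() built-in behave as in that release, and that only HTTP files are wanted (the `sources` set and the `CompleteExtract` module name are the example's own):

```bro
# Added example, not code from the thread or the Bro project.
# Assumes Bro 2.4: the Files framework, the extract and hash analyzers,
# and the unlink() built-in. Extracts HTTP files, then discards any
# extraction whose transfer ended with missing bytes.

@load base/frameworks/files
@load base/files/extract
@load base/files/hash

module CompleteExtract;

export {
    ## File sources (fa_file$source) to extract from. Assumed: HTTP only.
    const sources: set[string] = { "HTTP" } &redef;

    ## Raised when an extraction is discarded because bytes were missing.
    global discarded: event(f: fa_file, path: string);
}

# Attach the extract and SHA256 analyzers as soon as the file is seen.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source !in sources )
        return;

    # Constructed filename; the analyzer writes it under FileExtract::prefix.
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

# file_hash fires only when every byte was seen (the hash analyzer drops
# itself on the first gap), so it is the "complete" signal.
event file_hash(f: fa_file, kind: string, hash: string)
    {
    if ( kind == "sha256" && f?$info && f$info?$extracted )
        print fmt("complete: %s sha256=%s", f$info$extracted, hash);
    }

# Once the file is finished, unlink the extraction if any bytes were missing.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    if ( f$missing_bytes == 0 )
        return;

    # FileExtract::prefix ends with "/" by default ("./extract_files/").
    local path = FileExtract::prefix + f$info$extracted;
    if ( unlink(path) )
        {
        event CompleteExtract::discarded(f, path);
        # Drop the field so files.log does not point at a file that is gone.
        delete f$info$extracted;
        }
    }

event CompleteExtract::discarded(f: fa_file, path: string)
    {
    print fmt("discarded %s: %d missing bytes", path, f$missing_bytes);
    }
```

Run it as `bro -C -r capture.pcap complete-extract.bro` (the `-C` switch Franky mentions is needed when the capture has bad checksums). Note that the incomplete file does exist on disk until file_state_remove runs, so anything that picks up extractions should consume files.log (where `extracted` is cleared for discarded files) rather than watching the extract directory directly. An alternative is to handle the file_gap event and remove the extract analyzer as soon as the first gap appears, but that still leaves the partial file to clean up, so the unlink at end-of-file is the simpler check.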
