[Bro] Extract complete files

Hosom, Stephen M hosom at battelle.org
Wed May 13 08:17:06 PDT 2015


Albert, 

You have a chicken and egg problem. Specifically, you're not going to be certain of how many bytes are missing at the time you have to determine whether or not you'll be extracting the file. Instead, you'll have to extract all files and then later remove the files that aren't the ones that you want. This is similar to how the issue of 'how do I name the file after the hash' is solved. 

I have some examples of that here in the plugins directory: https://github.com/hosom/bro-file-extraction/

While it isn't precisely what you want... you'll be able to piece together the hashing examples into removing files from the filesystem that show as having missing bytes.

If you're seeing a large number of missing bytes in files consistently, there are likely other problems occurring. 

Thanks, 

Stephen

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Albert Zaharovits
Sent: Tuesday, May 12, 2015 1:13 PM
To: bro at bro.org
Subject: [Bro] Extract complete files

Hello,

I am experimenting with the Files framework in bro 2.4 beta. I would like to extract HTTP files, *without* missing_bytes.
Can anyone please help me on this?

Thanks,
Albert
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list