[Bro] surgical file extraction
Brandon Glaze
bglaze at gmail.com
Mon Nov 30 09:50:27 PST 2015
Good day all,
I am new to creating custom bro scripts, so please bear with me.
I am looking to perform file extraction only on HTTP conversations to
either a specific URL or destination IP address. I have some command and
control traffic POST traffic that I want to capture with bro, as opposed to
what I am using now. I am currently having to run TCPDumps on my sensors
for traffic destined to a specific IP, then manually cut out the POST
requests, redo the pcap, then run it through bro… tedious.
Here is what I have, but cant get it to work (mainly due to a lack of bro
script knowledge):
global mime_to_ext: table[string] of string = {
["text/plain"] = "txt",
["text/html"] = "html",
};
Event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( f$source != "HTTP" )
return;
if ( meta$rx_hosts != "123.123.123.123" )
return;
if ( ! meta?$mime_type )
return;
if ( meta$mime_type !in mime_to_ext )
return;
local fname = fmt("%s-%s.%s", f$source, f$id,
mime_to_ext[meta$mime_type]);
print fmt("Extracting file %s", fname);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
}
I get the warning that the meta$rx_hosts isn’t valid. I have tried a “redef
record” statement, but it made it much worse. Am I even in the ballpark
here? I wasnt sure if I needed to use some other means to identify the URL,
then start file extraction.
Appreciate any help.
=====================
Brandon Glaze
bglaze at gmail.com
"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151130/636da68a/attachment.html
More information about the Bro
mailing list