[Bro] surgical file extraction

Mon Nov 30 09:50:27 PST 2015

Good day all,

I am new to creating custom bro scripts, so please bear with me.

I am looking to perform file extraction only on HTTP conversations to
either a specific URL or destination IP address. I have some command and
control traffic POST traffic that I want to capture with bro, as opposed to
what I am using now. I am currently having to run TCPDumps on my sensors
for traffic destined to a specific IP, then manually cut out the POST
requests, redo the pcap, then run it through bro… tedious.

Here is what I have, but cant get it to work (mainly due to a lack of bro
script knowledge):

global mime_to_ext: table[string] of string = {

        ["text/plain"] = "txt",

        ["text/html"] = "html",

};

Event file_sniff(f: fa_file, meta: fa_metadata)

       {

        if ( f$source != "HTTP" )

                return;

        if ( meta$rx_hosts != "123.123.123.123" )

                return;

        if ( ! meta?$mime_type )

                return;

        if ( meta$mime_type !in mime_to_ext )

                return;

        local fname = fmt("%s-%s.%s", f$source, f$id,
mime_to_ext[meta$mime_type]);

        print fmt("Extracting file %s", fname);

        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);

        }

I get the warning that the meta$rx_hosts isn’t valid. I have tried a “redef
record” statement, but it made it much worse. Am I even in the ballpark
here? I wasnt sure if I needed to use some other means to identify the URL,
then start file extraction.

Appreciate any help.
=====================
Brandon Glaze
bglaze at gmail.com

"Lead me, follow me, or get the hell out of my way."
- General George Patton Jr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151130/636da68a/attachment.html 