[Bro] surgical file extraction

Josh Liburdi liburdi.joshua at gmail.com
Mon Nov 30 10:12:24 PST 2015


You’re close! The field rx_hosts doesn’t exist in the meta record. If you want to get the destination IP, then you can do something similar to the first example on this page: https://www.bro.org/sphinx-git/frameworks/file-analysis.html

In your event, you’d do something like this …

for ( cid in f$conns )
    {
    if ( f$conns[cid]$id$resp_h == 123.123.123.123 )
        {
        print "found IP 123.123.123.123";
        }
    }

This should get you started: http://try.bro.org/#/trybro/saved/27817

Josh

> On Nov 30, 2015, at 12:50 PM, Brandon Glaze <bglaze at gmail.com> wrote:
> 
> Good day all,
> 
> I am new to creating custom bro scripts, so please bear with me.
> 
> I am looking to perform file extraction only on HTTP conversations to either a specific URL or destination IP address. I have some command and control traffic POST traffic that I want to capture with bro, as opposed to what I am using now. I am currently having to run TCPDumps on my sensors for traffic destined to a specific IP, then manually cut out the POST requests, redo the pcap, then run it through bro… tedious.
> 
> Here is what I have, but can't get it to work (mainly due to a lack of bro script knowledge):
> 
> global mime_to_ext: table[string] of string = {
>         ["text/plain"] = "txt",
>         ["text/html"] = "html",
> };
> 
> event file_sniff(f: fa_file, meta: fa_metadata)
>         {
>         if ( f$source != "HTTP" )
>                 return;
> 
>         if ( meta$rx_hosts != "123.123.123.123" )
>                 return;
> 
>         if ( ! meta?$mime_type )
>                 return;
> 
>         if ( meta$mime_type !in mime_to_ext )
>                 return;
> 
>         local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
>         print fmt("Extracting file %s", fname);
>         Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>         }
> 
> I get the warning that the meta$rx_hosts isn't valid. I have tried a "redef record" statement, but it made it much worse. Am I even in the ballpark here? I wasn't sure if I needed to use some other means to identify the URL, then start file extraction.
> 
> Appreciate any help.
> 
> =====================
> Brandon Glaze
> bglaze at gmail.com
> 
> "Lead me, follow me, or get the hell out of my way." 
> - General George Patton Jr
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
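A complete version of the handler, combining the MIME table from the question with the f$conns loop from the reply, as an added example that is not part of either message in this thread. target_ip, target_uri and only_client_uploads are assumed, redef-able placeholder settings; the optional URI match via c$http$uri and the client-upload (POST body) check via f$is_orig go beyond what the thread shows and are additions here.

```bro
# Added example (not code from the thread): extract only HTTP files carried on
# connections to one server address, optionally narrowed to one request URI and
# to bodies sent by the client (i.e. POST uploads).

# Placeholder values; override with redef in site policy.
const target_ip: addr = 123.123.123.123 &redef;   # server of interest (placeholder)
const target_uri = "" &redef;                      # assumed: "" means match any URI
const only_client_uploads = T &redef;              # assumed: keep only originator-sent bodies

global mime_to_ext: table[string] of string = {
    ["text/plain"] = "txt",
    ["text/html"]  = "html",
};

# Returns T when at least one connection carrying the file matches the filter.
function conn_matches(f: fa_file): bool
    {
    # fa_file has no rx_hosts field; the endpoints live in the connection
    # records keyed by f$conns, so inspect each of them.
    for ( cid in f$conns )
        {
        local c = f$conns[cid];

        if ( c$id$resp_h != target_ip )
            next;

        # Optional URI restriction: HTTP::Info is populated by the time the
        # request body is seen, but guard the optional fields anyway.
        if ( target_uri != "" &&
             ( ! c?$http || ! c$http?$uri || c$http$uri != target_uri ) )
            next;

        return T;
        }

    return F;
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "HTTP" )
        return;

    # Request bodies (POSTs) are sent by the originator; reply bodies are not.
    if ( only_client_uploads && ( ! f?$is_orig || ! f$is_orig ) )
        return;

    if ( ! meta?$mime_type || meta$mime_type !in mime_to_ext )
        return;

    if ( ! conn_matches(f) )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
    print fmt("Extracting file %s", fname);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run it against a capture with `bro -r traffic.pcap extract.bro`; extracted files land in the extract_files directory that the extraction analyzer uses by default, and the print line confirms each match. Set only_client_uploads to F to also keep server responses, and leave target_uri empty to filter on the destination address alone.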
