[Bro] using bro for file extraction

Jason Batchelor jxbatchelor at gmail.com
Tue Sep 1 06:40:27 PDT 2015


Hello Earl:

Are you attempting to do post processing on the file after it is fully
extracted with Bro via a third party script? If so, you may want to tap
into the file_state_remove event. I have an example of what this looks like
here if you scroll to the bottom.

https://github.com/EmersonElectricCo/fsf/blob/master/docs/MODULES.md

Hope that helps,
Jason

On Mon, Aug 31, 2015 at 2:17 PM, Earl Eiland <earl.eiland at root9b.com> wrote:

> I want to use bro to extract files for external analysis.
> Bro::FileDataEvent appears to be the proper approach.  However, I’m not
> finding the event to write a script for, nor do I know how to write to
> anything other than a log file.
>
> Please advise!
>
> Best Regards,
>
> Earl Eiland,
> Sr. Cyber Security Engineer,
> Emerging Technologies, root9B,
> San Antonio, Texas
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
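A worked Bro script for the approach Jason describes, added here as an example and not code from either poster or from the FSF project: the Files::ANALYZER_EXTRACT analyzer writes the file to disk, and file_state_remove is the hook that fires once Bro is finished with the file, which is where the extracted copy is handed to an external tool. The MIME type list, the extraction directory, and the /opt/analysis/scan_file.sh tool are assumptions for illustration. Note that the output filename is built from Bro's own source and fuid values rather than from the filename carried in HTTP or SMTP headers, so an attacker cannot steer where the file lands or what gets passed to the shell.

```bro
##! Extract files of selected MIME types and hand each completed file to an
##! external analysis tool once Bro is done with it. Added example for this
##! thread (not the posters' code); the tool path, extraction directory and
##! MIME type list are assumptions to tune for your site.

@load base/files/extract
@load base/utils/exec

module ExtractAndAnalyze;

export {
    ## MIME types worth pulling off the wire (illustrative list).
    const extract_types: set[string] = {
        "application/x-dosexec",
        "application/pdf",
        "application/zip",
    } &redef;

    ## Hypothetical external analysis tool; receives the extracted path as $1.
    const analysis_tool = "/opt/analysis/scan_file.sh" &redef;

    ## Stop extracting after this many bytes so a large transfer cannot fill
    ## the disk (the analyzer's default comes from FileExtract::default_limit).
    const max_size = 10 * 1024 * 1024 &redef;
}

# Directory the extract analyzer writes into (assumed path).
redef FileExtract::prefix = "/var/lib/bro/extracted/";

# file_sniff fires once Bro has seen enough bytes to identify the MIME type.
# Attach the extract analyzer only to types we care about, and name the output
# file from Bro's own identifiers (source + fuid), never from the
# attacker-controlled filename seen in protocol headers.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname, $extract_limit=max_size]);
    }

# file_state_remove fires when Bro is finished with a file, so the extracted
# copy on disk is complete (or truncated at extract_limit) by the time this
# handler runs. This is the point to hand it to something outside Bro.
event file_state_remove(f: fa_file)
    {
    # The extract analyzer records the filename it used in f$info$extracted;
    # files we did not extract simply lack the field.
    if ( ! f?$info || ! f$info?$extracted )
        return;

    local path = FileExtract::prefix + f$info$extracted;

    # Exec::run spawns the tool and the 'when' body runs once it exits, so
    # packet processing is not blocked. The command contains only our fixed
    # tool path and a filename we built from fuid characters, so there is no
    # shell-injection surface in it.
    when ( local res = Exec::run([$cmd=fmt("%s %s", analysis_tool, path)]) )
        {
        if ( res$exit_code != 0 )
            Reporter::warning(fmt("analysis of %s (fuid %s) failed, exit %d",
                                  path, f$id, res$exit_code));
        else if ( res?$stdout )
            for ( i in res$stdout )
                print fmt("%s: %s", f$id, res$stdout[i]);
        }
    }
```

Load it with `bro -r capture.pcap extract-and-analyze.bro` or drop it in local.bro. If the external tool should feed results back into Bro's own logging rather than stdout, parse res$stdout in the when body and write the fields to a custom log stream created with Log::create_stream; the file_state_remove handler is the same either way.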