[Bro] using bro for file extraction

Hosom, Stephen M hosom at battelle.org
Tue Sep 1 07:17:31 PDT 2015


I have examples of this at:

https://github.com/hosom/bro-file-extraction

The plugins directory has examples of running external scripts on the extracted files. Check out the ones that store files by their hash names.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Tuesday, September 01, 2015 9:40 AM
To: Earl Eiland; bro at bro.org
Subject: Re: [Bro] using bro for file extraction

Hello Earl:

Are you attempting to do post processing on the file after it is fully extracted with Bro via a third party script? If so, you may want to tap into the file_state_remove event. I have an example of what this looks like here if you scroll to the bottom.

https://github.com/EmersonElectricCo/fsf/blob/master/docs/MODULES.md

Hope that helps,
Jason

On Mon, Aug 31, 2015 at 2:17 PM, Earl Eiland <earl.eiland at root9b.com> wrote:
I want to use bro to extract files for external analysis. Bro::FileDataEvent appears to be the proper approach. However, I'm not finding the event to write a script for, nor do I know how to write to anything other than a log file.

Please advise!

Best Regards,

Earl Eiland,
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
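The pattern described in this thread (extract the file with the Files framework, name the on-disk copy by its hash as in Stephen's plugins, and hand it to an external script from file_state_remove as Jason suggests) in a single Bro script. This is an added example written for this page, not code from either of the linked repositories. It assumes Bro 2.4 or later (for the file_sniff event), and the extraction directory, the MIME-type list and the analysis command are constructed placeholders to adjust for your deployment:

```bro
# Added example (not from the bro-file-extraction or fsf projects).
# Assumes Bro 2.4+: file_sniff, Files::ANALYZER_EXTRACT, Exec::run.
@load base/frameworks/files
@load base/files/extract
@load base/files/hash
@load base/utils/exec

module ExtractHandoff;

export {
	## Constructed: directory the extract analyzer writes into.
	redef FileExtract::prefix = "/var/bro/extract/";

	## Constructed: only hand these MIME types to the external tool.
	const extract_types: set[string] = {
		"application/x-dosexec",
		"application/pdf",
	} &redef;

	## Hypothetical external analysis script; it receives the
	## hash-named path as its only argument.
	const analysis_cmd = "/usr/local/bin/analyze_file.sh" &redef;
}

# Decide at sniff time whether to extract; attach the SHA256 analyzer
# at the same time so the hash is available when the file is done.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type || meta$mime_type !in extract_types )
		return;

	Files::add_analyzer(f, Files::ANALYZER_SHA256);

	# f$id is generated by Bro, so the temporary name contains nothing
	# taken from the traffic itself.
	local tmp_name = fmt("tmp-%s", f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=tmp_name]);
	}

# file_state_remove fires after all analyzers are done, so the extracted
# file is fully written and the hash is known. Rename it to its SHA256
# and run the external tool asynchronously.
event file_state_remove(f: fa_file)
	{
	if ( ! f$info?$extracted || ! f$info?$sha256 )
		return;

	# Assumption: the extracted file lives at prefix + extracted name.
	local src = fmt("%s/%s", FileExtract::prefix, f$info$extracted);
	local dst = fmt("%s/%s", FileExtract::prefix, f$info$sha256);

	# str_shell_escape guards the shell command even though both paths
	# are built only from Bro-generated identifiers and hex digests.
	local cmd = fmt("mv %s %s && %s %s",
	                str_shell_escape(src), str_shell_escape(dst),
	                analysis_cmd, str_shell_escape(dst));

	when ( local res = Exec::run([$cmd=cmd]) )
		{
		if ( res$exit_code != 0 )
			Reporter::warning(fmt("external analysis of %s failed (exit %d)",
			                      dst, res$exit_code));
		}
	timeout 5min
		{
		Reporter::warning(fmt("external analysis of %s timed out", dst));
		}
	}
```

The hash name is only known once the file is complete, which is why the rename happens in file_state_remove rather than when the extract analyzer is attached; files.log will still record the temporary name in its extracted field. Anything the external script does with the file should treat it as hostile content (run it sandboxed, never execute it), and using Exec::run with a timeout keeps a hung analysis from blocking the event loop.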
