[Bro] using bro for file extraction
Hosom, Stephen M
hosom at battelle.org
Tue Sep 1 07:17:31 PDT 2015
I have examples of this at:
https://github.com/hosom/bro-file-extraction
The plugins directory has examples of running external scripts on the extracted files. Check out the ones that store files by their hash names.
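An added example (not code from Stephen's repository or from Jason's FSF docs) of the approach both replies describe: attach the extract and SHA256 analyzers in file_new, then in file_state_remove, which fires only after the last byte has been written, hand the finished file's path and hash to an external script. The script path /usr/local/bin/post_process.sh and the module name are placeholders, and the field layout assumes Bro 2.4.

```bro
##! Added example: extract files and notify an external script once Bro has
##! finished writing each one. Written against Bro 2.4's Files framework.

@load base/files/extract
@load base/files/hash

module ExtractAndNotify;

export {
    ## Placeholder path for the external analysis script (assumption).
    const post_script = "/usr/local/bin/post_process.sh" &redef;
}

event file_new(f: fa_file)
    {
    # Attach both analyzers up front; the hash only becomes available
    # once the file is complete, which is exactly when we need it.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }

event file_state_remove(f: fa_file)
    {
    # Only files the extract analyzer was attached to carry this field.
    if ( ! f$info?$extracted )
        return;

    # f$info$extracted is the bare file name; the analyzer writes it under
    # FileExtract::prefix (default ./extract_files/).
    local path = build_path_compressed(FileExtract::prefix, f$info$extracted);
    local hash = f$info?$sha256 ? f$info$sha256 : "unknown";

    # Quote both arguments before they reach a shell. system() forks and
    # returns immediately, so the packet loop is not blocked.
    system(fmt("%s %s %s", post_script,
               safe_shell_quote(path), safe_shell_quote(hash)));
    }
```

Extracting every file fills a disk quickly, so in production gate file_new on f$source or the detected MIME type and pass an $extract_limit to the extract analyzer.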
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jason Batchelor
Sent: Tuesday, September 01, 2015 9:40 AM
To: Earl Eiland; bro at bro.org
Subject: Re: [Bro] using bro for file extraction
Hello Earl:
Are you attempting to do post processing on the file after it is fully extracted with Bro via a third party script? If so, you may want to tap into the file_state_remove event. I have an example of what this looks like here if you scroll to the bottom.
https://github.com/EmersonElectricCo/fsf/blob/master/docs/MODULES.md
Hope that helps,
Jason
On Mon, Aug 31, 2015 at 2:17 PM, Earl Eiland <earl.eiland at root9b.com> wrote:
I want to use bro to extract files for external analysis. Bro::FileDataEvent appears to be the proper approach. However, I’m not finding the event to write a script for, nor do I know how to write to anything other than a log file.
Please advise!
Best Regards,
Earl Eiland,
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro