[Bro] using bro for file extraction

Earl Eiland earl.eiland at root9b.com
Wed Sep 2 06:37:28 PDT 2015


Hello, Stephen.

Your code will work with minimal tweaking.

Thanks!
Earl

From: Hosom, Stephen M [mailto:hosom at battelle.org]
Sent: Tuesday, September 1, 2015 9:18 AM
To: Jason Batchelor <jxbatchelor at gmail.com>; Earl Eiland <earl.eiland at root9b.com>; bro at bro.org
Subject: RE: [Bro] using bro for file extraction

I have examples of this at:

https://github.com/hosom/bro-file-extraction

The plugins directory has examples of running external scripts on the extracted files. Check out the ones that store files by their hash names.

From: bro-bounces at bro.org On Behalf Of Jason Batchelor
Sent: Tuesday, September 01, 2015 9:40 AM
To: Earl Eiland; bro at bro.org
Subject: Re: [Bro] using bro for file extraction

Hello Earl:

Are you attempting to do post processing on the file after it is fully extracted with Bro via a third party script? If so, you may want to tap into the file_state_remove event. I have an example of what this looks like here if you scroll to the bottom.

https://github.com/EmersonElectricCo/fsf/blob/master/docs/MODULES.md

Hope that helps,
Jason

On Mon, Aug 31, 2015 at 2:17 PM, Earl Eiland <earl.eiland at root9b.com> wrote:
I want to use bro to extract files for external analysis.  Bro::FileDataEvent appears to be the proper approach.  However, I’m not finding the event to write a script for, nor do I know how to write to anything other than a log file.

Please advise!

Best Regards,

Earl Eiland,
Sr. Cyber Security Engineer,
Emerging Technologies, root9B,
San Antonio, Texas


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
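A Bro script that puts the pieces from this thread together: the extract and hash analyzers are attached once the MIME type is known, and file_state_remove does the post-processing (store the file under its hash, log the mapping). This is an added example, not code from any of the posters or the linked repositories; it assumes Bro 2.4 or later, and the extraction directory and MIME allow-list are constructed values.

```bro
##! Extract selected file types; in file_state_remove, store each under its hash and log the mapping.
@load base/files/extract
@load base/files/hash

module ExtractByHash;

# Assumed extraction directory (Bro's default is ./extract_files/).
redef FileExtract::prefix = "/var/spool/bro/extract/";

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:   time   &log;
		fuid: string &log;
		mime: string &log;
		md5:  string &log;
		path: string &log;
	};

	# Constructed allow-list of MIME types worth extracting.
	const interesting: set[string] = {
		"application/x-dosexec", "application/pdf", "application/zip",
	} &redef;
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="extracted_files"]);
	}

# The MIME type is only known after sniffing, so analyzers attach here.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type || meta$mime_type !in interesting )
		return;
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=f$id]);
	}

# Fires once all data for the file has been seen: the extracted copy is
# complete and f$info carries the hash, so post-processing belongs here.
event file_state_remove(f: fa_file)
	{
	if ( ! f$info?$extracted || ! f$info?$md5 )
		return;
	local src = build_path_compressed(FileExtract::prefix, f$info$extracted);
	local dst = build_path_compressed(FileExtract::prefix, f$info$md5);
	if ( ! rename(src, dst) )   # keep the original name if the move fails
		dst = src;
	Log::write(LOG, [$ts=network_time(), $fuid=f$id, $md5=f$info$md5,
	                 $mime=f$info?$mime_type ? f$info$mime_type : "-", $path=dst]);
	}
```

An external scanner can then be pointed at the hash-named files or at the extracted_files.log entries, rather than being invoked from inside the event handler.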
