[Bro] Issue when adding a field to files.log
Boreham-Smith
boreham.smith at gmail.com
Fri Sep 11 23:38:27 PDT 2015
Thanks Daniel,
What you suggest makes sense and explains the behaviour I observed. I guess
this leads me to the next thought: is there a way to delay the file
getting written out, or an alternate File event that could be used to
achieve the outcome I am looking for?
I am happy pulling the data from the notice logs I am generating, but it
seemed tidy to have this information in files.log too if possible.
regards,
Boreham
On Sat, Sep 12, 2015 at 3:33 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> What is most likely happening is that by the time your
> external program returns its result, the log record has
> already been written (without the cuckoo_id value) to files.log.
>
> On 09/11/2015 09:45 PM, Boreham-Smith wrote:
>
>> Hi All,
>>
>> I have written a script that extracts filetypes of interest, submits the
>> extracted file to the cuckoo sandbox, and records the cuckoo task_id. I
>> currently store this information successfully in the notice log, but
>> would like to add an optional field to the files.log to store this
>> task_id.
>>
>> I have confirmed that I can add and populate the new files.log field
>> with static values, but if I attempt to do this when calling an external
>> program to handle the cuckoo submission (i.e. I use the 'when' block
>> below), the value is not output in the log. The print statement within
>> the when block, and the notice.log output, confirm the value is being
>> populated; it is just not being written to files.log.
>>
>> Any suggestions on what I might be doing incorrectly?
>>
>> I have provided what I think are the relevant code extracts below, but
>> am happy to provide more detail if that will assist:
>>
>> # Add the new field to the files.log
>> redef record Files::Info += {
>>     cuckoo_id: int &optional &log;
>> };
>>
>> # Function that returns the cuckoo task_id
>> function submit_cuckoo(f: fa_file): int
>>     {
>>     local command = Exec::Command($cmd=fmt("%s extract_files/%s", tool, f$info$extracted));
>>     # Asynchronous: the body runs only once the external command has returned
>>     return when ( local result = Exec::run(command) )
>>         {
>>         local id: int = to_int(result$stdout[0]);
>>         return id;
>>         }
>>     }
>>
>> # Populate the new field
>> event file_state_remove(f: fa_file)
>>     {
>>     if ( f$info?$extracted )
>>         {
>>         when ( local id = submit_cuckoo(f) )
>>             {
>>             f$info$cuckoo_id = id;
>>             print fmt("Cuckoo ID value set: %d", f$info$cuckoo_id);
>>             NOTICE([$note=File::Cuckoo_Submission,
>>                     $msg=fmt("https://cuckoo/analysis/%s", f$info$cuckoo_id),
>>                     $f=f]);
>>             }
>>         }
>>     }
>>
>>
>> # files.log extract
>> #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted cuckoo_id
>> #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string int
>> 1441526348.202595 FtBY2c3CsMMNsBdAil 192.168.1.xxx 192.168.1.yyy CKkqBYszNpSR6Bgaf HTTP 0 EXTRACT application/msword - 0.108599 - F 616960 616960 0 0 F - - - - HTTP-FtBY2c3CsMMNsBdAil.doc -
>>
>> # notice.log extract
>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
>> #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
>> 1441526362.215942 CKkqBYszNpSR6Bgaf 192.168.1.yyy 33805 192.168.1.xxx 80 FtBY2c3CsMMNsBdAil application/msword http://192.168.1.xxx/files/test.doc tcp File::Cuckoo_Submission https://cuckoo/analysis/80 - 192.168.1.yyy 192.168.1.xxx 80 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
>>
>> -------
>> regards,
>>
>> Boreham
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
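One way to record the task_id without racing files.log is to write it to its own log stream when the sandbox result arrives, joined back to files.log by fuid. This is an added example, not code from the thread or from Bro itself; it assumes Bro 2.x, where the base file framework writes files.log from its own file_state_remove handler at priority -10 (so any 'when' body in a user handler runs after that write), and the `tool` path is a placeholder.

```bro
# Added example: log the cuckoo task_id to a separate stream once the
# asynchronous Exec::run result is available, instead of trying to set a
# field on f$info that has already been written to files.log.
module CuckooLog;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time   &log;   # when the sandbox result came back
        fuid:    string &log;   # joins this record to files.log
        task_id: int    &log;   # cuckoo task_id returned by the tool
    };

    # Placeholder path for the submission tool; not from the thread.
    const tool = "/usr/local/bin/cuckoo_submit" &redef;
}

event bro_init()
    {
    Log::create_stream(CuckooLog::LOG, [$columns=Info, $path="cuckoo"]);
    }

# Same trigger as the thread's script; the difference is where the result goes.
# By the time the 'when' body runs, f$info has already been logged, so a
# field set here can never appear in files.log.
event file_state_remove(f: fa_file)
    {
    if ( ! f$info?$extracted )
        return;

    # Capture what we need now; the file object goes away after this event.
    local fuid = f$id;
    local command = Exec::Command($cmd=fmt("%s extract_files/%s", tool, f$info$extracted));

    when ( local result = Exec::run(command) )
        {
        if ( ! result?$stdout || |result$stdout| == 0 )
            return;   # tool produced no task_id; nothing to log
        Log::write(CuckooLog::LOG, [$ts=network_time(), $fuid=fuid,
                                    $task_id=to_int(result$stdout[0])]);
        }
    timeout 60sec
        {
        Reporter::warning(fmt("cuckoo submission timed out for %s", fuid));
        }
    }
```

The resulting cuckoo.log can be joined to files.log on the fuid column, which is the same value the notice.log extract above carries.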
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150912/c674fbf6/attachment.html