[Bro] Realtime File Extracting problem

Doug Burks doug.burks at gmail.com
Tue Sep 15 04:29:09 PDT 2015


Hi Josh,

Have you verified that all NIC offloading functions are disabled?
http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

On Tue, Sep 15, 2015 at 2:27 AM, josh summitt <ascetik at gmail.com> wrote:
> Hey, I'm new to Bro but have been attempting to use the file extraction
> features. I can generally get it to work, but a lot of the time it's just
> wrong when I attempt it in real time.
>
> For instance, I'm downloading putty.exe and trying to extract it off the wire.
> I get the response below when downloading it 5 times. It only successfully
> extracted and hashed it once:
> file_hash, FZKBS62fkHvKf36GTd, sha1, 91b21fffe934d856c43e35a388c78fccce7471ea
>
> The other times it completely misses it. If I attempt from a pcap file on
> the same machine it grabs it every time. Is there a threshold or something I
> need to set in Bro for real-time captures?
>
> /tmp$ sudo /usr/local/bro/bin/bro -i eth0 -C
>
> listening on eth0, capture length 8192 bytes
>
>
> new file, FB4np7nWhWIo8sOg5
>
> file_hash, FB4np7nWhWIo8sOg5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
>
> new file, FxPYHc1et6sMSMY2jf   <----- missed the file
>
> new file, FsONwVnUBjs2Fq0i5
>
> file_hash, FsONwVnUBjs2Fq0i5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
>
> new file, FZKBS62fkHvKf36GTd <----- Yes it got  the file
>
> file_hash, FZKBS62fkHvKf36GTd, sha1, 91b21fffe934d856c43e35a388c78fccce7471ea
>
> new file, Fp04jH3KL23Zx75OVf
>
> file_hash, Fp04jH3KL23Zx75OVf, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
>
> new file, FK2LoX14jpBSyfpy67 <----- missed the file
>
> new file, FnJ7Mg1ymupibnvSW1
>
> file_hash, FnJ7Mg1ymupibnvSW1, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
>
> new file, FXriBu1tLEBhRVWTG3 <----- missed the file
>
> new file, FwByiJ30INM9Mk6DO9
>
> file_hash, FwByiJ30INM9Mk6DO9, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
>
> new file, Fn5DEA1WWvsykOA2Lh  <----- missed the file
>
> ^C1442296477.139167 received termination signal
>
> 1442296477.139167 2260 packets received on interface eth0, 0 dropped
>
> Thanks
> Josh
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
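One way to do the check Doug asks about, as an added example that is not part of this thread: a POSIX shell script that parses `ethtool -k` output and lists the offload features that matter for a capture interface and are still on. The interface name is whatever you pass as the first argument; the embedded `ethtool -k` text is a constructed sample so the parser can be exercised without a NIC.

```sh
#!/bin/sh
# Offload features that make a sniffing NIC hand the kernel (and Bro)
# coalesced or unchecksummed frames rather than what was on the wire.
CAPTURE_OFFLOADS="rx-checksumming tx-checksumming scatter-gather \
tcp-segmentation-offload generic-segmentation-offload \
generic-receive-offload large-receive-offload rx-vlan-offload tx-vlan-offload"

# enabled_offloads: parse 'ethtool -k <iface>' output on stdin and print each
# capture-relevant feature that is still "on", one per line. "off [fixed]" and
# indented sub-features such as tx-checksum-ipv4 are ignored.
enabled_offloads() {
  while IFS= read -r line; do
    feature=$(printf '%s' "${line%%:*}" | tr -d ' \t')
    case " $CAPTURE_OFFLOADS " in
      *" $feature "*) ;;
      *) continue ;;
    esac
    value=$(printf '%s' "${line#*:}" | tr -d ' \t')
    case $value in
      on*) printf '%s\n' "$feature" ;;
    esac
  done
}

# check_iface: query a real interface; return 1 and list offenders if any
# capture-relevant offload is enabled. Run as root before starting bro -i.
check_iface() {
  found=$(ethtool -k "$1" | enabled_offloads)
  if [ -n "$found" ]; then
    printf 'offloads still enabled on %s:\n%s\n' "$1" "$found" >&2
    printf 'disable each with: ethtool -K %s <feature> off\n' "$1" >&2
    return 1
  fi
  echo "all capture-relevant offloads are off on $1"
}

# Constructed sample of 'ethtool -k' output (not taken from the poster's box).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off'

# With an interface name given, check the live NIC; otherwise parse the sample.
if [ $# -gt 0 ]; then check_iface "$1"; else printf '%s\n' "$SAMPLE_ETHTOOL_K" | enabled_offloads; fi
```

On the sample the script reports rx-checksumming, tx-checksumming, generic-segmentation-offload and generic-receive-offload as still enabled; GRO in particular merges several on-the-wire TCP segments into one frame before Bro sees them.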

