[Bro] File Extraction: doc/xls=ok, docx/xlsx=ko

Tue Feb 16 03:29:46 PST 2016

Hello,
I am trying to find out if I did some mistake in my
extract.bro script.
Basically I am able to extract the doc,pdf,xls but
not the docx,xlsx,xlsm etc (all new office files).
Script looks like
this:

global ext_map: table[string] of string = {

["application/msword"] = "doc",

["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]
= "docx",

["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]
= "dotx",
 ["application/vnd.ms-word.document.macroEnabled.12"] =
"docm",
 ["application/vnd.ms-word.template.macroEnabled.12"] = "dotm",

["application/vnd.ms-excel"] = "xls",

["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] =
"xlsx",

["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]
= "xltx",
 ["application/vnd.ms-excel.sheet.macroEnabled.12"] = "xlsm",

["application/vnd.ms-excel.template.macroEnabled.12"] = "xltm",

["application/vnd.ms-excel.addin.macroEnabled.12"] = "xlam",

["application/vnd.ms-excel.sheet.binary.macroEnabled.12"] = "xlsb",

["application/vnd.ms-powerpoint"] = "ppt",

["application/vnd.openxmlformats-officedocument.presentationml.presentation"]
= "pptx",

["application/vnd.openxmlformats-officedocument.presentationml.template"]
= "potx",

["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]
= "ppsx",
 ["application/vnd.ms-powerpoint.addin.macroEnabled.12"] =
"ppam",
 ["application/vnd.ms-powerpoint.presentation.macroEnabled.12"]
= "pptm",

["application/vnd.ms-powerpoint.presentation.macroEnabled.12"] =
"potm",
 ["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"] =
"ppsm",
} &default ="";

event file_new(f: fa_file)
 {
 if ( !
f?$mime_type )
 return;
 local ext = "";
 if ( f?$mime_type )
 ext =
ext_map[f$mime_type];
 #if ( ext !="pdf" && ext !="exe" && ext !="swf"
)
 if ( ext !="doc" && ext !="docx" && ext !="dotx" && ext !="docm" &&
ext !="dotm" && ext !="xls" && ext !="xlsx" && ext !="xltx" && ext
!="xlsm" && ext !="xltm" && ext !="xlam" && ext !="xlsb" && ext !="ppt"
&& ext !="pptx" && ext !="potx" && ext !="ppsx" && ext !="ppam" && ext
!="pptm" && ext !="potm" && ext !="ppsm" )
 return;

 local fname =
fmt("/bro/extracted/%s-%s.%s", f$source, f$id, ext);

Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
 break;
}

Into the files.log I can see when
extract matches:

1455104772.317535 FiWH8E2GK4LZmK8kYg 12.23.29.13
194.1.1.22 C9Ujyw1HodyV6hrs4f SMTP 5 DATA_EVENT,EXTRACT,SHA1,MD5
application/msword SPCH_100658601_1_Skillsupdatefebruary2016.doc
0.056888 T F 44973 - 2736 0 F - - - -
/bro/extracted/SMTP-FiWH8E2GK4LZmK8kYg.doc
1455105508.920691
FiqR9N1j5G1JlUlDe 12.23.29.13 12.3.16.5 COsYzjbE2bCVGewz1 SMTP 7
SHA1,DATA_EVENT,MD5,EXTRACT application/msword SCD List - SS101-612a.vsd
0.148642 T F 91656 - 2696 0 F - - - -
/bro/extracted/SMTP-FiqR9N1j5G1JlUlDe.doc
1455105575.354126
FmnQbA19ShsuCDh0bk 12.23.29.13 16.2.23.2 CXYSjQx0YmTqhDagf SMTP 3
DATA_EVENT,MD5,SHA1,EXTRACT application/msword 00336582.doc 0.378492 TF
177152 - 0 0 F - c7c213a316143494115c905fd28938f9
8b7d7c28b0d2c28ad1287db60e7c26925181ab07 -
/bro/extracted/SMTP-FmnQbA19ShsuCDh0bk.doc

But no matches for new
office files...

Do you have any idea?

I have another question: in
order to keep track of files extracted, how can I set the filename with
something trackable like realfilename ?

Thanks in advance.

Connetti gratis il mondo con la nuova indoona:  hai la chat, le chiamate, le video chiamate e persino le chiamate di gruppo.
E chiami gratis anche i numeri fissi e mobili nel mondo!
Scarica subito l’app Vai su https://www.indoona.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160216/d77478b0/attachment.html 