[Bro] File Extraction: doc/xls=ok, docx/xlsx=ko

Tue Feb 16 06:01:13 PST 2016

> On Feb 16, 2016, at 6:29 AM, puntogtg at tiscali.it wrote:
> 
> Hello,
> I am trying to find out if I did some mistake in my extract.bro script.
> Basically   I am able to extract the doc,pdf,xls but not the docx,xlsx,xlsm etc (all new office files).

I believe the problem is that as far as bro is concerned, new office files are really .zip archives.

> Script looks like this:
>  
> global ext_map: table[string] of string = {
>     ["application/msword"] = "doc",
>     ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
>     ["application/vnd.openxmlformats-officedocument.wordprocessingml.template"] = "dotx",
> 
[..]
> } &default ="";
> 
>  
> event file_new(f: fa_file)
>    {
>        if ( ! f?$mime_type  )
>         return;
>     local ext = "";
>  if ( f?$mime_type )
>         ext = ext_map[f$mime_type];
>     #if ( ext !="pdf" && ext !="exe" && ext !="swf" )
>     if ( ext !="doc" && ext !="docx" && ext !="dotx" && ext !="docm" && ext !="dotm" && ext !="xls" && ext !="xlsx" && ext !="xltx" && ext !="xlsm" && ext !="xltm" && ext !="xlam" && ext !="xlsb" && ext !="ppt" && ext !="pptx" && ext !="potx" && ext !="ppsx" && ext !="ppam" && ext !="pptm" && ext !="potm" && ext !="ppsm" )
>     return;
> 
>       local fname = fmt("/bro/extracted/%s-%s.%s", f$source, f$id, ext);
>            Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
>            break;
> }

Aside from the issue that docx shows up as a zip file, here is a fixed up version of that file_new event:

event file_new(f: fa_file)
   {
    if (!f?$mime_type)
        return;

    if (f$mime_type !in ext_map)
        return;

    ext = ext_map[f$mime_type];
    local fname = fmt("/bro/extracted/%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    break;
}

-- 
- Justin Azoff