[Bro] File Extraction: doc/xls=ok, docx/xlsx=ko

puntogtg at tiscali.it puntogtg at tiscali.it
Thu Feb 18 00:24:36 PST 2016


  Hello,
regarding filename I'm trying something like this:

 local
fname = fmt("/bro/extracted/%s.%s", f$info$filename, ext);

Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
 break;

No errors but files are not being
saved. :)
Can you give me some help?
Thanks

Il 16.02.2016 13:11 Peter
Österberg ha scritto: 

> I have never done this myself but it seems
like f$info$filename could be a possible solution to your second
question.
> 
> /Peter
> 
> Den 2016-02-16 kl. 12:29, skrev
puntogtg at tiscali.it [4]: 
> 
>> Hello,
>> I am trying to find out if I
did some mistake in my extract.bro script.
>> Basically I am able to
extract the doc,pdf,xls but not the docx,xlsx,xlsm etc (all new office
files).
>> Script looks like this:
>> 
>> global ext_map: table[string]
of string = {
>> ["application/msword"] = "doc",
>>
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]
= "docx",
>>
["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]
= "dotx",
>> ["application/vnd.ms-word.document.macroEnabled.12"] =
"docm",
>> ["application/vnd.ms-word.template.macroEnabled.12"] =
"dotm",
>> ["application/vnd.ms-excel"] = "xls",
>>
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] =
"xlsx",
>>
["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]
= "xltx",
>> ["application/vnd.ms-excel.sheet.macroEnabled.12"] =
"xlsm",
>> ["application/vnd.ms-excel.template.macroEnabled.12"] =
"xltm",
>> ["application/vnd.ms-excel.addin.macroEnabled.12"] =
"xlam",
>> ["application/vnd.ms-excel.sheet.binary.macroEnabled.12"] =
"xlsb",
>> ["application/vnd.ms-powerpoint"] = "ppt",
>>
["application/vnd.openxmlformats-officedocument.presentationml.presentation"]
= "pptx",
>>
["application/vnd.openxmlformats-officedocument.presentationml.template"]
= "potx",
>>
["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]
= "ppsx",
>> ["application/vnd.ms-powerpoint.addin.macroEnabled.12"] =
"ppam",
>>
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"] =
"pptm",
>>
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"] =
"potm",
>> ["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"] =
"ppsm",
>> } &default ="";
>> 
>> event file_new(f: fa_file)
>> {
>> if
( ! f?$mime_type )
>> return;
>> local ext = "";
>> if ( f?$mime_type
)
>> ext = ext_map[f$mime_type];
>> #if ( ext !="pdf" && ext !="exe" &&
ext !="swf" )
>> if ( ext !="doc" && ext !="docx" && ext !="dotx" && ext
!="docm" && ext !="dotm" && ext !="xls" && ext !="xlsx" && ext !="xltx"
&& ext !="xlsm" && ext !="xltm" && ext !="xlam" && ext !="xlsb" && ext
!="ppt" && ext !="pptx" && ext !="potx" && ext !="ppsx" && ext !="ppam"
&& ext !="pptm" && ext !="potm" && ext !="ppsm" )
>> return;
>> 
>>
local fname = fmt("/bro/extracted/%s-%s.%s", f$source, f$id, ext);
>>
Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
[$extract_filename=fname]);
>> break;
>> }
>> 
>> Into the files.log I
can see when extract matches:
>> 
>> 1455104772.317535
FiWH8E2GK4LZmK8kYg 12.23.29.13 194.1.1.22 C9Ujyw1HodyV6hrs4f SMTP 5
DATA_EVENT,EXTRACT,SHA1,MD5 application/msword
SPCH_100658601_1_Skillsupdatefebruary2016.doc 0.056888 T F 44973 - 2736
0 F - - - - /bro/extracted/SMTP-FiWH8E2GK4LZmK8kYg.doc
>>
1455105508.920691 FiqR9N1j5G1JlUlDe 12.23.29.13 12.3.16.5
COsYzjbE2bCVGewz1 SMTP 7 SHA1,DATA_EVENT,MD5,EXTRACT application/msword
SCD List - SS101-612a.vsd 0.148642 T F 91656 - 2696 0 F - - - -
/bro/extracted/SMTP-FiqR9N1j5G1JlUlDe.doc
>> 1455105575.354126
FmnQbA19ShsuCDh0bk 12.23.29.13 16.2.23.2 CXYSjQx0YmTqhDagf SMTP 3
DATA_EVENT,MD5,SHA1,EXTRACT application/msword 00336582.doc 0.378492 TF
177152 - 0 0 F - c7c213a316143494115c905fd28938f9
8b7d7c28b0d2c28ad1287db60e7c26925181ab07 -
/bro/extracted/SMTP-FmnQbA19ShsuCDh0bk.doc
>> 
>> But no matches for new
office files...
>> 
>> Do you have any idea?
>> 
>> I have another
question: in order to keep track of files extracted, how can I set the
filename with something trackable like realfilename ?
>> 
>> Thanks in
advance.
>> 
>> Connetti gratis il mondo con la nuova indoona: hai la
chat, le chiamate, le video chiamate e persino le chiamate di gruppo.
>>
E chiami gratis anche i numeri fissi e mobili nel mondo!
>> Scarica
subito l'app Vai su https://www.indoona.com/ [1]
>> 
>>
_______________________________________________
>> Bro mailing list
>>
bro at bro-ids.org [2]
>>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [3]

Connetti
gratis il mondo con la nuova indoona: hai la chat, le chiamate, le video
chiamate e persino le chiamate di gruppo.
 E chiami gratis anche i
numeri fissi e mobili nel mondo!
 Scarica subito l'app Vai su
https://www.indoona.com/ [5]

  


Connetti gratis il mondo con la nuova indoona:  hai la chat, le chiamate, le video chiamate e persino le chiamate di gruppo.
E chiami gratis anche i numeri fissi e mobili nel mondo!
Scarica subito l’app Vai su https://www.indoona.com/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160218/d6aed76e/attachment.html 


More information about the Bro mailing list