[Bro] File Extraction: doc/xls=ok, docx/xlsx=ko

puntogtg at tiscali.it puntogtg at tiscali.it
Fri Feb 19 08:46:09 PST 2016


Josh,
I have to say apologies...
It was a good idea to check the version: I was running 2.3!
Now I have compiled the new one: 2.4.1 ^__^
Into extracted.bro I put again:

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( meta?$mime_type )
        {
        # extension looked up in the ext_map table shown below
        local ext = ext_map[meta$mime_type];
        local fname = fmt("/bro/extracted/%s.%s", f$info$filename, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
    }

It is working and the files are coming with a name!

A question now: previously I was using the map

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/vnd.ms-excel"] = "xls",
} &default = "";

to select which file types to save; now it seems all extensions are saved..
How can I select what to keep?

Thanks

On 19.02.2016 16:20 Josh Liburdi wrote:

> Apologies if I missed it, but which version of Bro are you running?
> 
> Josh
> 
> On Fri, Feb 19, 2016 at 9:54 AM, wrote:
> 
>> Hi, I added it but it tells me identifier not defined: fa_metadata
>>
>> On 19.02.2016 15:17 Seth Hall wrote:
>>
>>> On Feb 19, 2016, at 3:05 AM, puntogtg at tiscali.it wrote:
>>>
>>>> Of course the user has rights to write in that folder and the folder exists; in fact with the previous conf everything is ok, apart from the name of the files..
>>>
>>> Ugh, I just realized the problem...
>>>
>>>     if ( f?$mime_type )
>>>         ext = ext_map[f$mime_type];
>>>
>>> That code can't work in the file_new event. In Bro 2.4, there is a new event named file_sniff. It's at the point where some content from the file has been seen and Bro has had a chance to look at it and take a guess about the file type. You aren't seeing any file extraction because you have a return statement that's returning if there is no known file extension (which there isn't at that point!).
>>>
>>>     event file_sniff(f: fa_file, meta: fa_metadata)
>>>         {
>>>         if ( meta?$mime_type )
>>>             {
>>>             # put your code here...
>>>             }
>>>         }
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>
>> Connect the world for free with the new indoona: you get chat, calls, video calls and even group calls. And you also call landlines and mobiles around the world for free! Download the app now at https://www.indoona.com/
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



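As an added example (not code from this thread or from the Bro project), one way to keep only the MIME types listed in the table: test membership in `ext_map` before adding the extract analyzer. With `&default = ""` every sniffed type looks up to an empty extension, so the script above always attaches the analyzer and nothing is filtered. The module name `ExtractSelected`, the `extract_dir` constant and the `application/msword` entry are my own choices; the `f$id` prefix and the `gsub` sanitisation are there because the observed filename comes from the wire and must not be trusted as a path component.

```bro
# Added example for Bro 2.4: extract only the MIME types listed in ext_map.
@load base/files/extract

module ExtractSelected;

export {
    # Only these MIME types are extracted; anything else is ignored.
    # No &default here on purpose: absence from the table means "skip".
    const ext_map: table[string] of string = {
        ["application/x-dosexec"]    = "exe",
        ["application/vnd.ms-excel"] = "xls",
        ["application/msword"]       = "doc",   # assumed entry, not from the thread
    } &redef;

    # Assumed directory; must exist and be writable by the Bro user.
    const extract_dir = "/bro/extracted" &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # No guess yet, or a type we do not care about: do not attach the analyzer.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    local ext = ext_map[meta$mime_type];

    # f$info$filename is optional and attacker-controlled (it comes from the
    # protocol, e.g. an HTTP Content-Disposition). Fall back to the file id
    # and strip anything that is not a plain filename character so a
    # crafted name such as "../../etc/cron.d/x" cannot escape extract_dir.
    local base = f$id;
    if ( f?$info && f$info?$filename )
        base = gsub(f$info$filename, /[^A-Za-z0-9._-]/, "_");

    # Prefix with the file id so two transfers of "report.xls" never collide.
    local fname = fmt("%s/%s-%s.%s", extract_dir, f$id, base, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Load it from local.bro (or pass it on the bro command line) in place of the earlier extracted.bro; to add or remove types at deployment time, `redef ExtractSelected::ext_map += { ["application/pdf"] = "pdf" };` from another script rather than editing the module. Bear in mind that file_sniff fires on Bro's guess from the first bytes of the file, so a MIME type is a hint for naming and selection, not an authenticated statement about the content.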
