[Bro] Newbie question Extract Binaries from traffic

Scott P 55sjp55 at gmail.com
Tue Jul 26 07:08:57 PDT 2016


Newbie question: I added the following to my local.bro file

#Extract EXEs
redef HTTP::extract_file_types += /application\/x-dosexec/;
redef FTP::extract_file_types += /application\/x-dosexec/;

#Extract files to /nsm/bro/extracted
redef HTTP::extraction_prefix = "/nsm/bro/extracted/http/http-item";
redef FTP::extraction_prefix = "/nsm/bro/extracted/ftp/ftp-file";

But when I test against the file I am getting:

sudo bro -r http-putty.pcap  /opt/bro/share/bro/site/local.bro


error in /opt/bro/share/bro/site/local.bro, line 105: "redef" used but not
previously defined (HTTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can't
document redef of HTTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 106: "redef" used but not
previously defined (FTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can't
document redef of FTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 109: "redef" used but not
previously defined (HTTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can't
document redef of HTTP::extraction_prefix, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 110: "redef" used but not
previously defined (FTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can't
document redef of FTP::extraction_prefix, identifier lookup failed


Any insight would be helpful.

-- 
Read, pause, think, pause, write, pause, (perhaps erase), pause, read,
pause, (perhaps go back), pause, write, .... -- Alan Turing (1936)
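For reference, the same extraction written against the file analysis framework (the interface that replaced the per-protocol `extract_file_types` variables in Bro 2.2), as an added example that is not part of the original post. It assumes Bro 2.4 or later (the `file_sniff` event), is loaded from local.bro, and the output directory and file-name scheme are my choice.

```bro
# Added example, not from the original post: carve DOS/PE executables seen
# over HTTP and FTP using the Files framework. Assumes Bro 2.4+ (file_sniff
# with meta$mime_type). Load from local.bro with @load, or append it there.
@load base/files/extract

# Directory the extracted files are written to (created on first use).
redef FileExtract::prefix = "/nsm/bro/extracted/";

# MIME types to carve; application/x-dosexec covers DOS and PE executables.
const extract_mime_types: set[string] = { "application/x-dosexec" } &redef;

# Carriers to carve from. f$source is "HTTP" for HTTP bodies and
# "FTP_DATA" for FTP data-channel transfers.
const extract_sources: set[string] = { "HTTP", "FTP_DATA" } &redef;

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # The sniffed type comes from content signatures, not the declared
    # Content-Type; if Bro could not identify the content, do nothing.
    if ( ! meta?$mime_type )
        return;
    if ( meta$mime_type !in extract_mime_types )
        return;
    if ( f$source !in extract_sources )
        return;

    # Name the file after the carrier and Bro's own file id, never after the
    # URI or FTP argument, which is attacker-controlled and may contain
    # path separators.
    local fname = fmt("%s-%s", to_lower(f$source), f$id);

    # extract_filename is resolved relative to FileExtract::prefix.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run it the same way as the original command (`bro -r http-putty.pcap local.bro`) and check files.log: the `extracted` column records the name each carved file was written under.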