[Bro] Newbie question Extract Binaries from traffic

Johanna Amann johanna at icir.org
Tue Jul 26 18:13:57 PDT 2016


Hi Scott,

I think the syntax you are using there was retired with Bro 2.2 (or
potentially earlier). Newer versions of Bro use the file analysis
framework; documentation for it is available at
https://www.bro.org/sphinx-git/frameworks/file-analysis.html

To see an example of someone using the framework, see e.g. the email
thread at
http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008715.html

I hope this helps,
 Johanna

On Tue, Jul 26, 2016 at 10:08:57AM -0400, Scott P wrote:
> Newbie question added the following to my local.bro file
> 
> #Extract EXEs
> redef HTTP::extract_file_types += /application\/x-dosexec/;
> redef FTP::extract_file_types += /application\/x-dosexec/;
> 
> #Extract files to /nsm/bro/extracted
> redef HTTP::extraction_prefix = "/nsm/bro/extracted/http/http-item";
> redef FTP::extraction_prefix = "/nsm/bro/extracted/ftp/ftp-file";
> 
> But when I test against the file I am getting:
> 
> sudo bro -r http-putty.pcap  /opt/bro/share/bro/site/local.bro
> 
> 
> error in /opt/bro/share/bro/site/local.bro, line 105: "redef" used but not
> previously defined (HTTP::extract_file_types)
> internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can't
> document redef of HTTP::extract_file_types, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 106: "redef" used but not
> previously defined (FTP::extract_file_types)
> internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can't
> document redef of FTP::extract_file_types, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 109: "redef" used but not
> previously defined (HTTP::extraction_prefix)
> internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can't
> document redef of HTTP::extraction_prefix, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 110: "redef" used but not
> previously defined (FTP::extraction_prefix)
> internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can't
> document redef of FTP::extraction_prefix, identifier lookup failed
> 
> 
> Any insight would be helpful.
> 
> -- 
> Read, pause, think, pause, write, pause, (perhaps erase), pause, read,
> pause, (perhaps go back), pause, write, .... -- Alan Turing (1936)

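For readers landing on this thread, here is what the retired `extract_file_types` / `extraction_prefix` knobs look like when rewritten for the file analysis framework that Johanna points to. This is an added example, not code from the thread or from the Bro project; it assumes a Bro release that has the `file_sniff` event (2.4 or later), and the `/nsm/bro/extracted/` output directory, the `ExtractExe` module name and the two `extract_*` sets are constructed for the example.

```bro
# Added example (not from the original thread): extract Windows executables
# with the Bro file analysis framework instead of the retired
# HTTP::extract_file_types / FTP::extract_file_types redefs.
# Assumptions: Bro 2.4+ (file_sniff event) and a writable
# /nsm/bro/extracted/ directory (a constructed path for this example).

@load base/frameworks/files
@load base/files/extract

module ExtractExe;

export {
    ## MIME types that should be written to disk (constructed set).
    const extract_types: set[string] = { "application/x-dosexec" } &redef;

    ## Values of fa_file$source we extract from; FTP payloads arrive
    ## on the data channel, hence "FTP_DATA" rather than "FTP".
    const extract_sources: set[string] = { "HTTP", "FTP_DATA" } &redef;
}

# Output directory used by the extract analyzer. FileExtract::prefix is the
# framework's own option (its default is "./extract_files/").
redef FileExtract::prefix = "/nsm/bro/extracted/";

# file_sniff fires as soon as the framework has sniffed a file's MIME type,
# which is early enough for the extract analyzer to capture the whole file.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # MIME type is optional metadata; skip files where sniffing found none.
    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    if ( ! f?$source || f$source !in extract_sources )
        return;

    # Name the file after its protocol and Bro's unique file id so names
    # never collide and each extracted file can be tied back to files.log.
    local fname = fmt("%s-%s.exe", f$source, f$id);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Drop this into local.bro (or `@load` it from there) and run it against the capture from the question, `bro -r http-putty.pcap local.bro`; the extract script records the chosen file name in the `extracted` column of files.log, which is the place to look when checking whether a given transfer was written out. Because extraction is attached per file from a script event rather than through a global regex, the same hook extends naturally to other MIME types or to additional sources such as SMTP by redefining the two sets.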


