[Bro] Newbie question Extract Binaries from traffic

Hosom, Stephen M hosom at battelle.org
Wed Jul 27 05:22:29 PDT 2016


Scott, 

I have an example of how file extraction is usually done on modern Bro versions here: 

https://github.com/hosom/bro-file-extraction

I'm assuming, based on what it looks like you were trying to do, that you want to extract PE files that appear in HTTP and FTP?

You might try loading the extract-pe.bro script from the plugins directory in that repo. It won't limit the extraction to just HTTP and FTP though. You'd have to modify the script to get it to do that.

-Stephen
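Putting the two replies together, this is what the intent behind Scott's retired `HTTP::extract_file_types` / `extraction_prefix` lines looks like on the file analysis framework. It is an added example, not code from this thread, from the bro-file-extraction repo, or from the Bro distribution. It assumes Bro 2.4 or later (the `file_sniff` event and `FileExtract::prefix`), that `/nsm/bro/extracted/` is writable by the Bro process, and that the module name `ExtractPE` and the two sets `extract_types` / `extract_sources` are names made up here, not part of any Bro API.

```bro
# Added example (not from the thread or the bro-file-extraction repo).
# Extract PE files (MIME type application/x-dosexec) seen over HTTP or
# FTP into one directory, using the file analysis framework that
# replaced HTTP::extract_file_types / HTTP::extraction_prefix in Bro 2.2.
# Assumes Bro 2.4+ (file_sniff event). Module and set names below are
# illustrative, not Bro identifiers.

@load base/files/extract

module ExtractPE;

export {
	## Directory extracted files are written to; the extract analyzer
	## creates it if it is missing. The path is taken from Scott's config.
	redef FileExtract::prefix = "/nsm/bro/extracted/";

	## MIME types worth pulling off the wire (assumed name).
	const extract_types: set[string] = { "application/x-dosexec" } &redef;

	## Protocol sources to extract from (assumed name). Bro labels files
	## carried on the FTP data channel "FTP_DATA", not "FTP".
	const extract_sources: set[string] = { "HTTP", "FTP_DATA" } &redef;
}

# file_sniff fires as soon as the MIME type has been identified, which is
# the earliest point at which the EXTRACT analyzer can be attached without
# missing the beginning of the file.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Not every file gets a MIME type; skip anything Bro could not classify.
	if ( ! meta?$mime_type || meta$mime_type !in extract_types )
		return;

	# Restrict extraction to the protocols asked about; everything else
	# (SMTP attachments, SMB, ...) is left alone.
	if ( f$source !in extract_sources )
		return;

	# Name the on-disk copy after source and file id so HTTP and FTP
	# extractions can be told apart. FileExtract::prefix is prepended by
	# the framework; f$id is the same id written to files.log.
	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}
```

Drop this in a file that local.bro `@load`s, then run `bro -r http-putty.pcap local.bro`: files.log should show `application/x-dosexec` with the `extracted` column filled for the HTTP entry and nothing extracted for other sources. Remember that the extraction directory will fill with attacker-supplied binaries, so mount it noexec, keep it out of any path host AV quarantines from, and size it (or rotate it) for the traffic volume you expect.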

________________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Johanna Amann [johanna at icir.org]
Sent: Tuesday, July 26, 2016 9:13 PM
To: Scott P
Cc: bro at bro.org
Subject: Re: [Bro] Newbie question Extract Binaries from traffic

Hi Scott,

I think the syntax you are using there was retired with Bro 2.2 (or
potentially earlier). Newer versions of Bro use the file analysis
framework; documentation for it is available at
https://www.bro.org/sphinx-git/frameworks/file-analysis.html

To see an example of someone using the framework, see e.g. the email
thread at
http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008715.html

I hope this helps,
 Johanna

On Tue, Jul 26, 2016 at 10:08:57AM -0400, Scott P wrote:
> Newbie question added the following to my local.bro file
>
> #Extract EXEs
> redef HTTP::extract_file_types += /application\/x-dosexec/;
> redef FTP::extract_file_types += /application\/x-dosexec/;
>
> #Extract files to /nsm/bro/extracted
> redef HTTP::extraction_prefix = "/nsm/bro/extracted/http/http-item";
> redef FTP::extraction_prefix = "/nsm/bro/extracted/ftp/ftp-file";
>
> But when I test against the file I am getting:
>
> sudo bro -r http-putty.pcap  /opt/bro/share/bro/site/local.bro
>
>
> error in /opt/bro/share/bro/site/local.bro, line 105: "redef" used but not
> previously defined (HTTP::extract_file_types)
> internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can't
> document redef of HTTP::extract_file_types, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 106: "redef" used but not
> previously defined (FTP::extract_file_types)
> internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can't
> document redef of FTP::extract_file_types, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 109: "redef" used but not
> previously defined (HTTP::extraction_prefix)
> internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can't
> document redef of HTTP::extraction_prefix, identifier lookup failed
> error in /opt/bro/share/bro/site/local.bro, line 110: "redef" used but not
> previously defined (FTP::extraction_prefix)
> internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can't
> document redef of FTP::extraction_prefix, identifier lookup failed
>
>
> Any insight would be helpful.
>
> --
> Read, pause, think, pause, write, pause, (perhaps erase), pause, read,
> pause, (perhaps go back), pause, write, .... -- Alan Turing (1936)

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
