[Bro] File Extraction

al brocino al.brocino1 at gmail.com
Fri Jul 29 06:42:32 PDT 2016


Hello Bro community,

I'm new to Bro and using version 2.3.2, and I want to extract all the exes
seen on the network. In bro-file-extract we are using the file-extract.bro
script to try to parse for the exes (partial script):

global ext_map: table[string] of string = {
    # libmagic reports PE binaries as application/x-dosexec (hyphen, not slash)
    ["application/x-dosexec"] = "exe",
} &default = "";   # unknown MIME types map to "" instead of raising a lookup error

redef FileExtract::default_limit = 314572800;
# prefix is the directory extracted files are written into
redef FileExtract::prefix = "/var/log/netlogs/bro/file-extracts/";

We also have the file-extract-http-local.bro set to extract on our network:

global http_extract_file_ignore: set[subnet] = {
    10.0.0.0/8,
};

We think the problem is that __load__.bro has the file extract commented out
under bro-icmp:
#@load ./file-extract-http-local.bro
#@load ./file-extract-types.bro
@load ./bro-file-extract
When I tried to enable these, Bro failed the script check with errors like:
internal warning in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 6: Discarded extraneous Broxygen comment: Modified from base scripts to extract only from external hosts
fatal error in /usr/local/bro/share/bro/site/./custom/./file-extract-http-local.bro, line 7: can't find base/protocols/http/file-ident
I continued to receive these errors and had to back out of removing the
comments.

Under bro-file-extract, __load__.bro looks correct:
@load ./file-extract

What I'm getting in /var/log/netlogs/bro/file-extracts are entries like:
HTTP-F7K52nSzN3h7GNM31.exe
These files occur occasionally; I'm not sure what they are.

Thanks for your help,

Al
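A complete version of the extraction policy the post is assembling, added here as an example and not the poster's script: it combines the ext_map, the prefix/limit redefs and the http_extract_file_ignore set into one file_new handler that skips files sent by ignored hosts. It assumes Bro 2.3-era script APIs (file_new, fa_file$conns, Files::ANALYZER_EXTRACT) and that the prefix directory exists and is writable by the Bro process; from_ignored_host is a hypothetical helper name.

```bro
# Added example, not the poster's file-extract.bro.
@load base/files/extract

# Directory (not a .bro file) that extracted files are written into.
redef FileExtract::prefix = "/var/log/netlogs/bro/file-extracts/";
# Per-file extraction limit of 300 MiB, as in the post.
redef FileExtract::default_limit = 314572800;

# libmagic reports PE binaries as application/x-dosexec.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default = "";

# Files sent by a host inside these subnets are not extracted.
global http_extract_file_ignore: set[subnet] = {
    10.0.0.0/8,
};

# Returns T when the host that sent the file is in an ignored subnet.
function from_ignored_host(f: fa_file): bool
    {
    if ( ! f?$conns )
        return F;
    for ( cid in f$conns )
        {
        # The sender is the originator only when the file flows orig -> resp.
        local sender = ( f?$is_orig && f$is_orig ) ? cid$orig_h : cid$resp_h;
        if ( sender in http_extract_file_ignore )
            return T;
        }
    return F;
    }

event file_new(f: fa_file)
    {
    # Only HTTP, only MIME types listed in ext_map, only from non-ignored hosts.
    if ( f$source != "HTTP" )
        return;
    if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
        return;
    if ( from_ignored_host(f) )
        return;

    # Produces names like HTTP-F7K52nSzN3h7GNM31.exe, the form seen in the post.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Run `bro -C -r capture.pcap this-script.bro` against a pcap to check that only executables from non-ignored hosts land under FileExtract::prefix.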