[Bro] Renaming carved files

Michael Cochran macochran0 at gmail.com
Tue Mar 1 09:35:55 PST 2016


I'm trying to find a simple way to rename a carved file back to its
original file name using bro-script rather than having bash try to rip it
out of the files.log file. I have seen the mime type analyzers on git that
re-add the extension based on known mime types, but I'd rather be able to
immediately identify the original file name as it came across the wire. I
don't need the unique session identifier because by the time I'm using bro
file analysis I already have the individual session pcap isolated.

I'm guessing there should be a way to capture the files.log table data in
broscript, match the unique file identifier then rename the file with that
filename string from files.log.
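
One way to do the rename inside Bro itself, as an added example that is not part of the original post or of the Bro distribution. It assumes the Bro 2.4-era script API; safe_name and the "carved-" prefix are hypothetical names chosen here. The file name comes off the wire and is only present when the protocol analyzer reported one, so it is reduced to a safe basename before it touches the filesystem.

```bro
@load base/files/extract

# Hypothetical helper: turn a wire-supplied (untrusted) name into a safe basename.
function safe_name(name: string): string
	{
	# Drop directory components so "../../etc/x" or "C:\dir\x" cannot leave the
	# extraction directory.
	local base = gsub(name, /.*[\/\\]/, "");
	# Replace anything outside a conservative character set.
	base = gsub(base, /[^A-Za-z0-9._-]/, "_");
	# Reject empty names and names made only of dots ("." or "..").
	if ( base == "" || base == /\.+/ )
		return "";
	return base;
	}

event file_new(f: fa_file)
	{
	# Carve every file under a temporary name keyed on the file id (fuid).
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fmt("carved-%s", f$id)]);
	}

event file_state_remove(f: fa_file)
	{
	# The original name is optional; leave the temporary name if none was seen.
	if ( ! f?$info || ! f$info?$extracted || ! f$info?$filename )
		return;

	local name = safe_name(f$info$filename);
	if ( name == "" )
		return;

	# Keep the fuid in front so two files with the same original name
	# do not overwrite each other.
	local new_rel = fmt("%s-%s", f$id, name);
	local src = build_path_compressed(FileExtract::prefix, f$info$extracted);
	local dst = build_path_compressed(FileExtract::prefix, new_rel);

	if ( rename(src, dst) )
		# Keep files.log consistent with the name on disk.
		f$info$extracted = new_rel;
	else
		Reporter::warning(fmt("could not rename %s to %s", src, dst));
	}
```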