[Bro] Renaming carved files

anthony kasza anthony.kasza at gmail.com
Tue Mar 1 10:48:49 PST 2016


This is a tricky thing to do regardless of how you do it. What happens when
the file was transferred over something besides protocols with URLs? Or,
what if the file is a PE and includes an original name in its manifest but
resides at a different URL?

-AK

On Mar 1, 2016 9:51 AM, "Michael Cochran" <macochran0 at gmail.com> wrote:

> I'm trying to find a simple way to rename a carved file back to its
> original file name using bro-script rather than having bash try to rip it
> out of the files.log file. I have seen the mime type analyzers on git that
> re-add the extension based on known mime types, but I'd rather be able to
> immediately identify the original file name as it came across the wire. I
> don't need the unique session identifier because by the time I'm using bro
> file analysis I already have the individual session pcap isolated.
>
> I'm guessing there should be a way to capture the files.log table data in
> broscript, match the unique file identifier then rename the file with that
> filename string from files.log.
>
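An added example, not part of the original thread and not Bro's own code: a Python post-processing sketch that matches each carved file to its files.log record by `fuid` and builds a rename target from the `filename` column. It treats the on-the-wire name as untrusted input and falls back to the fuid when no name was logged, which covers the cases raised in the reply; the sample records, fuid values and extracted names are constructed.

```python
import os
import re

# Constructed sample in Bro's tab-separated files.log layout (fields trimmed).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tfuid\tsource\tfilename\textracted",
    "FAbc111\tHTTP\tinvoice.pdf\tHTTP-FAbc111.pdf",
    "FAbc222\tHTTP\t../../etc/cron.d/x\tHTTP-FAbc222.txt",
    "FAbc333\tSMTP\t-\tSMTP-FAbc333.exe",
    "FAbc444\tHTTP\tinvoice.pdf\t-",
])

def parse_files_log(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def safe_name(fuid, wire_name):
    """Build a rename target from the sender-controlled on-the-wire name."""
    if wire_name in ("-", "(empty)", ""):
        return fuid  # no name was logged for this transfer: keep the fuid
    base = wire_name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    # Prefix the fuid so two transfers of the same name cannot collide.
    return f"{fuid}_{base[:100]}" if base else fuid

def rename_plan(log_text):
    """Map extracted file name -> new name for every carved file."""
    plan = {}
    for rec in parse_files_log(log_text):
        extracted = rec.get("extracted", "-")
        if extracted != "-":
            plan[extracted] = safe_name(rec["fuid"], rec.get("filename", "-"))
    return plan

def apply_plan(plan, extract_dir):
    """Rename inside extract_dir only; skip files that are missing."""
    for old, new in plan.items():
        src = os.path.join(extract_dir, old)
        if os.path.isfile(src):
            os.rename(src, os.path.join(extract_dir, new))

if __name__ == "__main__":
    for old, new in rename_plan(SAMPLE_LOG).items():
        print(old, "->", new)
```

The new name records only what the sender claimed; it says nothing about the file's real type, so keep the fuid prefix for tracing back to files.log.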