[Bro] Renaming carved files

Daniel Guerra daniel.guerra69 at gmail.com
Tue Mar 1 11:18:38 PST 2016


https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro


> On 01 Mar 2016, at 18:35, Michael Cochran <macochran0 at gmail.com> wrote:
> 
> I'm trying to find a simple way to rename a carved file back to its original file name using bro-script rather than having bash try to rip it out of the files.log file. I have seen the mime type analyzers on git that re-add the extension based on known mime types, but I'd rather be able to immediately identify the original file name as it came across the wire. I don't need the unique session identifier because by the time I'm using bro file analysis I already have the individual session pcap isolated.
> 
> I'm guessing there should be a way to capture the files.log table data in broscript, match the unique file identifier then rename the file with that filename string from files.log.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
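
The approach described in the question (match each carved file to its files.log entry, then rename it), as an added example that is not part of the original thread or the linked script. It post-processes files.log in Python rather than in Bro script and treats the wire filename as untrusted input; the sample log lines and extracted-file names are constructed.

```python
import os
import re

UNSET = {"-", "(empty)"}  # Bro's TSV markers for unset / empty fields

# Constructed sample: a real files.log has more columns, but the parser keys on #fields.
SAMPLE_LOG = "\n".join([
    "#fields\tfuid\tmime_type\tfilename\textracted",
    "FAbc123\tapplication/pdf\tinvoice.pdf\textract-HTTP-FAbc123",
    "FDef456\ttext/plain\t../../etc/cron.d/job\textract-HTTP-FDef456",
    "FGhi789\timage/png\t-\textract-HTTP-FGhi789",
])

def parse_files_log(text):
    """Yield one dict per record of a Bro TSV log, keyed by its #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def safe_name(wire_name):
    """Reduce a sender-controlled filename to a plain basename."""
    base = re.split(r"[\\/]", wire_name)[-1]           # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)       # no control or shell characters
    return base.lstrip(".")                            # no dotfiles, no "." or ".."

def rename_carved(log_text, extract_dir):
    """Rename extracted files to their sanitized wire names; return {old: new}."""
    done = {}
    for rec in parse_files_log(log_text):
        extracted, wire = rec.get("extracted", "-"), rec.get("filename", "-")
        if extracted in UNSET or wire in UNSET:
            continue                                   # nothing carved, or no name seen
        src = os.path.join(extract_dir, os.path.basename(extracted))
        name = safe_name(wire)
        if not name or not os.path.isfile(src):
            continue
        dst = os.path.join(extract_dir, name)
        if os.path.exists(dst):                        # same name seen twice: keep both
            dst = os.path.join(extract_dir, rec["fuid"] + "-" + name)
        os.rename(src, dst)
        done[os.path.basename(src)] = os.path.basename(dst)
    return done
```

Files with no filename on the wire keep their extraction name, and a name collision falls back to prefixing the fuid so no carved file is overwritten.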
