[Bro] Renaming carved files

Michael Cochran macochran0 at gmail.com
Wed Mar 2 07:15:44 PST 2016


So the problem I'm running into with this extraction script is here (I've
already got a script that handles the extracted metadata mime types):

local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);

I don't need f$source or f$id in the filename. What I'm searching for is
being generated here in main.bro. I just need a way to grab this
information and add it to the extract.bro script to rename the extracted file.

https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info

Files::Info
    filename: string &log &optional
        A filename for the file if one is available from the source for the
        file. These will frequently come from "Content-Disposition" headers in
        network protocols.


The logic (forgive my terrible syntax) should be along the lines of

    # f$info is the Files::Info record; filename is &optional, so test for it first
    local fname: string;
    if ( f?$info && f$info?$filename )
        fname = fmt("%s%s.%s", outputdir, f$info$filename, ext);
    else
        fname = fmt("%s%s-%s.%s", outputdir, f$source, f$id, ext);



On Tue, Mar 1, 2016 at 2:18 PM, Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

>
>
> https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro
>
>
> On 01 Mar 2016, at 18:35, Michael Cochran <macochran0 at gmail.com> wrote:
>
> I'm trying to find a simple way to rename a carved file back to its
> original file name using bro-script rather than having bash try to rip it
> out of the files.log file. I have seen the mime type analyzers on git that
> re-add the extension based on known mime types, but I'd rather be able to
> immediately identify the original file name as it came across the wire. I
> don't need the unique session identifier because by the time I'm using bro
> file analysis I already have the individual session pcap isolated.
>
> I'm guessing there should be a way to capture the files.log table data in
> broscript, match the unique file identifier then rename the file with that
> filename string from files.log.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
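A complete version of the naming logic discussed above, written as an added example rather than the poster's script or Security Onion's extract.bro. It assumes Bro 2.4 (split_string, gsub, sub_bytes, Files::ANALYZER_EXTRACT), that the protocol analyzer has already filled f$info$filename (for HTTP, from the Content-Disposition header) by the time file_sniff fires, and a small hypothetical mime-to-extension table. Because the wire-supplied name is chosen by whoever sent the file, it is reduced to a single path component with a conservative character set before use, so a name like "../../something" cannot land outside FileExtract::prefix.

```bro
# Added example; not code from the original thread or from Security Onion.
@load base/frameworks/files
@load base/files/extract

module ExtractByName;

# Extracted files are written under this directory; extract_filename is
# joined to it by the extract analyzer, so a bare basename stays inside it.
redef FileExtract::prefix = "/nsm/bro/extracted/";

# Hypothetical mime -> extension map (assumption; extend as needed).
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"] = "pdf",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/plain"] = "txt",
} &default = "bin";

# Reduce an untrusted, wire-supplied name to a safe single path component.
function safe_basename(name: string): string
    {
    # Keep only the last component: "dir/../x" and "C:\x" both become "x".
    local parts = split_string(name, /[\/\\]/);
    local base = parts[|parts| - 1];
    # Replace anything outside a conservative character set.
    base = gsub(base, /[^A-Za-z0-9._-]/, "_");
    # Reject empty and dot-only names ("", ".", "..").
    if ( base == "" || base == "." || base == ".." )
        base = "unnamed";
    # Bound the length so a huge header cannot produce an unwieldy path.
    if ( |base| > 128 )
        base = sub_bytes(base, 1, 128);
    return base;
    }

# Choose the on-disk name: the sanitized wire filename when one was seen,
# otherwise the original source-id scheme from the thread.
function pick_name(f: fa_file, ext: string): string
    {
    if ( f?$info && f$info?$filename )
        {
        local base = safe_basename(f$info$filename);
        # Do not double up an extension the name already carries ("a.pdf.pdf").
        local suffix = cat(".", ext);
        if ( |base| > |suffix| && sub_bytes(base, |base| - |ext|, |suffix|) == suffix )
            return base;
        return fmt("%s.%s", base, ext);
        }
    return fmt("%s-%s.%s", f$source, f$id, ext);
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type )
        return;
    local fname = pick_name(f, ext_map[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Two things to keep in mind when using this: dropping f$id means two distinct files announced with the same name overwrite each other, so on a busy sensor (rather than a single isolated session pcap, as in the thread) a counter or the f$id suffix should be reinstated; and f$info$filename is only populated for protocols whose analyzer reports a name, so the fallback branch still fires for the rest.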