[Bro] Renaming carved files

Seth Hall seth at icir.org
Wed Mar 2 21:21:11 PST 2016


> On Mar 1, 2016, at 12:35 PM, Michael Cochran <macochran0 at gmail.com> wrote:
> 
> I'm trying to find a simple way to rename a carved file back to its original file name using bro-script rather than having bash try to rip it out of the files.log file.

I actually had this fully implemented a long time ago (naming files as they were named on the wire), but then I ripped it all out because it gave attackers the ability to control files being written on your file system.  FireEye just got caught doing nearly this same thing recently and it turned out to be an evasion for them.  I generally would not recommend going down the path of letting attackers control file names on your disk because you're likely to open a much larger hole than an evasion if you aren't extremely careful.

I am curious why you would like to do that though?  Is it purely for convenience when you are doing analysis?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
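As an added illustration (not code from the thread or from the Bro project) of the "extremely careful" part of the reply above: if carved files are renamed from files.log at all, the wire-supplied filename has to be treated as attacker input. The script below reads a constructed, simplified files.log excerpt, keeps only the last path component of the claimed name, whitelists its characters, drops names that collapse to nothing (such as "..") and prefixes the Bro fuid so every result stays unique and traceable back to the log; a final check confirms the destination still sits inside the extraction directory. The log columns used, the fuids and the extract directory are all made up for the example.

```python
import os
import re
import posixpath
import tempfile

# Constructed, simplified files.log excerpt (a real log carries more columns).
# "filename" is whatever the sender claimed on the wire, so it is untrusted;
# "extracted" is the name Bro's extraction analyzer chose on disk.
SAMPLE_FILES_LOG = """#separator \\x09
#fields\tts\tfuid\tmime_type\tfilename\textracted
#types\ttime\tstring\tstring\tstring\tstring
1456860000.000000\tFaBc12Ab3cd4\tapplication/pdf\tinvoice.pdf\textract-HTTP-FaBc12Ab3cd4
1456860001.000000\tFdEf56Gh7ij8\tapplication/x-dosexec\t..\\..\\Windows\\payload.exe\textract-HTTP-FdEf56Gh7ij8
1456860002.000000\tFkLm90Np1qr2\ttext/plain\t../../etc/cron.d/evil\textract-HTTP-FkLm90Np1qr2
1456860003.000000\tFsTu34Vw5xy6\tapplication/octet-stream\t-\textract-HTTP-FsTu34Vw5xy6
1456860004.000000\tFzAb78Cd9ef0\ttext/plain\t..\textract-HTTP-FzAb78Cd9ef0
"""

_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")  # conservative whitelist
MAX_LEN = 64                                   # cap length of the wire-derived part


def parse_files_log(text):
    """Turn a tab-separated Bro log with a #fields header into a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def safe_name(fuid, wire_name):
    """Derive a disk-safe name from an untrusted wire name, or None to keep Bro's name."""
    if not wire_name or wire_name == "-":
        return None
    # Normalise both separator styles, then keep only the last path component
    base = posixpath.basename(wire_name.replace("\\", "/"))
    # Replace anything outside the whitelist; strip leading dots (no hidden files, no "..")
    base = _DISALLOWED.sub("_", base).lstrip(".")
    if not base:
        return None
    # The fuid prefix keeps names unique and ties each file back to files.log
    return f"{fuid}-{base[:MAX_LEN]}"


def plan_renames(log_text, extract_dir):
    """Return (src, dst) pairs; skip rows with no extracted file or no usable name."""
    root = os.path.realpath(extract_dir)
    plans = []
    for row in parse_files_log(log_text):
        if row.get("extracted", "-") == "-":
            continue
        new = safe_name(row["fuid"], row.get("filename", "-"))
        if new is None:
            continue
        src = os.path.join(root, row["extracted"])
        dst = os.path.join(root, new)
        # Belt and braces: the destination must resolve to a direct child of root
        if os.path.dirname(os.path.realpath(dst)) != root:
            continue
        plans.append((src, dst))
    return plans


def apply_renames(plans):
    """Rename only existing sources onto non-existing destinations; return the count."""
    done = 0
    for src, dst in plans:
        if os.path.isfile(src) and not os.path.exists(dst):
            os.rename(src, dst)
            done += 1
    return done


if __name__ == "__main__":
    # Demo against a throwaway directory populated with empty "extracted" files
    with tempfile.TemporaryDirectory() as extract_dir:
        for row in parse_files_log(SAMPLE_FILES_LOG):
            open(os.path.join(extract_dir, row["extracted"]), "wb").close()
        renamed = apply_renames(plan_renames(SAMPLE_FILES_LOG, extract_dir))
        print(f"renamed {renamed} file(s):")
        for name in sorted(os.listdir(extract_dir)):
            print("  ", name)
```

Note what this deliberately does not do: it never writes outside the extraction directory, never lets the wire name choose a directory, and never overwrites an existing file. It also keeps the fuid in the name, which is the same lookup the analyst would otherwise do by hand against files.log.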
