[Bro] Bro Digest, Vol 127, Issue 46

Johanna Amann johanna at icir.org
Wed Nov 30 10:38:47 PST 2016


You call add_analyzer in one of your scripts, typically in file_new or in
file_sniff.

https://www.bro.org/sphinx-git/frameworks/file-analysis.html gives a lot
more detail on how and where to use the function.

Johanna
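Added example, not code from this thread or from the Bro project: a Bro 2.5 script that does what Stephen's reply describes, building the extract filename on the fly in file_sniff so that each file lands in a day-wise, per-MIME-type subdirectory under FileExtract::prefix. The module name DailyExtract, the set extract_mime_types and the helper safe_component are my own names; everything else is the stock file-extraction API.

```bro
# Added example (not from the thread): extract matching files into
#   <FileExtract::prefix>/<YYYY-MM-DD>/<mime-type>/<source>-<file id>
# so a cron job can compress or prune whole days at a time.
# Assumes Bro 2.5 with the base file-extraction analyzer loaded.

@load base/files/extract

module DailyExtract;

export {
    ## Only extract files whose sniffed MIME type is in this set
    ## (constructed sample list; redef to taste).
    const extract_mime_types: set[string] = {
        "application/x-dosexec",
        "application/pdf",
        "application/zip",
    } &redef;
}

# Keep only characters that are safe in a single path component.
# The MIME type comes from content sniffing, so it is treated as
# untrusted: no "/" or ".." can reach the directory name.
function safe_component(s: string): string
    {
    return gsub(s, /[^A-Za-z0-9._-]/, "_");
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in extract_mime_types )
        return;

    # Day-wise directory named like Bro's rotated log directories.
    local day = strftime("%Y-%m-%d", f$last_active);
    local subdir = fmt("%s/%s", day, safe_component(meta$mime_type));

    # The extract analyzer only creates FileExtract::prefix itself, so
    # the per-day and per-type directories must exist before it opens
    # the output file. mkdir() returns T if the directory already exists.
    mkdir(build_path_compressed(FileExtract::prefix, day));
    mkdir(build_path_compressed(FileExtract::prefix, subdir));

    # f$source is the protocol analyzer name and f$id is Bro-generated,
    # so no attacker-controlled filename ends up in the path.
    local fname = fmt("%s/%s-%s", subdir, f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

The relative path is joined onto FileExtract::prefix by the analyzer, and the resulting path is what appears in the extracted column of files.log, so the daily directory can be found again from the log alone.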

On Tue, Nov 29, 2016 at 10:27:38AM +1100, John Edwards wrote:
> Where is this line defined? What file would I define this in once I create sub
> folders for file types? I wish to get cron to compress specific folders to
> save disk space.
> 
> Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> 
> Cheers,
> John
> 
> On Tue, Nov 29, 2016 at 7:00 AM, <bro-request at bro.org> wrote:
> 
> > Today's Topics:
> >
> >    1. Re: Bro 2.5 CPU usage (Drew Dixon)
> >    2. File extraction in different directories (maybe day vise)
> >       (fatema bannatwala)
> >    3. Re: File extraction in different directories (maybe day vise)
> >       (Hosom, Stephen M)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Mon, 28 Nov 2016 13:19:47 -0500
> > From: Drew Dixon <dwdixon at umich.edu>
> > Subject: Re: [Bro] Bro 2.5 CPU usage
> > To: Daniel Thayer <dnthayer at illinois.edu>
> > Cc: bro at bro.org
> > Message-ID: <CA+pNqTOFXBseTFHdQqKM2r=FyZEGUH9Gj4O7i=Sn9PoZLbU-3w@mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Would it be possible for someone to quantify what a low bandwidth/low traffic
> > setup might be, in terms of a bandwidth unit of measurement range, where
> > Justin's patch would be advised to be used? I.e. Kbps/Mbps etc. What would
> > be a cut-off bandwidth/traffic rate value above which it would not be advisable
> > that this patch be used?
> >
> > On Fri, Nov 25, 2016 at 1:54 PM, Daniel Thayer <dnthayer at illinois.edu>
> > wrote:
> >
> > > Regarding broctl, you can disable the "not seeing any packets"
> > > warnings if you set this in your etc/broctl.cfg:
> > > StatsLogEnable = 0
> > >
> > > Doing so will also disable logging to broctl's stats.log (note:
> > > this is NOT the stats.log that Bro itself logs), which I'm
> > > guessing most people don't need anyway.
> > >
> > >
> > > On 11/25/16 11:43 AM, Michael Shirk wrote:
> > > > Is this something worthy of a feature request for low bandwidth setups?
> > > >
> > > > In addition to something like this, I have to do a patch for very low
> > > > network traffic with bro cron reporting network traffic has stopped on
> > > > the monitoring interface.
> > > >
> > > > --
> > > > Michael Shirk
> > > > Daemon Security, Inc.
> > > > http://www.daemon-security.com
> > ------------------------------
> >
> > Message: 2
> > Date: Mon, 28 Nov 2016 14:14:37 -0500
> > From: fatema bannatwala <fatema.bannatwala at gmail.com>
> > Subject: [Bro] File extraction in different directories (maybe day vise)
> > To: bro at bro.org
> > Message-ID: <CACX0rUSYj_8JnSwS7ZKjef=HNsKDnX6z+oxFo-VXw7mO0xZ4WA at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi,
> >
> > Just wanted to check in, so that I don't re-invent the wheel: is there any
> > way, or has somebody tried, extracting the files into different
> > directories, i.e. maybe into a daily directory (just like Bro logs the events in
> > the day-wise directory)?
> > Right now we have over thousands of files extracted in a single directory
> > and it's getting harder to manage the one single directory to access the
> > extracted files, hence I was looking into the Bro logging framework so that I
> > can steal some code from the event logging and rotation part for the file
> > extraction script.
> > Any other way around it?
> >
> > Appreciate the help.
> >
> > Thanks,
> > Fatema.
> > ------------------------------
> >
> > Message: 3
> > Date: Mon, 28 Nov 2016 19:46:20 +0000
> > From: "Hosom, Stephen M" <hosom at battelle.org>
> > Subject: Re: [Bro] File extraction in different directories (maybe day vise)
> > To: fatema bannatwala <fatema.bannatwala at gmail.com>, "bro at bro.org" <bro at bro.org>
> > Message-ID: <E5A2071C6FFFF640B714C224139C9B3327DEFC0F at WP-MBX2B.milky-way.battelle.org>
> > Content-Type: text/plain; charset="utf-8"
> >
> > One of the arguments for attaching the file extraction analyzer is the
> > filename that you want it to extract to. So long as you're building this
> > filename on the fly every time you attach the analyzer, you should be able
> > to specify a different directory for every file, if you wished for such a
> > thing.
> >
> > Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
> >
> > Where I have specified 'fname', just specify the string of the
> > filename/path where you would like to store the file.
> >
