[Bro] check rx and tx hosts for files

Kellogg, Brian (GS IT PG-DR) bkellogg at dresser-rand.com
Mon Oct 10 12:34:37 PDT 2016


Thanks, I did something similar.  Always concerned I’m doing it the hard way.


From: fatema bannatwala [mailto:fatema.bannatwala at gmail.com]
Sent: Monday, October 10, 2016 3:32 PM
To: Kellogg, Brian (GS IT PG-DR)
Cc: bro at bro.org
Subject: Re: check rx and tx hosts for files

Hi Brian,

I had kind of the same use-case, where I had to exclude file extraction for certain subnets.
Hence this is what I have done in my script:

@load base/files/extract

# MIME type -> file extension map referenced below. It is not shown in the
# original post; this placeholder is assumed so the script runs stand-alone.
global ext_map: table[string] of string = {
      ["application/x-dosexec"] = "exe",
      ["application/pdf"] = "pdf",
      ["text/plain"] = "txt",
} &default = "";

# White list of subnets to exclude file extraction for.
global subnet_map: table[subnet] of string = {
      [x.x.x.x/25] = "VIP subnet1",
      [y.y.y.y/26] = "VIP subnet2",
      [z.z.z.z/24] = "VIP subnet3",
} &default = "";

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Check for the right source to extract.
    if ( f$source != "HTTP" )
        return;

    # Check for the right MIME type to extract.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    # The Files::Info record is optional; nothing to check without it.
    if ( ! f?$info )
        return;

    # Get the receiving hosts from the record.
    local rx_addr: set[addr] = f$info$rx_hosts;

    # Skip extraction if any rx host is in a VIP subnet
    # (an addr looked up in a table[subnet] does a longest-prefix match).
    for ( i in rx_addr )
        {
        if ( i in subnet_map )
            return;
        }

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }


You can define the rx or tx hosts which you want to exclude/include and modify accordingly.
I am sure there might be some more efficient ways to do this; I will let other more experienced people answer that :)


Hope this helps.

Thanks,
Fatema.
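The thread's subject is checking both the rx and the tx hosts, and the script above only looks at the receiving side. The following Bro script is an added example, not code from the original post or from the Bro project: it factors the subnet test into a small function and applies it to both f$info$tx_hosts and f$info$rx_hosts, so a file is skipped when either the sender or the receiver sits in an excluded subnet. The subnets, the MIME-type map and the names no_extract_subnets, extract_types and any_in_subnets are assumptions chosen for the example.

```bro
@load base/files/extract

# Assumed subnets whose traffic should never have files extracted,
# regardless of direction. Replace with your own.
const no_extract_subnets: set[subnet] = {
    192.168.10.0/24,
    10.20.0.0/16,
} &redef;

# Assumed MIME type -> extension map for the types worth extracting.
const extract_types: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"] = "pdf",
} &redef;

# Return T if any host in `hosts` falls inside one of `nets`.
# An addr looked up in a set[subnet] does a longest-prefix match.
function any_in_subnets(hosts: set[addr], nets: set[subnet]): bool
    {
    for ( h in hosts )
        {
        if ( h in nets )
            return T;
        }
    return F;
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only HTTP-carried files with a MIME type we care about.
    if ( f$source != "HTTP" )
        return;
    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    # Files::Info is optional on fa_file; without it there are no hosts to check.
    if ( ! f?$info )
        return;

    # Exclude when either the sending or the receiving side is in a listed subnet.
    if ( any_in_subnets(f$info$tx_hosts, no_extract_subnets) ||
         any_in_subnets(f$info$rx_hosts, no_extract_subnets) )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, extract_types[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

To turn the exclusion into an inclusion (extract only for listed subnets), negate the combined condition instead; keeping the direction logic in one function means that change is a single line.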