[Bro] check rx and tx hosts for files

Brian Kellogg theflakes at gmail.com
Fri Oct 14 09:23:30 PDT 2016


Thanks, unfortunately I lose the ability to access mime type with that function.  Therefore I think I'll stick with file_sniff.  Get errors saying f$info$mime_type isn’t present.  I’ll keep playing with it when I can.  Thanks again for Bro, incredible tool to have.



On Fri, Oct 14, 2016 at 9:31 AM, Johanna Amann <johanna at icir.org> wrote:
Hi Brian,

you should be able to just use the event file_over_new_connection, which
includes the connection record. With that, you don't have to loop over
complex data structures and can just use Site::is_local_addr.

This would probably look similar to:

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    # Only extract files sent by a host inside Site::local_nets
    if ( is_orig && Site::is_local_addr(c$id$orig_h) )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }

I hope this helps,
 Johanna
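One way to do what Brian describes, deciding by MIME type (which is only known once file_sniff fires) while still checking whether a local host is the sender or receiver, is to walk the file's connection table f$conns from inside file_sniff. This is an added example, not code from the thread; it assumes Site::local_nets has been populated and the MIME type list is a placeholder to adjust.

```bro
# Added example (not from the thread): extract files of selected MIME types
# when either endpoint of a carrying connection is a local host.
# file_sniff fires after the MIME type has been guessed, unlike
# file_over_new_connection, so meta$mime_type is normally available here.
# Assumes Site::local_nets is set, e.g. redef Site::local_nets += { 10.0.0.0/8 };

@load base/frameworks/files
@load base/utils/site

module LocalFileExtract;

export {
    # Constructed placeholder list: MIME types worth extracting.
    const extract_mime_types: set[string] = {
        "application/x-dosexec",
        "application/x-executable",
    } &redef;
}

# True when at least one connection carrying the file has an originator
# or responder address inside Site::local_nets.
function involves_local_host(f: fa_file): bool
    {
    if ( ! f?$conns )
        return F;

    for ( cid in f$conns )
        {
        if ( Site::is_local_addr(cid$orig_h) || Site::is_local_addr(cid$resp_h) )
            return T;
        }

    return F;
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # mime_type is &optional in fa_metadata: test for it with ?$ first,
    # since reading a missing field aborts the event handler.
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in extract_mime_types )
        return;

    if ( involves_local_host(f) )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
```

Restricting to one direction only (e.g. files sent by a local host) can be done by also testing f$is_orig, which is likewise &optional on fa_file.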