[Bro] loading modules and automatically using custom scripts (clautos)

clautos sebclaut at gmail.com
Fri Sep 9 04:02:07 PDT 2016


Ok so I added the -C option to my brocfg and it works now. I got abused by
my tests. My bro installation does not check the checksums at all and I can
capture all the files correctly.

2016-09-09 12:49 GMT+02:00 clautos <sebclaut at gmail.com>:

> Ok so I tried something. I downloaded audacity, notepad++, 7zip (in HTTP
> from filehippo not from the official sites to make sure it's HTTP download).
> I captured the download with wireshark, and I found the PE in the pcap,
> even with bro -r extract_file.
> When I just load the extract_file plugin and download my exe files, the
> extracted files are incomplete (they are much smaller than the real ones).
> In addition to that, I suspected that it might have been caused by the -C
> option but even without this option, my bro -r pcapfile.pcap extract_file
> module could extract the whole executable.
> In interactive mode though, I don't extract the whole executable.
>
> tldr: The live capture doesn't extract the whole file but the bro -r
> pcapfile.pcap path/extract_file does work
>
> 2016-09-08 16:05 GMT+02:00 Seth Hall <seth at icir.org>:
>
>>
>> > On Sep 8, 2016, at 5:49 AM, clautos <sebclaut at gmail.com> wrote:
>> >
>> > When I download audacity (.exe) through HTTP, I get an incorrect .exe
>> file. The original file has a size of 26.5 MB and what I collect in my
>> "extract_files" folder has a size of 1.4 kB. Obviously the md5sums mismatch.
>>
>> It's very possible that you encountered packet loss.  You can either look
>> at the "missed_bytes" field in conn.log or the "missing_bytes" field in the
>> files.log.  If either of those aren't zero, then you probably dropped
>> packets.
>>
>> Damn, now that I look at those field names, we ended up naming them
>> unfortunately different.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
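The check Seth describes above, turned into a script, is a quick way to triage a short extracted file before blaming the extraction script itself. This is an added example, not code from the Bro project or from anyone in this thread: it parses Bro's ASCII log format from the `#separator` and `#fields` header lines, then reports every conn.log row with a nonzero `missed_bytes` and every files.log row with a nonzero `missing_bytes`, joining the two through `conn_uids`. The sample log lines are constructed and use a trimmed-down column set; real logs carry more fields, but the parser only relies on the `#fields` header, so it also works on full logs. Whether the gap comes from packets that were actually dropped or from packets Bro discarded for a bad checksum (the behaviour the `-C` flag turns off, which is what resolved the original poster's case), the file on disk will be short and these two fields will show it.

```python
"""Flag Bro connections and files that show content gaps, using the two
fields named in the thread: conn.log ``missed_bytes`` and files.log
``missing_bytes``.  Added example; the sample logs below are constructed."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample logs with a reduced column set (Bro's real conn.log and
# files.log have more columns; only the ones used here are included).
SAMPLE_CONN_LOG = [
    r"#separator \x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tresp_bytes\tmissed_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount",
    # Connection with a large content gap: the reassembler never saw most of the body.
    "1473417000.000000\tCabc1\t10.0.0.5\t51234\t203.0.113.10\t80\ttcp\t1433\t27785831",
    # Healthy connection: no missed bytes.
    "1473417001.000000\tCdef2\t10.0.0.5\t51235\t203.0.113.11\t80\ttcp\t4096\t0",
]

SAMPLE_FILES_LOG = [
    r"#separator \x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\tconn_uids\tsource\tmime_type\tseen_bytes\ttotal_bytes\tmissing_bytes\textracted",
    "#types\ttime\tstring\tset[string]\tstring\tstring\tcount\tcount\tcount\tstring",
    # The truncated executable: 1433 bytes seen of a ~26.5 MB file.
    "1473417000.500000\tFa1b2c\tCabc1\tHTTP\tapplication/x-dosexec\t1433\t27787264\t27785831\textract-Fa1b2c.exe",
    "1473417001.500000\tFd3e4f\tCdef2\tHTTP\tapplication/x-dosexec\t4096\t4096\t0\textract-Fd3e4f.exe",
]


def parse_bro_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse Bro's ASCII (TSV) log format into a list of row dicts.

    ``#separator`` names the column delimiter (written escaped, e.g. ``\\x09``),
    ``#fields`` names the columns, and the remaining ``#`` lines are metadata.
    """
    sep = "\t"
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # Decode the escaped separator ("\x09" -> a real tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def _count(value: str) -> int:
    """Convert a Bro ``count`` field; ``-`` is Bro's unset marker."""
    return 0 if value == "-" else int(value)


def lossy_connections(conn_lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Return (uid, missed_bytes) for every conn.log row with a content gap."""
    return [(r["uid"], _count(r["missed_bytes"]))
            for r in parse_bro_log(conn_lines) if _count(r["missed_bytes"]) > 0]


def file_gap_report(conn_lines: Iterable[str], files_lines: Iterable[str]) -> List[Dict[str, object]]:
    """For each files.log row with missing_bytes > 0, pair it with the
    missed_bytes of the connection(s) it was carried over."""
    conn_missed = {r["uid"]: _count(r["missed_bytes"]) for r in parse_bro_log(conn_lines)}
    report: List[Dict[str, object]] = []
    for f in parse_bro_log(files_lines):
        missing = _count(f["missing_bytes"])
        if missing == 0:
            continue
        uids = f["conn_uids"].split(",")  # set[string] uses the set separator
        report.append({
            "fuid": f["fuid"],
            "extracted": f.get("extracted", "-"),
            "seen_bytes": _count(f["seen_bytes"]),
            "total_bytes": _count(f["total_bytes"]),
            "missing_bytes": missing,
            "conn_missed_bytes": sum(conn_missed.get(u, 0) for u in uids),
        })
    return report


if __name__ == "__main__":
    for entry in file_gap_report(SAMPLE_CONN_LOG, SAMPLE_FILES_LOG):
        print("%(extracted)s: saw %(seen_bytes)d of %(total_bytes)d bytes, "
              "missing_bytes=%(missing_bytes)d, conn missed_bytes=%(conn_missed_bytes)d" % entry)
```

Run it against a real pair of logs by replacing the sample lists with `open("conn.log")` and `open("files.log")`; a nonzero figure in either column for the file's connection means the extraction script was handed an incomplete stream, so the fix lies in the capture path (drops, or checksum rejection) rather than in the file-extraction script.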