[Bro] Extracted files don't rotate
James Lay
jlay at slave-tothe-box.net
Mon Feb 6 09:32:55 PST 2017
Hey all,
So I recently changed the way I run bro at a site. Originally this was
run via the command line; now I have the below:
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=ethx
[worker-2]
type=worker
host=localhost
interface=ethx
extract_files shows up in worker-2. Here's the extract-files script:
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/zip"] = "zip",
    ["application/msword"] = "doc",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
    ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
    ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
};

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only extract attachments carried over SMTP.
    if ( f$source != "SMTP" )
        return;

    # Skip files with no detected MIME type, or a type not in the table.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    local ext = ext_map[meta$mime_type];
    # Extracted files are named <source>-<file id>.<ext> and written
    # under FileExtract::prefix (the extract_files directory).
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
In looking, I see that the files are accumulating and not rotating out.
Anything I can do to troubleshoot this? Thank you.
James
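An added example, not part of James's post or of Bro itself: Bro's log rotation does not cover files written by the extract analyzer, so a scheduled cleanup job is one way to keep the extract_files directory bounded. The directory path, the retention period and the SMTP-* name pattern (taken from the script's fmt() call) are assumptions for this example.

```shell
#!/bin/sh
# Age-based cleanup for a Bro extract_files directory (added example).
# Assumed site-specific defaults; override via the environment.
EXTRACT_DIR="${EXTRACT_DIR:-/usr/local/bro/spool/extract_files}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"
NAME_GLOB="${NAME_GLOB:-SMTP-*}"   # matches <source>-<file id>.<ext>

# count_extracted DIR GLOB: number of regular files in DIR matching GLOB.
count_extracted() {
    find "$1" -maxdepth 1 -type f -name "$2" | wc -l | tr -d ' '
}

# prune_extracted DIR DAYS [GLOB]: delete regular files in DIR, matching
# GLOB (default: any name), whose mtime is more than DAYS days old.
# Prints the number of files removed; returns 1 if DIR does not exist.
prune_extracted() {
    dir="$1"; days="$2"; glob="${3:-*}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # -mtime +N selects files modified more than N*24h ago; -maxdepth 1
    # keeps the job from descending into anything unexpected.
    removed=$(find "$dir" -maxdepth 1 -type f -name "$glob" -mtime +"$days" \
              | wc -l | tr -d ' ')
    find "$dir" -maxdepth 1 -type f -name "$glob" -mtime +"$days" \
         -exec rm -f {} +
    echo "$removed"
}

# Run only when invoked as `sh cleanup.sh --run` (e.g. from cron), so
# sourcing the file for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    before=$(count_extracted "$EXTRACT_DIR" "$NAME_GLOB")
    n=$(prune_extracted "$EXTRACT_DIR" "$MAX_AGE_DAYS" "$NAME_GLOB")
    echo "extract_files: $before files before, $n removed (older than ${MAX_AGE_DAYS}d)"
fi
```

Because extracted attachments can be evidence, point this at a directory that is backed up or archived first rather than deleting the only copy.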