[Bro] Extracted files don't rotate
James Lay
jlay at slave-tothe-box.net
Wed Feb 8 14:01:43 PST 2017
Any takers on the below? Thank you.
James
On 2017-02-06 10:32, James Lay wrote:
> Hey all,
>
> So I recently changed the way I run bro at a site. Originally this was
> run via command line, now I have the below:
>
> [logger]
> type=logger
> host=localhost
>
> [manager]
> type=manager
> host=localhost
>
> [proxy-1]
> type=proxy
> host=localhost
>
> [worker-1]
> type=worker
> host=localhost
> interface=ethx
>
> [worker-2]
> type=worker
> host=localhost
> interface=ethx
>
> extract_files shows up in worker-2. Here's the extract-files script:
>
> # Map the MIME types we want extracted to the extension used for the
> # copy written to disk.
> global ext_map: table[string] of string = {
>     ["application/x-dosexec"] = "exe",
>     ["application/zip"] = "zip",
>     ["application/msword"] = "doc",
>     ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
>     ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
>     ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
> };
>
> event file_sniff(f: fa_file, meta: fa_metadata)
>     {
>     # Only files carried over SMTP are of interest here.
>     if ( f$source != "SMTP" )
>         return;
>
>     # Skip files with no sniffed MIME type, or one we don't map.
>     if ( ! meta?$mime_type || meta$mime_type !in ext_map )
>         return;
>
>     local ext = ext_map[meta$mime_type];
>
>     # Name the copy after the source and the file ID; the extraction
>     # analyzer writes it under extract_files/ in the node's working dir.
>     local fname = fmt("%s-%s.%s", f$source, f$id, ext);
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
>                         [$extract_filename=fname]);
>     }
>
>
> In looking, I see that the files are accumulating and not rotating out.
> Anything I can do to troubleshoot this? Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
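Bro's extraction analyzer only writes files: neither the analyzer nor BroControl's log rotation removes anything that lands in a node's extract_files directory, so retention for extracted files has to be enforced outside Bro. The following is an added example, not code from the original post or from the Bro project, of a small POSIX shell script that first lists and then deletes extracted files older than a given number of days. The BroControl spool path used in the usage comments and the 7-day retention are assumptions; the directory built in the usage note below is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or from Bro): age-based
# clean-up of a Bro extract_files directory. The spool path in the
# comments below is BroControl's default layout and is an assumption.

# list_stale DIR DAYS
# Dry run: print the regular files under DIR whose modification time is
# more than DAYS days ago. Nothing is deleted. Returns 1 if DIR is missing.
list_stale() {
    dir=$1
    days=$2
    [ -d "$dir" ] || { echo "list_stale: no such directory: $dir" >&2; return 1; }
    # -type f never matches directories; -mtime +N means strictly older
    # than N whole days, so a file extracted today is never selected.
    find "$dir" -type f -mtime +"$days" -print
}

# prune_extracted DIR DAYS
# Delete the same set of files list_stale would print and write the
# number of files removed to stdout. Returns 1 if DIR is missing.
prune_extracted() {
    dir=$1
    days=$2
    [ -d "$dir" ] || { echo "prune_extracted: no such directory: $dir" >&2; return 1; }
    # -print before -exec so every deleted path is counted in one pass;
    # "{} +" batches the paths into as few rm invocations as possible.
    find "$dir" -type f -mtime +"$days" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# Usage, assuming BroControl's default prefix (an assumption, adjust to
# your install); extracted files live in the spool directory of the
# worker that saw the file, here worker-2 as in the original post:
#
#   list_stale      /usr/local/bro/spool/worker-2/extract_files 7
#   prune_extracted /usr/local/bro/spool/worker-2/extract_files 7
#
# The prune call is the one to put in cron once the dry run shows only
# files you are willing to lose.
```

The dry run matters because the same `find` predicate drives both functions: whatever `list_stale` prints is exactly what `prune_extracted` removes. This bounds the number of files kept, not their size; the size of each individual extracted file is bounded separately by the extraction analyzer's `extract_limit` argument (default `FileExtract::default_limit`), which is worth checking if a few large attachments rather than many small ones are filling the spool.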