[Bro] files.log - no filename over http

Azoff, Justin S jazoff at illinois.edu
Tue Aug 21 13:16:32 PDT 2018


> On Aug 21, 2018, at 10:21 AM, Izik Birka <Izik.Birka at hot.net.il> wrote:
> 
> Hi
> Why, when I download a file over HTTP, doesn't bro extract the filename?
>  
> Here's the http & files log:
>  
> srv at srv:/nsm/bro/logs/current$ tail -f http_br0.log  | grep 192.168.1.1
> 1534860833.865081       CxLm9G4WxaJ6Z0zqIh      192.168.1.1     31451   77.138.188.44     8080    1       GET     77.138.188.44   http://77.138.188.44/Browsing.exe       http://77.138.188.44/   1.1     Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36   0       506576  200     OK      -       -       (empty) -       -       PROXY-CONNECTION -> keep-alive  -       -       -       FI7yey3gl5U0JXLnji      -    application/x-dosexec
>  
> srv at srv:/nsm/bro/logs/current$ tail -f files.log  | grep 192.168.1.1
> 1534860834.713869       FI7yey3gl5U0JXLnji      77.138.188.44     192.168.1.1     CxLm9G4WxaJ6Z0zqIh      HTTP    0       PE,SHA1,MD5     application/x-dosexec   -       0.189665        F       F       506576  506576  0       0       F    -ea845778462ef5bd2bbf68381df324ca        4af433d0c22067d921c912deae87619b262262f3        -       -
>  

The way bro works by default is that it only extracts http filenames from an explicit content-disposition or content-type header.

It wouldn't be that hard to write a script that sets the filename to the last component of the uri path though, if that's what you really wanted.



-- 
Justin Azoff
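A script of the kind suggested above, added here as an example rather than code from the thread or the Bro project. It assumes the Bro 2.5-era scripting API (`file_over_new_connection`, `Files::Info$filename`, `c$http$uri`, `split_string1`/`split_string`, `unescape_URI`), and only fills in `files.log`'s filename column for HTTP response bodies that arrive without a Content-Disposition name.

```bro
##! Fallback filename for HTTP downloads (added example, not part of the thread).
##! The HTTP analyzer only sets f$info$filename from a Content-Disposition
##! header (base/protocols/http/entities.bro, priority 5). This handler runs at
##! default priority 0, so it sees that field already set when one existed and
##! otherwise derives a name from the last component of the request URI.

module HTTPFilenameFallback;

# Return the last path component of a URI, with any query string removed and
# percent-encoding decoded. Returns "" when the URI ends in "/" or is empty.
function uri_basename(uri: string): string
    {
    # Drop "?query" so "/dl/Browsing.exe?id=1" yields "Browsing.exe".
    local path = split_string1(uri, /\?/)[0];
    local parts = split_string(path, /\//);
    if ( |parts| == 0 )
        return "";
    return unescape_URI(parts[|parts| - 1]);
    }

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    # Only HTTP response bodies (server -> client downloads).
    if ( f$source != "HTTP" || is_orig )
        return;

    # Keep an explicit Content-Disposition filename when the analyzer set one.
    if ( f?$info && f$info?$filename )
        return;

    if ( ! c?$http || ! c$http?$uri )
        return;

    local name = uri_basename(c$http$uri);
    if ( name == "" )
        return;

    # The name comes from attacker-controlled URI text; treat it as a label for
    # files.log, never as something safe to use as a filesystem path.
    f$info$filename = name;
    }
```

With this loaded, the `files.log` row for the `http://77.138.188.44/Browsing.exe` download in the question would carry `Browsing.exe` in its filename column instead of `-`.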