[Bro] files.log - no filename over http
Azoff, Justin S
jazoff at illinois.edu
Tue Aug 21 13:16:32 PDT 2018
> On Aug 21, 2018, at 10:21 AM, Izik Birka <Izik.Birka at hot.net.il> wrote:
>
> Hi
> Why, when I download a file over HTTP, doesn't bro extract the filename?
>
> Here's the http & files log:
>
> srv at srv:/nsm/bro/logs/current$ tail -f http_br0.log | grep 192.168.1.1
> 1534860833.865081 CxLm9G4WxaJ6Z0zqIh 192.168.1.1 31451 77.138.188.44 8080 1 GET 77.138.188.44 http://77.138.188.44/Browsing.exe http://77.138.188.44/ 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 0 506576 200 OK - - (empty) - - PROXY-CONNECTION -> keep-alive - - - FI7yey3gl5U0JXLnji - application/x-dosexec
>
> srv at srv:/nsm/bro/logs/current$ tail -f files.log | grep 192.168.1.1
> 1534860834.713869 FI7yey3gl5U0JXLnji 77.138.188.44 192.168.1.1 CxLm9G4WxaJ6Z0zqIh HTTP 0 PE,SHA1,MD5 application/x-dosexec - 0.189665 F F 506576 506576 0 0 F - ea845778462ef5bd2bbf68381df324ca 4af433d0c22067d921c912deae87619b262262f3 - -
>
The way bro works by default is that it only extracts HTTP filenames from an explicit Content-Disposition or Content-Type header.
It wouldn't be that hard to write a script that sets the filename to the last component of the URI path, though, if that's what you really wanted.
—
Justin Azoff
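As an added example (not part of this thread, and not one of Bro's shipped scripts), here is a script of the kind the reply describes: it falls back to the last path component of the request URI when the HTTP entity carried no Content-Disposition or Content-Type name. It assumes Bro 2.5 or later (`split_string` returning a `string_vec`) and the `HTTP::Info$uri` field that Bro's base HTTP scripts already populate; the module name `FilenameFromURI` and the helper `basename_of_uri` are my own choices. The negative `&priority` makes the handler run after the base scripts have had their chance to set `filename` from headers.

```bro
##! Added example, not part of the original mailing-list thread or of Bro's
##! base scripts: when an HTTP response carried no Content-Disposition /
##! Content-Type name, record the last component of the request URI path
##! as the file's filename in files.log.
##!
##! Assumes Bro 2.5+ (split_string returns a string_vec). Module name and
##! helper function are my own.

@load base/frameworks/files
@load base/protocols/http

module FilenameFromURI;

## Reduce a request URI to its last path component.
##   "/Browsing.exe"              -> "Browsing.exe"
##   "/dl/setup.msi?id=7#frag"    -> "setup.msi"
##   "/" or ""                    -> ""  (nothing usable)
function basename_of_uri(uri: string): string
	{
	# Drop query string and fragment; they are not part of the path.
	local path = sub(uri, /[?#].*$/, "");
	# Drop trailing slashes so "/foo/" yields "foo" rather than "".
	path = sub(path, /\/+$/, "");

	local parts = split_string(path, /\//);
	if ( |parts| == 0 )
		return "";

	return parts[|parts| - 1];
	}

## Runs after the base HTTP entity script (which uses default priority),
## so a filename taken from a real header always wins.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
	{
	# Only HTTP response bodies (server -> client), and only when the
	# base scripts did not already find a filename in the headers.
	if ( f$source != "HTTP" || is_orig )
		return;
	if ( ! c?$http || ! c$http?$uri )
		return;
	if ( f$info?$filename )
		return;

	local name = basename_of_uri(c$http$uri);
	if ( name != "" )
		f$info$filename = name;
	}
```

Load it with `@load` from local.bro (or pass the file on the bro command line) and the files.log `filename` column for the download in the original post would read `Browsing.exe` instead of `-`. One caveat worth keeping in mind when hunting on this field: the URI path is chosen by the server, so a URI ending in `update.txt` can still deliver an executable; the content-sniffed `mime_type` (here `application/x-dosexec`) is the more trustworthy indicator of what was actually transferred, and the URI-derived name is best treated as a label, not evidence.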