[Bro] Inconsistent file size during extraction

Josh Liburdi liburdi.joshua at gmail.com
Thu Feb 1 16:13:33 PST 2018


Hi all,

I'm seeing instances where files are being extracted inconsistently with
what is reported in files.log. Here is a redacted example:

files.log:
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig *seen_bytes* *total_bytes* missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1517528771.042220 Fz2Z2m3zwQcc3gqDS3 x.x.x.x x.x.x.x CpaGD227W0Cy2BA1Tf HTTP 0 EXTRACT application/vnd.openxmlformats-officedocument.spreadsheetml.sheet 0.258350 - F *219414* *12977556* 0 0 F - - - - extract-1517528771.04222-HTTP-Fz2Z2m3zwQcc3gqDS3 F -

File on disk:
*219414* Feb  1 16:04 extract-1517528771.04222-HTTP-Fz2Z2m3zwQcc3gqDS3

The file on disk is the same size as the number of bytes sent to the file
analyzer (seen_bytes field) -- it should be the same size as the
total_bytes field. I've seen this happen many times (though, relatively
speaking, it is rare).

Any thoughts on this behavior? I'm seeing this on Bro 2.5.1.

Thanks,
Josh
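An added check, not part of Josh's message or of Bro itself, that parses a files.log in Bro's tab-separated ASCII format and compares each extracted file's size on disk against the record's seen_bytes and total_bytes. It classifies the pattern reported above (on-disk size equals seen_bytes but not total_bytes) separately from files that were deliberately cut off by the extraction size limit (extracted_cutoff), files with no known total, and outright mismatches. The sample log is constructed from the header and record quoted in the post, re-joined onto single tab-separated lines; the quoted record lacks a filename value, so "-" is substituted there, and the "extraction directory" is a constructed dict standing in for the real one.

```python
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the #fields/#types header and the record quoted in the
# post, re-joined onto single tab-separated lines. The filename column is not
# present in the quoted record, so "-" (unset) is substituted for it.
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join([
        "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source", "depth",
        "analyzers", "mime_type", "filename", "duration", "local_orig",
        "is_orig", "seen_bytes", "total_bytes", "missing_bytes",
        "overflow_bytes", "timedout", "parent_fuid", "md5", "sha1", "sha256",
        "extracted", "extracted_cutoff", "extracted_size"]),
    "#types\t" + "\t".join([
        "time", "string", "set[addr]", "set[addr]", "set[string]", "string",
        "count", "set[string]", "string", "string", "interval", "bool", "bool",
        "count", "count", "count", "count", "bool", "string", "string",
        "string", "string", "string", "bool", "count"]),
    "\t".join([
        "1517528771.042220", "Fz2Z2m3zwQcc3gqDS3", "x.x.x.x", "x.x.x.x",
        "CpaGD227W0Cy2BA1Tf", "HTTP", "0", "EXTRACT",
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        "-", "0.258350", "-", "F", "219414", "12977556", "0", "0", "F",
        "-", "-", "-", "-",
        "extract-1517528771.04222-HTTP-Fz2Z2m3zwQcc3gqDS3", "F", "-"]),
])


def parse_files_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro/Zeek tab-separated ASCII log text into one dict per record."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def _count(value: str) -> Optional[int]:
    """Bro writes '-' for an unset count field; map that to None."""
    return None if value == "-" else int(value)


def classify_extraction(rec: Dict[str, str], size_on_disk: Optional[int]) -> str:
    """Compare an extracted file's on-disk size with the record's byte counts."""
    seen = _count(rec["seen_bytes"])
    total = _count(rec["total_bytes"])
    if size_on_disk is None:
        return "missing"            # log says extracted, nothing on disk
    if rec["extracted_cutoff"] == "T":
        return "cutoff"             # stopped by the extraction size limit; short by design
    if total is None:
        return "unknown_total"      # no total (e.g. no Content-Length); cannot judge
    if size_on_disk == total:
        return "complete"
    if size_on_disk == seen:
        return "truncated_to_seen"  # the pattern reported in the post
    return "mismatch"


def audit_extractions(
    log_text: str, size_of: Callable[[str], Optional[int]]
) -> List[Tuple[str, str, Optional[int], Optional[int], Optional[int]]]:
    """Return (fuid, status, on_disk, seen_bytes, total_bytes) per extracted file."""
    results = []
    for rec in parse_files_log(log_text):
        name = rec["extracted"]
        if name == "-":
            continue  # record has no extracted file
        size = size_of(name)
        results.append((rec["fuid"], classify_extraction(rec, size), size,
                        _count(rec["seen_bytes"]), _count(rec["total_bytes"])))
    return results


def size_in_dir(extract_dir: str) -> Callable[[str], Optional[int]]:
    """Size lookup against a real extraction directory (None if the file is absent)."""
    def size_of(name: str) -> Optional[int]:
        path = os.path.join(extract_dir, name)
        return os.path.getsize(path) if os.path.isfile(path) else None
    return size_of


# Constructed stand-in for the extraction directory: the one file, 219414 bytes,
# as in the `ls` output quoted in the post.
FAKE_DISK = {"extract-1517528771.04222-HTTP-Fz2Z2m3zwQcc3gqDS3": 219414}

if __name__ == "__main__":
    for fuid, status, size, seen, total in audit_extractions(SAMPLE_FILES_LOG, FAKE_DISK.get):
        print(f"{fuid}: {status} (on_disk={size} seen_bytes={seen} total_bytes={total})")
```

Against a live sensor, pass `size_in_dir("/path/to/extract_files")` instead of `FAKE_DISK.get`; anything reported as "truncated_to_seen" or "mismatch" is an extraction that should not be hashed or submitted for analysis as if it were the complete file.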