[Bro] Extract only certain file types

James Lay jlay at slave-tothe-box.net
Tue Mar 6 08:29:41 PST 2018


This took me way too long to get to, sorry..here's what I have for my SMTP extract...should help:

@load base/files/extract

# Sniffed MIME type -> extension used for the extracted file on disk.
global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["application/zip"] = "zip",
	["application/msword"] = "doc",    # legacy Word .doc
	["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
	["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
	["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
};

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only files carried over SMTP are of interest here.
	if ( f$source != "SMTP" )
		return;

	# Skip files with no sniffed MIME type, or a type we don't want to keep.
	if ( ! meta?$mime_type || meta$mime_type !in ext_map )
		return;

	local ext = ext_map[meta$mime_type];
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}

James

On 2018-02-16 04:47, Fernandez, Mark I wrote:
> Ambros,
> 
>>> What should the extract-all-files.bro look like in order to
>>> only extract pdf, exe, doc and docx?
> 
> The fa_metadata record contains the MIME type.  Using the MIME type,
> you can make a condition on whether or not to extract the file.
> 
> Mark
> 
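Answering the original question (pdf, exe, doc and docx) for files from any source rather than SMTP only, as an added example that is neither James's script nor part of Bro itself. The module name, table contents and 10 MB cap are constructed for the example, and it assumes Bro 2.4 or later for `$extract_limit` and the `file_extraction_limit` event.

```zeek
@load base/files/extract

module ExtractSelected;

export {
	## Sniffed MIME types to extract, mapped to the extension used for the
	## file written to disk. Redefine from local.bro to add or drop types.
	const wanted: table[string] of string = {
		["application/pdf"] = "pdf",
		["application/x-dosexec"] = "exe",
		["application/msword"] = "doc",
		["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx"
	} &redef;

	## Per-file cap on extracted bytes so one large transfer cannot fill the
	## extraction directory (constructed value: 10 MB).
	const max_bytes = 10485760 &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Decide on the sniffed type only; the Content-Type a sender declares is
	# attacker controlled and is not consulted.
	if ( ! meta?$mime_type || meta$mime_type !in wanted )
		return;

	# Name the output after the source and file id so the extracted file can
	# be joined back to files.log; the extension comes from our own table,
	# never from a filename supplied on the wire.
	local fname = fmt("%s-%s.%s", f$source, f$id, wanted[meta$mime_type]);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname, $extract_limit=max_bytes]);
	}

event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
	{
	# Record that the copy on disk is truncated instead of silently keeping a
	# partial file that could be mistaken for the complete transfer.
	local name = args?$extract_filename ? args$extract_filename : f$id;
	Reporter::info(fmt("extraction of %s stopped at %d bytes (limit %d)", name, len, limit));
	}
```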