[Zeek] TEMP files under /opt/zeek/spool/worker-*-*/extract_files

Justin Azoff justin at corelight.com
Tue Dec 31 06:27:19 PST 2019


Those aren't TEMP files as far as zeek is concerned.  Those are being
extracted by the BZAR script:
https://github.com/mitre-attack/bzar/blob/master/scripts/bzar_files.bro

they just happen to be from c:\windows\TEMP\ on the server.

You should be analyzing those files, or, if you don't want them at all, the
bzar script has BZAR::file_extract_option or some other ways of filtering
things to turn that feature off.

On Mon, Dec 30, 2019 at 4:35 PM Scot Harris <SHARRIS at hollywoodfl.org> wrote:

> While running some system checks, I noted that on the two zeek 3.0 boxes I
> have in a cluster that drive space was being taken up in the following
> directory:
>
> /opt/zeek/spool/worker-3-1/extract_files.
>
> These files are not large but numerous.
>
> total 15884720
> -rw-rw-r-- 1 zeek zeek        50 Dec 30 16:26
> CZi12w40mQqZt08H24_FWsM9w4uCR965XUybc__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-93.txt
> -rw-rw-r-- 1 zeek zeek       326 Dec 30 16:26
> CZi12w40mQqZt08H24_FEJBtK3MwBWHCM3ET__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110812.bat
> -rw-rw-r-- 1 zeek zeek        44 Dec 30 16:26
> CZi12w40mQqZt08H24_FzgNR24m7uP0dbeI54__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-92.txt
> -rw-rw-r-- 1 zeek zeek       315 Dec 30 16:26
> CZi12w40mQqZt08H24_FlcyIJ91gLM90QJhe__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110811.bat
> -rw-rw-r-- 1 zeek zeek        23 Dec 30 16:26
> CZi12w40mQqZt08H24_FXnI1p4BopgQQE4jye__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-91.txt
> -rw-rw-r-- 1 zeek zeek       285 Dec 30 16:26
> CZi12w40mQqZt08H24_FXROsS11QBGTbOJGNd__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110810.bat
> -rw-rw-r-- 1 zeek zeek        19 Dec 30 16:25
> CZi12w40mQqZt08H24_FZ3vCj4O7BqZZYdgT__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-90.txt
> -rw-rw-r-- 1 zeek zeek       330 Dec 30 16:25
> CZi12w40mQqZt08H24_FozvDx13eGGG5Sssyc__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110793.bat
> -rw-rw-r-- 1 zeek zeek        77 Dec 30 16:25
> CZi12w40mQqZt08H24_FIwGEp2TW6WJ8IbEcd__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-89.txt
> -rw-rw-r-- 1 zeek zeek       313 Dec 30 16:25
> CZi12w40mQqZt08H24_FWm9sG44On6hV5AoWj__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110781.bat
> -rw-rw-r-- 1 zeek zeek        10 Dec 30 16:25
> CZi12w40mQqZt08H24_Fo3rTB2pdq5ooABUCa__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-88.txt
>
> Can these files be purged periodically?
>
> Seeing this on both the master box and the cluster node.
>
> Thank you.
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin

