[Zeek] Zeek - Usecase based File Extraction

Uton Cyr utoncyr at gmail.com
Thu Sep 12 12:40:12 PDT 2019

Hi all,

I've recently been working on file carving/extraction based on a few

During a match with the Intel Framework on a FILE_HASH, I want to extract
the file.
During a match with the Intel Framework on a DOMAIN and ADDR, I want to
extract the file.

*See code below.*

Yet every time I'll get the error message:
*Analyzer Files::ANALYZER_EXTRACT not added successfully to file ......*

This occurs when you try to extract from the event: file_hash.
However, within events such as file_new and file_sniff, files can be
I'd like to hand over the hash within the event of file_hash to

A few questions:
- Is it possible to extract a file during an Intel::match event?
- If yes, how would I go about this?
- Is there a simple way to hand over the hash, originating tx_host and
domain to the Intel framework and extract a file after a match?

Looking forward to your reply.

Kind regards,


@load base/frameworks/intel
@load base/files/extract
@load base/files/hash

## Redefine to path desired.
global path = "/home/zintern/EXTRACTED/temp/";

## Redefine to desired IoC .dat file
redef Intel::read_files += { fmt("%s/otx.dat", @DIR) };

## When a new file is seen, attach the hash analyzers so file_hash fires later.
event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

## When a file_hash has been seen, hand the hash to the Intel framework.
## (Intel::Seen needs $indicator_type and $where as well; $f carries the file
## record so it is available as s$f in Intel::match.)
event file_hash(f: fa_file, kind: string, hash: string)
	{
	local seen = Intel::Seen($indicator=hash,
	                         $indicator_type=Intel::FILE_HASH,
	                         $f=f,
	                         $where=Files::IN_HASH);
	Intel::seen(seen);
	}

## When a match has been found between the seen traffic and the otx.dat
## file indicators, try to extract the matching file.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	if ( s$indicator_type == Intel::FILE_HASH )
		{
		local fname = fmt("%s%s-%s", path, s$f$source, s$f$id);
		Files::add_analyzer(s$f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
		}
	}
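Added example, not part of the original post or of Zeek itself: since the extract analyzer can only be attached while the file is still being delivered (file_hash fires once the file is complete), this script extracts at file_sniff for an assumed MIME allow-list, feeds the SHA256 to the Intel framework, and on a FILE_HASH match raises a Notice naming the already extracted file. The module name, notice type, `extract_mime` set and `extracted_paths` table are assumptions of this example.

```zeek
@load base/frameworks/intel
@load base/frameworks/notice
@load base/files/extract
@load base/files/hash

module IntelExtract;   # assumed module name

export {
	redef enum Notice::Type += { Extracted_File_Intel_Match };
	# Assumed allow-list of MIME types worth writing to disk; redef as needed.
	const extract_mime: set[string] = { "application/x-dosexec", "application/pdf" } &redef;
}

# fuid -> on-disk path of the extracted file (assumed helper table).
global extracted_paths: table[string] of string &create_expire=1hr;

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# SHA256 rides along on every file so file_hash fires for all of them.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);

	if ( ! meta?$mime_type || meta$mime_type !in extract_mime )
		return;

	# Extraction has to be attached here; by the time file_hash fires the
	# file is complete and add_analyzer(ANALYZER_EXTRACT) fails.
	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	extracted_paths[f$id] = build_path_compressed(FileExtract::prefix, fname);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Only needed if policy/frameworks/intel/seen is not already loaded.
	Intel::seen([$indicator=hash, $indicator_type=Intel::FILE_HASH,
	             $f=f, $where=Files::IN_HASH]);
	}

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# Intel::Seen carries the file id as s$fuid. In a cluster this event is
	# raised on the manager, so correlate on fuid via files.log instead of
	# this worker-local table.
	if ( s$indicator_type != Intel::FILE_HASH || ! s?$fuid || s$fuid !in extracted_paths )
		return;
	NOTICE([$note=Extracted_File_Intel_Match, $fuid=s$fuid,
	        $msg=fmt("%s matched intel indicator %s; extracted to %s",
	                 s$fuid, s$indicator, extracted_paths[s$fuid])]);
	}
```

Files that never match still land on disk, so pair this with a cleanup job keyed on files.log where no intel.log entry exists for the fuid.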
