[Zeek] Zeek - Usecase based File Extraction

Uton Cyr utoncyr at gmail.com
Thu Sep 12 12:40:12 PDT 2019


Hi all,

I've recently been working on file carving/extraction based on a few
use cases.

Namely:
During a match with the Intel Framework on a FILE_HASH, I want to extract
the file.
During a match with the Intel Framework on a DOMAIN and ADDR, I want to
extract the file.

*See code below.*

Yet every time I get the error message:
*Analyzer Files::ANALYZER_EXTRACT not added successfully to file ......*

This occurs when you try to extract from the file_hash event.
However, within events such as file_new and file_sniff, files can be
extracted.
I'd like to hand over the hash within the file_hash event to
Intel::Seen($indicator=hash).

A few questions:
- Is it possible to extract a file during an Intel::match event?
- If yes, how would I go about this?
- Is there a simple way to hand over the hash, originating tx_host and
domain to the Intel framework and extract a file after a match?

Looking forward to your reply.

Kind regards,
Bart

{CODE}

@load base/frameworks/intel
@load base/files/extract

## Redefine to the desired path.
const path = "/home/zintern/EXTRACTED/temp/" &redef;

## Redefine to the desired IoC .dat file.
redef Intel::read_files += { fmt("%s/otx.dat", @DIR) };

## When a new file is seen, attach the hash analyzers.
event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

## When a file hash has been computed, hand it to the Intel framework.
event file_hash(f: fa_file, kind: string, hash: string)
	{
	local seen = Intel::Seen($indicator=hash,
	                         $indicator_type=Intel::FILE_HASH,
	                         $f=f,
	                         $where=Files::IN_HASH);

	Intel::seen(seen);
	}

## When a match has been found between the seen traffic and the otx.dat
## file indicators, try to extract the matching file.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	if ( s$indicator_type == Intel::FILE_HASH && s?$f )
		{
		local fname = fmt("%s%s-%s", path, s$f$source, s$f$id);
		# Files::add_analyzer() returns F, and the reporter logs the
		# "not added successfully" warning, when the analyzer cannot be
		# attached to this file.
		Files::add_analyzer(s$f, Files::ANALYZER_EXTRACT,
		                    [$extract_filename = fname]);
		}
	}
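
The timing behind the error shown in the post is that the hash analyzers only report in file_hash once the whole file has been seen, so when Intel::match fires for a FILE_HASH hit there is no more data for an extract analyzer to write. The script below, added here as an example and not code from the post or from the Zeek project, turns the flow around for both use cases in the post: it attaches the extract analyzer in file_new for the sources it cares about, records Intel matches either on the file itself (hash) or on the connection that carries it (ADDR and DOMAIN hits from the conn-established and http-host-header seen scripts, which carry $conn but not $f), and deletes the extracted copy in a deferred decision if neither matched. The indicator file and extraction directory paths, the module name IntelExtract, the notice type, the source list and the 10-second grace period are assumptions made for the example.

```zeek
# intel-extract.zeek (added example, not from the original post)
# Extract files as they start, keep only those the Intel framework matched
# on the file hash or on the connection carrying the file.

@load base/frameworks/intel
@load base/frameworks/notice
@load base/files/extract
# Policy scripts that feed hashes (with $f set), connection endpoints, HTTP
# Host headers, URLs etc. into Intel::seen().
@load frameworks/intel/seen

redef Intel::read_files += { "/opt/zeek/share/intel/otx.dat" };  # assumed path
redef FileExtract::prefix = "/var/zeek/extracted/";              # assumed path
redef FileExtract::default_limit = 10 * 1024 * 1024;             # 10 MiB per file

module IntelExtract;

export {
	redef enum Notice::Type += { Match_Extracted };

	## Only files from these analyzers (as reported in f$source) are
	## extracted; assumed list, adjust to what files.log shows.
	const extract_sources: set[string] = { "HTTP", "SMTP", "FTP_DATA" } &redef;

	## Grace period after a file ends so that an Intel::match raised from
	## the file_hash handler still arrives before the keep/delete decision.
	const decision_delay = 10 secs &redef;

	global decide: event(fuid: string, conn_matched: bool);
}

## fuid -> on-disk path of an extracted file awaiting a decision
global pending: table[string] of string;
## fuids whose hash matched an indicator
global matched_files: set[string];
## uids of connections whose endpoint, Host header, URL, ... matched
global matched_conns: set[string] &create_expire = 1 hr;

event file_new(f: fa_file)
	{
	if ( f$source !in extract_sources )
		return;

	# MD5/SHA1 are computed by base/files/hash already; add SHA256 so that
	# SHA256 indicators in the feed can match too.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);

	# The extract analyzer has to be attached now: when file_hash fires the
	# file is complete and Files::add_analyzer() returns F.
	local fname = fmt("%s-%s", f$source, f$id);
	if ( Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                         [$extract_filename = fname]) )
		pending[f$id] = build_path_compressed(FileExtract::prefix, fname);
	}

event Intel::match(s: Intel::Seen, items: set[Intel::Item])
	{
	# FILE_HASH hits carry the file; host/domain/URL hits carry the connection.
	if ( s?$f )
		add matched_files[s$f$id];
	if ( s?$conn )
		add matched_conns[s$conn$uid];
	}

function carried_by_matched_conn(f: fa_file): bool
	{
	if ( ! f?$conns )
		return F;
	for ( cid in f$conns )
		if ( f$conns[cid]$uid in matched_conns )
			return T;
	return F;
	}

event file_state_remove(f: fa_file)
	{
	if ( f$id !in pending )
		return;
	# Connection-level matches (endpoints, Host header) precede the body and
	# are known here; the hash match may still be queued behind this event.
	schedule decision_delay { IntelExtract::decide(f$id, carried_by_matched_conn(f)) };
	}

event IntelExtract::decide(fuid: string, conn_matched: bool)
	{
	if ( fuid !in pending )
		return;
	local extracted_path = pending[fuid];
	if ( fuid in matched_files || conn_matched )
		NOTICE([$note=Match_Extracted, $fuid=fuid,
		        $msg=fmt("Intel match, extracted file kept at %s", extracted_path)]);
	else if ( ! unlink(extracted_path) )
		Reporter::warning(fmt("could not remove %s", extracted_path));
	delete pending[fuid];
	delete matched_files[fuid];
	}
```

Run it against a capture with `zeek -Cr capture.pcap intel-extract.zeek` and check notice.log and the extraction directory. Two caveats: every file from the listed sources is written to disk up to default_limit before the decision, so narrow extract_sources (or gate on the MIME type reported in file_sniff) if the volume is too high; and on a cluster this standalone logic does not hold as written, because Intel::match is raised on the manager while the extract analyzer runs on the worker holding the file, so the match would have to be relayed back to that worker before decide() runs.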