[Zeek] Zeek - Usecase based File Extraction
Jan Grashöfer
jan.grashoefer at gmail.com
Fri Sep 13 08:54:59 PDT 2019
Hi Bart,
On 12/09/2019 21:40, Uton Cyr wrote:
> A few questions:
> - Is it possible to extract a file during an Intel::match event?
> ...
Usually the match is too late to attach the file analyzer that handles
extraction. Furthermore, in a cluster setup it's triggered on the
manager. The simplest way to get files for intel hits is to extract all
files and just preserve the ones that triggered a hit (for the poor
man's approach see
https://github.com/J-Gras/intel-extensions/blob/master/scripts/preserve_files.bro).
Jan
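The "extract everything, keep only the hits" approach described in the reply above, written out as an added example. This script is not part of the thread and not the linked intel-extensions code; it is a standalone (non-cluster) sketch, and the module name, the `grace` constant and the `intel-<fid>` file naming are assumptions. It attaches the extraction analyzer at `file_new` (before any intel lookup can happen), records an Intel hit per file id in `Intel::match`, and decides whether to delete the extracted file only after a short grace period following `file_state_remove`, because in standalone mode the `Intel::match` event for a hash-based indicator is queued after `file_state_remove` and deleting immediately would discard the hit. On a cluster the match fires on the manager, so the hit would have to be forwarded to the worker that holds the file; that part is not shown here.

```zeek
# Added example: extract all files, preserve only those that produced an
# Intel hit. Standalone mode only; cluster forwarding is out of scope.
@load base/frameworks/intel
@load base/files/extract

module PreserveIntelFiles;

export {
    ## How long to wait after a file ends before deciding its fate,
    ## so that a late Intel::match still arrives (assumed value).
    const grace = 30sec &redef;
}

# File id -> full path of the extracted file, for files still in flight.
global extracting: table[string] of string;

# File ids that triggered an Intel hit.
global preserved: set[string];

# Delete or keep an extracted file once its grace period has elapsed.
function decide(t: table[string] of string, fid: string): interval
    {
    if ( fid in preserved )
        {
        # The hit already arrived: keep the file on disk.
        delete preserved[fid];
        return 0sec;
        }
    # No hit: drop the extracted file.
    unlink(t[fid]);
    return 0sec;
    }

# Finished files wait here until the grace period expires.
global pending: table[string] of string
    &create_expire=grace &expire_func=decide;

# Attach the extraction analyzer to every file as soon as it is seen.
event file_new(f: fa_file)
    {
    local fname = fmt("intel-%s", f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    # The analyzer writes under FileExtract::prefix; remember the full path.
    extracting[f$id] = build_path(FileExtract::prefix, fname);
    }

# Record the hit for indicators that carry a file (FILE_HASH, FILE_NAME).
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    if ( s?$f )
        add preserved[s$f$id];
    else if ( s?$fuid )
        add preserved[s$fuid];
    }

# Move a finished file into the pending table; decide() runs on expiry.
event file_state_remove(f: fa_file)
    {
    if ( f$id !in extracting )
        return;
    pending[f$id] = extracting[f$id];
    delete extracting[f$id];
    }
```

Run it alongside the intel framework's file-based `seen` scripts (`policy/frameworks/intel/seen`) so that `Intel::match` is raised for file hashes and names; extracting every file is I/O heavy, so `FileExtract::prefix` should point at a volume sized for the traffic and `grace` should be kept short.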