[Zeek] Zeek - Usecase based File Extraction

Uton Cyr utoncyr at gmail.com
Sat Sep 14 08:36:38 PDT 2019 

Hi Jan,

Thank you for the clarification!
I should've known a file cannot be extracted "after" the hash of the file
has been calculated.
To calculate the hash of a file in the first place you'd need to analyse
the file in its entirety.
Meaning after the hash has been analysed of the file it's likely at the END
bit of the data stream.

The partial solution to extract first and verify later might be overkill on
a network where thousands of files are downloaded.
Restricting it to particular data protocols such as HTTP 'only' will have
less of an impact on the computational load.
I'll have to try your suggested method, thank you for the link!

I was wondering if the usecase of extracting after getting an intel hit on
INTEL::DOMAIN and INTEL::ADDR might still work.
My assumption here is that the time between the event file_new and
intel::match might be small enough to not make a difference.
As long as the function Intel::seen is called immediately during a file_new
event (this might cause some dataloss).

I have a one more questions if you or anyone has time:
- I'd like to compare the tx_hosts seen of a file with the INTEL::ADDR, how
would I go about this? (since tx_hosts is a set (still learning bro)).

Kind regards,
Bart


Op vr 13 sep. 2019 om 18:03 schreef Jan Grashöfer <jan.grashoefer at gmail.com
>:

> Hi Bart,
>
> On 12/09/2019 21:40, Uton Cyr wrote:
> > A few questions:
> > - Is it possible to extract a file during an Intel::match event?
> > ...
>
> usually the match is too late to attach the file analyzer that handles
> extraction. Furthermore, in a cluster setup its triggered on the
> manager. The simplest way to get files for intel hits is to extract all
> files and just preserve the ones that triggered a hit (for the poor
> man's approach see
>
> https://github.com/J-Gras/intel-extensions/blob/master/scripts/preserve_files.bro
> ).
>
> Jan
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190914/6ef9bf70/attachment.html

More information about the Zeek mailing list