[Zeek] File extraction package

Kayode Enwerem Kayode_Enwerem at ao.uscourts.gov
Mon Apr 27 14:08:08 PDT 2020


Hello,

We are trying to do some customization to the file extraction package https://github.com/hosom/file-extraction

Does any one have any suggestions on how I can get any of these done?


  1.  Is there a way to define what network you want the "file extracting package" to extract the files from? Instead of extracting files from all the networks defined in network.cfg. Example: if I have 7 subnets defined in network.cfg  but I only the file extracting package to extract files from 2 out of the 7.
  2.  Is there a way to dedup the extracted files. Example: If a file was sent to 20 people, I only want to see the file 1 time instead of 20 times.
  3.  We would also like to exclude certain file types based coming via SMB. Example: excluding all .pdf files I just want to exclude .pdf files coming via SMB.

Zeek version we are running is 3.0.3.

Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200427/8072b508/attachment.html 


More information about the Zeek mailing list