[Zeek] Zeek won't extract exe and office files

Justin Azoff justin at corelight.com
Tue May 5 15:16:13 PDT 2020


What does the conn and http log entry look like for the file transfers
that are not being extracted?

On Tue, May 5, 2020 at 5:33 PM Hank Duo <jradih20 at gmail.com> wrote:
>
> Hi,
> Following my previous email, Zeek started extracting some .exe files but not all. If for example I download twenty .exe files over http from a certain website, Zeek extracts like 2 or 3 out of 20. Is there a reason why Zeek is not recognizing and extracting all .exe files? Also, I added Binary .bin files to be extracted, however it is not extracting them.
> Note: I am downloading all files over http protocol only and not SSL.
> Thank you for your help
> Regards,
> Hank
>
> On Wed, 29 Apr 2020 at 23:42, Hank Duo <jradih20 at gmail.com> wrote:
>>
>> Hi all,
>>
>> I would like to extract .exe and office files for static and dynamic malware analysis purposes. I used the attached script; however, .exe or .docs files are not extracted, except for html, txt or zip files.
>>
>> Note that I modified the main.zeek file which is located in /usr/local/zeek/share/zeek/zeekctl/main.bro by adding @load /frameworks/files/extract-myfiles (which is the script file name) and commented the default one and the script was applied properly.
>>
>> Also, is there a way to extract files only from http or smb protocols while excluding https?
>> Thank you guys
>>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
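Added example (not the attached script from the thread, and not Zeek's own code): a file-extraction policy that keys on the sniffed MIME type, extracts only files seen over HTTP or SMB (via `f$source`, so SSL/TLS objects are skipped), and falls back to the HTTP request URI for raw `.bin` payloads that match no signature. The output directory, the MIME table and the `.bin` URI check are assumptions for illustration.

```zeek
# Added example, not from the thread. Extract files by sniffed MIME type,
# but only when Zeek saw them over HTTP or SMB (f$source), so SSL/TLS
# objects such as certificates are never handed to the extractor.
@load base/files/extract

# Assumed output directory; FileExtract::prefix is Zeek's own setting.
redef FileExtract::prefix = "/usr/local/zeek/extracted/";

# Only files carried by these protocol analyzers are extracted.
const extract_sources: set[string] = { "HTTP", "SMB" } &redef;

# Sniffed MIME type -> extension used on disk. Sniffing is content-based
# (magic bytes), not based on the extension in the URL.
const ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/msword"] = "doc",
    ["application/vnd.ms-excel"] = "xls",
    ["application/vnd.ms-powerpoint"] = "ppt",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
    ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
    ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx",
    # OOXML documents are ZIP containers; if the signature set in use does
    # not match them specifically, they sniff as application/zip instead.
    ["application/zip"] = "zip",
} &default = "";

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source !in extract_sources )
        return;

    local ext = "";

    if ( meta?$mime_type )
        ext = ext_map[meta$mime_type];
    # Raw .bin payloads usually match no signature, so meta$mime_type is
    # absent; fall back to the HTTP request URI for those (assumed check).
    else if ( f?$http && f$http?$uri && /\.bin$/ in f$http$uri )
        ext = "bin";

    if ( ext == "" )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Justin's question above is the right starting point for the missing transfers: `missed_bytes` in conn.log shows when the capture lost part of a transfer, and `resp_mime_types` in http.log shows what the sniffer concluded, so a download that sniffs as anything other than application/x-dosexec is skipped by the table above.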