[Zeek] Zeek won't extract exe and office files

Hank Duo jradih20 at gmail.com
Tue May 5 19:45:09 PDT 2020


Looking into the http and conn logs, I can see that the downloaded .exe files
appear in http.log; however, most of the time the .exe files are not recognized
as application/x-dosexec files. For example, I tried downloading the same .exe
file several times until it got recognized, only once, as an x-dosexec file.
Also, there's a delay before the traffic is presented in the http or conn log files.

Note: Due to a lack of resources, the lab is made up of a single HP server
running Windows 10 that hosts three VMware VMs using VMware Workstation Pro.
The Zeek VM works as an IP forwarder with two interfaces: one is connected
to the client PC (internally) and the second interface is connected to the
internet. The client PC is a Windows 7 machine whose gateway IP is the
internal interface of the Zeek machine, and it gets internet through the Zeek VM.
The third machine is a web server with a single interface that is in the
same subnet as the Zeek second interface (connected to the internet).

I configured Zeek to monitor the internal interface and the subnet of the
client PC.

On Wed, 6 May 2020 at 01:16, Justin Azoff <justin at corelight.com> wrote:

> What does the conn and http log entry look like for the file transfers
> that are not being extracted?
>
> On Tue, May 5, 2020 at 5:33 PM Hank Duo <jradih20 at gmail.com> wrote:
> >
> > Hi,
> > Following my previous email, Zeek started extracting some .exe files but
> > not all. If, for example, I download twenty .exe files over http from a
> > certain website, Zeek extracts like 2 or 3 out of 20. Is there a reason why
> > Zeek is not recognizing and extracting all .exe files? Also, I added binary
> > .bin files to be extracted; however, it is not extracting them.
> > Note: I am downloading all files over http protocol only and not SSL.
> > Thank you for your help
> > Regards,
> > Hank
> >
> > On Wed, 29 Apr 2020 at 23:42, Hank Duo <jradih20 at gmail.com> wrote:
> >>
> >> Hi all,
> >>
> >> I would like to extract .exe and office files for static and dynamic
> >> malware analysis purposes. I used the attached script; however, .exe or .docs
> >> files are not extracted, only html, txt or zip files.
> >>
> >> Note that I modified the main.zeek file, which is located in
> >> /usr/local/zeek/share/zeek/zeekctl/main.bro, by adding @load
> >> /frameworks/files/extract-myfiles (which is the script file name) and
> >> commented out the default one; the script was applied properly.
> >>
> >> Also, is there a way to extract files only from the http or smb protocols
> >> while excluding https?
> >> Thank you guys
> >>
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Justin
>
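Added example, not the script attached to the thread (that attachment did not survive), of a Zeek script that extracts only executables and Office documents and only when they are carried over HTTP or SMB, which is the "http or smb but not https" selection asked about above. The module name, the MIME-type table, the size cap and the reporter messages are assumptions; the table should be checked against the mime_type column of files.log on the sensor in question.

```zeek
# Added example, not the script attached to the thread: extract only Windows
# executables and Office documents, and only from HTTP or SMB. TLS-wrapped
# transfers never match because their file source is not in the allow-list.
@load base/frameworks/files
@load base/files/extract

module ExtractMyFiles;

export {
    ## MIME type -> extension for the extracted file name. application/x-dosexec
    ## is the label Zeek's signatures give PE files; compare this list against
    ## the mime_type column of files.log and extend it as needed (assumed set).
    const wanted_types: table[string] of string = {
        ["application/x-dosexec"] = "exe",
        ["application/msword"] = "doc",
        ["application/vnd.ms-excel"] = "xls",
        ["application/vnd.ms-powerpoint"] = "ppt",
        ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
        ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
        ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx",
    } &redef;
    ## File sources (fa_file$source) to extract from; SSL is absent, so HTTPS is out.
    const wanted_sources: set[string] = { "HTTP", "SMB" } &redef;
    ## Per-file extraction cap in bytes (0 = unlimited); 50 MB is an assumed value.
    const max_bytes: count = 50 * 1024 * 1024 &redef;
}

# file_sniff fires once Zeek has sniffed a MIME type; file_new fires before that, so it is the wrong hook here.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source !in wanted_sources )
        return;
    if ( ! meta?$mime_type || meta$mime_type !in wanted_types )
        return;
    local fname = fmt("%s-%s.%s", f$source, f$id, wanted_types[meta$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname, $extract_limit=max_bytes]);
    }

# Make misses visible in reporter.log: files with no sniffed type at all, and
# files whose type matched but that were never written out (e.g. truncated).
event file_state_remove(f: fa_file)
    {
    if ( f$source !in wanted_sources || ! f?$info )
        return;
    if ( ! f$info?$mime_type )
        Reporter::info(fmt("%s from %s: no MIME type sniffed, not extracted", f$id, f$source));
    else if ( f$info$mime_type in wanted_types && ! f$info?$extracted )
        Reporter::info(fmt("%s (%s) from %s: matched but not extracted", f$id, f$info$mime_type, f$source));
    }
```

Extracted files land under the FileExtract prefix directory (extract_files/ by default); the two reporter messages separate "Zeek never typed the file" from "typed it but did not write it", which are different problems to chase in files.log and conn.log.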