[Zeek] Zeek won't extract exe and office files

Hank Duo jradih20 at gmail.com
Wed May 6 04:51:14 PDT 2020


Hi Mike, I checked the capture_loss log and found several records there. I
analyzed the traffic using Wireshark and observed packet loss when
downloading the .exe or .bin files. I am not sure what is causing the
problem, so I am trying to figure it out. Is there anything to do on Zeek in
such a case?


On Wed, 6 May 2020 at 01:32, Mike Ware <maware at ucsc.edu> wrote:

> Could this be caused by capture loss? If you don't have all the packets
> you can't reconstruct.
>
> On Tue, May 5, 2020, 15:18 Justin Azoff <justin at corelight.com> wrote:
>
>> What does the conn and http log entry look like for the file transfers
>> that are not being extracted?
>>
>> On Tue, May 5, 2020 at 5:33 PM Hank Duo <jradih20 at gmail.com> wrote:
>> >
>> > Hi,
>> > Following my previous email, Zeek started extracting some .exe files
>> but not all. If for example I download twenty .exe files over http from a
>> certain website, Zeek extracts like 2 or 3 out of 20. Is there a reason why
>> Zeek is not recognizing and extracting all .exe files? Also, I added Binary
>> .bin files to be extracted, however it is not extracting them.
>> > Note: I am downloading all files over http protocol only and not SSL.
>> > Thank you for your help
>> > Regards,
>> > Hank
>> >
>> > On Wed, 29 Apr 2020 at 23:42, Hank Duo <jradih20 at gmail.com> wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I would like to extract .exe and office files for static and dynamic
>> malware analysis purposes. I used the attached script; however, .exe or .docs
>> files are not extracted except for html, txt or zip files.
>> >>
>> >> Note that I modified the main.zeek file which is located in
>> /usr/local/zeek/share/zeek/zeekctl/main.bro by adding @load
>> /frameworks/files/extract-myfiles (which is the script file name) and
>> commented the default one and the script was applied properly.
>> >>
>> >> Also, is there a way to extract files only from http or smb protocols
>> while excluding https?
>> >> Thank you guys
>> >>
>> > _______________________________________________
>> > Zeek mailing list
>> > zeek at zeek.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Justin
>>
>>
>
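An added example, not Hank's attached script nor anything from the Zeek project, showing the two things asked for in the thread: limiting extraction to files carried over HTTP and SMB (HTTPS payloads never reach the file framework in the clear, so only the transport's own certificates would show up, and they are skipped here too), and flagging extracted files that came out incomplete because of stream gaps, which is what capture loss looks like from the file framework's side. The module name, the MIME type list and the output filename format are assumptions chosen for this example.

```zeek
@load base/frameworks/files
@load base/files/extract

module ExtractSelected;

export {
	## MIME types to extract (constructed list; adjust to your needs).
	## Note: .bin downloads are often served as application/octet-stream,
	## so a type list that omits it will skip them.
	const extract_mime_types: set[string] = {
		"application/x-dosexec",
		"application/msword",
		"application/vnd.openxmlformats-officedocument.wordprocessingml.document",
		"application/vnd.ms-excel",
		"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
		"application/octet-stream",
	} &redef;

	## File sources (protocol analyzer names) allowed to feed the extractor.
	## "SSL" is deliberately absent, so certificates are not written out.
	const extract_sources: set[string] = { "HTTP", "SMB" } &redef;
}

# file_sniff fires once the MIME type has been identified from the
# first bytes, which is the earliest point to attach the extractor.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( f$source !in extract_sources )
		return;
	if ( ! meta?$mime_type || meta$mime_type !in extract_mime_types )
		return;

	local fname = fmt("%s-%s", f$source, f$id);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname]);
	}

# When the file is done, report extractions that have gaps. missing_bytes
# counts bytes Zeek never saw in the stream; a non-zero value means the
# file on disk is incomplete and usually lines up with capture_loss.log.
event file_state_remove(f: fa_file)
	{
	if ( ! f?$info || ! f$info?$extracted )
		return;
	if ( f$missing_bytes > 0 )
		print fmt("incomplete extraction %s: %d of %d bytes missing",
		          f$info$extracted, f$missing_bytes, f$seen_bytes + f$missing_bytes);
	}
```

Load it from local.zeek (or via @load as in the thread) in place of the default extraction script; the extracted files land in the usual extract_files directory, and the print output goes to stdout or reporter.log depending on how Zeek is run.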