2.1 file analysis logging in 2.2

I’m fairly new to Bro, but had a question I was hoping to get answered. I’ve combed documentation and source code, but can’t quite get to what I’m looking for.

I believe in 2.2, the file analysis engine was modified such that the HTTP, SMTP, etc. file analysis logs were merged into a single files.log file. Some of the guys around the office thought they remembered a presentation back in August on being able to configure Bro to still report files in the 2.1 mode.

Am I way off base, or is there a way to do this in 2.2 to report like 2.1?

Thanks,
Mike

I believe in 2.2, the file analysis engine was modified such that the HTTP, SMTP, etc. file analysis logs were merged into a single files.log file.

Yep, sort of. There is still some information about the files pulled back into the protocol logs too (and you could write scripts that pull more back).

Some of the guys around the office thought they remembered a presentation back in August on being able to configure Bro to still report files in the 2.1 mode.

I think you're going to need to describe what is missing that you want back.

  .Seth

So in 2.1, the http.log format had field/column values for 'mime_type' and
'md5', both simple strings. That appears to have been expanded
significantly in 2.2 such that there are now 4 columns:
'orig_fuids', 'orig_mime_types', 'resp_fuids', 'resp_mime_types', which are
vectors of strings that reference the fuids in files.log (if my
understanding is correct).

Is there a simple way to add back those two old columns to the http.log
file? Understanding that the new mime_types fields are vectors instead of
straight strings, do either of the new mime_type fields correspond to the
old mime_type column?

You can certainly do that, but I do want to point out that the old log was incorrect. HTTP uses MIME to transfer data so you can send multiple files and receive multiple files in a single request or response.

mime_type is basically the same as the resp_mime_types field except that it can represent more than one file. Hashes are not included in the HTTP log at all anymore but you can add it back by basically copying how the resp_mime_types field is populated.

Finally I should probably point out that the resp_fuids and orig_fuids fields correspond to the second field (fuid) in the files.log.

  .Seth
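As an added illustration of the approach Seth describes (copying how resp_mime_types is populated), the following script is not from the thread or the Bro project; it assumes the Bro 2.2 script API names fa_file$http, fa_file$mime_type, fa_file$is_orig, Files::ANALYZER_MD5 and the file_hash event, and it keeps the restored columns scalar by recording only the first response-side file of each request.

```bro
# Added example (not Seth's code): restore 2.1-style scalar mime_type and
# md5 columns in http.log on top of the Bro 2.2 file-analysis framework.
# Assumed 2.2 names: fa_file$http, fa_file$mime_type, fa_file$is_orig,
# Files::ANALYZER_MD5 and the file_hash event.
@load base/protocols/http
@load base/files/hash

module HTTP;

export {
	redef record Info += {
		## First response-side MIME type as a plain string (2.1 style).
		mime_type: string &log &optional;
		## MD5 of the first response-side file body (2.1 style).
		md5: string &log &optional;
	};
}

# Mirror the logic that fills resp_mime_types: hook the moment a file is
# tied to an HTTP connection, server-to-client direction only. Priority 3
# runs after the base handler (priority 5) that sets f$http.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=3
	{
	if ( f$source != "HTTP" || is_orig || ! c?$http )
		return;

	# Only the first response body per request, so the column stays scalar.
	if ( c$http?$mime_type )
		return;

	if ( f?$mime_type )
		c$http$mime_type = f$mime_type;

	# Ask for the digest; the result arrives later via file_hash.
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	}

event file_hash(f: fa_file, kind: string, hash: string) &priority=3
	{
	if ( kind != "md5" || ! f?$http )
		return;

	if ( f?$is_orig && f$is_orig )
		return;

	# Keep the first hash only, matching the single-value 2.1 column.
	if ( ! f$http?$md5 )
		f$http$md5 = hash;
	}
```

The same files still appear in files.log with their fuids, so the extra columns duplicate information rather than replace the 2.2 fields.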