Add/Ignore files extensions from hosom file-extraction module

Hey hey

I am trying to modify the file extraction module and to understand this module better…

This module extracts multiple file types by default. Where should I comment or change the configuration to ignore some file types (let's say image/png or application/x-dosexec)? What I've loaded so far in local.zeek is only /packages/file-extraction/plugins/extract-common-exploit-types.zeek, which contains some file types, but I see more types extracted.

Is every file type from base/frameworks/files/magic extracted by default?

Also, if I want to add other file types / mime_types (docs or elf), what do I need to modify or add?

Thanks for keeping this community so strong <3 and see you in Munich

Hey @georgio ,

I have only limited experience with the package.

> which contains some file types, but I see more types extracted.

Any chance you're loading the extract-all-files.zeek script from the Zeek distribution? The package alone shouldn't result in more files being extracted, IIUC.

There’s also a hook that you could implement for selectively ignoring certain file types:

In your local.zeek, you could place something like the following:

module FileExtraction;

# MIME types that should never be written to disk; &redef lets other
# scripts extend the set.
const no_extract: set[string] = { "image/png", "application/x-dosexec" } &redef;

# Breaking out of the ignore hook tells the package to skip this file.
# mime_type is an optional field of fa_metadata, so check that it is set
# before reading it (unset files would otherwise trigger a runtime error).
hook FileExtraction::ignore(f: fa_file, meta: fa_metadata) {
    if ( meta?$mime_type && meta$mime_type in no_extract )
        break;
}

> Also, if I want to add other file types / mime_types ( docs or elf ) what do I need to modify or add ?

You mean for updating known suffixes?

Preferably the mime_to_ext table would be &redef, but unfortunately it’s not. It might be easiest to fork the repo and submit a PR with any updates (or fork and add the &redef attribute).

HTH, Arne
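A fuller local.zeek fragment that both ignores and adds MIME types, as an added example rather than code from the thread or from the file-extraction package itself. It assumes the package exposes two hooks, FileExtraction::ignore and FileExtraction::extract, and that a handler calling `break` in the ignore hook suppresses extraction while `break` in the extract hook requests it; the `@load` line, the counter table, and the MIME strings for ELF and legacy .doc ("application/x-executable", "application/msword") are likewise assumptions about how your Zeek build labels those files and how you load the package.

```zeek
# Added example, not part of the original thread or of the file-extraction
# package. Assumed: the package defines FileExtraction::ignore and
# FileExtraction::extract hooks; `break` in ignore skips the file, `break`
# in extract forces the file to be written.
@load file-extraction   # assumed; adjust to however you load the package

module FileExtraction;

export {
	# MIME types never written to disk, even if a plugin asks for them.
	const no_extract: set[string] = {
		"image/png",
		"application/x-dosexec",
	} &redef;

	# MIME types to extract in addition to whatever loaded plugins request.
	const extra_extract: set[string] = {
		"application/x-executable",   # ELF; assumed label from Zeek's magic sigs
		"application/msword",         # legacy .doc; assumed label
	} &redef;
}

# Per-decision counters so you can confirm the hooks fire on real traffic.
global decisions: table[string] of count &default=0;

# Files with no sniffed type have no meta$mime_type; test with ?$ first or the
# field access raises a runtime error and the hook body is aborted.
hook FileExtraction::ignore(f: fa_file, meta: fa_metadata)
	{
	if ( meta?$mime_type && meta$mime_type in no_extract )
		{
		++decisions[fmt("ignored %s", meta$mime_type)];
		break;
		}
	}

hook FileExtraction::extract(f: fa_file, meta: fa_metadata)
	{
	if ( meta?$mime_type && meta$mime_type in extra_extract )
		{
		++decisions[fmt("extracted %s", meta$mime_type)];
		break;
		}
	}

# Print a summary at shutdown (e.g. after `zeek -r sample.pcap local.zeek`).
event zeek_done()
	{
	for ( k in decisions )
		print fmt("%s: %d", k, decisions[k]);
	}
```

Run it against a pcap that carries a PNG and an ELF download and compare the summary with the `extracted` column in files.log: PNG entries should have no extracted filename, the ELF ones should. If files.log shows far more extraction than these hooks explain, look for policy/frameworks/files/extract-all-files.zeek being loaded elsewhere, since that script attaches Files::ANALYZER_EXTRACT to every file regardless of type.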