adding date into file extraction directory


I made a change to local.bro to do HTTP file extraction
and set the saving directory to …/files/http/file-http

The problem is there are too many files in the http directory

So is there a way to automatically make a date directory under http

…files/http/today’s date/file-http
and have the date change automatically?

I used the command
redef HTTP::extract_file_types = /application\/.*/;

redef HTTP::extraction_prefix = "…/files/http/file-http";

thank you

You can't do that by using those existing mechanisms since the extraction prefix is always a string constant at runtime and cannot change. It should be possible/easy to do in the next release when using the generic file analysis interface.

For now, what you could do is basically duplicate the code of scripts/base/protocols/http/file-extract.bro except replace usage of "extraction_prefix" with a call to your own function that returns the file prefix that you want (it would probably use something like "strftime("%Y-%m-%d", current_time())" to get the date part of it). Then change your local.bro to use your own version of the script.

- Jon
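
The prefix function suggested in the reply above, as an added example (not code from the original thread or from Bro's shipped scripts). The module name DatedExtract, base_dir and prefix() are hypothetical names, and the base directory value is constructed; strftime, current_time, fmt and mkdir are Bro built-ins.

```bro
# Added example: hypothetical helper module, not part of Bro's own scripts.
module DatedExtract;

export {
	## Base directory for extracted HTTP files (constructed value).
	## Assumption: this directory already exists, because mkdir()
	## creates only the last path component.
	const base_dir = "files/http" &redef;

	## Returns a prefix of the form "<base_dir>/YYYY-MM-DD/file-http".
	global prefix: function(): string;
}

# Date of the last directory we created, so mkdir() runs once per day
# instead of once per extracted file.
global last_day = "";

function prefix(): string
	{
	# current_time() is wall-clock time, as suggested in the reply.
	# When reading an old trace, network_time() would file the output
	# under the capture date instead.
	local day = strftime("%Y-%m-%d", current_time());
	local dir = fmt("%s/%s", base_dir, day);

	if ( day != last_day )
		{
		# The dated directory has to exist before a file is opened
		# inside it.
		if ( mkdir(dir) )
			last_day = day;
		}

	return fmt("%s/file-http", dir);
	}
```

In the copied version of file-extract.bro, the place that uses extraction_prefix would call DatedExtract::prefix() instead.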