Too easy, that worked! It created the extracted files in the ‘pwd’. I checked the md5 and it matched the one from the Wireshark pcap file. I’ll run another test on a tcpdump file and verify the md5 as well.
Three questions then:
- Can I safely assume, based on these test results, that broctl will perform the same way as bro?
- If so, where will broctl place the ‘extracted_files’ directory?
- Lastly, what’s the best way to investigate these files (I’m capturing all exe downloads on HTTP)? For example, the directory ‘extracted_files’ will be full of HTTP-blahblah names. How would I correlate those file names to their actual file names? Is that information stored in the conn.log, files.log, http.log, packet_filter.log, & weird.log?
Thanks for your time.
JW
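As an added example (not part of the thread above), here is one way to answer the third question by joining files.log to http.log on the file id: the `extracted`, `fuid`, `conn_uids`, `md5` and `resp_fuids` column names are Bro 2.x defaults, while the log lines and the `HTTP-<fuid>` extracted name are constructed for illustration.

```python
from typing import Dict, List

def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log: '#fields' names the columns, other '#' lines are headers."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def correlate(files_log: str, http_log: str) -> Dict[str, Dict[str, str]]:
    """Map each extracted file name to the request URL, declared name, md5 and conn uid."""
    by_fuid = {}
    for h in parse_bro_log(http_log):
        for fuid in h["resp_fuids"].split(","):   # a response may carry several files
            if fuid != "-":
                by_fuid[fuid] = h
    out = {}
    for f in parse_bro_log(files_log):
        if f["extracted"] == "-":                   # only files that were written to disk
            continue
        h = by_fuid.get(f["fuid"], {})
        out[f["extracted"]] = {
            "url": h.get("host", "?") + h.get("uri", "?"),
            "filename": f["filename"],              # Content-Disposition name, if any
            "mime_type": f["mime_type"],
            "md5": f["md5"],
            "conn_uid": f["conn_uids"],             # key into conn.log
        }
    return out

# Constructed sample logs (subset of the real columns; values are placeholders).
FILES_LOG = "\n".join("\t".join(r) for r in [
    ["#fields", "ts", "fuid", "conn_uids", "source", "mime_type", "filename", "md5", "extracted"],
    ["1400000000.1", "FHH5zm1vDmHm8tF6i", "CXyz1a2b3c", "HTTP", "application/x-dosexec",
     "-", "0123456789abcdef0123456789abcdef", "HTTP-FHH5zm1vDmHm8tF6i"],
    ["1400000000.2", "FAbc9q2rTuVw3xY4z", "CXyz1a2b3c", "HTTP", "text/html", "-", "-", "-"],
])
HTTP_LOG = "\n".join("\t".join(r) for r in [
    ["#fields", "ts", "uid", "host", "uri", "resp_fuids"],
    ["1400000000.0", "CXyz1a2b3c", "example.com", "/dl/setup.exe", "FHH5zm1vDmHm8tF6i"],
])

if __name__ == "__main__":
    for name, info in correlate(FILES_LOG, HTTP_LOG).items():
        print(name, info)
```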