Bro handling of Microsoft BITS traffic

Hey all,

I have a question about how Bro handles Microsoft BITS (Background Intelligent Transfer Service) traffic since the file is only partially downloaded in the session it’s monitoring. We’ve seen some traffic and it looks like Bro just shows as an incomplete file and doesn’t carve it properly.

Is there anything we can do to mitigate this?

There is actually some support in the file analysis code to handle this type of situation. It *probably* already works if the BITS traffic you are seeing is in a pcap file or seen by a single Bro worker. We don't have anything in place yet to do extraction from traffic hitting multiple workers. This is also a bit of a weird feature because none of the other network monitoring software that's around does this.

I would be interested in how you see Bro handling the traffic if you have a pcap file with the full transfer happening over multiple connections to see if Bro extracts the file correctly. It's possible that they've changed things a bit since I worked with it last.

  .Seth
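A script for checking the behaviour Seth asks about, as an added example that is not part of this thread or of the Bro project's own scripts. It enables the extract analyzer for files of selected MIME types and, when Bro is done with a file, reports how many bytes were seen, how many were never observed on the wire, and how many connections the file spanned. BITS fetches files in pieces with HTTP range requests, so a transfer that Bro reassembles across connections should show one file id with several connections and no missing bytes; a transfer it does not reassemble shows up as separate files with gaps. The module name, the `extract_types` set and the output format are choices made for this example; it assumes a Bro release that provides the `file_sniff` event (2.4 or later).

```bro
# Example only; not a script shipped with Bro.  Run against a capture with:
#   bro -r bits.pcap extract-check.bro
# Extracted files land in the extract_files/ directory created by base/files/extract.

@load base/files/extract

module ExtractCheck;

export {
    ## MIME types worth extracting.  Assumption for this example: the
    ## BITS payloads of interest are Windows executables; redef as needed.
    const extract_types: set[string] = { "application/x-dosexec" } &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    # Name the on-disk copy after the file id so pieces carried over
    # different connections but sharing one id end up in one file.
    local fname = fmt("extract-%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # missing_bytes counts gaps Bro never saw.  A file fetched in chunks is
    # only complete when there are no gaps and, if the server announced a
    # length, every byte up to that length was seen.
    local complete = f$missing_bytes == 0 &&
                     ( ! f?$total_bytes || f$seen_bytes == f$total_bytes );

    # Number of connections that contributed to this file id.
    local nconns = f?$conns ? |f$conns| : 0;

    print fmt("%s %s: conns=%d seen=%d total=%s missing=%d -> %s",
              f$id, f$info$extracted, nconns, f$seen_bytes,
              f?$total_bytes ? cat(f$total_bytes) : "unknown",
              f$missing_bytes,
              complete ? "complete" : "INCOMPLETE");
    }
```

On a single worker or a pcap, a BITS download that Bro stitches together should print one line with `conns` greater than 1 and `complete`; several lines with the same URL, each marked `INCOMPLETE` with non-zero `missing`, means the ranges were treated as separate files, which is the result Seth asks to hear about.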