bro question.

Hello all,

I am setting up a service that uses bro to simply extract exe files for a network stream for sandbox analysis. Currently, everything in my test environment is local.

I have an apache web server that is serving up a few exe files. On the same server, I have bro 2.3.1 running the attached file extraction script below.

The problem is that the file extracted never exactly matches the downloaded file, and the behavior is very inconsistent, i.e. sometimes the file would be extracted and most times the file would not even show up in the file.log log.

I suspect that I need to do something to check for file write completion but don't know how to go about doing it as there is not a file_done event. There is, however, a file_gap event that I read about.

Has anyone successfully done this?

I am using the loopback device on a linux server.
sudo bro -i lo extract.bro

wget http://localhost/test.exe

================extract.bro=======================================

# Map MIME type -> file extension; anything not listed maps to "" and is skipped.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default="";

event file_new(f: fa_file)
    {
    # Only extract files whose MIME type is known and in the map.
    if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
        return;

    local ext = ext_map[f$mime_type];

    # e.g. "HTTP-FaBcD1234.exe"; the extractor writes it under its output directory.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

You’re probably looking for the file_state_remove event (https://www.bro.org/sphinx-git/scripts/base/bif/event.bif.bro.html#id-file_state_remove). Afaik, that is the only reliable way to know that a file has fully downloaded.
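An added example, not from either poster, that puts the two posts together: the same file_new registration, plus file_gap and file_state_remove handlers that decide whether the extracted file is complete before it is handed to the sandbox. The table name `extracting` and the printed messages are my own choices; the fa_file fields used (seen_bytes, total_bytes, missing_bytes) exist in Bro 2.3.

```bro
# Added example (not the poster's script): register the extractor in
# file_new as before, then use file_state_remove to judge whether the
# extracted file is complete before handing it to the sandbox.

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default="";

# Extraction filename per file id, kept until Bro is done with the file.
global extracting: table[string] of string;

event file_new(f: fa_file)
    {
    if ( ! f?$mime_type || ext_map[f$mime_type] == "" )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    extracting[f$id] = fname;
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# Bytes Bro never saw (e.g. dropped packets) are reported here; the
# extractor leaves a hole at that offset, so the output cannot match.
event file_gap(f: fa_file, offset: count, len: count)
    {
    if ( f$id in extracting )
        print fmt("gap in %s: %d bytes at offset %d", f$id, len, offset);
    }

# Raised once Bro stops tracking the file (last byte seen or inactivity
# timeout). Only now are seen_bytes and missing_bytes final.
event file_state_remove(f: fa_file)
    {
    if ( f$id !in extracting )
        return;

    local fname = extracting[f$id];
    delete extracting[f$id];

    # Complete only if nothing was missed and, when the size is known
    # (e.g. from Content-Length), every expected byte was seen.
    local complete = f$missing_bytes == 0 &&
                     ( ! f?$total_bytes || f$seen_bytes == f$total_bytes );

    if ( complete )
        print fmt("%s complete (%d bytes): ready for sandbox", fname, f$seen_bytes);
    else
        print fmt("%s INCOMPLETE: seen %d, missing %d; do not submit",
                  fname, f$seen_bytes, f$missing_bytes);
    }
```

One caveat for the loopback test described in the question: with TCP checksum offloading, segments captured on `lo` usually carry invalid checksums and Bro discards them before file analysis ever sees them, which matches files "not even showing up"; running `bro -C -i lo extract.bro` (ignore checksums) avoids that in such a test setup.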