Bro Scripting Question

Hello all:

I am interested in learning Bro scripting, and I am attempting to write a simple first script that simply extracts EXE files and has the MD5 hash of the file as part of the filename written to disk.

I am aware of, and have studied the example and documentation here:

http://www.bro.org/bro-exchange-2013/exercises/faf.html
http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info

From that I came up with the following…

You have a chicken and egg problem. :slight_smile:

You have to begin extracting the file as soon as the file starts to be transferred but you don't have the hash of the file until the file is done being transferred. I did some work quite a while back that would give you the ability to do what you want but it did it by spooling the file into a temporary file name and then moving the file into the correct name once the file is complete and all needed information is available. That's what you'll have to do.

I'll let you spend some time implementing that if you're interested, but if you're having any trouble getting to a workable solution, reach out again and I can give you some more hints. :wink:

  .Seth
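The spool-then-rename approach described above, modelled in Python as an added example (this is not a Bro script and not code from the Bro project): bytes are written to a temporary name and hashed incrementally as they arrive, and the file is only moved to its MD5-based name once the transfer is complete. The file id, the chunked sample payload and the `.part`/`.exe` naming are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample transfer: an EXE-like payload delivered in chunks, the way
# the file analysis framework hands data to a script while a transfer is in flight.
SAMPLE_CHUNKS = [b"MZ\x90\x00" + b"\x00" * 60, b"PE\x00\x00", b"constructed-payload"]


class SpoolingExtractor:
    """Spool under a temporary name while the transfer runs; rename on completion."""

    def __init__(self, extract_dir):
        self.extract_dir = extract_dir
        self.active = {}  # file id -> (spool path, open handle, running MD5)

    def file_new(self, fid):
        # Transfer starts: the hash is unknown, so spool under the file id instead.
        fd, path = tempfile.mkstemp(prefix=f"{fid}-", suffix=".part", dir=self.extract_dir)
        self.active[fid] = (path, os.fdopen(fd, "wb"), hashlib.md5())

    def file_chunk(self, fid, data):
        path, fh, h = self.active[fid]
        fh.write(data)   # write to disk as soon as the bytes arrive
        h.update(data)   # and hash the same bytes incrementally

    def file_done(self, fid):
        # Transfer complete: the digest is final, so compute the name and move into place.
        path, fh, h = self.active.pop(fid)
        fh.close()
        final = os.path.join(self.extract_dir, f"{h.hexdigest()}.exe")
        if os.path.exists(final):
            os.remove(path)  # identical content was extracted before; keep a single copy
        else:
            os.replace(path, final)  # atomic rename on the same filesystem
        return final


def expected_md5():
    return hashlib.md5(b"".join(SAMPLE_CHUNKS)).hexdigest()


def run_demo():
    """Extract the sample twice and report what ended up on disk."""
    extract_dir = tempfile.mkdtemp(prefix="extract-demo-")
    ex = SpoolingExtractor(extract_dir)
    names = []
    for fid in ("FakeId1", "FakeId2"):   # constructed file ids, same content
        ex.file_new(fid)
        for chunk in SAMPLE_CHUNKS:
            ex.file_chunk(fid, chunk)
        names.append(os.path.basename(ex.file_done(fid)))
    with open(os.path.join(extract_dir, names[0]), "rb") as fh:
        content_ok = fh.read() == b"".join(SAMPLE_CHUNKS)
    leftover_parts = sum(1 for n in os.listdir(extract_dir) if n.endswith(".part"))
    return {"names": names, "content_ok": content_ok, "leftover_parts": leftover_parts,
            "files_on_disk": len(os.listdir(extract_dir))}
```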

Thanks Seth that helps. I thought of that as a possibility but I didn’t understand enough about what exactly happens during a file extract trigger to settle on that conclusion (is the file stream tagged, spooled in memory, hashed, then written, or something else… etc).

With those guidelines, whipping something up that does this should not be too terrible an exercise.

One additional question however, if someone is interested in writing a new analyzer, what would be a good place to start?

For example, what if someone wanted to write an analyzer that examined the MZ header of an executable for certain characteristics? What would be a good starting point for them? I’ve started reviewing the following…

http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::AnalyzerArgs

As well as different modules like /files/extract/main.bro, but didn’t know if you knew of a better place to begin for an ambitious novice :slight_smile:

Also Kevin, thanks for your reply. I think you are correct, and combining your input with Seth’s, it is clear to me why the example was working and why I was getting halfway then zero results with my earlier attempts.

Thanks,
Jason

One additional question however, if someone is interested in writing a new analyzer, what would be a good place to start?

You could watch Vlad Grigorescu's presentation at last year's Bro Exchange about how to write a protocol analyzer:
  https://www.youtube.com/watch?v=1eDIl9y6ZnM

For example, what if someone wanted to write an analyzer that examined the MZ header of an executable for certain characteristics? What would be a good starting point for them? I've started reviewing the following...

Writing file analyzers is a tiny bit different than writing protocol analyzers, but generally the same model holds in both cases. We actually have a draft of a Windows executable analyzer that Vlad recently made some changes to; it can be found in the git repository under topic/vladg/file-analysis-exe-analyzer if you're curious about what that would look like. It's still incomplete and doesn't do everything we'd like it to.

Unfortunately it's still not something that you will be doing in a Bro script however (in case that's what you were asking).

  .Seth