Broker - File Extraction

Hi All,

I was doing some reading on broker and came across the remote logging section of the documentation. This seems very useful.
Is there a mechanism for remote file extraction? I think it would be useful to be able to extract files to a remote system instead of a local directory. Is this possible with broker?

-AK

> I was doing some reading on broker and came across the remote logging section of the documentation. This seems very useful.
> Is there a mechanism for remote file extraction?

There’s not a direct/built-in mechanism for that like there is w/ remote logging.

> I think it would be useful to be able to extract files to a remote system instead of a local directory. Is this possible with broker?

Yes, it should be possible, in a couple different ways. Using the Broker library directly and implementing it in Bro core (similar to remote logging) would be an option. Or using Bro’s scripting interface to the Broker library in combination w/ the scripting interface for file analysis should also work — e.g. ask for access to the contents of a file via events then send it to a remote peer via Broker.

- Jon
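The second approach Jon describes (ask for file contents via the files framework's event interface, then forward them to a peer over Broker) as an added example. This is not code from the thread or from the Bro/Zeek project; it is written against the current Zeek Broker and files-framework API (Broker::peer/publish/subscribe, zeek_init), whereas the Bro 2.4-era scripting module was named BrokerComm and used bro_init. The topic name, port, output directory, MIME-type list and the RemoteExtract module are assumptions chosen for the example.

```zeek
##! Added example, not from the original thread or the Zeek project:
##! ship the contents of selected files to a remote collector over Broker
##! using the files framework's DATA_EVENT analyzer. Run the same script
##! in two roles (topic, port, paths and MIME list are assumptions):
##!   Sensor:    zeek -i eth0 remote_extract.zeek
##!   Collector: zeek remote_extract.zeek RemoteExtract::role=collector
##! The collector keeps running because Broker::listen() is an I/O source.

@load base/frameworks/files
@load base/frameworks/broker

module RemoteExtract;

export {
	const role = "sensor" &redef;                 # "sensor" or "collector"
	const topic = "zeek/files/extract" &redef;
	const collector_host = "127.0.0.1" &redef;
	const collector_port = 47761/tcp &redef;
	const out_dir = "/var/tmp/extracted" &redef;  # collector only; must exist
	## Only files of these types are shipped (constructed list).
	const extract_types: set[string] = { "application/x-dosexec",
	                                     "application/pdf" } &redef;

	## Carried over Broker: a sequential slice of file contents, then a marker.
	global file_chunk: event(fid: string, data: string);
	global file_done: event(fid: string, seen_bytes: count, missing_bytes: count);
}

# Files the sensor attached the DATA_EVENT analyzer to, so the end marker
# is only published for those.
global shipping: set[string];

# ---- sensor side ----

event local_stream(f: fa_file, data: string)
	{
	Broker::publish(topic, file_chunk, f$id, data);
	}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( role != "sensor" || ! meta?$mime_type || meta$mime_type !in extract_types )
		return;

	# stream_event delivers reassembled, in-order bytes; any gap shows up in
	# f$missing_bytes instead of being silently skipped.
	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
	                    [$stream_event=RemoteExtract::local_stream]);
	add shipping[f$id];
	}

event file_state_remove(f: fa_file)
	{
	if ( f$id !in shipping )
		return;
	delete shipping[f$id];
	Broker::publish(topic, file_done, f$id, f$seen_bytes, f$missing_bytes);
	}

# ---- collector side ----

# The file ID arrives from a remote peer. Refuse anything that is not a plain
# alphanumeric identifier before using it as a filename component, so a
# hostile or buggy sensor cannot steer writes outside out_dir.
function safe_fid(fid: string): bool
	{
	return /^[A-Za-z0-9]+$/ in fid;
	}

event RemoteExtract::file_chunk(fid: string, data: string)
	{
	if ( ! safe_fid(fid) )
		return;
	local fh = open_for_append(fmt("%s/%s", out_dir, fid));
	write_file(fh, data);
	close(fh);
	}

event RemoteExtract::file_done(fid: string, seen_bytes: count, missing_bytes: count)
	{
	if ( ! safe_fid(fid) )
		return;
	Reporter::info(fmt("remote extraction of %s finished: %d bytes seen, %d missing",
	                   fid, seen_bytes, missing_bytes));
	}

event zeek_init()
	{
	if ( role == "collector" )
		{
		Broker::subscribe(topic);
		Broker::listen("0.0.0.0", collector_port);
		}
	else
		Broker::peer(collector_host, collector_port, 5sec);
	}
```

Two caveats a practitioner would want. First, the Broker peering above is unauthenticated and unencrypted; for anything beyond a lab, set Zeek's Broker::ssl_cafile, Broker::ssl_certificate and Broker::ssl_keyfile on both ends so only the intended sensor can write into the collector's directory. Second, a partially seen file (non-zero missing_bytes) is written as-is with the gap collapsed, which is why the end marker carries the byte counts: the collector can discard or flag incomplete artifacts rather than treat them as faithful copies.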

Adding to what Jon said, this was something he and I discussed a lot while the files framework was being developed. I suspect that at some point it will be added as a supported feature in Bro but there are so many edge cases to how this needs to be handled that it wasn’t quite an immediately obvious feature to implement so we skipped it initially.

My aim for it is to be able to extract BitTorrent transfers on clusters. That’s super complicated and will take some time unfortunately but we have continued laying the groundwork for it. For instance, full file reassembly went into Bro 2.4 which was a requirement for actually doing this correctly.

  .Seth

Yeah, I think we're actually in good shape now for tackling this. I've
added it to the list of project ideas on bro.org so that we keep it on
the radar.

Robin