Calling external scripts on extracted files

Vikram_Basu · October 4, 2017, 12:54pm

Hi,

I am using the bro file-extraction script from the bro-pkg manager and want to run a python script as soon as the file is completely extracted.

Currently I am calling the script using the Bro Exec::run command after modifying the script but often times the script is running before the file has finished extracted and is failing as a result.

How can I make it so that Bro calls the script after file has already been extracted?

I thought maybe using file_state_remove would help but even in that case I am getting
/Input::READER_RAW: Child process exited with non-zero return code 127

which I am assuming means the script was run before the file as truly extracted?

Any advice would be much appreciated.

Regards

Vikram

Hosom_Stephen_M · October 4, 2017, 1:24pm

Vikram,

I'm the author of the package that you're using. Happy to help!

I don't know why it is precisely that your script is not working, however, I have good examples of how to do this type of activity within the plugin.

Check out the file store-files-by-md5.bro withing the plugins directory.

This script uses the mv command to move files and rename them based on their hash once Bro finishes extracting them and is a good example of how to perform an action on a file once it has been extracted "the right way".

Please let me know if you have any issues... You may find that I am more responsive to the issues page for the project on GitHub.

Thanks,

Stephen

Vikram_Basu · October 4, 2017, 1:41pm

Awesome. Thanks, I’ll check it out.

Topic		Replies	Views
using bro for file extraction Zeek	5	62	May 6, 2022
bro question. Zeek	2	43	May 6, 2022
Bro Scripting Question Zeek	4	42	May 6, 2022
- EXEC framework - run command Zeek	4	72	May 6, 2022
postprocessing extracted files Zeek	3	46	May 6, 2022

Calling external scripts on extracted files

Related Topics