Capturing filename

Hi all,

Is it possible to extract only the filename without extracting and storing it? Only the filename ….

Regards,

Is the filename field in the files.log what you are looking for?

Hi Justin,

No, it is not.

Can you share a pcap of your traffic, or at least upload it to try.zeek.org and share the URL? Some details might help us answer your question…

Sincerely,

Richard

Good morning,

Sorry for this late answer. Here is a pcap. There is a filename README.mirrors.txt, as you can see in my http.log (attached screenshot). I have also attached files.log, where you can see that the “filename” field is not created.

Many thanks for your help.

filename_capture.tar (5.5 KB)

Thanks for sharing the pcap.

It doesn’t actually reflect transferring that file. Here is the try.zeek.org output:

https://try.zeek.org/#/tryzeek/saved/550762

Here is a transcript from Wireshark:

GET /debian/README.mirrors.txt HTTP/1.1
User-Agent: Wget/1.19.5 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: ftp.au.debian.org
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
Last-Modified: Sat, 04 Mar 2017 20:08:51 GMT
ETag: "56-549ed3b25abfb"
Accept-Ranges: bytes
Content-Length: 86
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

The list of Debian mirror sites is available here: https://www.debian.org/mirror/list

In other words, the “file” here is text/plain and is only the sentence “The list of Debian mirror sites is available here: https://www.debian.org/mirror/list”.

Sincerely,

Richard

I have a package somewhere that sets the filename field based on the http url. Zeek only does this by default if there is a content-disposition or content-type header that indicates a specific filename, but many file downloads don't have that header. It can produce a lot of noise, but it might be what you are asking for.

I'll see about making sure it is updated for 4.1 and work on getting it added to the package manager.
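The fallback Justin describes, written out as a small Zeek script. This is an added example and not the code of the http-more-files-names package; the module name, the file name http_uri_filename.zeek, the include_requests option and the basename_from_uri helper are all my own. It assumes that Zeek's stock HTTP entity handling, when a Content-Disposition or Content-Type header names the file, has already filled in f$info$filename by the time this handler runs at negative priority, so the URI is only used when that field is still empty.

```zeek
##! Added example (not the http-more-files-names package's code): when Zeek
##! has no filename for an HTTP response body, fall back to the last path
##! component of the request URI so files.log gets a "filename" value.

module HTTPUriFilename;

export {
	## Also apply the fallback to request bodies (uploads). Off by default:
	## for a POST the request URI rarely names the file being uploaded.
	const include_requests = F &redef;
}

# Last path component of a URI with any query string or fragment removed.
# Returns "" when the URI ends in "/" (e.g. "/debian/"), so callers can skip it.
function basename_from_uri(uri: string): string
	{
	local path = split_string(uri, /[?#]/)[0];
	local parts = split_string(path, /\//);
	return parts[|parts| - 1];
	}

# Negative priority: run after Zeek's own HTTP entity handling, which sets
# f$info$filename from Content-Disposition / Content-Type when present.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
	{
	if ( f$source != "HTTP" || ! c?$http || ! c$http?$uri )
		return;

	# Downloads are server -> client, i.e. is_orig == F.
	if ( is_orig && ! include_requests )
		return;

	# Keep a filename that a header already provided.
	if ( f$info?$filename )
		return;

	local name = basename_from_uri(c$http$uri);
	if ( name != "" )
		f$info$filename = name;
	}
```

Run it against a trace with `zeek -r trace.pcap http_uri_filename.zeek`, or `@load` it from local.zeek. For the GET /debian/README.mirrors.txt in the pcap above it yields filename=README.mirrors.txt in files.log. Two caveats: the value is taken straight from the client's request line, so treat it as untrusted input (fine for logging, not for building paths on disk), and, as Justin notes, it is noisy, since every response body with a URI like /index.php or /api/v1/users now gets a "filename" too.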

Exactly, Justin, this is what I am looking for. Actually I am using Zeek 4.0.4; can I enable it by reconfiguring?

Hi!

Give this package a try: https://github.com/corelight/http-more-files-names

I didn't add it to the package manager metadata yet, but you can test it via

zkg install https://github.com/corelight/http-more-files-names

if you can confirm that works ok, I'll get it added to the package index.

Hi Justin,

Tested, and it works! Many thanks.