What is the best/most efficient method for checking if rx_hosts is_local_addr and tx_hosts is not is_local_addr? I’m extracting files and only want to extract files coming from the Inet to an internal host.
I’ve also seen some scripts using f$conns[cid]$id… .
Thanks,
Brian
Hi Brian,
you should be able to just use the event file_over_new_connection, which
includes the connection record. With that, you don't have to loop over
complex data structures and can just use Site::is_local_addr.
This would probably look similar to:
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    # is_orig is true when the connection originator is the side sending the file,
    # so this attaches the extraction analyzer when the sender is a local address.
    if ( is_orig && Site::is_local_addr(c$id$orig_h) )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
I hope this helps,
Johanna
Thanks, unfortunately I lose the ability to access mime type with that function. Therefore I think I’ll stick with file_sniff. Get errors saying f$info$mime_type isn’t present. I’ll keep playing with it when I can. Thanks again for Bro, incredible tool to have.
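An added example, not code from this thread, that puts the two pieces together: the direction test (receiver local, sender not local) is taken in file_over_new_connection, where the connection record is available, and the MIME type is checked in file_sniff, which is the first event carrying the sniffed type. The module name, the InboundExtract::extract_types set and the file-id bookkeeping are assumptions made for illustration; the events, Site::is_local_addr and Files::add_analyzer are standard Bro/Zeek script APIs.

```zeek
# Added example (not part of the original thread): extract only files that an
# external host sends to a local host, and only for selected MIME types.
@load base/frameworks/files
@load base/files/extract
@load base/utils/site

module InboundExtract;

export {
    # Constructed sample list of MIME types worth extracting (assumption).
    const extract_types: set[string] = {
        "application/x-dosexec",
        "application/pdf",
    } &redef;
}

# File ids already classified as inbound; expires entries if no later event fires.
global inbound_files: set[string] &create_expire=10min;

# True when the receiving endpoint is local and the transmitting endpoint is not.
# is_orig tells which side of the connection transmitted the file.
function inbound_from_internet(c: connection, is_orig: bool): bool
    {
    local tx_h = is_orig ? c$id$orig_h : c$id$resp_h;
    local rx_h = is_orig ? c$id$resp_h : c$id$orig_h;
    return Site::is_local_addr(rx_h) && ! Site::is_local_addr(tx_h);
    }

# Direction is known here, the MIME type is not (it has not been sniffed yet),
# so just remember which files came in from outside.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    if ( inbound_from_internet(c, is_orig) )
        add inbound_files[f$id];
    }

# The sniffed type arrives in meta; attach the extractor only for inbound files
# of an interesting type. meta$mime_type is optional, hence the ?$ guard.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$id !in inbound_files )
        return;

    if ( ! meta?$mime_type || meta$mime_type !in extract_types )
        return;

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename = fmt("inbound-%s", f$id)]);
    }

# Clean up the bookkeeping when the file is done.
event file_state_remove(f: fa_file)
    {
    delete inbound_files[f$id];
    }
```

Load the script as usual (for example via local.bro/local.zeek) after Site::local_nets is populated; without local_nets, Site::is_local_addr returns false for every address and nothing is extracted.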