check rx and tx hosts for files

Hi Brian,

I had the kind of same use-case where I had to exclude file extraction for certain subnets.
Hence this is what I have done in my script:

White list of subnets to exclude file extraction for.

global subnet_map: table[subnet] of string = {
[x.x.x.x/25] = “VIP subnet1”,
[y.y.y.y/26] = “VIP subnet2”,
[z.z.z.z/24] = “VIP subnet3”,
} &default ="";

event file_sniff(f: fa_file, meta: fa_metadata)
{

check for right source to extract.

if(f$source != “HTTP”)
return;

#check the right mime-type to extract.
if ( ! meta?$mime_type || meta$mime_type !in ext_map )
return;

get the recieving hosts from the record.

local rx_addr: set[addr];
rx_addr = f$info$rx_hosts;

check if the rx host is in VIP subnets

for (i in rx_addr)
{
if ( i in subnet_map )
{
return;
}
}

if ( meta?$mime_type )
{
local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
}

You can define the rx or tx which you want to exclude/include and modify accordingly.
I am sure there might be some more efficient ways to do this, I will let other more experience people to answer that :slight_smile:

Hope this helps.

Thanks,
Fatema.

Thanks, I did something similar. Always concerned I’m doing it the hard way.