Hi Brian,
I had the kind of same use-case where I had to exclude file extraction for certain subnets.
Hence this is what I have done in my script:
White list of subnets to exclude file extraction for.
global subnet_map: table[subnet] of string = {
[x.x.x.x/25] = “VIP subnet1”,
[y.y.y.y/26] = “VIP subnet2”,
[z.z.z.z/24] = “VIP subnet3”,
} &default ="";
event file_sniff(f: fa_file, meta: fa_metadata)
{
check for right source to extract.
if(f$source != “HTTP”)
return;
#check the right mime-type to extract.
if ( ! meta?$mime_type || meta$mime_type !in ext_map )
return;
get the recieving hosts from the record.
local rx_addr: set[addr];
rx_addr = f$info$rx_hosts;
check if the rx host is in VIP subnets
for (i in rx_addr)
{
if ( i in subnet_map )
{
return;
}
}
if ( meta?$mime_type )
{
local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
}
You can define the rx or tx which you want to exclude/include and modify accordingly.
I am sure there might be some more efficient ways to do this, I will let other more experience people to answer that
Hope this helps.
Thanks,
Fatema.