Converting fa_file to file_sniff

So per:

https://www.bro.org/download/NEWS.bro.html

"Removed fa_file record’s mime_type and mime_types fields. The event file_sniff has been added which provides the same information. The mime_type field of Files::Info also still has this info."

I have a script...smtp-file-extract.bro:

global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["application/zip"] = "zip",
	# Note: application/msword is a Word document; "doc" would be the
	# conventional extension, but this is the mapping as originally posted.
	["application/msword"] = "xls",
};

event file_new(f: fa_file)
	{
	# Only extract attachments seen over SMTP.
	if ( f$source != "SMTP" )
		return;

	# Pre-2.4: the sniffed MIME type was a field of fa_file itself.
	if ( ! f?$mime_type || f$mime_type !in ext_map )
		return;

	local ext = "";

	if ( f?$mime_type )
		ext = ext_map[f$mime_type];

	# Name the file on disk from Bro's own file id, not anything the sender chose.
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}

which, while not perfect, gets what I need done. This is now broken with 2.4, as expected; however, I'm at a loss on how to fix this. Again, per the NEWS link above:

"The earliest point that new mime type information is available is in the file_sniff event which comes after the file_new and file_over_new_connection events. Scripts which inspected mime type info within those events will need to be adapted. (Note: for users that worked w/ versions of Bro from git, for a while there was also an event called file_mime_type which is now replaced with the file_sniff event)."

Awesome. How do I adapt this? Not sure where to look for changing this. Thank you.

James

James,

Take a look at this script, it's almost identical to yours:
https://github.com/bro/bro/blob/2b1cd66f17194a30b90490965cbdffdd71c18c09/doc/httpmonitor/file_extraction.bro

Josh

Hi James,

Here's how I adapted a similar script:
https://github.com/Security-Onion-Solutions/securityonion-bro-scripts/blob/master/file-extraction/extract.bro

Thanks, gents... appreciate the fast help. For those keeping score at home, here's what works:

global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["application/zip"] = "zip",
	# Note: application/msword is a Word document; "doc" would be the
	# conventional extension, but this is the mapping as originally posted.
	["application/msword"] = "xls",
};

# In 2.4 the sniffed MIME type arrives with file_sniff, which fires after
# file_new, and is carried in the fa_metadata argument rather than on fa_file.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only extract attachments seen over SMTP.
	if ( f$source != "SMTP" )
		return;

	if ( ! meta?$mime_type || meta$mime_type !in ext_map )
		return;

	local ext = "";

	if ( meta?$mime_type )
		ext = ext_map[meta$mime_type];

	# Name the file on disk from Bro's own file id, not anything the sender chose.
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}

Have to say I would have never figured this out just by reading the Bro documentation... thanks to you both again.

James

Perfect! Exactly what I was looking for. Thank you all!!
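The following is an added example, not code from the thread or from the Bro project, showing the same file_new-to-file_sniff adaptation as a self-contained 2.4-style script with a per-file size cap. The module name SmtpExtract, the constant max_extract_bytes, and the ext_map entries are this example's own choices; the $extract_limit analyzer argument is assumed to be available in the Bro version in use (it is version-dependent).

```bro
##! Added example (not from the thread): extract SMTP attachments in Bro 2.4
##! from the file_sniff event, which is the earliest point at which the
##! sniffed MIME type is available.

@load base/files/extract

module SmtpExtract;

export {
	## MIME types worth extracting, mapped to the extension used on disk.
	## These entries are example choices, not a Bro default.
	const ext_map: table[string] of string = {
		["application/x-dosexec"] = "exe",
		["application/zip"] = "zip",
		["application/msword"] = "doc",
		["application/pdf"] = "pdf",
	} &redef;

	## Cap on bytes written per extracted file. Assumption: the extract
	## analyzer honours the extract_limit argument in this Bro version.
	const max_extract_bytes = 10 * 1024 * 1024 &redef;
}

# file_sniff fires after file_new and file_over_new_connection; only here
# is meta$mime_type populated, so the extraction decision moves to this event.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# Only attachments carried over SMTP.
	if ( f$source != "SMTP" )
		return;

	# No sniffed type, or a type we do not care about.
	if ( ! meta?$mime_type || meta$mime_type !in ext_map )
		return;

	# f$id is Bro's opaque file identifier; building the on-disk name from it
	# means no attacker-chosen attachment filename ever reaches the filesystem.
	local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[meta$mime_type]);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname,
	                     $extract_limit=max_extract_bytes]);
	}
```

Extracted files land under FileExtract::prefix (by default ./extract_files/ relative to Bro's working directory), and the chosen path is recorded in the extracted column of files.log, which is where to verify that the analyzer was attached to the expected files.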