I'm working on Bro and extracting certain types of files from file systems. My question is that Bro often produces a different file size from the original one. So I performed some tests with a vanilla Bro configured only as below:
redef HTTP::extract_file_types = /application\/.*/;
redef HTTP::extraction_prefix = "/usr/local/bro/logs/http-entity/";
After that, I compared the extracted file with the original one while capturing packets.
I found the following:
Downloaded file (Bamf.zip):
Original file size: 96396 bytes
From Bro: 94119 bytes
Pcap: 96396 bytes
The pcap doesn't have any missing parts, but the file from Bro is incomplete: it lacks the last part of the file (2277 bytes).
I would appreciate it if you could provide any clue or thought for solving this.
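When an extracted file is shorter than the original, the first thing worth establishing is whether the extracted copy is a clean byte-for-byte prefix of the original (only the tail is missing) or whether the content diverges somewhere in the middle (bytes dropped or reordered). The script below is an added example, not code from the poster or from the Bro project; it compares an original download with Bro's extracted copy and reports the size difference, the hash match, whether the extracted data is a prefix, the number of missing trailing bytes, and the offset of the first mismatch if any. The sample content it runs on is constructed in-script to mirror the sizes quoted above (96396 vs 94119 bytes); `compare_files` can be pointed at the real `Bamf.zip` and the file under the extraction prefix instead.

```python
"""Compare a file extracted by Bro against the original download.

Added example (not from the original post or the Bro project). It
answers: is the extracted copy merely truncated, or is its content
different from the original?
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExtractionReport:
    original_size: int
    extracted_size: int
    sha256_match: bool
    is_prefix: bool                 # extracted == original[:len(extracted)]
    missing_tail: int               # trailing bytes absent when is_prefix
    first_mismatch: Optional[int]   # offset of first differing byte, if any


def compare_bytes(original: bytes, extracted: bytes) -> ExtractionReport:
    """Compare extracted content with the original content."""
    sha_orig = hashlib.sha256(original).hexdigest()
    sha_extr = hashlib.sha256(extracted).hexdigest()
    common = min(len(original), len(extracted))
    # First offset within the overlapping region where the bytes differ.
    first_mismatch = next(
        (i for i in range(common) if original[i] != extracted[i]), None)
    # A clean truncation means no mismatch and the extracted copy is not longer.
    is_prefix = first_mismatch is None and len(extracted) <= len(original)
    missing_tail = len(original) - len(extracted) if is_prefix else 0
    return ExtractionReport(
        original_size=len(original),
        extracted_size=len(extracted),
        sha256_match=(sha_orig == sha_extr),
        is_prefix=is_prefix,
        missing_tail=missing_tail,
        first_mismatch=first_mismatch,
    )


def compare_files(original_path: str, extracted_path: str) -> ExtractionReport:
    """Same comparison, reading both files from disk."""
    with open(original_path, "rb") as f:
        original = f.read()
    with open(extracted_path, "rb") as f:
        extracted = f.read()
    return compare_bytes(original, extracted)


def describe(report: ExtractionReport) -> str:
    """Human-readable one-line verdict for a report."""
    if report.sha256_match:
        return "extracted file is identical to the original"
    if report.is_prefix:
        return ("extracted file is a truncated copy: last %d of %d bytes missing"
                % (report.missing_tail, report.original_size))
    return ("extracted file diverges from the original at offset %s"
            % report.first_mismatch)


def make_sample(size: int, seed: int = 7) -> bytes:
    """Constructed, deterministic content standing in for Bamf.zip."""
    out = bytearray()
    x = seed
    for _ in range(size):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF   # simple LCG, fine for test data
        out.append((x >> 16) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sizes matching the numbers in the post.
    original = make_sample(96396)
    truncated = original[:94119]
    print(describe(compare_bytes(original, truncated)))
```

If the report says the copy is a prefix with exactly 2277 bytes missing, the problem is confined to how the end of the HTTP entity is handled; if the content diverges earlier, the missing data is elsewhere in the stream and the size difference alone is misleading.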