Create different file size from original one in HTTP File-extract

JH_YANG · July 22, 2013, 9:24pm

Hey guys,

I’m working on BRO and extracting certain type of files on file systems. My question is Bro often has different file size from original one. So I performed some test with a vanilla BRO only configured like below.
redef HTTP::extract_file_types = /application/.*/;
redef HTTP::extraction_prefix= “/usr/local/bro/logs/http-entity/”

After then I compared with a file from original one while capturing packets.

I found below :
Downloaded file(Bamf.zip) :

Original file size: 96396 bytes

From Bro: 94119 bytes

Pcap: 96396 bytes

Pcap hasn’t any missed parts but the file from Bro created uncompleted file which doesn’t have last parts of file(2277bytes)

I would appreciate if you provide me any clue or thought for solving it

Thank you*,*

Seth_Hall3 · July 23, 2013, 3:07am

I think that there is a bug in Bro that shows up like this in some cases. This is unlikely a bug that any of us on the core team are likely to look into though because there is new "file" handling code that is coming soon and just generally works better all around.

Sorry for the probably unsatisfactory answer, but things will be even better soon!

.Seth

Topic		Replies	Views
http incomplete file extraction (Files::ANALYZER_EXTRACT) Zeek	8	120	May 6, 2022
Bro - File Extraction Zeek	2	73	May 6, 2022
Problem extracting files Zeek	4	59	May 6, 2022
issues with file extraction. Multiple files created. Zeek	2	69	May 6, 2022
Extracting files from HTTP Zeek	2	92	May 6, 2022

Create different file size from original one in HTTP File-extract

Related Topics