I’m still pretty new to the more complex aspects of Bro, so I’m not sure if this is possible or not. I’ve been testing file extraction and it’s working really well for me. My question is, can Bro (in extract.bro) get the file name of the file being extracted? So the final extracted file would have a naming convention like Analyzer-FileName.SpecifiedExtension
I started to head in that direction initially but then what bothered me a little bit was that external hosts could affect file names on your system and I started to get concerned about that. I started imagining scenarios where names are written out that do very unexpected things on your system or break out of the path they’re supposed to be extracted into. I would match up the filename in the files.log with the fuid on disk. If you look at files.log it will actually have the filename on disk and a filename (if one was discovered) from the network traffic.
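Added example, not part of the original thread or of Bro itself: one way to do the correlation described in the reply, reading files.log and mapping each on-disk name (the `extracted` column) to a sanitized display label built from the network-supplied `filename`, which is never used as a path. The sample log is constructed and reduced to three columns, and the helper names `read_bro_log`, `safe_label` and `map_extracted` are hypothetical.

```python
import io
import re

# Constructed sample in Bro's tab-separated log format, reduced to three columns.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#fields\tfuid\tfilename\textracted\n"
    "#types\tstring\tstring\tstring\n"
    "FaAAA1\treport.pdf\tHTTP-FaAAA1.pdf\n"
    "FbBBB2\t../../etc/cron.d/job\tHTTP-FbBBB2.bin\n"
    "FcCCC3\t-\tSMTP-FcCCC3.doc\n"
    "FdDDD4\tnotes.txt\t-\n"
)

def read_bro_log(stream):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def safe_label(network_name, max_len=64):
    """Reduce an attacker-influenced name to a harmless display label."""
    # Keep only the last path component, for both / and \ separators.
    base = network_name.replace("\\", "/").split("/")[-1]
    # Allow a small character set; drop leading dots ("..", hidden files).
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base[:max_len] or "unnamed"

def map_extracted(stream):
    """Map on-disk extracted name -> sanitized network name (None if unseen)."""
    mapping = {}
    for rec in read_bro_log(stream):
        extracted = rec.get("extracted", "-")
        name = rec.get("filename", "-")
        if extracted == "-":  # "-" is Bro's unset value: nothing was extracted
            continue
        mapping[extracted] = None if name == "-" else safe_label(name)
    return mapping

if __name__ == "__main__":
    for on_disk, label in map_extracted(io.StringIO(SAMPLE_FILES_LOG)).items():
        print(on_disk, "->", label)
```

The files on disk keep the names Bro gave them; the label is for reports or an index only.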