Hello
What should the extract-all-files.bro look like in order to only extract pdf, exe, doc and docx?
My attempts are extracting so many files.
Dankon,
Ambros
Ambros,
> What should the extract-all-files.bro look like in order to only extract pdf, exe, doc and docx?
The fa_metadata record contains the MIME type. Using the MIME type, you can make a condition on whether or not to extract the file.
Mark
This took me way too long to get to, sorry.. here's what I have for my SMTP extract... should help:

# Sniffed MIME type -> extension used for the extracted file's name.
# Only files whose type appears here get extracted.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/zip"] = "zip",
    ["application/msword"] = "doc",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
    ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = "xlsx",
    ["application/vnd.openxmlformats-officedocument.presentationml.presentation"] = "pptx"
};

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only look at files carried over SMTP.
    if ( f$source != "SMTP" )
        return;

    # Skip files with no sniffed MIME type, or a type we don't care about.
    if ( ! meta?$mime_type || meta$mime_type !in ext_map )
        return;

    # The guard above guarantees the lookup succeeds.
    local ext = ext_map[meta$mime_type];

    # Name the output after the source, the file id and the mapped extension,
    # so the name never comes from attacker-controlled data in the mail.
    local fname = fmt("%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
James
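Putting Mark's point (condition on the MIME type in fa_metadata) and James's SMTP script together, here is a version that answers Ambros's original question directly: extract only pdf, exe, doc and docx, from any protocol the file framework sees. This is an added example for this thread, not code from the Bro project or from anyone in the thread; the table of MIME types and the "extract-" name prefix are assumptions for the example.

```zeek
# Added example: restrict extract-all-files.bro to four file types.
# Assumes Bro/Zeek's file extraction framework, which extract-all-files.bro
# also uses; extracted files land under FileExtract::prefix.
@load base/files/extract

# Sniffed MIME type -> extension for the output file name (assumed table).
# The sniffed type is derived from the file's content, not from the name
# the sender gave it, so a renamed executable still matches x-dosexec.
global extract_types: table[string] of string = {
    ["application/pdf"] = "pdf",
    ["application/x-dosexec"] = "exe",
    ["application/msword"] = "doc",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
};

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # No sniffed type means nothing to decide on: skip the file.
    if ( ! meta?$mime_type )
        return;

    # Not one of the wanted types: skip. This single check is what stops
    # the script from writing every file on the wire to disk.
    if ( meta$mime_type !in extract_types )
        return;

    local ext = extract_types[meta$mime_type];

    # Build the name from values Bro generates (source protocol, file id)
    # plus our own extension, never from a file name seen on the wire.
    local fname = fmt("extract-%s-%s.%s", f$source, f$id, ext);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Load it in place of extract-all-files.bro (e.g. add it to local.bro). Because the decision is made in file_sniff, a file is only attached to the extract analyzer after its type has been sniffed, so no bytes are written for the types left out of the table. If large files matter, FileExtract::default_limit caps how many bytes of each file are written, and the directory named by FileExtract::prefix should be one where extracted executables are stored for analysis rather than run.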