Does anyone have a solution to exclude extracting files transmitted from internal hosts?
I modified the script below from the bro exchange exercise, but I continue to get executable files from internal hosts. I am using broctl and networks.cfg is populated. I haven’t tried using the file_over_new_connection event yet, but I would prefer to use file_new event, if I can. Any ideas on what I’m doing wrong?
Thanks!
Mike
global ext_map: table[string] of string = {
[“application/x-dosexec”] = “exe”,
} &default ="";
event file_new(f: fa_file)
{
if ( ! f?$mime_type || f$mime_type != “application/x-dosexec” )
return;
if ( ! f?$info || ! f$info?$tx_hosts )
return;
for ( txhost in f$info$tx_hosts )
{
if ( Site::is_local_addr(txhost) )
return;
}
local ext = “”;
if ( f?$mime_type )
ext = ext_map[f$mime_type];
local fname = fmt("%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}