File extraction exclude local sites

Does anyone have a solution to exclude extracting files transmitted from internal hosts?

I modified the script below from the bro exchange exercise, but I continue to get executable files from internal hosts. I am using broctl and networks.cfg is populated. I haven’t tried using the file_over_new_connection event yet, but I would prefer to use file_new event, if I can. Any ideas on what I’m doing wrong?


global ext_map: table[string] of string = {
[“application/x-dosexec”] = “exe”,
} &default ="";

event file_new(f: fa_file)
if ( ! f?$mime_type || f$mime_type != “application/x-dosexec” )

if ( ! f?$info || ! f$info?$tx_hosts )

for ( txhost in f$info$tx_hosts )
if ( Site::is_local_addr(txhost) )

local ext = “”;

if ( f?$mime_type )
ext = ext_map[f$mime_type];

local fname = fmt("%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);

Hi Mike,

I have planned to do something similar myself, and I'm planning on using the
local_orig variable and test for something like
if(f$info?$local_org) return;

but I haven't tried it out yet.
From the documentation (

local_orig: bool &log &optional
If the source of this file is a network connection, this field indicates if the data originated from the local network or not as determined by the configured Site::local_nets.

Maybe this could work?

Best regards,
Marius P. Haugen