File extraction exclude local sites

Does anyone have a solution to exclude extracting files transmitted from internal hosts?

I modified the script below from the bro exchange exercise, but I continue to get executable files from internal hosts. I am using broctl and networks.cfg is populated. I haven’t tried using the file_over_new_connection event yet, but I would prefer to use the file_new event, if I can. Any ideas on what I’m doing wrong?

Thanks!
Mike

    global ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
    } &default = "";

    event file_new(f: fa_file)
        {
        if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
            return;

        if ( ! f?$info || ! f$info?$tx_hosts )
            return;

        for ( txhost in f$info$tx_hosts )
            {
            if ( Site::is_local_addr(txhost) )
                return;
            }

        local ext = "";

        if ( f?$mime_type )
            ext = ext_map[f$mime_type];

        local fname = fmt("%s-%s.%s", f$source, f$id, ext);
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }

Hi Mike,

I have planned to do something similar myself, and I'm planning on using the
local_orig variable and test for something like
    if ( f$info?$local_orig && f$info$local_orig ) return;

but I haven't tried it out yet.
From the documentation (http://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html#type-Files::Info):

local_orig: bool &log &optional
If the source of this file is a network connection, this field indicates if the data originated from the local network or not as determined by the configured Site::local_nets.

Maybe this could work?

Best regards,
Marius P. Haugen
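
An added example, not part of either post: the same filter written against the file_over_new_connection event mentioned in the question, taking the sending host from the connection and is_orig instead of from f$info$tx_hosts. It assumes a Bro version in which f$mime_type is already set when this event fires, and that Site::local_nets is populated from networks.cfg.

```bro
# Added example (not from the thread).
# Assumption: f$mime_type is set by the time file_over_new_connection fires,
# as it is in the file_new handler of the script in the question.
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
} &default = "";

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    # Only Windows executables are of interest.
    if ( ! f?$mime_type || f$mime_type != "application/x-dosexec" )
        return;

    # is_orig is T when the connection originator is the one sending the
    # file, so the transmitting host is orig_h in that case, else resp_h.
    local tx_host = is_orig ? c$id$orig_h : c$id$resp_h;

    # Site::is_local_addr tests against Site::local_nets.
    # Skip anything sent by an internal host.
    if ( Site::is_local_addr(tx_host) )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```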