I've recently started playing with file extraction via bro, and it
seems to mostly work. I seem to have an issue extracting executable
files.
I have the following lines in a .bro file:
# Start with the executable MIME types, then widen the pattern with +=.
# (&redef is a declaration attribute, not something a redef statement needs.)
redef HTTP::extract_file_types = /application\/x-dosexec/;
redef HTTP::extract_file_types += /application\/x-executable/;
redef HTTP::extract_file_types += /application\/x-msdownload/;
redef HTTP::extract_file_types += /application\/exe/;
redef HTTP::extract_file_types += /application\/x-exe/;
redef HTTP::extract_file_types += /application\/dos-exe/;
redef HTTP::extract_file_types += /application\/x-winexe/;
redef HTTP::extract_file_types += /application\/msdos-windows/;
redef HTTP::extract_file_types += /application\/x-msdos-program/;
redef HTTP::extract_file_types += /.*\/.*/;
The catch-all at the end is to make sure something is happening (which
it is). I seem to get every file type but executables. The really odd
thing is executables will show up in the notice.log as an entry with
the MD5 of the executable. Is this some kind of weird edge case where
any files that have an MD5 calculated are not put in the extraction
directory (they show up as file names, but the file is 0 length)?
I'm pretty confused; any ideas/thoughts would be appreciated.
Thanks
-=Mike
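One way to pin down the symptom described above (files that appear in the extraction directory but are 0 bytes, while notice.log carries an MD5 for them) is to audit the extraction directory directly: list the zero-length entries, hash the non-empty ones, and compare those hashes with whatever MD5 tokens appear in notice.log. The script below is an added diagnostic, not code from the post or from Bro itself. It assumes nothing about Bro's column layout: it pulls any 32-hex-digit token out of non-header lines, and the sample directory, file names and notice.log lines it builds are constructed for the demonstration (the `HTTP::MD5` note name and the `md5=` field are simplifications, not a faithful log record).

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Matches a 32-hex-digit token (an MD5) anywhere in a log line, so this works
# regardless of which notice.log column actually carries the hash.
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so a large extracted binary is not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_extraction_dir(directory: str) -> Tuple[List[str], Dict[str, str]]:
    """Split the extraction directory into zero-length entries and a
    {name: md5} map for the files that actually have content."""
    empty: List[str] = []
    hashes: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if os.path.getsize(path) == 0:
            empty.append(name)
        else:
            hashes[name] = md5_of_file(path)
    return empty, hashes


def md5s_in_notice_log(lines) -> Set[str]:
    """Collect every MD5-looking token from notice.log lines, skipping the
    '#'-prefixed header lines Bro writes at the top of each log."""
    found: Set[str] = set()
    for line in lines:
        if line.startswith("#"):
            continue
        found.update(MD5_RE.findall(line.lower()))
    return found


def cross_reference(directory: str, notice_lines) -> Dict[str, List[str]]:
    """Report which extracted files are empty, which non-empty files have a
    hash that notice.log also reports, and which notice.log hashes have no
    non-empty file on disk (the case the post is asking about)."""
    empty, hashes = audit_extraction_dir(directory)
    noticed = md5s_in_notice_log(notice_lines)
    on_disk = set(hashes.values())
    return {
        "empty_files": empty,
        "matched": sorted(n for n, h in hashes.items() if h in noticed),
        "noticed_but_missing": sorted(noticed - on_disk),
    }


def build_sample_dir() -> str:
    """Construct a throwaway extraction directory: one zero-length file (the
    symptom from the post) and one file with content. Names are made up."""
    d = tempfile.mkdtemp(prefix="bro-extract-")
    open(os.path.join(d, "HTTP-F1-empty.exe"), "wb").close()
    with open(os.path.join(d, "HTTP-F2-ok.bin"), "wb") as f:
        f.write(b"hello")  # MD5 of b"hello" is 5d41402abc4b2a76b9719d911017c592
    return d


# Constructed notice.log-style lines (not real Bro output): a header line and
# two records, one carrying the MD5 of b"hello" and one carrying a hash that
# has no non-empty file on disk.
SAMPLE_NOTICE_LINES = [
    "#fields\tts\tnote\tmsg",
    "1.0\tHTTP::MD5\tmd5=5d41402abc4b2a76b9719d911017c592",
    "2.0\tHTTP::MD5\tmd5=" + "0" * 32,
]


if __name__ == "__main__":
    sample = build_sample_dir()
    for key, value in cross_reference(sample, SAMPLE_NOTICE_LINES).items():
        print(f"{key}: {value}")
```

Run it against the real extraction directory by passing that path and the lines of the live notice.log to `cross_reference`; a hash that lands in `noticed_but_missing` while a zero-length file of the matching name sits in `empty_files` confirms the two symptoms belong to the same file.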