Might be nothing, but having the extra &redef at the end seems strange to me.
--Vlad
Good catch, copy-paste from another script. Made the change, still no dice.
Played with it a bit more and
redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;
added to a .bro file fixes the problem. I no longer get md5 sums, but
all executables are successfully extracted into the extraction
directory.
Is this anticipated behavior? Or should I get my cake and eat it too?
Thanks again.
I have no clue why this is happening. Also, you shouldn't need that whole list you defined in your earlier email. You should be able to get away with only defining /application\/x-dosexec/
If I had to guess, it could be something to do with the first line you defined…
redef HTTP::extract_file_types = /application\/x-dosexec/ &redef;
Adding the attribute there doesn't even make sense and honestly that should be a parse-time error since using the &redef attribute in that situation would never make sense. I'll file a ticket.
File extraction should work like you want with this line:
redef HTTP::extract_file_types += /application\/x-dosexec/;
All of this will be changing for 2.2 also and will become much more flexible.
.Seth
No parsing error was generated, broctl check && broctl install &&
broctl restart completed successfully.
I was/am a bit lost as well. You gave me another thing to check. Got
rid of everything and only did the following:
redef HTTP::extract_file_types += /.*\/.*/;
Extracts all files, except for the Windows exes that were MD5'd
----- then ----
redef HTTP::extract_file_types += /.*\/.*/;
redef HTTP::generate_md5 = /NO_FILE_TYPE_EVER/;
Extracts all files (including all Windows exes) and none are MD5'd
Looking forward to the change in 2.2.
Weird, this doesn't make any sense. I've always felt a bit uncomfortable with the structure of the scripts that implement that functionality, but I never would have foreseen a problem like this.
Could you file this as a ticket in our tracker? http://tracker.bro-ids.org/
Thanks!
.Seth