Hey Bro members,
Some questions about File Extraction for Bro on my Red Hat 6.5 server.
I’ve configured Bro appropriately to extract “exe” mime types from the HTTP protocol. It works great. However, the “files.log” only contains MD5 and SHA1 entries for some of the files, not all of them. How do I fix this so that all of the extracted files have the MD5 and SHA1 entries?
I have analysts that need access to the files (/var/data/bro/extracted), but I’ve noticed that bro creates the files with random permissions, either 644 or 600… so they can only access the ones with 644. How do I ensure bro extracts the file with the 644 permission set on all of them? (see the example below)
-rw-r--r--. 1 root root 703736 Nov 7 04:29 HTTP-FzedfU1k233I0Kiwn8.exe.dead
-rw-------. 1 root root 358799 Nov 5 04:07 HTTP-FzFPDF3EF77DEUSjdf.exe.dead
-rw-------. 1 root root 26121658 Nov 6 03:17 HTTP-FzhwqG33dNtUHZraZ4.exe.dead
-rw-------. 1 root root 249856 Nov 5 00:00 HTTP-FZi4XxyXiaoBquRu.exe.dead
-rw-r--r--. 1 root root 332536 Nov 28 14:21 HTTP-FZikQY3r8a7gXtLlee.exe.dead
-rw-r--r--. 1 root root 24306 Nov 12 05:02 HTTP-FzjIxe2MR9Uj8S8j27.exe.dead
-rw-------. 1 root root 94568 Nov 6 04:00 HTTP-FzJjxg23F3HPqtRbC2.exe.dead
Is there a way to tell bro to run as a different user / group other than root? I didn’t see any options for it in the bro --help. I would assume I would have to give broctl and bro binaries / modules the ownership and executable rights by another user, then have bro start up as that new user, but wanted to see if there was an easier way. Otherwise I’d have to change the default install configuration each time I upgrade.
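For the first question (md5/sha1 missing for some extracted files), the columns in files.log are only filled in when a hash analyzer is attached to that file, which the default scripts do for a subset of files only. Below is an added example script, not from the original post or the Bro project, that attaches the extract, MD5 and SHA1 analyzers together to every PE file seen over HTTP; it assumes a Bro 2.x release where file_new exposes f$mime_type, and the module name and ext_map table are illustrative. The permission and run-as-user questions are not addressed by it.

```bro
# Added example: extract HTTP-carried executables and hash each one, so that
# files.log carries md5 and sha1 for every extracted file rather than only
# for those some other default script happened to hash.
@load base/files/extract
@load base/files/hash

# Illustrative module name (assumption, not part of the original post).
module ExtractExe;

export {
    ## Constructed mapping of the MIME types to extract to a file suffix.
    const ext_map: table[string] of string = {
        ["application/x-dosexec"] = "exe",
    } &redef;
}

# Directory the analysts read from, taken from the original post.
redef FileExtract::prefix = "/var/data/bro/extracted/";

event file_new(f: fa_file)
    {
    # Assumes the 2.x-era fa_file record that carries an optional mime_type.
    if ( ! f?$mime_type || f$mime_type !in ext_map )
        return;

    # Only act on files carried by HTTP, as the original configuration did.
    if ( f$source != "HTTP" )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, ext_map[f$mime_type]);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);

    # Hash analyzers populate the md5/sha1 columns of files.log; without
    # them those columns stay empty for files no other script chose to hash.
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }
```

Loading this script (for example via local.bro) makes the hash columns consistent with the extracted files; the analysts can then match a .exe on disk to its files.log row by the file id embedded in the name.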