Hi all,
After looking at an aggregate 30 days of files.log in Splunk, I noticed that 98% of the files identified by Bro have no filenames associated with them.
While I haven’t done any rigorous testing of this, it just seems wrong. Is this a known bug? Is anyone else experiencing this?
The file analysis framework does not annotate the original file names as I understand it. I am not sure why this is. What it does do is assign a Unique File ID to each file that can be used to search search across different Bro logs.
Chuck
It's because 98% of files transferred over the internet have no reliable name associated with them. 
Since most of the "files" in your files.log are http content and with HTTP there is a mechanism for transferring a file name along with the data (content-disposition header) it's a pretty bad idea to trust anything in the url as a file name. You would end up with lots of "files" being transferred named "index.php" and "index.asp" which I don't think you want either. We heavily tend toward conservatism in cases where an incorrect interpretation could arise.
All of that said, this is something that you could write an extension script to add to your files.log if you really want it. I'll leave it as an exercise to you to write the script though. 
.Seth
The file analysis framework itself doesn't do it. Some of the protocol scripts poke forward into files transferred and annotate the files log with a file name if a suitable one was found.
.Seth
Thanks for the thoughtful replies Chuck and Seth.
I will add this field to my files log and name it “inferred_filename”. For everyone else on the list, I will forward this along when I’m finished.
Seth - I don’t agree with your assumption that I don’t want to see the filename from the URL, I think that this is pretty relevant data, especially when viewed from a security context. I do however agree that one should definitely not “trust” the URL. This is the beauty of Bro - I can add and remove this data at my discretion :-).
Thanks again!!
Exactly!
.Seth