files.log - no filename over http


Why when I download file over HTTP bro doesn’t extract the filename ?

Here’s the http & files log :

srv@srv:/nsm/bro/logs/current$ tail -f http_br0.log | grep

1534860833.865081 CxLm9G4WxaJ6Z0zqIh 31451 8080 1 GET 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 0 506576 200 OK - - (empty) - - PROXY-CONNECTION → keep-alive - - - FI7yey3gl5U0JXLnji - application/x-dosexec

srv@srv:/nsm/bro/logs/current$ tail -f files.log | grep

1534860834.713869 FI7yey3gl5U0JXLnji CxLm9G4WxaJ6Z0zqIh HTTP 0 PE,SHA1,MD5 application/x-dosexec - 0.189665 F F 506576 506576 0 0 F -ea845778462ef5bd2bbf68381df324ca 4af433d0c22067d921c912deae87619b262262f3 - -



The way bro works by default is that it only extracts http filenames from an explicit content-disposition or content-type header

It wouldn't be that hard to write a script that sets the filename to the last component of the uri path though, if that's what
you really wanted.

I need to write a script for people to test. I discussed a set of conditions in which we can pull the file name from the url and be reasonably certain that the uri path component was referencing a file on disk (as Izik showed in his log). I'll see if I can get to that tonight. If enough people test it and it seems to work reasonably well I think we could roll it into Bro directly.


A little late, but here is a script that adds a bunch of file names for files over HTTP. If some people can run it and we get feedback I think we can target this change for 2.6.

For those that don't want to click on it, it works by watching for ETAG headers which are typically generated from the file timestamp and inode number of the file. It appears that web apps don't tend to include this header and my testing showed that it was pretty reliable about only logging things that were real file names.

Let me know how it goes if anyone runs this! Lots of new file names in files.log. :slight_smile:


Hi Seth,
Just run it , works very good !