files.log - no filename over http

Hi

Why when I download file over HTTP bro doesn’t extract the filename ?

Here’s the http & files log :

srv@srv:/nsm/bro/logs/current$ tail -f http_br0.log | grep 192.168.1.1

1534860833.865081 CxLm9G4WxaJ6Z0zqIh 192.168.1.1 31451 77.138.188.44 8080 1 GET 77.138.188.44 http://77.138.188.44/Browsing.exe http://77.138.188.44/ 1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 0 506576 200 OK - - (empty) - - PROXY-CONNECTION → keep-alive - - - FI7yey3gl5U0JXLnji - application/x-dosexec

srv@srv:/nsm/bro/logs/current$ tail -f files.log | grep 192.168.1.1

1534860834.713869 FI7yey3gl5U0JXLnji 77.138.188.44 192.168.1.1 CxLm9G4WxaJ6Z0zqIh HTTP 0 PE,SHA1,MD5 application/x-dosexec - 0.189665 F F 506576 506576 0 0 F -ea845778462ef5bd2bbf68381df324ca 4af433d0c22067d921c912deae87619b262262f3 - -

image001.jpg

image002.jpg

The way bro works by default is that it only extracts http filenames from an explicit content-disposition or content-type header

It wouldn't be that hard to write a script that sets the filename to the last component of the uri path though, if that's what
you really wanted.

I need to write a script for people to test. I discussed a set of conditions in which we can pull the file name from the url and be reasonably certain that the uri path component was referencing a file on disk (as Izik showed in his log). I'll see if I can get to that tonight. If enough people test it and it seems to work reasonably well I think we could roll it into Bro directly.

   .Seth

A little late, but here is a script that adds a bunch of file names for files over HTTP. If some people can run it and we get feedback I think we can target this change for 2.6.
  https://gist.github.com/sethhall/727ac36a630a642ca941661db68b87f4

For those that don't want to click on it, it works by watching for ETAG headers which are typically generated from the file timestamp and inode number of the file. It appears that web apps don't tend to include this header and my testing showed that it was pretty reliable about only logging things that were real file names.

Let me know how it goes if anyone runs this! Lots of new file names in files.log. :slight_smile:

   .Seth

Hi Seth,
Just run it , works very good !
Thanks!