Newbie question Extract Binaries from traffic

Scott_P · July 26, 2016, 2:08pm

Newbie question added the following to my local.bro file

#Extract EXEs
redef HTTP::extract_file_types += /application/x-dosexec/;
redef FTP::extract_file_types += /application/x-dosexec/;

#Extract files to /nsm/bro/extracted
redef HTTP::extraction_prefix = “/nsm/bro/extracted/http/http-item”;
redef FTP::extraction_prefix = “/nsm/bro/extracted/ftp/ftp-file”;

But when I test against the file I am getting:

sudo bro -r http-putty.pcap /opt/bro/share/bro/site/local.bro

error in /opt/bro/share/bro/site/local.bro, line 105: “redef” used but not previously defined (HTTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can’t document redef of HTTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 106: “redef” used but not previously defined (FTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can’t document redef of FTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 109: “redef” used but not previously defined (HTTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can’t document redef of HTTP::extraction_prefix, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 110: “redef” used but not previously defined (FTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can’t document redef of FTP::extraction_prefix, identifier lookup failed

Any insight would be helpful.

johanna · July 27, 2016, 1:13am

Hi Scott,

I think the syntax you are using there was retired with Bro 2.2 (or
potentially earlier). Newer versions of Bro use the file analysis
framework; Documentation for it is available at
https://www.bro.org/sphinx-git/frameworks/file-analysis.html

To see an example of someone using the framework, see e.g. the email
thread at
http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008715.html

I hope this helps,
Johanna

Hosom_Stephen_M · July 27, 2016, 12:22pm

Scott,

I have an example of how file extraction is usually done on modern Bro versions here:

https://github.com/hosom/bro-file-extraction

I'm assuming based on what it looks like you were trying to do that you want to extract PE files that appear in HTTP and FTP?

You might try loading the extract-pe.bro script from the plugins directory in that repo. It won't limit the extraction to just HTTP and FTP though. You'd have to modify the script to get it to do that.

-Stephen

Scott_P · August 2, 2016, 9:34am

Thank you both. Exactly what I was looking for

Topic		Replies	Views
File Extraction Zeek	5	134	May 6, 2022
File Extraction Question Zeek	1	77	May 6, 2022
Problem extracting files Zeek	4	98	May 6, 2022
File Extraction: doc/xls=ok, docx/xlsx=ko Zeek	13	108	May 6, 2022
File Extraction Directory Zeek	4	112	May 6, 2022

Newbie question Extract Binaries from traffic

Related Topics