postprocessing extracted files

Franky · April 15, 2015, 7:45am

Hi.

I want to use Bro to extract files. After extraction these files will undergo some post-processing (e.g. lookup in a db of known files). Can I be sure, that a file logged in files.log with its hash has been written to disk completely?

If not, I have two ideas how to solve this:

use a temporary filename until the file is completely written (like a prefix/postfix). exclude temporary files from post-processing.
emit an appropriate signal from Extract::~Extract() after the file is closed.

I would be happy to implement a solution.

Franky

Seth_Hall3 · April 15, 2015, 12:17pm

You can handle the file_state_remove event. At that point, everything about the file is complete and it’s being flushed from memory.

event file_state_remove(f: fa_file)
  {
  # Do what you need.
  }

.Seth

Franky · April 15, 2015, 1:04pm

Hi,

Topic		Replies	Views
using bro for file extraction Zeek	5	66	May 6, 2022
Extract.bro Question Zeek	2	79	May 6, 2022
bro question. Zeek	2	45	May 6, 2022
Bro Scripting Question Zeek	4	44	May 6, 2022
Calling external scripts on extracted files Zeek	3	49	May 6, 2022

postprocessing extracted files

Related Topics