Hey, I'm new to Bro but have been attempting to use the file extraction features. I can generally get it to work, but a lot of the time it's just wrong when I attempt it in real time.
For instance, I'm downloading putty.exe and trying to extract it off the wire. I get the below response when downloading it 5 times. It only successfully extracted and hashed it once:
file_hash, FZKBS62fkHvKf36GTd, sha1, 91b21fffe934d856c43e35a388c78fccce7471ea
The other times it completely misses it. If I attempt from a pcap file on the same machine, it grabs it every time. Is there a threshold or something I need to set in Bro for real-time captures?
/tmp$ sudo /usr/local/bro/bin/bro -i eth0 -C
listening on eth0, capture length 8192 bytes
new file, FB4np7nWhWIo8sOg5
file_hash, FB4np7nWhWIo8sOg5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FxPYHc1et6sMSMY2jf <----- missed the file
new file, FsONwVnUBjs2Fq0i5
file_hash, FsONwVnUBjs2Fq0i5, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FZKBS62fkHvKf36GTd <----- Yes it got the file
file_hash, FZKBS62fkHvKf36GTd, sha1, 91b21fffe934d856c43e35a388c78fccce7471ea
new file, Fp04jH3KL23Zx75OVf
file_hash, Fp04jH3KL23Zx75OVf, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FK2LoX14jpBSyfpy67 <----- missed the file
new file, FnJ7Mg1ymupibnvSW1
file_hash, FnJ7Mg1ymupibnvSW1, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, FXriBu1tLEBhRVWTG3 <----- missed the file
new file, FwByiJ30INM9Mk6DO9
file_hash, FwByiJ30INM9Mk6DO9, sha1, 7788b3ba9a36112e0d429ecd358420d21ace7e68
new file, Fn5DEA1WWvsykOA2Lh <----- missed the file
^C1442296477.139167 received termination signal
1442296477.139167 2260 packets received on interface eth0, 0 dropped
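The poster's script is not shown; the following is an added example (not from the post) of the kind of Bro 2.x policy that prints the "new file" / "file_hash" lines seen above, extended with a file_state_remove handler that reports how much of an incomplete file Bro actually saw. It assumes Bro 2.x fa_file fields (seen_bytes, missing_bytes, total_bytes) and a constructed set of file sources to extract from.

```bro
# Added example, not the poster's own script. Assumes Bro 2.x.
module FileCheck;

export {
    # Constructed value: only extract files carried over HTTP; adjust as needed.
    const extract_sources: set[string] = { "HTTP" } &redef;
}

event file_new(f: fa_file)
    {
    print fmt("new file, %s", f$id);
    # Hash every file. The hash is only reported once the complete contents
    # were seen, so a "new file" line with no matching "file_hash" line means
    # the file was never fully reassembled.
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    if ( f$source in extract_sources )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                            [$extract_filename=fmt("extract-%s", f$id)]);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    print fmt("file_hash, %s, %s, %s", f$id, kind, hash);
    }

# Diagnostic: when a file is torn down, report whether any of it was missing.
# A nonzero missing_bytes count (or seen_bytes below the announced total)
# points at packet loss or a capture length too small for the traffic rather
# than at the analyzer itself; compare this against the "dropped" counter
# printed at shutdown.
event file_state_remove(f: fa_file)
    {
    if ( f$missing_bytes > 0 || (f?$total_bytes && f$seen_bytes < f$total_bytes) )
        print fmt("incomplete file, %s, seen=%d missing=%d total=%s",
                  f$id, f$seen_bytes, f$missing_bytes,
                  f?$total_bytes ? fmt("%d", f$total_bytes) : "unknown");
    }
```

Run it alongside the live capture, e.g. `bro -i eth0 -C filecheck.bro`; the "incomplete file" lines then show whether the files that never got hashed were seen only partially.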