Hi,
I set the default_extract variable as
const default_extract = T &redef;
in the contents.bro script to get the .dat files containing the TCP reassembly contents. Is there a way, on the Python binding side, to save the binaries as separate files from the created files? The .dat files include many responses. I can read the file and try to parse the content out of it by looking at the orig file, but maybe there is a better way on the binding side.
Cheers.
What are you referring to as binaries? You are going to need to explain what you are trying to accomplish in more detail.
.Seth
Hi,
> What are you referring to as binaries? You are going to need to explain what you are trying to accomplish in more detail.
When I run
bro -r somepcapfile base/protocols/conn/ (the aim is to get contents.bro loaded, but I might be writing the wrong path now; I couldn't remember the whole path of the installed contents.bro directory)
I get some .dat files. They have names like:
contents_192.168.1.10_4356_193.255.98.2_80_orig.dat
contents_192.168.1.10_4356_193.255.98.2_80_resp.dat
Each has the result of a TCP reassembly session. I saved my port 80 traffic while browsing to www.milliyet.com.tr, so the results have images, JS files, returned HTML, everything that a web site can have.
By traversing each file, I can save the contents separately. It seems the response .dat files hold the saved information (images, HTML files, text) in plain format.
Is there a way to tell Bro: OK, don't save this response as a single file, but save the images here, the JS files there, etc.? Or can I use the Broccoli Python binding for it?
You are looking at the wrong extraction.
This will extract windows executables from HTTP traffic:
redef HTTP::extract_file_types += /application\/x-dosexec/;
If you have different criteria for extracting files, it's possible to do your own thing by setting a boolean value in the c$http record. You just need to make sure that you set it before any data has begun to transfer. In your case, you might want to do this...
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Bro upper-cases header names before raising this event, hence "HOST".
	if ( name == "HOST" && value == "www.milliyet.com.tr" )
		c$http$extract_file = T;
	}
The above code will make Bro extract all files from the site you mentioned in your previous email. This will all be changing when we get the file analysis framework released, though; it should be easier and more generic for all protocols.
.Seth
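An added example script, not Seth's code from the reply above, that combines his two suggestions: it extends HTTP::extract_file_types so that images and JavaScript are extracted in addition to Windows executables, and it sets c$http$extract_file from the request's Host header so that everything served by a listed site is written out. It assumes a Bro 2.x install with base/protocols/http loaded (which is where HTTP::extract_file_types and the extract_file field of c$http come from); the module name SiteExtract and the extract_hosts set are my own additions, and the host list is a constructed value.

```bro
# Added example: extract HTTP response bodies by content type and by site.
# Assumes Bro 2.x with base/protocols/http loaded.
@load base/protocols/http

module SiteExtract;

export {
	## Hosts whose HTTP response bodies should all be written to disk.
	## Constructed value; replace with the sites you care about.
	const extract_hosts: set[string] = { "www.milliyet.com.tr" } &redef;
}

# Add images and JavaScript to the content types the HTTP scripts extract
# (Seth's example used /application\/x-dosexec/ for Windows executables).
redef HTTP::extract_file_types += /image\/|javascript/;

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only the request side carries a Host header, and request headers arrive
	# before any response body, so the flag is set before data starts to flow.
	if ( ! is_orig )
		return;

	# Bro upper-cases header names before raising http_header.
	if ( name == "HOST" && value in extract_hosts )
		c$http$extract_file = T;
	}
```

Run it against the capture with bro -r somepcapfile site-extract.bro (any file name will do). The content-type rule is evaluated by the base HTTP scripts when the first chunk of a response body arrives, so it applies to every site in the trace; the Host rule only applies to the sites in extract_hosts, and because it is decided in the request headers it satisfies the "set it before any data has begun to transfer" requirement from the reply.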