TEMP files under /opt/zeek/spool/worker-*-*/extract_files

While running some system checks, I noted that on the two zeek 3.0 boxes I have in a cluster, drive space was being taken up in the following directory:

/opt/zeek/spool/worker-3-1/extract_files.

These files are not large but numerous.

total 15884720
-rw-rw-r-- 1 zeek zeek 50 Dec 30 16:26 CZi12w40mQqZt08H24_FWsM9w4uCR965XUybc__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-93.txt
-rw-rw-r-- 1 zeek zeek 326 Dec 30 16:26 CZi12w40mQqZt08H24_FEJBtK3MwBWHCM3ET__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110812.bat
-rw-rw-r-- 1 zeek zeek 44 Dec 30 16:26 CZi12w40mQqZt08H24_FzgNR24m7uP0dbeI54__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-92.txt
-rw-rw-r-- 1 zeek zeek 315 Dec 30 16:26 CZi12w40mQqZt08H24_FlcyIJ91gLM90QJhe__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110811.bat
-rw-rw-r-- 1 zeek zeek 23 Dec 30 16:26 CZi12w40mQqZt08H24_FXnI1p4BopgQQE4jye__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-91.txt
-rw-rw-r-- 1 zeek zeek 285 Dec 30 16:26 CZi12w40mQqZt08H24_FXROsS11QBGTbOJGNd__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110810.bat
-rw-rw-r-- 1 zeek zeek 19 Dec 30 16:25 CZi12w40mQqZt08H24_FZ3vCj4O7BqZZYdgT__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-90.txt
-rw-rw-r-- 1 zeek zeek 330 Dec 30 16:25 CZi12w40mQqZt08H24_FozvDx13eGGG5Sssyc__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110793.bat
-rw-rw-r-- 1 zeek zeek 77 Dec 30 16:25 CZi12w40mQqZt08H24_FIwGEp2TW6WJ8IbEcd__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-89.txt
-rw-rw-r-- 1 zeek zeek 313 Dec 30 16:25 CZi12w40mQqZt08H24_FWm9sG44On6hV5AoWj__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110781.bat
-rw-rw-r-- 1 zeek zeek 10 Dec 30 16:25 CZi12w40mQqZt08H24_Fo3rTB2pdq5ooABUCa__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-88.txt

Can these files be purged periodically?

Seeing this on both the master box and the cluster node.

Thank you.

Those aren’t TEMP files as far as zeek is concerned. Those are being extracted by the BZAR script: https://github.com/mitre-attack/bzar/blob/master/scripts/bzar_files.bro

They just happen to be from c:\windows\TEMP\ on the server.

You should be analyzing those files, or, if you don’t want them at all, the bzar script has BZAR::file_extract_option or some other ways of filtering things to turn that feature off.
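As an added example (not part of this thread or of the BZAR project), a small triage script that turns an extract_files listing like the one in the question into per-server, per-extension counts and byte totals, so the extracted files get looked at rather than purged. It assumes the filename layout visible above: conn UID, file UID, a double underscore, then the SMB server address followed by the share and path with separators rewritten as underscores.

```python
# Triage Zeek/BZAR extracted files by the SMB server they were written to and
# by extension. Added example, not BZAR code; assumes the naming in the listing:
#   <conn_uid>_<file_uid>__<server_ip>_<share-and-path, separators as "_">
import os
import re
from collections import defaultdict

# One `ls -l` line: only the size field and the trailing filename are captured.
LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

# Constructed sample copying four lines from the question (not live data).
SAMPLE_LS = """\
-rw-rw-r-- 1 zeek zeek 50 Dec 30 16:26 CZi12w40mQqZt08H24_FWsM9w4uCR965XUybc__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-93.txt
-rw-rw-r-- 1 zeek zeek 326 Dec 30 16:26 CZi12w40mQqZt08H24_FEJBtK3MwBWHCM3ET__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110812.bat
-rw-rw-r-- 1 zeek zeek 44 Dec 30 16:26 CZi12w40mQqZt08H24_FzgNR24m7uP0dbeI54__10.1.24.161_c$Windows_TEMP_fstmp_fs_smbfile_10.1.24.161-92.txt
-rw-rw-r-- 1 zeek zeek 315 Dec 30 16:26 CZi12w40mQqZt08H24_FlcyIJ91gLM90QJhe__10.1.24.161_c$Windows_TEMP_fstmp_fs_action_110811.bat
"""

def parse_name(name):
    """Split an extract filename into (conn_uid, file_uid, server, ext), or None."""
    ids, sep, origin = name.partition("__")
    if not sep or "_" not in ids:
        return None                       # not a BZAR-style name
    conn_uid, _, file_uid = ids.partition("_")
    server = origin.partition("_")[0]     # SMB server the file landed on
    ext = os.path.splitext(name)[1].lower() or "(none)"
    return conn_uid, file_uid, server, ext

def summarise(entries):
    """entries: iterable of (filename, size) -> {(server, ext): (count, bytes)}."""
    stats = defaultdict(lambda: [0, 0])
    for name, size in entries:
        parsed = parse_name(name)
        if parsed is None:
            continue
        key = (parsed[2], parsed[3])
        stats[key][0] += 1
        stats[key][1] += int(size)
    return {k: tuple(v) for k, v in stats.items()}

def entries_from_ls(ls_text):
    """Yield (name, size) from pasted `ls -l` output like the listing above."""
    for line in ls_text.splitlines():
        m = LS_LINE.match(line)
        if m:
            yield m.group("name"), m.group("size")

if __name__ == "__main__":
    for (srv, ext), (n, total) in sorted(summarise(entries_from_ls(SAMPLE_LS)).items()):
        print(f"{srv:16} {ext:7} files={n:4d} bytes={total}")
```

On a worker you can feed summarise() straight from os.scandir() over the extract_files directory instead of pasted ls output; the conn UID in each name is what ties a file back to the conn.log and smb_files.log entries for the write.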