Trying to extract HTTP payload

Hi,

I am trying to extract HTTP payload and bro throws an error:

achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 http-reply
error in ./site, line 1: read failed with "Is a directory"
achanda@achanda-OptiPlex-780:~/bro/scripts$ bro -i eth0 contents
error in ./site, line 1: read failed with "Is a directory"
achanda@achanda-OptiPlex-780:~/bro/scripts$

I tried to run bro from the top level installation directory but that
failed since it could not find the scripts. What am I missing?

Thanks

What version of Bro are you running? There is no http-reply script anymore (it was removed in 2.0).

2.0 and 2.1 can extract payloads in several ways. There is currently only one mechanism built in for doing it though, by matching the sniffed mime type of the response body.

This will do it if you are just interested in running from the command line...
  bro -r somepackets.pcap "HTTP::extract_file_types=/.*/"

  .Seth

Hi,

Thanks for the reply.
This is bro 2.1. Now, I ran this:

sudo ./bro -i eth0 "HTTP::extract_file_types=/.jpg/"

But no file gets saved in the current directory. The entry appears in
http.log though with a 200 OK

1347988043.663837 SWYFHjGx0x6 192.168.10.185 58146 74.200.247.186 80 0 - - - - - 0 7240 200 OK - - - (empty) - - - image/jpeg - -
1347988052.178112 BVcSiCSyzA4 192.168.10.185 46424 54.240.160.141 80 0 - - - - - 0 31225 200 OK - - - (empty) - - - image/jpeg - -
#close 2012-09-18-10-07-40

Is there something else I need to do?

Thanks

sudo ./bro -i eth0 "HTTP::extract_file_types=/.*\.jpg/"

  .Seth

Hi,

It still does not seem to work, there is nothing in the current
directory. Here is an entry from http.log

1347988766.291078 t3VZX9hEzl7 192.168.10.185 48299 184.172.154.91 80 0 - - - - - 0 1131 200 OK - - - (empty) - - - image/jpeg - -

There are similar entries which do not have a file name.

Thanks

sudo ./bro -i eth0 "HTTP::extract_file_types=/.*\.jpeg/"

:slight_smile:

.Seth
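As an added example (not code from this thread or from Bro itself), the Python below pulls the mime_type column out of http.log records in the Bro 2.1 layout shown above and reports which candidate extract_file_types patterns match it. It assumes the pattern is searched unanchored within the sniffed MIME type (never against the URI or file extension); the two log records are constructed from the ones posted, with the user agent blanked.

```python
import re

# Constructed http.log excerpt in the Bro 2.1 column order seen in this thread.
# The pasted lines were whitespace-collapsed; real logs are tab separated, and
# the last three columns are mime_type, md5 and extraction_file.
SAMPLE_HTTP_LOG = """\
1347988043.663837 SWYFHjGx0x6 192.168.10.185 58146 74.200.247.186 80 0 - - - - - 0 7240 200 OK - - - (empty) - - - image/jpeg - -
1347993371.841877 J6Gs3YxcaZ3 10.0.3.15 33554 216.92.99.29 80 1 GET www.effetech.com /images/msn2_full.gif - - 0 47818 200 OK - - - (empty) - - - image/gif - -
#close 2012-09-18-10-07-40
"""


def records(log_text):
    """Yield (uri, mime_type) for each data record, skipping '#' header/footer lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t") if "\t" in line else line.split()
        # uri is column 10; mime_type is third from the end, which also survives
        # whitespace splitting when the user_agent column contains spaces.
        yield fields[9], fields[-3]


def pattern_matches(pattern, mime_type):
    """Assumption: the pattern is searched anywhere in the MIME type, unanchored."""
    return re.search(pattern, mime_type) is not None


def evaluate(log_text, patterns):
    """Map each MIME type seen in the log to {pattern: matched?}."""
    result = {}
    for _uri, mime_type in records(log_text):
        result[mime_type] = {p: pattern_matches(p, mime_type) for p in patterns}
    return result


if __name__ == "__main__":
    # The thread's attempts keyed on the file extension; a MIME-type pattern matches.
    for mime_type, hits in evaluate(SAMPLE_HTTP_LOG, [r".jpg", r".*\.jpg", r"image/.*", r".*"]).items():
        print(mime_type, hits)
```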

The blank fields in http.log could be the result of checksum offloading:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
Doug

Hah! Good catch Doug. Ironically, the file extraction as he's doing it will still work fine.

Abhishek, you can have Bro ignore checksums with the -C command line argument, but you definitely do not want to run Bro in production with that argument because it opens the door to easy evasions.

  .Seth

Hi Seth and Doug,

Thanks for the replies.
I still could not get Bro to work though. I am trying to save a gif
file since I thought this would cause less confusion with the file
MIME and extension. I disabled TCP checksum offloading as Doug
suggested. I ran Bro as:

sudo ./bro -C -i eth1 "HTTP::extract_file_types=/.*\.gif/"

I then pointed my browser to a gif image. The entry for the image
appears in http.log but the image does not get saved. I am sure that
the interface is correct. What else can go wrong?

Thanks

What's the line in http.log?

  .Seth

Here:

1347993371.841877 J6Gs3YxcaZ3 10.0.3.15 33554 216.92.99.29 80 1 GET www.effetech.com /images/msn2_full.gif - Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1 0 47818 200 OK - - - (empty) - - - image/gif - -

I cleared my browser cache before I tried to get the image.

Thanks