using bro for file extraction

I want to use bro to extract files for external analysis. Bro::FileDataEvent appears to be the proper approach. However, I’m not finding the event to write a script for, nor do I know how to write to anything other than a log file.

Please advise!

Best Regards,

Earl Eiland,

Sr. Cyber Security Engineer,

Emerging Technologies, root9B,

San Antonio, Texas

Look at ‘scripts/base/protocols/conn/contents.bro’ for example. That extracts sessions and saves them to disk.

1. at 4:22 AM, “Earl Eiland” <earl.eiland@root9b.com> wrote:

Hello Earl:

Are you attempting to do post processing on the file after it is fully extracted with Bro via a third party script? If so, you may want to tap into the file_state_remove event. I have an example of what this looks like here if you scroll to the bottom.

https://github.com/EmersonElectricCo/fsf/blob/master/docs/MODULES.md

Hope that helps,
Jason

I have examples of this at:

https://github.com/hosom/bro-file-extraction

The plugins directory has examples of running external scripts on the extracted files. Check out the ones that store files by their hash names.
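Putting Jason's `file_state_remove` suggestion and Stephen's "run an external script on the extracted file" pattern into one script, as an added example that is not code from the thread, from FSF, or from the bro-file-extraction repository. It assumes Bro 2.4 or later (for `file_sniff` and `fa_metadata`); the extraction directory `/data/extracted/` and the tool `/opt/tools/post_process.sh` are placeholder paths, and `post_process_cmd` is a name chosen for this example.

```bro
# Added example (not from the thread): extract every file Bro sees to disk
# with the built-in extract analyzer, then hand the finished file to an
# external script from file_state_remove. Paths below are placeholders.

@load base/files/extract

# Directory the extract analyzer writes into (placeholder path).
redef FileExtract::prefix = "/data/extracted/";

module FileHandoff;

export {
    ## External script invoked once a file is fully written (placeholder path).
    const post_process_cmd = "/opt/tools/post_process.sh" &redef;
}

# file_sniff fires once the file's type has been guessed; attach the
# extract analyzer here. The analyzer records the on-disk name it uses
# in f$info$extracted, which is what we pick up later.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }

# file_state_remove is the last event raised for a file, so by the time
# it fires the extracted copy is complete. Only files that actually got
# extracted carry f$info$extracted. The external tool is started in the
# background so Bro's event loop is not blocked while it runs.
event file_state_remove(f: fa_file)
    {
    if ( ! f$info?$extracted )
        return;

    local path = fmt("%s%s", FileExtract::prefix, f$info$extracted);
    system(fmt("%s %s &", post_process_cmd, str_shell_escape(path)));
    }
```

Run it with `bro -r capture.pcap this_script.bro` (or load it from `local.bro`). The quoting via `str_shell_escape` matters because the extracted name is built from `f$source`, which is attacker-influenced for some sources; handing an unquoted name to `system()` would let a crafted value inject into the shell command. For a production deployment you would also filter in `file_sniff` on `meta$mime_type` so only file types you care about are written to disk.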

Hello, Stephen.

Your code will work with minimal tweaking.

Thanks!

Earl