We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?
Should be easy. How to name extracted files, though? Just File ID + timestamp?
We could always just do the single line script of...
Actually, I wouldn't even be opposed to changing the built in file naming to get rid of the protocol and just move to the suggestion you just made of uid and timestamp.
I prefer keeping protocol + fid: easy to sort extracted files into different buckets quickly when going through a big pcap. Generally there isn't a big need to tie a file back to its session, since the extractions are "going forward" in the workflow. However, FID is sufficient to tie backwards to other logs.
I am sure you have a better use case for uid+timestamp. I cannot quite think of one.
(I take it the timestamp is for the case where multiple files are part of the same uid?)
I was mostly suggesting File ID + timestamp because I didn't remember that a default file name is provided, but I was also thinking it helps protect against File ID collisions over an extended period of time from clobbering each other.
I'll change the default naming to timestamp-protocol-FID and add the one-liner extract-all script.
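What such an extract-all policy script could look like, written here as an added illustration of the naming scheme settled on in the thread (timestamp-protocol-FID); this is not the script that shipped with Bro, and the output directory value is an assumption:

```bro
# Added example: attach the extraction analyzer to every file Bro sees,
# naming the output timestamp-protocol-FID as discussed above.
# Assumes Bro 2.x with the base file-extraction analyzer available.
@load base/files/extract

# Directory the extraction analyzer writes into (assumed value; the
# base analyzer's own option is FileExtract::prefix).
redef FileExtract::prefix = "./extract_files/";

# Build the filename: network time, then the protocol/source the file
# was carried over (f$source, e.g. HTTP), then Bro's file id (f$id).
# The timestamp keeps re-used file ids from clobbering each other.
function extract_all_name(f: fa_file): string
	{
	return fmt("%s-%s-%s", network_time(), f$source, f$id);
	}

# file_new fires once per file regardless of protocol or MIME type, so
# adding the analyzer here extracts everything, without any filtering.
event file_new(f: fa_file)
	{
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=extract_all_name(f)]);
	}
```

Extracting every file from a large pcap can fill a disk quickly, so the prefix directory should sit on a volume with room to spare.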