Extract all files policy script

Description

We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?

Environment

None

Activity

Jon Siwek
March 13, 2015, 3:00 PM

Should be easy, how to name extracted files, though? Just File ID + timestamp?

Seth Hall
March 13, 2015, 6:24 PM

We could always just do the single line script of...

# file_new is raised once per newly seen file; f is the file handle.
event file_new(f: fa_file)
    {
    # Attach the extraction analyzer to every file, unconditionally.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }

Seth Hall
March 13, 2015, 6:24 PM

Actually, I wouldn't even be opposed to changing the built-in file naming to get rid of the protocol and just move to the suggestion you just made of uid and timestamp.

Aashish Sharma
March 13, 2015, 6:33 PM

I prefer keeping protocol + fid: easy to sort extracted files into different buckets quickly when going through a big pcap. Generally there isn't a big need to tie a file back to its session, since the extractions are "going forward" in the workflow. However, the FID is sufficient to tie backwards with other logs.

I am sure you have a better use case for uid+timestamp. I cannot quite think of one.

(I take it the timestamp is for the case where multiple files are part of the same uid?)

Jon Siwek
March 13, 2015, 7:01 PM

I was mostly suggesting File ID + timestamp because I didn't remember that a default file name is provided, but I was also thinking it helps protect against File ID collisions over an extended period of time from clobbering each other.

I'll change the default naming to timestamp-protocol-FID and add the one-liner extract-all script.
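The combination the thread settles on, a script that extracts every file and names each one timestamp-protocol-FID, as an added Bro script example (the language is now called Zeek script); this is not the script that shipped with Bro, and the output directory is an assumed value:

```zeek
# Added example: extract every file Bro/Zeek sees and name the extracted
# file <timestamp>-<protocol>-<file id>, the scheme proposed in this thread.
# Run against a trace with:  zeek -r trace.pcap extract-all.zeek

@load base/files/extract

# Directory the extracted files are written to (assumed value; the
# extraction framework's own default is ./extract_files/).
redef FileExtract::prefix = "./extract_files/";

event file_new(f: fa_file)
    {
    # f$source is the protocol that carried the file (e.g. "HTTP", "SMTP"),
    # f$id is the file ID, and network_time() is the current packet time,
    # so a reused file ID on a long run no longer clobbers an earlier file.
    local fname = fmt("%s-%s-%s", network_time(), f$source, f$id);

    # Attach the extraction analyzer with the explicit output name; the
    # framework prepends FileExtract::prefix to it.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }
```

Because the file ID is kept in the name, each extracted file can still be tied back to files.log and the protocol logs that reference that fuid.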

Assignee

Jon Siwek

Reporter

Vlad Grigorescu

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Trivial