> On Feb 29, 2016, at 12:44 PM, Josh Guild wrote:
> I have a question about how Bro handles Microsoft BITS (Background Intelligent Transfer
> Service) traffic since the file is only partially downloaded in the session it's
> monitoring. We've seen some traffic and it looks like Bro just shows as an incomplete
> file and doesn't carve it properly.

There is actually some support in the file analysis code to handle this type of situation.
It *probably* already works if the BITS traffic you are seeing is in a pcap file or seen
by a single Bro worker. We don't have anything in place yet to do extraction from
traffic hitting multiple workers. This is also a bit of a weird feature because none of
the other network monitoring software that's around does this.
I would be interested in how you see Bro handling the traffic if you have a pcap file with
the full transfer happening over multiple connections to see if Bro extracts the file
correctly. It's possible that they've changed things a bit I worked with it
International Computer Science Institute
(Bro) because everyone has a network
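As an added illustration of the bookkeeping the reply describes (not Bro's own file-analysis code, and not an exact model of how Bro derives file identifiers), the following stand-alone Python example reassembles one logical file that arrives as several HTTP range responses over separate connections, the way BITS delivers a download. The `RangeReassembler` and `PartialFile` names, the sample URL and the 20-byte payload are all constructed for this example; the gap list shows why a monitor that only sees one of the connections reports an incomplete file, and `split_across_workers` shows why pieces that land on different workers never complete unless their state is shared.

```python
"""Reassemble a file delivered as HTTP range responses over several connections.

Constructed example, not Bro/Zeek code. It keeps a sparse buffer per file,
records which byte ranges have been seen, reports the gaps, and only yields
a hash once every byte of the declared total is present.
"""
import hashlib
import re

# Content-Range: bytes <first>-<last>/<total>  (inclusive byte positions)
CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+)")


def merge_ranges(ranges):
    """Merge inclusive (start, end) ranges into a sorted, non-overlapping list."""
    merged = []
    for s, e in sorted(ranges):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


class PartialFile:
    """One logical file being filled in from range responses."""

    def __init__(self, total):
        self.total = total
        self.data = bytearray(total)   # sparse buffer; unseen bytes stay zero
        self.ranges = []               # inclusive (start, end) pairs seen so far

    def add(self, start, end, payload):
        if end >= self.total or end - start + 1 != len(payload):
            raise ValueError("range inconsistent with declared total or body length")
        self.data[start:end + 1] = payload
        self.ranges.append((start, end))

    def gaps(self):
        """Byte ranges of the declared total that have not been seen yet."""
        out, cursor = [], 0
        for s, e in merge_ranges(self.ranges):
            if s > cursor:
                out.append((cursor, s - 1))
            cursor = e + 1
        if cursor < self.total:
            out.append((cursor, self.total - 1))
        return out

    def complete(self):
        return not self.gaps()

    def sha256(self):
        """Digest of the reassembled file, or None while bytes are still missing."""
        return hashlib.sha256(bytes(self.data)).hexdigest() if self.complete() else None


class RangeReassembler:
    """Groups range responses by a constructed file identity (URL + total size)."""

    def __init__(self):
        self.files = {}

    @staticmethod
    def file_id(url, total):
        # Assumed identity scheme for this example; Bro's real fid derivation differs.
        return hashlib.sha1(f"{url}|{total}".encode()).hexdigest()[:16]

    def add_response(self, url, headers, body):
        m = CONTENT_RANGE.match(headers.get("Content-Range", ""))
        if m:
            start, end, total = (int(x) for x in m.groups())
        else:
            start, end, total = 0, len(body) - 1, len(body)   # whole-body response
        fid = self.file_id(url, total)
        self.files.setdefault(fid, PartialFile(total)).add(start, end, body)
        return fid


# Constructed sample: a 20-byte "file" fetched in three range requests.
URL = "http://example.invalid/update.bin"
SAMPLE = b"0123456789abcdefghij"
CHUNKS = [("bytes 0-7/20", SAMPLE[0:8]),
          ("bytes 16-19/20", SAMPLE[16:20]),
          ("bytes 8-15/20", SAMPLE[8:16])]


def reassemble_sample():
    """Feed all chunks to one reassembler (single worker / single pcap) and report."""
    r, trace = RangeReassembler(), []
    for cr, body in CHUNKS:
        fid = r.add_response(URL, {"Content-Range": cr}, body)
        trace.append(r.files[fid].gaps())
    pf = r.files[fid]
    return {"gaps_after_each": trace, "complete": pf.complete(),
            "data": bytes(pf.data), "sha256": pf.sha256()}


def split_across_workers():
    """Same chunks, but each connection lands on a different worker with private state."""
    workers = [RangeReassembler() for _ in CHUNKS]
    return [w.files[w.add_response(URL, {"Content-Range": cr}, body)].complete()
            for w, (cr, body) in zip(workers, CHUNKS)]


if __name__ == "__main__":
    print(reassemble_sample())
    print(split_across_workers())
```

Running it prints the shrinking gap list after each chunk, then the full digest once the last range arrives, while the per-worker variant never reports a complete file.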