Thank you both. Exactly what I was looking for
On Jul 27, 2016 08:22, "Hosom, Stephen M" <hosom(a)battelle.org> wrote:
Scott,
I have an example of how file extraction is usually done on modern Bro
versions here:
https://github.com/hosom/bro-file-extraction
I'm assuming based on what it looks like you were trying to do that you
want to extract PE files that appear in HTTP and FTP?
You might try loading the extract-pe.bro script from the plugins directory
in that repo. It won't limit the extraction to just HTTP and FTP though.
You'd have to modify the script to get it to do that.
-Stephen
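For readers who want to see what that modification looks like, here is an added example (not Stephen's repo code and not from the original thread) that uses the file analysis framework to extract PE files only from HTTP and FTP. It assumes the default MIME sniffer reports PE files as application/x-dosexec, that FTP transfers carry the file source name "FTP_DATA", and that /nsm/bro/extracted/ is the desired output directory.

```bro
##! Added example: extract PE files seen in HTTP and FTP with the Bro 2.4+
##! file analysis framework. Not part of any project's code.

@load base/files/extract

module ExtractPE;

export {
    ## MIME types worth extracting (assumes the sniffer labels PE files so).
    const mime_types: set[string] = { "application/x-dosexec" } &redef;
    ## File sources to extract from. Assumes FTP files show up as "FTP_DATA".
    const sources: set[string] = { "HTTP", "FTP_DATA" } &redef;
}

## Directory that extracted files are written under (assumed path).
redef FileExtract::prefix = "/nsm/bro/extracted/";

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # The sniffed MIME type is optional; skip files Bro could not classify.
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in mime_types )
        return;

    # f$source names the protocol analyzer that produced the file, so this is
    # where the HTTP/FTP restriction lives.
    if ( f$source !in sources )
        return;

    # One output file per Bro file id, prefixed with the source protocol so
    # HTTP and FTP extractions are easy to tell apart on disk.
    local fname = fmt("%s-%s.exe", to_lower(f$source), f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```

Save it as extract-pe.bro, @load it from local.bro, and test with bro -r http-putty.pcap local.bro; files from other sources such as SMTP are ignored because their source is not in the set.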
________________________________________
From: bro-bounces(a)bro.org [bro-bounces(a)bro.org] on behalf of Johanna
Amann [johanna(a)icir.org]
Sent: Tuesday, July 26, 2016 9:13 PM
To: Scott P
Cc: bro(a)bro.org
Subject: Re: [Bro] Newbie question Extract Binaries from traffic
Hi Scott,
I think the syntax you are using there was retired with Bro 2.2 (or
potentially earlier). Newer versions of Bro use the file analysis
framework. Documentation for it is available at
https://www.bro.org/sphinx-git/frameworks/file-analysis.html
To see an example of someone using the framework, see e.g. the email
thread at
http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008715.html
I hope this helps,
Johanna
On Tue, Jul 26, 2016 at 10:08:57AM -0400, Scott P wrote:
Newbie question: I added the following to my
local.bro file
#Extract EXEs
redef HTTP::extract_file_types += /application\/x-dosexec/;
redef FTP::extract_file_types += /application\/x-dosexec/;
#Extract files to /nsm/bro/extracted
redef HTTP::extraction_prefix = "/nsm/bro/extracted/http/http-item";
redef FTP::extraction_prefix = "/nsm/bro/extracted/ftp/ftp-file";
But when I test against the file I am getting:
sudo bro -r http-putty.pcap /opt/bro/share/bro/site/local.bro
error in /opt/bro/share/bro/site/local.bro, line 105: "redef" used but not previously defined (HTTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can't document redef of HTTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 106: "redef" used but not previously defined (FTP::extract_file_types)
internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can't document redef of FTP::extract_file_types, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 109: "redef" used but not previously defined (HTTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can't document redef of HTTP::extraction_prefix, identifier lookup failed
error in /opt/bro/share/bro/site/local.bro, line 110: "redef" used but not previously defined (FTP::extraction_prefix)
internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can't document redef of FTP::extraction_prefix, identifier lookup failed
Any insight would be helpful.
--
Read, pause, think, pause, write, pause, (perhaps erase), pause, read,
pause, (perhaps go back), pause, write, ....
-- Alan Turing (1936)
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro