This is a script module for Bro (current master release only) that provides convenient extraction of files.
Additionally, the script assigns file extensions to extracted files of commonly encountered types.
```
cd <prefix>/share/bro/site/
git clone git://github.com/hosom/bro-file-extraction file-extraction
echo "@load file-extraction" >> local.bro
```
With the above installation alone, the module will not extract any files. In addition to the changes above, code must be written to hook FileExtraction::extract; for examples of this, look at the scripts in the plugins directory.
In many cases, the desired functionality is to extract the file types that commonly carry malware or exploits. To do that, uncomment the following line in plugins/load.bro:
```
@load file-extraction/plugins/extract-common-exploit-types
```
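As an added example of the hooking step described above (this is not one of the plugins shipped with bro-file-extraction), the following plugin selects files by sniffed MIME type. It assumes the convention used by the bundled plugins, where a handler of FileExtraction::extract requests extraction by calling `break`; the `extract_mime_types` set is a hypothetical name introduced here so the selection can be tuned from local.bro with `redef`.

```bro
# Added example plugin (not part of the bro-file-extraction repository).
# Assumes the module's convention that a handler of FileExtraction::extract
# requests extraction of the file by calling "break", as the bundled
# plugins do, and that the hook receives the file record and its metadata.
module FileExtraction;

export {
	## MIME types to extract (hypothetical name; redef this set in
	## local.bro to tune which files are written to disk).
	const extract_mime_types: set[string] = {
		"application/x-dosexec",
		"application/pdf",
		"application/x-shellscript",
	} &redef;
}

hook FileExtraction::extract(f: fa_file, meta: fa_metadata) &priority=5
	{
	# Files with no sniffed MIME type never match here; leave the
	# decision to other plugins hooking FileExtraction::extract.
	if ( ! meta?$mime_type )
		return;

	if ( meta$mime_type in extract_mime_types )
		{
		# Hash the file as well, so a store-files-by-* style plugin can
		# rename the extracted copy by digest when the file is closed.
		Files::add_analyzer(f, Files::ANALYZER_SHA256);
		break;
		}
	}
```

Drop the script into the plugins directory and `@load` it from plugins/load.bro alongside the shipped plugins. Keeping the MIME-type set `&redef` means a site can widen or narrow what is extracted from local.bro without editing the plugin.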
Additionally, to store files by sha1 hash, uncomment the following:
```
@load file-extraction/plugins/store-files-by-sha1
```
This set of scripts provides you with the ability to tune which files you are extracting and from where.
Other than the extracted files, this module will generate no output.
The plugins directory contains the following scripts:
- Attaches the extract files analyzer to every file that has a mime_type detected.
- extract-java.bro: Attaches the extract files analyzer to every JNLP and Java Archive file detected.
- extract-pe.bro: Attaches the extract files analyzer to every PE file detected.
- extract-ms-office.bro: Attaches the extract files analyzer to every MS Office file detected.
- extract-pdf.bro: Attaches the extract files analyzer to every PDF file detected.
- extract-common-exploit-types.bro: Loads the following plugins:
  - extract-java.bro
  - extract-pe.bro
  - extract-ms-office.bro
  - extract-pdf.bro
- Uses file_state_remove to rename extracted files based on the md5 checksum whenever it is available.
- store-files-by-sha1.bro: Uses file_state_remove to rename extracted files based on the sha1 checksum whenever it is available.
- Uses file_state_remove to rename extracted files based on the sha256 checksum whenever it is available.
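As an added example of the rename-on-file_state_remove technique used by the store-files-by-* plugins (this is not one of the repository's own plugins), the script below renames an extracted file to its sha256 digest once Bro is finished with the file. It assumes Bro 2.4 or later, where Files::Info records the extracted filename in f$info$extracted and extracted files are written under FileExtract::prefix, and it assumes the SHA256 analyzer was attached to the file (for example from the FileExtraction::extract hook); files without a hash are left under their original name.

```bro
# Added example (not one of the repository's store-files-by-* plugins).
# Renames an extracted file to its sha256 digest when the file is closed.
# Assumes Bro 2.4+ (f$info$extracted holds the extracted filename and
# extracted files live under FileExtract::prefix) and that the SHA256
# analyzer was attached to the file earlier.
module FileExtraction;

event file_state_remove(f: fa_file)
	{
	# Only act when the file was actually extracted and was hashed;
	# otherwise the file keeps the name the extract analyzer gave it.
	if ( ! f?$info || ! f$info?$extracted || ! f$info?$sha256 )
		return;

	local src = cat(FileExtract::prefix, f$info$extracted);
	local dst = cat(FileExtract::prefix, f$info$sha256);

	# Identical content collapses into a single copy on disk. A failed
	# rename is reported to reporter.log instead of being dropped silently.
	if ( ! rename(src, dst) )
		Reporter::warning(fmt("could not rename extracted file %s to %s", src, dst));
	}
```

Naming extracted files by digest makes duplicates across many connections collapse into one file and lets the name be looked up directly in files.log, where the same sha256 value is recorded.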