Bro File detection


Sabbo

Nov 17, 2015, 3:57:40 PM11/17/15
to security-onion
What is the best way of finding file names in Bro?

For instance, I drill into Files and see PDF, I drill in again and see 50 sessions, but I want to see the filenames without having to extract each session as a PCAP. Is there a way of doing this?

Wes

Nov 17, 2015, 4:13:11 PM11/17/15
to security-onion
Sabbo,

Have you tried taking a look in /nsm/bro/extracted/?

Thanks,
Wes

Sabbo

Nov 17, 2015, 5:24:49 PM11/17/15
to security-onion
Hi Wes,

There are only EXE files extracted in this location (not PDFs).

Also, the EXEs in this location have strange (perhaps tokenised) names. Any idea why this is?

Wes

Nov 17, 2015, 7:11:33 PM11/17/15
to security-onion
Sabbo,

I believe only EXEs are extracted here by default. You should be able to change this by editing /opt/bro/share/bro/file-extraction/extract.bro to include the desired application/filetype and restarting broctl.

(https://groups.google.com/forum/#!searchin/security-onion/extracted/security-onion/1vvTFq0c6Lc/3_BuTL8jAwAJ)

/nsm/bro/logs/files.log should contain the names of files (filename) extracted by Bro.

Have you tried searching ELSA or the Bro HTTP logs for filename=blah and mimetype=application/pdf?

Thanks,
Wes

Sabbo

Nov 17, 2015, 8:08:35 PM11/17/15
to security-onion

I'm not really looking to extract every PDF, and that's the challenge I am finding. I can drill down and find the PDFs under MIME type, but there is no detail on filenames, and I have to download the PCAP for each one. It is extremely manual when I just want to know the filename.

Wes

Nov 17, 2015, 8:17:06 PM11/17/15
to security-onion
Sorry, I'm not sure what other methods there are, other than, as I mentioned, looking in files.log for the "filename" value for the downloaded files.

Thanks,
Wes

Doug Burks

Nov 18, 2015, 8:43:45 AM11/18/15
to securit...@googlegroups.com
Hi Sabbo,

- click the Files category and then the "MIME Types" query

- find a MIME Type of interest (you mentioned PDF) and click to show
all file entries with that MIME type

- look at one of the individual file entries and focus on the raw Bro log;
it's in the top half of the row and highlighted in bold, it should
begin with a timestamp, and the fields are pipe-delimited

- look right after the first pipe delimiter at the second field, it
should start with an "F". This is a File ID. Double-click this value
and then ctrl-c to copy.

- go up to the ELSA query bar and triple-click to select all the text
in the current query, ctrl-v to paste the File ID, and press Enter

- ELSA should then show you all of the logs related to this particular
File ID. Depending on the protocol that was used to download the file,
you may see an HTTP log or an FTP log or some other log, and they may
contain the filename that was requested when the file was downloaded



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
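The pivot Doug describes (files.log entry, copy the File ID, query it, read the filename out of the matching HTTP log) can be scripted directly against the on-disk logs, which are tab-separated with a "#fields" header rather than the pipe-delimited view ELSA shows. The following is an added example written for this thread; it is not code from the original posts, from Bro or from Security Onion. It takes a MIME type, finds every files.log record with that type, looks the fuid up in the resp_fuids column of http.log, and reports the name the file was requested under, preferring a name Bro already recorded (files.log filename, which for HTTP comes from a Content-Disposition header) over the last segment of the request URI. The two log excerpts are constructed and carry only the columns the example needs; real logs have many more, which the header-driven parser ignores. Assumed: Bro's default ASCII writer conventions ("-" for unset, "(empty)" for an empty set or vector, commas between vector elements), and that files fetched over FTP or SMTP have no http.log match and need their own log for a name.

```python
"""Pivot from Bro files.log to http.log on the file ID (fuid).

Added example for this thread, not code from the original posts, Bro or
Security Onion. Assumes Bro's default ASCII log writer: tab-separated,
"#fields" header, "-" for unset, "(empty)" for an empty container and
commas between vector elements.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed files.log excerpt: a PDF over HTTP, an EXE over HTTP that came
# with a Content-Disposition name, a PDF over FTP (no http.log row), a PNG.
FILES_LOG = """#separator \\x09
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tfilename
1447787001.101\tFa1b2c3d4e5f60718\t203.0.113.10\t192.0.2.5\tCxyz1a\tHTTP\tapplication/pdf\t-
1447787002.202\tFb2c3d4e5f60718a2\t203.0.113.20\t192.0.2.5\tCxyz2b\tHTTP\tapplication/x-dosexec\tsetup.exe
1447787003.303\tFc3d4e5f60718a2b3\t203.0.113.30\t192.0.2.5\tCxyz3c\tFTP\tapplication/pdf\t-
1447787004.404\tFd4e5f60718a2b3c4\t203.0.113.10\t192.0.2.5\tCxyz4d\tHTTP\timage/png\t-
"""

# Constructed http.log excerpt; resp_fuids ties a response body to files.log.
HTTP_LOG = """#separator \\x09
#path\thttp
#fields\tts\tuid\tmethod\thost\turi\tfilename\tresp_fuids\tresp_mime_types
1447787001.100\tCxyz1a\tGET\twww.example.com\t/docs/Q3%20report.pdf\t-\tFa1b2c3d4e5f60718\tapplication/pdf
1447787002.200\tCxyz2b\tGET\tdl.example.net\t/get?id=42\tsetup.exe\tFb2c3d4e5f60718a2\tapplication/x-dosexec
1447787004.400\tCxyz4d\tGET\twww.example.com\t/img/logo.png\t-\tFd4e5f60718a2b3c4\timage/png
"""


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #path, #types, #close carry no records
        if fields is None:
            raise ValueError("record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def split_vector(value):
    """Expand a set/vector column; '-' is unset and '(empty)' is an empty container."""
    if value in ("-", "(empty)"):
        return []
    return value.split(",")


def name_from_uri(uri):
    """Last path segment of the request URI, percent-decoded; '-' if there is none."""
    return unquote(posixpath.basename(urlsplit(uri).path)) or "-"


def filenames_for_mime(files_log, http_log, mime_type):
    """Return (fuid, filename, where the name came from) for every file of mime_type."""
    http_by_fuid = {}
    for rec in parse_bro_log(http_log):
        for fuid in split_vector(rec.get("resp_fuids", "-")):
            http_by_fuid[fuid] = rec

    results = []
    for rec in parse_bro_log(files_log):
        if rec["mime_type"] != mime_type:
            continue
        fuid = rec["fuid"]
        http = http_by_fuid.get(fuid)
        if rec["filename"] != "-":
            # Bro recorded a name itself (for HTTP, from Content-Disposition).
            results.append((fuid, rec["filename"], "files.log filename"))
        elif http is None:
            # Not an HTTP download: ftp.log, smtp.log etc. hold the name, if any.
            results.append((fuid, "-", "no http.log match"))
        elif http["filename"] != "-":
            results.append((fuid, http["filename"], "http.log filename"))
        else:
            results.append((fuid, name_from_uri(http["uri"]), "http.log uri"))
    return results


if __name__ == "__main__":
    for mime in ("application/pdf", "application/x-dosexec"):
        for fuid, name, origin in filenames_for_mime(FILES_LOG, HTTP_LOG, mime):
            print(f"{mime}\t{fuid}\t{name}\t({origin})")
```

On a sensor, replace the two embedded strings with the contents of the day's files.log and http.log from the Bro log directory; the "no http.log match" rows are the ones where the ELSA pivot would show an FTP or other protocol log instead, and a URI like /get?id=42 with no Content-Disposition yields only "get", so the third column tells you how much to trust the name.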

Sabbo

Nov 18, 2015, 3:02:18 PM11/18/15
to security-onion
Hi Doug,

This works great for PDFs but not for EXE/Word documents that have been downloaded over HTTP. Is there any reason for this?

Doug Burks

Nov 18, 2015, 3:22:38 PM11/18/15
to securit...@googlegroups.com
This works for some EXE samples that I just looked at.

Perhaps you could provide some example log entries?