Extracting file matching bro signature

Question

I've written a signature to match small iframes in http responses.

This works fine and I get an entry in signatures.log and notice.log.

I'd like to extract any files which hit this sig so I can have a closer look, If I look at the signature_match event I can see the http content in the data variable -

should I just output this data to a file or is there a way to use the file_extract functionality to extract the file correctly.

I'd like to extend this with more sigs so the file extract is my preferred method.

Should I be catching the sig_match event and then "call" file extract or catch the file_new event and somehow match the sig ?

Answer 1

You can do something simple that has a caveat. This will only match up to the first 4096 bytes of a file by using the bof_buffer (Begin Of File buffer) that is given with the fa_file record. We can look into that record with the file_sniff event to see if what you are looking for can be found there.

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( /<[iI][fF][rR][aA][mM][eE][[:blank:]]/ in f$bof_buffer )
        {
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
        }
    }

What makes the caveat of this a little less important is that you don't actually have the opportunity to extract the complete file after the file_sniff event anyway. Bro always operates on data in a streaming fashion and it doesn't keep things in memory forever so we only maintain this small buffer to allow us to make a decision on the file before we flush it to analyzers (such as the file extract analyzer).

Are you actually looking to extract the entire file or are you just looking to extract the url of the iframe?