evoxco/extract-files.bro

## extract-files.bro
Enable file extraction (Prior to 2.4.1)
---------------
sudo vi  /mnt/data/bro/share/bro/site/local.bro
@load misc/extract-files


vi /mnt/data/bro/share/bro/policy/misc/extract-files.bro
global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"] = "pdf",
    ["application/msword"] = "doc",
    ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
} &default ="";

event file_new(f: fa_file)
    {
    local ext = "";

    if ( f?$mime_type )
        ext = ext_map[f$mime_type];

    local fname = fmt("%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
	Enable file extraction (Prior to 2.4.1)
	---------------
	sudo vi /mnt/data/bro/share/bro/site/local.bro
	@load misc/extract-files


	vi /mnt/data/bro/share/bro/policy/misc/extract-files.bro
	global ext_map: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["application/pdf"] = "pdf",
	["application/msword"] = "doc",
	["application/vnd.openxmlformats-officedocument.wordprocessingml.document"] = "docx",
	} &default ="";

	event file_new(f: fa_file)
	{
	local ext = "";

	if ( f?$mime_type )
	ext = ext_map[f$mime_type];

	local fname = fmt("%s-%s.%s", f$source, f$id, ext);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}