sethhall/myextract.bro

## myextract.bro
redef record fa_file += {
	is_my_extractor_going: bool &default=F;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
		{
		f$is_my_extractor_going=T;
		if ( f$source == "HTTP" && is_orig == F )
			{
			local filename = cat(f$source, "_", c$id$orig_h, ":", port_to_count(c$id$orig_p), "-", c$id$resp_h, ":", port_to_count(c$id$resp_p), "_", f$id, ".dat");
			Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=filename]);
			}
		else
			{
			Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
			}
		}
	}
	redef record fa_file += {
	is_my_extractor_going: bool &default=F;
	};

	event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
	{
	f$is_my_extractor_going=T;
	if ( f$source == "HTTP" && is_orig == F )
	{
	local filename = cat(f$source, "_", c$id$orig_h, ":", port_to_count(c$id$orig_p), "-", c$id$resp_h, ":", port_to_count(c$id$resp_p), "_", f$id, ".dat");
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=filename]);
	}
	else
	{
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
	}
	}
	}