By default, extracted files are written to the extract_files folder under the current working directory of the Zeek process.
Common values of mime_type:
text/plain
image/jpeg
image/png
text/html
application/pdf
application/x-dosexec
Official demo: https://docs.zeek.org/en/current/examples/httpmonitor/index.html#inspecting-files
```zeek
global mime_to_ext: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
};

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Only files carried over HTTP are of interest here.
    if ( f$source != "HTTP" )
        return;

    # Skip files whose type could not be sniffed.
    if ( ! meta?$mime_type )
        return;

    # Skip types that are not in the table above.
    if ( meta$mime_type !in mime_to_ext )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[meta$mime_type]);
    print fmt("Extracting file %s", fname);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```
Output:

```
$ zeek -r zeek.org.pcap file_extraction.zeek
Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
Extracting file HTTP-FMG4bMmVV64eOsCb.txt
Extracting file HTTP-FnaT2a3UDd093opCB9.txt
Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt
Extracting file HTTP-FsvATF146kf1Emc21j.txt
[...]
```
Extracting FTP and SMTP files at the same time
```zeek
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Files seen by the SMTP analyzer or on an FTP data channel.
    if ( f$source == "SMTP" || f$source == "FTP_DATA" )
        {
        print f$source;

        # No MIME-to-extension mapping here, so everything gets a .bin suffix.
        local fname = fmt("%s-%s.bin", f$source, f$id);
        print fmt("Extracting file %s", fname);

        Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
        }
    }
```
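The two scripts above can be folded into one. The following is an added example written for this page, not code from the Zeek documentation: it extracts from HTTP, SMTP and FTP_DATA in a single handler, names each file by its sniffed MIME type (falling back to .bin when the type is missing or unmapped, instead of dropping the file), caps the bytes written per file, and attaches a SHA-256 analyzer so every extracted file can later be matched against known-bad hashes. The `extract_sources` set, the `ext_for` helper and the `max_extract_bytes` value are assumptions introduced here; `FileExtract::prefix`, `$extract_limit` and `Files::ANALYZER_SHA256` are standard Zeek names.

```zeek
# Added example: combined HTTP/SMTP/FTP_DATA extraction with size cap and hashing.
# Not from the page or from the Zeek project.

# Output directory; this is also Zeek's default (relative to the working directory).
redef FileExtract::prefix = "./extract_files/";

# Per-file byte cap for extraction (hypothetical value, chosen for this example).
const max_extract_bytes: count = 10 * 1024 * 1024 &redef;

# Sniffed MIME type -> file extension used when naming extracts.
global mime_to_ext: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/pdf"] = "pdf",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
};

# Protocol sources whose files are extracted (assumed set for this example).
const extract_sources: set[string] = { "HTTP", "SMTP", "FTP_DATA" };

# Helper (assumed): extension for a sniffed type; unknown or absent types become "bin"
# so the file is still kept and can be inspected by hand or by an external scanner.
function ext_for(meta: fa_metadata): string
    {
    if ( meta?$mime_type && meta$mime_type in mime_to_ext )
        return mime_to_ext[meta$mime_type];
    return "bin";
    }

event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source !in extract_sources )
        return;

    local mime = meta?$mime_type ? meta$mime_type : "unknown";
    local fname = fmt("%s-%s.%s", f$source, f$id, ext_for(meta));
    print fmt("Extracting file %s (%s)", fname, mime);

    # Extract to disk, but never write more than max_extract_bytes per file.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname, $extract_limit=max_extract_bytes]);

    # Hash the same file; the digest is stored in f$info$sha256 when the file completes.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

# Fires once Zeek is done with a file: report id, digest and size for each extract.
event file_state_remove(f: fa_file)
    {
    if ( f$source !in extract_sources )
        return;

    if ( ! f?$info || ! f$info?$sha256 )
        return;

    print fmt("%s-%s sha256=%s bytes=%d", f$source, f$id, f$info$sha256, f$seen_bytes);
    }
```

Run it the same way as the demo (`zeek -r some.pcap combined_extract.zeek`); the SHA-256 line per file is what you would feed to an intel lookup, and the size cap keeps a single large download from filling the extraction directory.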