FILE FRAMEWORK | EXTRACT FILES
the "File Analysis" framework's "extract-all-files" script attaches the extract analyzer to every file zeek sees in a pcap or in ingested traffic and writes the file contents to disk. on first use a directory named extract_files is created automatically (the default FileExtract::prefix, "./extract_files/", relative to the directory zeek is run from) and every extracted file is placed in it
#zeek frameworks
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks
cluster dpd intel notice signatures
control files netcontrol packet-filter software
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks/files/
detect-MHR.zeek entropy-test-all-files.zeek extract-all-files.zeek hash-all-files.zeek
root@dco:~$ cat /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
##! Extract all files to disk.
@load base/files/extract
event file_new(f: fa_file)
{
Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
}
#usage (-r reads the pcap offline, -C ignores bad TCP/IP checksums so files in a broken capture are still reassembled)
root@dco:~$ zeek -C -r case1.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
* the extracted files will be located in the "extract_files" directory next to the logs
root@dco:~$ ls
101.zeek 102.zeek 103.zeek case1.pcap clear-logs.sh conn.log dhcp.log dns.log extract_files files.log ftp.pcap http.log packet_filter.log pe.log
root@dco:~$ ls extract_files | nl
1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja
2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3
3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl
root@dco:~$ cd extract_files
root@dco:~$ file * | nl
1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja: ASCII text, with no line terminators
2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 18:24:00 2019, Last Saved Time/Date: Thu Jun 27 18:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl: PE32 executable (GUI) Intel 80386, for MS Windows
* zeek names each extracted file from the fields of the fa_file record, which are the same values logged in files.log:
a. "extract" keyword (literal prefix)
b. timestamp value (ts)
c. source (the protocol analyzer that carried the file, e.g. HTTP)
d. file unique id (fuid, the "F..." id in files.log; this is not the "C..." connection id found in conn_uids)
* files.log also records the name in its "extracted" column, so an extracted file can be tied back to its conn_uids, tx_hosts/rx_hosts and mime_type
* example:
{keyword}-{ts}-{source}-{fuid}
extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl
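the naming scheme above is what lets an analyst pivot from a suspicious extracted file (e.g. the PE32 found by `file`) back to the connection and hosts that delivered it. the script below is an added example, not part of these notes or of zeek: it parses an extract-{ts}-{source}-{fuid} name, looks the fuid up in files.log, and lists which extracted files have a mime_type worth triaging. the files.log excerpt is constructed (the three fuids and timestamps are the ones shown above, the hosts and conn_uids are made up), the column list is cut down to what the script needs, the mime watchlist is hypothetical, and the sha256 column is only populated when hash-all-files.zeek is also loaded.

```python
"""Map zeek extracted file names back to files.log records (added example).

Zeek names each extracted file "extract-<ts>-<source>-<fuid>". The last
component is the file id (fuid, "F..." in files.log), not the connection
id (conn_uids, "C..."), so the fuid is the key used to join on files.log.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed files.log excerpt in zeek's tab-separated ASCII format, cut down
# to the columns used here; the hosts and conn_uids are made up for the example.
FILES_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tsha256\textracted\n"
    "#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tstring\tstring\n"
    "1561667874.743959\tFpgan59p6uvNzLFja\t198.51.100.5\t192.0.2.10\tCYd2Tk3PvZxN5Uw3h\tHTTP\ttext/plain\t-\textract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja\n"
    "1561667889.703239\tFB5o2Hcauv7vpQ8y3\t198.51.100.5\t192.0.2.10\tCYd2Tk3PvZxN5Uw3h\tHTTP\tapplication/msword\t-\textract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3\n"
    "1561667899.060086\tFOghls3WpIjKpvXaEl\t198.51.100.5\t192.0.2.10\tCYd2Tk3PvZxN5Uw3h,C8mKz1abCdEfGhIjK\tHTTP\tapplication/x-dosexec\t-\textract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl\n"
    "#close\t2019-06-27-20-00-00\n"
)

# Hypothetical watchlist of mime types an analyst would look at first.
TRIAGE_MIME = {"application/x-dosexec", "application/msword", "application/vnd.ms-office"}

# extract-<ts>-<source>-<fuid>: the timestamp is printed as seconds.micros,
# the source is an analyzer name (HTTP, SMTP, FTP_DATA, ...), the fuid starts with F.
NAME_RE = re.compile(r"^extract-(?P<ts>\d+\.\d+)-(?P<source>[^-]+)-(?P<fuid>F\w+)$")


def parse_extracted_name(name: str) -> Optional[Dict[str, str]]:
    """Split an extracted file name into ts, source and fuid; None if it does not match."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a zeek ASCII log: '#fields' names the columns, '-' means unset."""
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, values)))
    return rows


def _split_set(value: Optional[str]) -> List[str]:
    """Zeek serialises set[...] columns as comma-separated values."""
    return value.split(",") if value else []


def lookup_extracted(name: str, rows: List[Dict[str, Optional[str]]]) -> Optional[Dict[str, object]]:
    """Join an extracted file name with its files.log record via the fuid."""
    parsed = parse_extracted_name(name)
    if parsed is None:
        return None
    for r in rows:
        if r.get("fuid") == parsed["fuid"]:
            return {
                "fuid": parsed["fuid"],
                "source": parsed["source"],
                "ts": parsed["ts"],
                # name carries the file's timestamp; compare with the log's ts column
                "ts_matches_log": r.get("ts") == parsed["ts"],
                "conn_uids": _split_set(r.get("conn_uids")),
                "tx_hosts": _split_set(r.get("tx_hosts")),
                "rx_hosts": _split_set(r.get("rx_hosts")),
                "mime_type": r.get("mime_type"),
                "sha256": r.get("sha256"),
                # files.log 'extracted' column should hold exactly this name
                "logged_as_extracted": r.get("extracted") == name,
            }
    return None


def triage(rows: List[Dict[str, Optional[str]]]) -> List[tuple]:
    """Extracted files whose mime_type is on the watchlist, in log order."""
    return [(r["extracted"], r["mime_type"]) for r in rows
            if r.get("extracted") and r.get("mime_type") in TRIAGE_MIME]


def verify_on_disk(extract_dir: str, hit: Dict[str, object], name: str) -> Optional[bool]:
    """Hash the file under extract_files/ and compare with the logged sha256.

    Returns None when files.log has no sha256 (hash-all-files.zeek not loaded).
    """
    if not hit.get("sha256"):
        return None
    digest = hashlib.sha256(Path(extract_dir, name).read_bytes()).hexdigest()
    return digest == hit["sha256"]


if __name__ == "__main__":
    rows = parse_zeek_log(FILES_LOG)
    for name, mime in triage(rows):
        hit = lookup_extracted(name, rows)
        print(f"{name}: {mime} from {hit['tx_hosts']} via {hit['conn_uids']}")
```

pointing this at a real case is `parse_zeek_log(open("files.log").read())`, then `lookup_extracted` on each name from `ls extract_files`; the conn_uids it returns are the keys to grep in conn.log and http.log for the requesting client and URL.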