base/protocols/conn/contents.bro

Conn

This script can be used to extract either the originator’s data or the responders data or both. By default nothing is extracted, and in order to actually extract data the c$extract_orig and/or the c$extract_resp variable must be set to T. One way to achieve this would be to handle the connection_established event elsewhere and set the extract_orig and extract_resp options there. However, there may be trouble with the timing due to event queue delay.

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.

Namespace:Conn Imports:base/utils/files.bro Source File:/scripts/base/protocols/conn/contents.bro

Summary

Runtime Options

Conn::default_extract: bool &redef	If this variable is set to T, then all contents of all connections will be extracted.
Conn::extraction_prefix: string &redef	The prefix given to files containing extracted connections as they are opened on disk.

Redefinitions

connection: record

Detailed Interface

Runtime Options

Conn::default_extract

Type:bool Attributes:&redef Default:F

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix

Type:string Attributes:&redef Default:"contents"

The prefix given to files containing extracted connections as they are opened on disk.