base/protocols/conn/contents.bro

Conn

This script can be used to extract either the originator's data or the responder's data, or both. By default nothing is extracted; to actually extract data, the c$extract_orig and/or c$extract_resp field of the connection must be set to T. One way to achieve this is to handle the connection_established event elsewhere and set extract_orig and/or extract_resp there. However, there may be timing trouble because of event queue delay.

Note

This script does not work well in a cluster context unless it has a remotely mounted disk to write the content files to.
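The connection_established approach described above, as an added example that is not part of the original script or its documentation. It assumes a hypothetical, site-specific set of server ports (extract_ports) as the selection criterion and keeps extracted files under a custom prefix; because of the event queue delay mentioned above, the first packets of a very short connection may already have passed before the flags take effect.

```bro
@load base/protocols/conn/contents

# Hypothetical site-specific selection: only keep content for these
# responder ports (constructed example value, not from the script).
const extract_ports: set[port] = { 80/tcp } &redef;

# Files are opened on disk with this prefix instead of "contents".
redef Conn::extraction_prefix = "extracted";

event connection_established(c: connection)
	{
	# Enable extraction for both directions only for selected ports,
	# so the bulk of traffic is not written to disk.
	if ( c$id$resp_p in extract_ports )
		{
		c$extract_orig = T;
		c$extract_resp = T;
		}
	}
```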

Namespace: Conn
Imports: base/utils/files.bro
Source File: /scripts/base/protocols/conn/contents.bro

Summary

Runtime Options

Conn::default_extract: bool &redef If this variable is set to T, then all contents of all connections will be extracted.
Conn::extraction_prefix: string &redef The prefix given to files containing extracted connections as they are opened on disk.

Redefinitions

connection: record

Detailed Interface

Runtime Options

Conn::default_extract
Type: bool
Attributes: &redef
Default: F

If this variable is set to T, then all contents of all connections will be extracted.

Conn::extraction_prefix
Type: string
Attributes: &redef
Default: "contents"

The prefix given to files containing extracted connections as they are opened on disk.

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.