Module for File Extraction

This is a Zeek package that provides convenient extraction of files.

As a secondary goal, this script performs other commonly requested file extraction and logging tasks, such as naming extracted files after their calculated checksum or giving them the common file extension for their type.

Installing with zkg (preferred)

This package can be installed through the Zeek package manager (zkg) with the following commands:

zkg install zeek/hosom/file-extraction

# you must separately load the package for it to actually do anything
zkg load zeek/hosom/file-extraction

Installing manually

While not preferred, this package can also be installed manually. To do this, follow the steps below:

cd <prefix>/share/zeek/site
git clone git://github.com/hosom/file-extraction file-extraction
echo "@load file-extraction" >> local.zeek

Configuration

By default the package loads the extract-common-exploit-types.zeek policy; additional functionality may be desired.

Configuration must always be done within the config.zeek file. Configuration placed in any other file of the package will be overwritten.

Advanced Configuration

For advanced configuration of file extraction, the best option is to write a handler for the FileExtraction::extract hook. For examples of this, look at the scripts in the plugins directory.
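The following is an added example of such a handler, not one of the package's own plugins. It extracts a chosen set of MIME types only when the file was served by a host outside the monitored site, which is a narrower selection than any of the shipped plugins. Two things are assumed rather than stated on this page: that the hook is declared as hook FileExtraction::extract(f: fa_file, meta: fa_metadata), and that a handler selects a file for extraction by executing break, which is the convention the shipped plugins follow; the MIME type set is constructed for the example.

```zeek
# plugins/extract-inbound-types.zeek (added example; not a package plugin)
#
# Assumptions not stated on the page: the hook signature below, and that
# `break` inside the hook (outside any loop) marks the file for extraction,
# as the shipped plugins do. Verify against the plugins directory.

@load base/utils/site

module FileExtraction;

export {
    ## MIME types worth extracting when they arrive from a non-local host.
    ## Constructed example set; adjust to what your sensor actually sniffs.
    const inbound_types: set[string] = {
        "application/x-dosexec",
        "application/zip",
        "text/x-shellscript",
    } &redef;
}

hook FileExtraction::extract(f: fa_file, meta: fa_metadata) &priority=5
    {
    # No sniffed MIME type: nothing to decide on, let other handlers run.
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in inbound_types )
        return;

    # Files without connection context (e.g. from input sources) are skipped.
    if ( ! f?$conns )
        return;

    # Extract only if at least one carrying connection has a responder
    # outside Site::local_nets, i.e. the file was fetched from the outside.
    local from_outside = F;
    for ( cid in f$conns )
        {
        if ( ! Site::is_local_addr(cid$resp_h) )
            {
            from_outside = T;
            break;  # exits the for loop only, not the hook
            }
        }

    if ( from_outside )
        break;  # terminates the hook: this file will be extracted
    }
```

Note the two different meanings of break: inside the for loop it leaves the loop, while at hook level it terminates the hook and signals the selection, which is why the result is carried in a flag. Save the script under plugins and @load it from config.zeek, as the Configuration section requires.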

Plugins

extract-all-files.zeek

Attaches the extract files analyzer to every file for which a mime_type has been detected.

extract-java.zeek

Attaches the extract files analyzer to every JNLP and Java Archive file detected.

extract-pe.zeek

Attaches the extract files analyzer to every PE file detected.

extract-ms-office.zeek

Attaches the extract files analyzer to every MS Office file detected.

extract-pdf.zeek

Attaches the extract files analyzer to every PDF file detected.

extract-common-exploit-types.zeek

Loads the following plugins:

  • extract-java.zeek
  • extract-pe.zeek
  • extract-ms-office.zeek
  • extract-pdf.zeek

store-files-by-md5.zeek

Uses file_state_remove to rename extracted files based on the MD5 checksum whenever it is available.

store-files-by-sha1.zeek

Uses file_state_remove to rename extracted files based on the SHA1 checksum whenever it is available.

store-files-by-sha256.zeek

Uses file_state_remove to rename extracted files based on the SHA256 checksum whenever it is available.
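The following is an added example, not one of the package's plugins, that generalizes the three store-files-by-* scripts into a single file_state_remove handler whose checksum is selected with a redef-able constant. It also covers two cases the one-line descriptions above leave open: the hash analyzer did not run, so the file keeps its original name, and a file with the same checksum is already stored, so the duplicate is removed rather than overwriting the original. Assumptions not stated on this page: the stock extract analyzer convention that f$info$extracted holds the bare filename and the file lives under FileExtract::prefix, and that a hash analyzer (for example policy/frameworks/files/hash-all-files) has populated f$info$md5, f$info$sha1 or f$info$sha256.

```zeek
# plugins/store-files-by-hash.zeek (added example; not a package plugin)
#
# Assumptions not stated on the page: f$info$extracted is the bare filename
# and the file sits under FileExtract::prefix (stock extract analyzer
# behaviour), and a hash analyzer has filled in the checksum fields.

@load base/files/extract
@load base/files/hash
@load base/utils/paths

module FileExtraction;

export {
    type HashAlgo: enum { MD5, SHA1, SHA256 };

    ## Checksum used to name stored files. SHA256 is the default here
    ## because MD5 and SHA1 collisions can be manufactured, so two
    ## different payloads could otherwise end up under one name.
    const store_by: HashAlgo = SHA256 &redef;
}

## Returns the selected checksum for the file, or "" if it was not computed.
function chosen_hash(f: fa_file): string
    {
    if ( ! f?$info )
        return "";
    if ( store_by == MD5 && f$info?$md5 )
        return f$info$md5;
    if ( store_by == SHA1 && f$info?$sha1 )
        return f$info$sha1;
    if ( store_by == SHA256 && f$info?$sha256 )
        return f$info$sha256;
    return "";
    }

## Keeps the extension the extractor already assigned (e.g. "exe"), if any.
function extension_of(name: string): string
    {
    local parts = split_string(name, /\./);
    if ( |parts| < 2 )
        return "";
    return parts[|parts| - 1];
    }

# Default priority 0 runs before the Files framework writes files.log at
# priority -10, so the log records the checksum-based name.
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    local hash = chosen_hash(f);
    if ( hash == "" )
        return;  # hash analyzer did not run: keep the original name

    local ext = extension_of(f$info$extracted);
    local new_name = ( ext == "" ) ? hash : fmt("%s.%s", hash, ext);

    local src = build_path_compressed(FileExtract::prefix, f$info$extracted);
    local dst = build_path_compressed(FileExtract::prefix, new_name);

    # A file with this checksum is already stored, so the new copy is
    # byte-identical: drop it rather than rewriting the original.
    if ( file_size(dst) >= 0 )
        {
        unlink(src);
        f$info$extracted = new_name;
        return;
        }

    if ( rename(src, dst) )
        f$info$extracted = new_name;
    else
        Reporter::warning(fmt("could not rename %s to %s", src, dst));
    }
```

Because files.log still records the final name, an analyst can join a files.log entry to the stored artifact by checksum alone, and the dedup branch means a repeatedly downloaded sample occupies disk once while every sighting remains in the log.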
