base/files/extract/main.zeek

FileExtract
Namespace

FileExtract

Imports

base/frameworks/files, base/utils/paths.zeek

Summary

Runtime Options

FileExtract::default_limit: count &redef

The default max size for extracted files (they won’t exceed this number of bytes).

FileExtract::default_limit_includes_missing: bool &redef

This setting configures whether the file extract limit is inclusive of missing bytes.

Redefinable Options

FileExtract::prefix: string &redef

The prefix where files are extracted to.

Redefinitions

Files::AnalyzerArgs: record &redef

New Fields

Files::AnalyzerArgs

extract_filename: string &optional

The local filename to which to write an extracted file.

extract_limit: count &default = FileExtract::default_limit &optional

The maximum allowed file size in bytes of extract_filename.

extract_limit_includes_missing: bool &default = FileExtract::default_limit_includes_missing &optional

By default, missing bytes in files count towards the extract file size.

Files::Info: record &redef

New Fields

Files::Info

extracted: string &optional &log

Local filename of extracted file.

extracted_cutoff: bool &optional &log

Set to true if the file being extracted was cut off so the whole file was not logged.

extracted_size: count &optional &log

The number of bytes extracted to disk.

Functions

FileExtract::set_limit: function

Sets the maximum allowed extracted file size.

Detailed Interface

Runtime Options

FileExtract::default_limit
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/tuning/defaults/extracted_file_limits.zeek

= 104857600

The default max size for extracted files (they won’t exceed this number of bytes). A value of zero means unlimited.

FileExtract::default_limit_includes_missing
Type

bool

Attributes

&redef

Default

T

This setting configures whether the file extract limit is inclusive of missing bytes. By default, missing bytes do count towards the limit. Setting this option to false changes this behavior so that missing bytes no longer count towards the limit. Files with missing bytes are created as sparse files on disk, so their apparent size can exceed this file size limit.

Redefinable Options

FileExtract::prefix
Type

string

Attributes

&redef

Default

"./extract_files/"

The prefix where files are extracted to.

Functions

FileExtract::set_limit
Type

function (f: fa_file, args: Files::AnalyzerArgs, n: count) : bool

Sets the maximum allowed extracted file size.

Parameters
  • f – A file that’s being extracted.

  • args – Arguments that identify a file extraction analyzer.

  • n – Allowed number of bytes to be extracted.

Returns

false if a file extraction analyzer wasn’t active for the file, else true.
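The following script ties the interface above together: it redefines FileExtract::prefix and FileExtract::default_limit, attaches the extract analyzer from file_sniff with a per-file extract_filename and extract_limit, and raises the cap from within a file_extraction_limit handler via FileExtract::set_limit. It is an added example, not code from the Zeek distribution or from this page. The module name ExtractExample, the MIME type set, the path under /var/tmp and the size values are constructed for illustration; the file_extraction_limit event and the Files::ANALYZER_EXTRACT tag are part of Zeek but are not documented on this page.

```zeek
# Added example (not part of base/files/extract/main.zeek): extract selected file
# types with a size cap and record truncation in files.log.
@load base/files/extract

module ExtractExample;

# Directory the extracted files are written to (constructed path for this example).
redef FileExtract::prefix = "/var/tmp/zeek_extract/";

# Global default cap of 50 MiB; a value of 0 would mean unlimited.
redef FileExtract::default_limit = 50 * 1024 * 1024;

export {
	## MIME types worth extracting (constructed set for this example).
	const extract_mime_types: set[string] = {
		"application/x-dosexec",
		"application/x-executable",
		"application/pdf",
	} &redef;

	## Tighter per-file cap applied to PDFs (constructed value for this example).
	const pdf_limit: count = 10 * 1024 * 1024 &redef;
}

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	# fa_metadata$mime_type is optional; bail out if sniffing found nothing useful.
	if ( ! meta?$mime_type || meta$mime_type !in extract_mime_types )
		return;

	# extract_filename is relative to FileExtract::prefix; f$id is unique per
	# file, so concurrent extractions do not overwrite each other.
	local fname = fmt("%s-%s", f$source, f$id);

	# Per-file limit: PDFs get the tighter cap, everything else the global default.
	# Missing bytes (e.g. from packet loss) are excluded from the cap, so the
	# on-disk file may be sparse and larger than extract_limit.
	local limit = meta$mime_type == "application/pdf" ? pdf_limit : FileExtract::default_limit;
	local args = Files::AnalyzerArgs($extract_filename = fname,
	                                 $extract_limit = limit,
	                                 $extract_limit_includes_missing = F);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
	}

# Raised by the extract analyzer when the next chunk (len bytes) would push the
# file past its current limit.  Without a call to FileExtract::set_limit here the
# file is cut off and Files::Info$extracted_cutoff is logged as T.
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
	{
	# Grant executables one extra MiB (constructed policy for this example); the
	# call returns F only if no extract analyzer is active for this file.
	if ( f?$info && f$info?$mime_type && f$info$mime_type == "application/x-dosexec" )
		{
		if ( ! FileExtract::set_limit(f, args, limit + 1024 * 1024) )
			Reporter::warning(fmt("set_limit failed for %s: no extract analyzer active", f$id));
		}
	}
```

Run it as `zeek -r capture.pcap extract_example.zeek`; files.log then carries the extracted, extracted_size and extracted_cutoff fields for every file the script handled. Leaving extract_limit_includes_missing at its default of T is the safer choice when disk usage must be bounded strictly, since sparse output can otherwise exceed the cap in apparent size.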