base/files/extract/main.zeek

FileExtract

Namespace

FileExtract

Imports

base/frameworks/files, base/utils/paths.zeek

Summary

Runtime Options

FileExtract::default_limit: count &redef

The default max size for extracted files (they won’t exceed this number of bytes).

Redefinable Options

FileExtract::prefix: string &redef

The prefix where files are extracted to.

Redefinitions

Files::AnalyzerArgs: record &redef	New Fields Files::AnalyzerArgs extract_filename: string &optional The local filename to which to write an extracted file. extract_limit: count &default = FileExtract::default_limit &optional The maximum allowed file size in bytes of extract_filename.
Files::Info: record &redef	New Fields Files::Info extracted: string &optional &log Local filename of extracted file. extracted_cutoff: bool &optional &log Set to true if the file being extracted was cut off so the whole file was not logged. extracted_size: count &optional &log The number of bytes extracted to disk.

Functions

FileExtract::set_limit: function

Sets the maximum allowed extracted file size.

Detailed Interface

Runtime Options

FileExtract::default_limit

Type

count

Attributes

&redef

Default

0

Redefinition

from policy/tuning/defaults/extracted_file_limits.zeek

=:

104857600

The default max size for extracted files (they won’t exceed this number of bytes). A value of zero means unlimited.

Redefinable Options

FileExtract::prefix

Type

string

Attributes

&redef

Default

"./extract_files/"

The prefix where files are extracted to.

Functions

FileExtract::set_limit

Type

function (f: fa_file, args: Files::AnalyzerArgs, n: count) : bool

Sets the maximum allowed extracted file size.

Parameters

• f – A file that’s being extracted.

• args – Arguments that identify a file extraction analyzer.

• n – Allowed number of bytes to be extracted.

Returns

false if a file extraction analyzer wasn’t active for the file, else true.