base/files/extract/main.zeek

FileExtract
Namespace:FileExtract
Imports:base/frameworks/files, base/utils/paths.zeek

Summary

Runtime Options

FileExtract::default_limit: count &redef The default max size for extracted files (they won’t exceed this number of bytes).

Redefinable Options

FileExtract::prefix: string &redef The prefix where files are extracted to.

Redefinitions

Files::AnalyzerArgs: record &redef
New Fields:

Files::AnalyzerArgs

extract_filename: string &optional

The local filename to which to write an extracted file.

extract_limit: count &default = FileExtract::default_limit &optional

The maximum allowed file size in bytes of extract_filename.

Files::Info: record &redef
New Fields:

Files::Info

extracted: string &optional &log

Local filename of extracted file.

extracted_cutoff: bool &optional &log

Set to true if extraction stopped at the size limit, so the file written to disk is incomplete.

extracted_size: count &optional &log

The number of bytes extracted to disk.

Functions

FileExtract::set_limit: function Sets the maximum allowed extracted file size.

Detailed Interface

Runtime Options

FileExtract::default_limit
Type:count
Attributes:&redef
Default:0
Redefinition:from policy/tuning/defaults/extracted_file_limits.zeek, = 104857600 (100 MiB)

The default max size for extracted files (they won't exceed this number of bytes). A value of zero means unlimited.

Redefinable Options

FileExtract::prefix
Type:string
Attributes:&redef
Default:"./extract_files/"

The prefix where files are extracted to.

Functions

FileExtract::set_limit
Type:function (f: fa_file, args: Files::AnalyzerArgs, n: count) : bool

Sets the maximum allowed extracted file size.

f:A file that's being extracted.
args:Arguments that identify a file extraction analyzer (the same record that was passed to Files::add_analyzer).
n:Allowed number of bytes to be extracted.
Returns:false if a file extraction analyzer wasn't active for the file, else true.
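The following script ties the pieces above together: it attaches the extraction analyzer with Files::AnalyzerArgs (extract_filename, extract_limit), raises the cap with FileExtract::set_limit and checks its return value, and reads the extracted, extracted_cutoff and extracted_size fields of Files::Info when the file is done. It is an added example, not code from base/files/extract/main.zeek or the Zeek project. Assumptions: files of interest arrive over HTTP with MIME type application/x-dosexec, the module name ExtractDemo and the 1 MiB / 50 MiB limits are illustrative, and the output name is derived from Zeek's own file id rather than any client-supplied filename so that no attacker-controlled string reaches the filesystem path.

```zeek
# Added example (not part of base/files/extract/main.zeek).
# Assumed: HTTP transport, Windows executables, illustrative size limits.

@load base/frameworks/files
@load base/files/extract

module ExtractDemo;

export {
	## Routine per-file cap in bytes (illustrative value).
	const routine_limit: count = 1 * 1024 * 1024 &redef;
	## Hard ceiling that set_limit() may raise the cap to (illustrative value).
	const hard_ceiling: count = 50 * 1024 * 1024 &redef;
}

# Directory the analyzer writes into; this is also the module's default.
redef FileExtract::prefix = "./extract_files/";

event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( f$source != "HTTP" )
		return;
	if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
		return;

	# Name the output from Zeek's file id, never from client-supplied
	# metadata, so the path under FileExtract::prefix is not attacker-chosen.
	local args: Files::AnalyzerArgs = [$extract_filename=fmt("%s.exe", f$id),
	                                   $extract_limit=routine_limit];

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);

	# If the transport already announced the file size (e.g. Content-Length)
	# and it is above the routine cap but within the hard ceiling, raise the
	# cap so the file is not truncated. set_limit() needs the same args record
	# used in add_analyzer() and returns F if no extraction analyzer is active.
	if ( f?$total_bytes && f$total_bytes > routine_limit && f$total_bytes <= hard_ceiling )
		{
		if ( ! FileExtract::set_limit(f, args, f$total_bytes) )
			Reporter::warning(fmt("set_limit failed for %s: no extraction analyzer active", f$id));
		}
	}

event file_state_remove(f: fa_file)
	{
	if ( ! f?$info || ! f$info?$extracted )
		return;

	# extracted_size is the byte count written to disk; extracted_cutoff is
	# set when the limit stopped extraction before the end of the file.
	local size = f$info?$extracted_size ? f$info$extracted_size : 0;
	local path = fmt("%s%s", FileExtract::prefix, f$info$extracted);

	if ( f$info?$extracted_cutoff && f$info$extracted_cutoff )
		print fmt("TRUNCATED %s after %d bytes (file reported %s bytes)",
		          path, size,
		          f?$total_bytes ? fmt("%d", f$total_bytes) : "unknown");
	else
		print fmt("extracted %s (%d bytes)", path, size);
	}
```

Run it with `zeek -r capture.pcap extract_demo.zeek` (file name assumed). The set_limit call is only worthwhile when the size becomes known after the analyzer was attached; where the size is known up front, setting extract_limit directly in the args record is equivalent.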