base/files/extract/main.zeek

FileExtract
Namespace

FileExtract

Imports

base/frameworks/files, base/utils/paths.zeek

Summary

Runtime Options

FileExtract::default_limit: count &redef

The default max size for extracted files (they won’t exceed this number of bytes).

Redefinable Options

FileExtract::prefix: string &redef

The prefix where files are extracted to.

Redefinitions

Files::AnalyzerArgs: record &redef

New Fields

Files::AnalyzerArgs

extract_filename: string &optional

The local filename to which to write an extracted file.

extract_limit: count &default = FileExtract::default_limit &optional

The maximum allowed file size in bytes of extract_filename.

Files::Info: record &redef

New Fields

Files::Info

extracted: string &optional &log

Local filename of extracted file.

extracted_cutoff: bool &optional &log

Set to true if the file being extracted was cut off so the whole file was not logged.

extracted_size: count &optional &log

The number of bytes extracted to disk.

Functions

FileExtract::set_limit: function

Sets the maximum allowed extracted file size.

Detailed Interface

Runtime Options

FileExtract::default_limit
Type

count

Attributes

&redef

Default

0

Redefinition

from policy/tuning/defaults/extracted_file_limits.zeek

= 104857600

The default max size for extracted files (they won’t exceed this number of bytes). A value of zero means unlimited.

Redefinable Options

FileExtract::prefix
Type

string

Attributes

&redef

Default

"./extract_files/"

The prefix where files are extracted to.

Functions

FileExtract::set_limit
Type

function (f: fa_file, args: Files::AnalyzerArgs, n: count) : bool

Sets the maximum allowed extracted file size.

f

A file that’s being extracted.

args

Arguments that identify a file extraction analyzer.

n

Allowed number of bytes to be extracted.

Returns

false if a file extraction analyzer wasn’t active for the file, else true.
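The following script is an added example and is not part of base/files/extract/main.zeek or the Zeek distribution. It ties together the options and fields documented above: it redefines FileExtract::prefix, attaches the extraction analyzer with an explicit extract_filename and extract_limit, and uses FileExtract::set_limit from the file_extraction_limit event to let one MIME type grow past the initial cap. The identifiers Files::add_analyzer, Files::ANALYZER_EXTRACT, file_sniff, fa_metadata, file_extraction_limit and Reporter::warning are standard Zeek files-framework names not listed on this page; the MIME list, the 5 MiB and 50 MiB caps, the module name and the output directory are this example's own assumptions.

```zeek
##! Added example (not part of Zeek): extract selected files to disk with a
##! per-file size cap, and raise the cap for PDFs when they hit it.
##! Assumed/constructed values: the MIME list, the 5 MiB and 50 MiB limits,
##! the module name and the directory in FileExtract::prefix.

@load base/frameworks/files
@load base/files/extract

module ExtractExample;

export {
    ## MIME types worth keeping on disk (constructed list for this example).
    const interesting_types: set[string] = {
        "application/pdf",
        "application/x-dosexec",
        "application/zip",
    } &redef;

    ## Cap applied to every file when the analyzer is attached (5 MiB, example value).
    const per_file_limit = 5 * 1024 * 1024 &redef;

    ## Larger cap granted to PDFs that exceed per_file_limit (50 MiB, example value).
    const pdf_limit = 50 * 1024 * 1024 &redef;
}

# Override the module default of "./extract_files/" (example directory).
redef FileExtract::prefix = "./extracted_samples/";

# Attach the EXTRACT analyzer once the MIME type has been sniffed. The
# filename is derived from the file's unique id so concurrent files never
# collide inside FileExtract::prefix.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in interesting_types )
        return;

    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname,
                         $extract_limit=per_file_limit]);
    }

# Raised by the analyzer when a file reaches its extract_limit. Calling
# FileExtract::set_limit here with a larger value lets extraction continue;
# otherwise the file is cut off and files.log records extracted_cutoff=T and
# extracted_size as the number of bytes written before the cap.
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count)
    {
    if ( ! f?$info || ! f$info?$mime_type )
        return;

    if ( f$info$mime_type == "application/pdf" && limit < pdf_limit )
        {
        # Returns F only if no extraction analyzer is active for this file.
        if ( ! FileExtract::set_limit(f, args, pdf_limit) )
            Reporter::warning(fmt("no active extract analyzer for file %s", f$id));
        }
    }
```

Run it with `zeek -r capture.pcap extract_example.zeek` (paths are placeholders) and compare files.log: every extracted file carries the extracted filename and extracted_size, and non-PDF files larger than 5 MiB show extracted_cutoff=T, while PDFs between 5 MiB and 50 MiB are written in full because the limit was raised from inside the event.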