File extraction tweaks.

- Default extraction limit of 100MB now provided via a tuning script loaded in local.bro so that command-line Bro is unlimited by default. - Extraction directory is now created on request of file extraction rather than unconditionally in bro_init().
2025-10-02 14:48:21 +00:00 · 2013-08-23 11:53:58 -05:00 · 2013-08-23 11:53:58 -05:00 · 17d0ecd388
commit 17d0ecd388
parent 927f534833
5 changed files with 11 additions and 6 deletions
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@ -266,6 +266,7 @@ rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro)
 rest_target(${psd} policy/protocols/ssl/known-certs.bro)
 rest_target(${psd} policy/protocols/ssl/notary.bro)
 rest_target(${psd} policy/protocols/ssl/validate-certs.bro)
+rest_target(${psd} policy/tuning/defaults/extracted_file_limits.bro)
 rest_target(${psd} policy/tuning/defaults/packet-fragments.bro)
 rest_target(${psd} policy/tuning/defaults/warnings.bro)
 rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro)
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.bro
@ -8,8 +8,8 @@ export {
 	const prefix = "./extract_files/" &redef;

 	## The default max size for extracted files (they won't exceed this
-	## number of bytes), 100MB.
-	const default_limit = 104857600;
+	## number of bytes), unlimited.
+	const default_limit = 0 &redef;

 	redef record Files::Info += {
 		## Local filenames of extracted file.
@ -54,12 +54,10 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)

 	f$info$extracted = args$extract_filename;
 	args$extract_filename = build_path_compressed(prefix, args$extract_filename);
+	mkdir(prefix);
 	}

 event bro_init() &priority=10
 	{
 	Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
-
-	# Create the extraction directory.
-	mkdir(prefix);
 	}
--- a/scripts/policy/tuning/defaults/load.bro
+++ b/scripts/policy/tuning/defaults/load.bro
@ -1,2 +1,3 @@
@load ./packet-fragments
@load ./warnings
+@load ./extracted_file_limits.bro
--- a/scripts/policy/tuning/defaults/extracted_file_limits.bro
+++ b/scripts/policy/tuning/defaults/extracted_file_limits.bro
@ -0,0 +1,4 @@
+@load base/files/extract
+
+# 100 MB.
+redef FileExtract::default_limit = 104857600;
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -89,6 +89,7 @@
@load protocols/ssl/validate-certs.bro
@load tuning/__load__.bro
@load tuning/defaults/__load__.bro
+@load tuning/defaults/extracted_file_limits.bro
@load tuning/defaults/packet-fragments.bro
@load tuning/defaults/warnings.bro
@load tuning/logs-to-elasticsearch.bro