File extraction configuration conflicts with zeek default extraction #650
-
|
I am based on https://idaholab.github.io/Malcolm/docs/file-scanning.html#ZeekFileExtraction I have configured the extraction, for example, when I set the 'notcommtxt' mode, I expect to generate files without text/plain, but the zeek files.log file still records many text/plain types. It seems that zeek has extracted these files by default. I have checked the zeek source code opt/zeek/share/zeek/base/frameworks/files/main.zeek, and this code will also be recorded in files.log. Does this conflict with Malcolm's configuration? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Configuring file extraction doesn't change which files are seen by Zeek and recorded in files.log, only which files are extracted to disk, scanned, and potentially preserved for later analysis. Configuring this feature doesn't change files.log at all, only if further actions are taken on the files (like scanning them with ClamAV, capa, YARA) after they are detected. |
Beta Was this translation helpful? Give feedback.
-
|
I see, thank you. In that case, I should modify Zeek's source code to align its behavior with Malcolm's, as Zeek extracts many files by default that are meaningless. |
Beta Was this translation helpful? Give feedback.
-
|
Zeek is not "extracting" those files, as in extracting them to disk. It's just observing that the files are present in situ in traffic. |
Beta Was this translation helpful? Give feedback.
Configuring file extraction doesn't change which files are seen by Zeek and recorded in files.log, only which files are extracted to disk, scanned, and potentially preserved for later analysis. Configuring this feature doesn't change files.log at all, only if further actions are taken on the files (like scanning them with ClamAV, capa, YARA) after they are detected.