Logo

A powerful, easily deployable network traffic analysis tool suite

Quick Start

Documentation

Components

Supported Protocols

Configuring

Arkime

Dashboards

Hedgehog Linux

Contribution Guide

Automatic file extraction and scanning

Malcolm can leverage Zeek’s knowledge of network protocols to automatically detect file transfers and extract those files from PCAPs as Zeek processes them. This behavior can be enabled globally by modifying the ZEEK_EXTRACTOR_MODE variable in zeek.env, or on a per-upload basis for PCAP files uploaded via the browser-based upload form when Analyze with Zeek is selected.

To specify which files should be extracted, the following values are acceptable in ZEEK_EXTRACTOR_MODE:

Extracted files can be examined through any of the following methods:

Files flagged via any of these methods will be logged as Zeek signatures.log entries, and can be viewed in the Signatures dashboard in OpenSearch Dashboards.

The EXTRACTED_FILE_PRESERVATION environment variable in zeek.env determines the behavior for preservation of Zeek-extracted files:

The EXTRACTED_FILE_HTTP_SERVER_… environment variables in zeek.env and zeek-secret.env configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server accessible at https://localhost/extracted-files/ if connecting locally. Beware that Zeek-extracted files may contain malware. As such, these files may be optionally ZIP archived (without a password or password-protected according to the WinZip AES encryption specification) or encrypted (to be decrypted using openssl, e.g., openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe) upon download. In other words:

User interface

The files extracted by Zeek and the data about those files can be accessed through several of Malcolm’s user interfaces.

The files dashboard displays metrics about the files transferred over the network

Arkime's session details for files.log entries

The extracted files directory interface