Malcolm can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from PCAPs as Zeek processes them. This behavior can be enabled globally by modifying the ZEEK_EXTRACTOR_MODE variable in zeek.env, or on a per-upload basis for PCAP files uploaded via the browser-based upload form when Analyze with Zeek is selected.
To specify which files should be extracted, the following values are acceptable for ZEEK_EXTRACTOR_MODE in zeek.env:

- none: no file extraction
- interesting: extraction of files with MIME types of common attack vectors
- notcommtxt: extraction of all files except common plain-text files
- mapped: extraction of files with recognized MIME types
- known: extraction of files for which any MIME type can be determined
- all: extract all files
Extracted files can be examined through any of the following methods:

- VirusTotal lookups, enabled by setting the VTOT_API2_KEY environment variable in zeek-secret.env
- ClamAV scanning, enabled via the EXTRACTED_FILE_ENABLE_CLAMAV environment variable in zeek.env
- YARA scanning, enabled via the EXTRACTED_FILE_ENABLE_YARA environment variable in zeek.env
- capa analysis, enabled via the EXTRACTED_FILE_ENABLE_CAPA environment variable in zeek.env
Files flagged via any of these methods will be logged as Zeek signatures.log entries, and can be viewed in the Signatures dashboard in OpenSearch Dashboards.
The EXTRACTED_FILE_PRESERVATION environment variable in zeek.env determines the behavior for preservation of Zeek-extracted files:

- quarantined: preserve only flagged files, in ./zeek-logs/extract_files/quarantine
- all: preserve flagged files in ./zeek-logs/extract_files/quarantine and all other extracted files in their own directory
- none: preserve no extracted files
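The extraction mode, the scanners and the preservation policy interact: only files a scanner flags ever reach the quarantine directory, so `quarantined` with every scanner disabled preserves nothing, while `all` with `all` keeps every extracted file on disk without anything inspecting it. The following is an added illustration, not a copy of Malcolm's shipped zeek.env; the variable names come from this page, and the `true`/`false` values for the EXTRACTED_FILE_ENABLE_* flags are assumed here. Only one of the two groups belongs in a real zeek.env.

```shell
# Added example, not Malcolm's own zeek.env. Variable names are from the
# documentation above; the true/false values for the scanner flags are assumed.

# --- Weak combination: everything kept, nothing inspected -----------------
# 'all' extracts every file Zeek sees and 'all' preservation keeps every one
# of them, so the extract_files tree grows with traffic volume. With no
# scanner enabled, nothing is ever written to signatures.log, so the
# Signatures dashboard stays empty and nothing is ever quarantined.
ZEEK_EXTRACTOR_MODE=all
EXTRACTED_FILE_ENABLE_CLAMAV=false
EXTRACTED_FILE_ENABLE_YARA=false
EXTRACTED_FILE_ENABLE_CAPA=false
EXTRACTED_FILE_PRESERVATION=all

# --- Corrected combination -------------------------------------------------
# 'interesting' restricts extraction to MIME types of common attack vectors,
# the local scanners produce the signatures.log hits the dashboard shows, and
# 'quarantined' keeps only what those scanners flagged. If you want VirusTotal
# lookups as well, VTOT_API2_KEY goes in zeek-secret.env, not here.
ZEEK_EXTRACTOR_MODE=interesting
EXTRACTED_FILE_ENABLE_CLAMAV=true
EXTRACTED_FILE_ENABLE_YARA=true
EXTRACTED_FILE_ENABLE_CAPA=true
EXTRACTED_FILE_PRESERVATION=quarantined
```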
The EXTRACTED_FILE_HTTP_SERVER_… environment variables in zeek-secret.env configure access to the Zeek-extracted files path through a simple HTTPS directory server, accessible at https://localhost/extracted-files/ when connecting locally. Beware that Zeek-extracted files may contain malware. As such, these files may optionally be ZIP archived (without a password, or password-protected according to the WinZip AES encryption specification) or encrypted (to be decrypted using openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe) upon download.
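Because a downloaded file may be live malware, the decryption step is worth wrapping so the plaintext is never left executable or kept when it is not the file you expected. The script below is an added example and not part of Malcolm; it simulates the server-side encryption on a constructed sample with the same cipher the page's decrypt command names, then decrypts with exactly that command, strips execute permission, and discards the output unless its SHA-256 matches a hash obtained elsewhere (for instance from the Files dashboard or a VirusTotal lookup). The EXTRACTED_FILE_PASSWORD variable name is assumed for this example; the page does not specify how the password is supplied.

```shell
#!/bin/sh
# Added example, not Malcolm's own code. Round-trips a constructed sample
# through AES-256-CBC so the page's decrypt command can be exercised safely,
# then verifies the decrypted copy before anyone touches it.
# Assumption: the download password is supplied in EXTRACTED_FILE_PASSWORD
# (variable name chosen for this example, not taken from the page).
set -eu

# decrypt_extracted_file ENCRYPTED OUT EXPECTED_SHA256
# Decrypts ENCRYPTED into OUT with the command given in the documentation,
# keeps OUT read-only and owner-only, and deletes it unless its SHA-256
# matches EXPECTED_SHA256. Returns 0 only when the hash matches.
decrypt_extracted_file() {
    enc="$1"; out="$2"; expected="$3"
    umask 077                                    # decrypted malware is owner-only
    if ! openssl enc -aes-256-cbc -d -in "$enc" -out "$out" \
            -pass env:EXTRACTED_FILE_PASSWORD 2>/dev/null; then
        rm -f "$out"
        echo "decryption failed for $enc" >&2
        return 1
    fi
    chmod 0400 "$out"                            # never executable
    actual=$(openssl dgst -sha256 "$out" | awk '{print $NF}')
    if [ "$actual" != "$expected" ]; then
        rm -f "$out"
        echo "hash mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# --- Constructed sample standing in for a file Zeek extracted ---------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
export EXTRACTED_FILE_PASSWORD='constructed-demo-password'
printf 'MZ constructed sample, not a real executable\n' > "$workdir/example.exe.orig"

# Simulate the server-side encryption step with the same cipher the page's
# decrypt command uses (the real server's exact options are not on the page).
openssl enc -aes-256-cbc -in "$workdir/example.exe.orig" \
    -out "$workdir/example.exe.encrypted" -pass env:EXTRACTED_FILE_PASSWORD 2>/dev/null

# The reference hash would normally come from the Files dashboard; here it is
# computed from the constructed plaintext.
expected_hash=$(openssl dgst -sha256 "$workdir/example.exe.orig" | awk '{print $NF}')

decrypt_extracted_file "$workdir/example.exe.encrypted" "$workdir/example.exe" "$expected_hash" \
    && echo "decrypted and verified: $workdir/example.exe"
```

Run it as-is to see the round trip; for a real download, point it at the .encrypted file from the HTTPS directory server and pass the hash you already trust, and keep the work directory on a host you are willing to treat as contaminated.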
The files extracted by Zeek and the data about those files can be accessed through several of Malcolm's user interfaces:

- For sessions from the Zeek files log (event.provider == zeek && event.dataset == files), the Arkime session detail's Extracted Filename field can be clicked for a context menu item to Download the extracted file, if it was preserved as described above.
- The fuid values associated with these files and the sessions from which they were extracted are listed in the IDs column as filter links back into Dashboards.