先簡單記一下zeek file extraction
zkg install zeek/hosom/file-extraction
# you must separately load the package for it to actually do anything
zkg load zeek/hosom/file-extraction
mkdir /opt/extract_files
vi /opt/zeek/share/zeek/base/files/extract/main.zeek
#const prefix = "./extract_files/" &redef;
const prefix = "/opt/extract_files/" &redef;
vi /opt/zeek/share/zeek/site/local.zeek
加上這一行：
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@zeek:~# /opt/zeek/bin/zeekctl
Warning: zeekctl node config has changed (run the zeekctl "deploy" command)
Welcome to ZeekControl 2.2.0
Type "help" for help.
[ZeekControl] > start
starting zeek ...
creating crash report for previously crashed nodes: zeek
[ZeekControl] > deploy
[ZeekControl] > quit
https://chanfs.medium.com/file-extraction-with-zeek-2c1a0bb1aa98
https://github.com/hosom/file-extraction
https://www.ericooi.com/zeekurity-zen-part-vi-zeek-file-analysis-framework/