extract.zeek script error #12024
Replies: 3 comments
-
To remedy, I simply removed the "/" on line 60.
-
Apologies, please disregard for now, I'm still receiving the above ERROR.
-
2.3.130 is quite old: Please update to the latest version of 2.3 or migrate to 2.4 since 2.3 reaches End Of Life in less than 4 months:
-
Hello,
I was troubleshooting my 2.3.130 instance and noticed a syntax error in the extract.zeek file.
line 60
local cmd = fmt("cp %s/%s %s && rm %s/%s", FileExtract::prefix, orig, dest, FileExtract::prefix, orig);
FileExtract::prefix was defined with "/nsm/zeek/extracted/"
The cp command on line 60 has a slash in its filepath, so it comes out as
cp /nsm/zeek/extracted//FILE, causing a READER_RAW input error that gets reported in the reporter.log.
Files also will not move to the complete directory.
Reporter.log error line
{"ts":1702582401.774393,"level":"Reporter::ERROR","message":cp /nsm/extracted//SMB-FlFQbG3U4eflhNHzlg.doc /nsm/zeek/extracted/complete/SMB-FlFQbG3U4eflhNHzlg.doc-1c76cd2848e916d667c112fd7f439be4.doc && rm /nsm/extracted//SMB-FlFQbG3U4eflhNHzlg.doc |/Input::READER_RAW: Child process exited with non-zero return code 1","location":""}
I saw this line was still not fixed in the master branch so I wanted to let you know. I'm unsure of the implications of this bug in a production environment right now.
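Added example, not part of the original thread and not the project's code: a reporter.log triage helper that, for each failed READER_RAW `cp` entry, reports separately whether the source path contains a doubled slash and whether it lies outside the configured `FileExtract::prefix`. The function names, the sample file names and the one-JSON-object-per-line input are assumptions.

```python
import json
import posixpath
import re
import shlex

# Message shape taken from the reporter.log entry quoted in the post.
RAW_ERR = re.compile(
    r"^(?P<cmd>.+?) \|/Input::READER_RAW: "
    r"Child process exited with non-zero return code (?P<rc>\d+)$")

def triage(lines, expected_prefix):
    """Return one finding per failed 'cp SRC DEST && rm SRC' reporter entry."""
    want = posixpath.normpath(expected_prefix)
    findings = []
    for line in lines:
        try:
            m = RAW_ERR.match(json.loads(line)["message"])
            argv = shlex.split(m.group("cmd").split("&&")[0]) if m else []
        except (ValueError, KeyError, TypeError):
            continue  # not a JSON object with a parsable message
        if len(argv) != 3 or argv[0] != "cp":
            continue
        src = argv[1]
        norm = posixpath.normpath(src)
        findings.append({
            "src": src,
            "return_code": int(m.group("rc")),
            # POSIX resolves a repeated slash inside a path like a single one.
            "double_slash": "//" in src,
            "normalized_src": norm,
            # True when cp read from a directory other than the expected prefix.
            "outside_prefix": posixpath.dirname(norm) != want,
        })
    return findings

def sample_entry(prefix, name):
    """Constructed log line: joins prefix and name the way line 60's fmt() does."""
    dest = "/nsm/zeek/extracted/complete/" + name
    cmd = "cp %s/%s %s && rm %s/%s" % (prefix, name, dest, prefix, name)
    return json.dumps({"level": "Reporter::ERROR", "message": cmd +
        " |/Input::READER_RAW: Child process exited with non-zero return code 1"})

# Constructed sample input (hypothetical file names), not real log data.
SAMPLE = [sample_entry("/nsm/zeek/extracted/", "SMB-sample1.doc"),
          sample_entry("/nsm/extracted/", "SMB-sample2.doc"),
          json.dumps({"level": "Reporter::INFO", "message": "unrelated"})]

if __name__ == "__main__":
    for finding in triage(SAMPLE, "/nsm/zeek/extracted/"):
        print(finding)
```

To use it on a live sensor, pass the lines of reporter.log and the value `FileExtract::prefix` is defined with.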