Additional filter for file extraction.

[palichx]

In basic configuration zeek extract file based on mime type. in some case need to add protocol filter(source: HTTP/SMB/SMTP).
For example i want to extract text/plain. but HTTP traffic contains a lot of text/plain files :).

I understand that i can tune zeek script, but will be good manage it in salt config.

Thanks!

[weslambert]

This can be modified by adjusting the values for the file_extraction pillar shown here:

https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/salt/zeek/fileextraction_defaults.yaml

zeek:
  policy:
    file_extraction:

[palichx]

Hi,
i speak about network protocol filter(not about mime type).
Example: extract "text/plain" from SMB traffic and ignoring this files in HTTP.
working for me:

of course i added "text/plain" into fileextraction_defaults.yaml.