Zeek/strelka File Extraction

[masedira]

Hi All,
I just installed security onion and starting to send some live traffic to it.
I can see in the zeek logs that files are getting extracted but I cannot find the actual extracted file anywhere:

[admin@securityonion-1 ~]$ cat  /nsm/zeek/logs/current/files.log  | jq
{
  "ts": 1666120642.710228,
  "fuid": "F0zdAKkd57V08Bto2",
  "tx_hosts": [
    "184.87.203.2"
  ],
  "rx_hosts": [
    "192.168.201.100"
  ],
  "conn_uids": [
    "CRkDCb2iCKFcfhUxwk"
  ],
  "source": "HTTP",
  "depth": 0,
  "analyzers": [
    "SHA1",
    "MD5",
    "EXTRACT"
  ],
  "mime_type": "application/pdf",
  "duration": 0.4877331256866455,
  "local_orig": false,
  "is_orig": false,
  "seen_bytes": 783572,
  "total_bytes": 785794,
  "missing_bytes": 2222,
  "overflow_bytes": 0,
  "timedout": false,
  "extracted": "HTTP-F0zdAKkd57V08Bto2.pdf",
  "extracted_cutoff": false
}
[admin@securityonion-1 ~]$ ls -l   /nsm/zeek/extracted/complete/
total 0
[admin@securityonion-1 ~]$

Also, I cannot see the extracted file in suricata:
[admin@securityonion-1 ~]$ ls -ltrh /nsm/suricata/extracted/
total 0

============================

Any tips would be greatly appreciated.

[reyesj2]

You should be able to correlate off the zeek files log. Strelka is the file analyzer, so when a file is extracted from network data Strelka pulls that file and analyzes using Yara rules.

You can find analyzed files in /nsm/strelka/processed/

There is a good Strelka dashboard built in the SOC for quick overview along with a Zeek files dashboard for viewing files extracted by Zeek before being processed by strelka

[masedira]

Hi @reyesj2

thanks a lot for the reply. I was able to find some files in the strelka directory you mentioned: /nsm/strelka/processed/

Also, I was able to see the zeek and dashboards in kibana.

One thing I noticed is that not all files extracted by zeek are available in the strelka directory, for example the PDF files are there while the text files are not. Is this normal? Is there any setting to make stralke keep all files?