Merge pull request #7830 from Security-Onion-Solutions/dougburks-patch-1

FIX: Improve Zeek file extraction #7829
2025-12-06 09:12:45 +01:00 · 2022-04-20 14:13:13 -04:00
parent 40d9335573 15ef0968d9
commit 3aac644da5
1 changed files with 6 additions and 6 deletions
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -38,12 +38,12 @@ event file_state_remove(f: fa_file)
        if ( !f$info?$extracted || FileExtract::prefix == "" ) {
                return;
        }
-        # Check some conditions so we know the file is intact:
-        # Check for MD5
-        # Check for total_bytes
-        # Check for missing bytes
-        # Check if timed out
-        if ( !f$info?$md5 || !f?$total_bytes || f$missing_bytes > 0 || f$info$timedout) {
+        # Check if any of the following conditions exist:
+        # - missing MD5
+        # - total_bytes exists (some protocols aren't populating this field) but is 0
+        # - missing bytes
+        # - timed out
+        if ( !f$info?$md5 || (f?$total_bytes && f$total_bytes == 0) || f$missing_bytes > 0 || f$info$timedout) {
          # Delete the file if it didn't pass our requirements check.

          local nuke = fmt("rm %s/%s", FileExtract::prefix, f$info$extracted);