From a8a93260a9b90df32434c2e504a62ea4403a5e39 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 3 Mar 2020 22:40:06 +0000
Subject: [PATCH 1/2] add file extraction

---
 salt/zeek/files/local.zeek | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index b902eee32..bbb4a78be 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -124,3 +124,6 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 
 # BPF Configuration
 @load securityonion/bpfconf
+
+# Extracted files
+@load securityonion/file-extraction

From a0522943f73ce404943b4aa7e85e6464e33aba99 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Tue, 3 Mar 2020 22:40:46 +0000
Subject: [PATCH 2/2] fix path

---
 salt/zeek/policy/securityonion/file-extraction/extract.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/zeek/policy/securityonion/file-extraction/extract.zeek b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
index 7f0f1c902..b8e8478bd 100644
--- a/salt/zeek/policy/securityonion/file-extraction/extract.zeek
+++ b/salt/zeek/policy/securityonion/file-extraction/extract.zeek
@@ -16,6 +16,6 @@ event file_sniff(f: fa_file, meta: fa_metadata)
 if ( meta?$mime_type )
 ext = ext_map[meta$mime_type];
 
-local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
+local fname = fmt("/nsm/zeek/extracted/%s-%s.%s", f$source, f$id, ext);
 Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
 }
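Review bot: The new `# Extracted files` comment above `@load securityonion/file-extraction` says nothing about the side effect of loading that policy, which writes carved file bodies to disk rather than only emitting log records. The second patch in this series shows the destination is `/nsm/zeek/extracted/`, so a maintainer reading local.zeek should be pointed there: `# Extracted files: carves file bodies to /nsm/zeek/extracted (see policy/securityonion/file-extraction/extract.zeek)`. Whether the loaded script caps per-file extraction size is not visible from this hunk; that is worth confirming before enabling it on a busy sensor, since extraction is disk-bound.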
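Review bot: The corrected directory is still hard-coded inside the `fmt()` call on the `+` line, so the path is duplicated wherever the sensor layout is described and cannot be changed per deployment. Declare it once as a redef-able constant, e.g. `const extract_dir = "/nsm/zeek/extracted" &redef;` near the top of the script and `local fname = fmt("%s/%s-%s.%s", extract_dir, f$source, f$id, ext);` here. The `Files::add_analyzer` call on the following context line passes only `$extract_filename`, so the per-file size cap falls back to `FileExtract::default_limit`; if the deployment wants a different cap, set `$extract_limit` explicitly instead of relying on that default. `f$source` and `f$id` come from Zeek's file framework rather than from the peer, so the filename itself is not attacker-controlled as far as this hunk shows, but the directory must exist and be writable by the Zeek user, and how the extract analyzer reports an unwritable directory should be confirmed rather than assumed. The enclosing `file_sniff` handler starts before the hunk (only its signature is visible in the `@@` context).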