updated documentation for carved file download (idaholab#288)

mmguero-dev · Dec 21, 2023 · 575bc38 · 575bc38
1 parent 4667291
commit 575bc38
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/docs/file-scanning.md b/docs/file-scanning.md
@@ -25,4 +25,21 @@ The `EXTRACTED_FILE_PRESERVATION` [environment variable in `zeek.env`](malcolm-c
 * `all`: preserve flagged files in `./zeek-logs/extract_files/quarantine` and all other extracted files in `./zeek-logs/extract_files/preserved`
 * `none`: preserve no extracted files
 
-The `EXTRACTED_FILE_HTTP_SERVER_…` [environment variables in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server. Beware that Zeek-extracted files may contain malware. As such, these files may be optionally ZIP archived (with or without a password) or encrypted (to be decrypted using `openssl`, e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`) upon download.
+The `EXTRACTED_FILE_HTTP_SERVER_…` [environment variables in `zeek.env`](malcolm-config.md#MalcolmConfigEnvVars) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server accessible at **https://localhost/extracted-files/** if connecting locally. Beware that Zeek-extracted files may contain malware. As such, these files may be optionally ZIP archived (with or without a password) or encrypted (to be decrypted using `openssl`, e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`) upon download. In other words:
+
+* to disable the extracted files server:
+    - `EXTRACTED_FILE_HTTP_SERVER_ENABLE=false`
+* to enable the extracted file server:
+    - `EXTRACTED_FILE_HTTP_SERVER_ZIP=true`
+    - downloaded files are zipped, without a password:
+        + `EXTRACTED_FILE_HTTP_SERVER_ZIP=true`
+        + `EXTRACTED_FILE_HTTP_SERVER_KEY=`
+    - downloaded files are zipped, with a password:
+        + `EXTRACTED_FILE_HTTP_SERVER_ZIP=true`
+        + `EXTRACTED_FILE_HTTP_SERVER_KEY=xxxxxxxxxxxxx`
+    - downloaded files are OpenSSL AES-256-CBC-compatibly encrypted:
+        + `EXTRACTED_FILE_HTTP_SERVER_ZIP=false`
+        + `EXTRACTED_FILE_HTTP_SERVER_KEY=xxxxxxxxxxxxx`
+    - downloaded files are downloaded as-is, without archival or compression:
+        + `EXTRACTED_FILE_HTTP_SERVER_ZIP=false`
+        + `EXTRACTED_FILE_HTTP_SERVER_KEY=`