[Bro] http-ext-identified-files

Will baxterw3232 at gmail.com
Fri Apr 1 11:20:33 PDT 2011

Hey Seth,

I recently updated one of our bro boxes focusing on http traffic with your
'ext' scripts. I am drawing blank on a few things.

1. The old way of flagging via 'HTTP_WatchedMIMEType' appears to have gone
away in lieu of 'add si$tags["identified-files"];'
The new 'redef signature_files += "http-ext-identified-files.sig";' looks to
have replaced the magic_mime. I see that by default, file type in that
signature file are ignored.

For the time being, I have added the 'NOTICE' and 'HTTP_WatchedMIMEType'
back in because I really want email alerts for any watched_mime_types not
coming from a whitelisted location.

So, what is the correct way to generate alerts? My botched version is below.

2.  By adding the 'NOTICE' back in below, I think I botched the 'add
si$tags["identified-files"];', because none of the files are getting logged
to identified files.

Thanks in advance!



/trun/bro/site]# cat http-ext-identified-files.bro

@load global-ext

@load http-ext

@load http-reply

@load http-body

@load signatures

redef signature_files += "http-ext-identified-files.sig";

module HTTP;

export {

        redef enum Notice += {

                # This notice is thrown when the file extension doesn't

                # seem to match the file contents.


                # Generated when we see a MIME type we flagged for watching.



        # MIME types that you'd like this script to identify and log.

        const watched_mime_types = /application\/x-dosexec/

                                | /application\/x-executable/

                                | /application\/octet-stream/

                                | /application\/x-compressed/

                                | /application\/x-gzip/  &redef;

        # URLs included here are not logged and notices are not thrown.

        # Take care when defining regexes to not be overly broad.

        const ignored_urls =

                                | /^http:\/\/.*\.sun\.com\//

                                | /^http:\/\/.*\.macromedia\.com\//

                                | /^http:\/\/download\.microsoft\.com\//

/^http:\/\/(platformdl\.|ardownload\.|fpdownload\.)adobe\.com\// &redef;

        # Create regexes that *should* in be in the urls for specifics mime

        # Notices are thrown if the pattern doesn't match the url for the
file type.

        const mime_types_extensions: table[string] of pattern = {

                ["application/x-dosexec"] = /\.([eE][xX][eE]|[dD][lL][lL])/,

        } &redef;


# Don't delete the http sessions at the end of the request!

redef watch_reply=T;

# Ignore the signatures used to match files

redef ignored_signatures += /^matchfile-/;

# This script uses the file tagging method to create a separate file.

event bro_init()


        # Add the tag for log file splitting.

        LOG::define_tag("http-ext", "identified-files");


event signature_match(state: signature_state, msg: string, data: string)


        # Only signatures matching file types are dealt with here.

        if ( /^matchfile/ !in state$id ) return;

        # Not much point in any of this if we don't know about the

        # HTTP-ness of the connection.

        if ( state$conn$id !in conn_info ) return;

        local si = conn_info[state$conn$id];

        # Set the mime type seen.

        si$mime_type = msg;

        local message = fmt("%s %s %s", msg, si$method, si$url);

        if ( ignored_urls !in si$url )


                if ( watched_mime_types in msg )


                        NOTICE([$note=HTTP_WatchedMIMEType, $msg=message,
$conn=state$conn, $method=si$method, $URL=si$url]);

                        # Add a tag for logging purposes.

                        add si$tags["identified-files"];


                if ( msg in mime_types_extensions &&

                     mime_types_extensions[msg] !in si$url )


                        NOTICE([$note=HTTP_IncorrectFileType, $msg=message,
$conn=state$conn, $method=si$method, $URL=si$url]);


                event file_transferred(state$conn, data, "", msg);


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110401/b124f25d/attachment.html 

More information about the Bro mailing list