[Bro] File Scanning Capability
seth at icir.org
Mon Mar 21 13:22:10 PDT 2011
On Mar 21, 2011, at 2:49 PM, Seth Hall wrote:
> On Mar 21, 2011, at 2:16 PM, Will wrote:
>> I will without a doubt eventually incorporate "http-ext-identified-files.sig" instead of what I am currently using, but I am having trouble determining where to integrate the logic for handling each file type. As it currently works, I am saving off every pdf and word doc, which would be unnecessary if I used bro to call the external tools and evaluate the results.
> That won't actually work quite right. The http-ext-identified-files.sig file uses special signature keywords that the http analyzer provides to detect file types. It's not directly applicable to SMTP/MIME transfers.
I forgot to mention here that you can do the file detection fully at the script layer with the identify_data function. It takes a string which is the data at the beginning of a file and a boolean argument. If the boolean is true, it means you want the mime type (from libmagic); otherwise it returns the description of the file (again, from libmagic).
International Computer Science Institute
(Bro) because everyone has a network
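As an added example (not code from the original thread or from the Bro project), the following Bro 1.5-style script applies what Seth describes above to the SMTP/MIME case: it calls identify_data() on the first segment of each MIME entity, once with T for the libmagic mime type and once with F for the libmagic description, and raises a notice for types of interest. The events mime_begin_entity and mime_segment_data are the 1.5-era MIME analyzer events; the module name FileIdent, the watched_types set and the MIME_Watched_File notice type are assumptions made for illustration.

```bro
# Added example: script-layer file type detection for MIME entities via identify_data().
# Assumes Bro 1.5-era MIME analyzer events and notice framework.

@load mime
@load notice

module FileIdent;

export {
	# Hypothetical list of libmagic mime types worth a notice (illustrative, redef-able).
	const watched_types: set[string] = {
		"application/pdf",
		"application/msword",
		"application/x-dosexec",
	} &redef;

	redef enum Notice += {
		MIME_Watched_File,   # hypothetical notice type for this example
	};
}

# Connections whose current MIME entity has already been identified.
# identify_data() only needs the beginning of the file, so we look at
# the first segment of each entity and ignore the rest.
global identified: set[conn_id];

event mime_begin_entity(c: connection)
{
	# A new entity (e.g. the next attachment) starts: allow identification again.
	delete identified[c$id];
}

event mime_segment_data(c: connection, length: count, data: string)
{
	if ( c$id in identified )
		return;
	add identified[c$id];

	# T -> libmagic mime type, F -> libmagic textual description.
	local mtype = identify_data(data, T);
	local desc  = identify_data(data, F);

	print fmt("%s -> %s MIME entity: %s (%s)",
	          c$id$orig_h, c$id$resp_h, mtype, desc);

	if ( mtype in watched_types )
		NOTICE([$note=MIME_Watched_File, $conn=c,
		        $msg=fmt("watched file type in MIME entity: %s (%s)", mtype, desc)]);
}
```

Because only the first mime_segment_data event per entity is examined, no file data has to be saved to disk to learn its type; a script that does want to extract specific types can decide on that first segment and then start writing the following segments of the same entity to a file.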