[Bro] MD5 Hashing
sconzo at visiblerisk.com
Tue Mar 13 12:54:27 PDT 2012
Will the changes in 2.1 allow for passing of data to an MD5 function?
Or will it (the file analysis policy) use protocol knowledge + magic
number to determine if it should be MD5'd or not?
I only ask because seeing an exe downloaded with a mime type of
image/jpg is not completely uncommon.
On Tue, Mar 13, 2012 at 2:30 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 13, 2012, at 3:24 PM, Chris Crawford wrote:
>> So, hypothetically, if I wanted SMTP to MD5 hash all mime types that
>> are image.* or application.*, I would add the lines below to my
>> redef SMTP::generate_md5 += /image.*/;
>> redef SMTP::generate_md5 += /application.*/;
> Yep, just keeping in mind that the PDF mime type falls within application/ too (and a number of others).
>> I'm assuming that the += operator appends new regular expressions. Is
>> that correct?
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
cat ~/.bash_history > documentation.txt
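
Added example, not part of the original message and not Bro's own code: a Python sketch of the policy asked about above, where the decision to MD5 a file uses both the declared MIME type and the magic number, so an executable labelled image/jpg is hashed and flagged. The signature table, function names and sample bytes are constructed for illustration.

```python
import hashlib
import re

# Declared-type patterns quoted in the thread (image.* and application.*).
GENERATE_MD5 = re.compile(r"image.*|application.*")

# Constructed, deliberately small signature table: (magic bytes, sniffed type).
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
]

# Common aliases that should not count as a mismatch.
ALIASES = {"image/jpg": "image/jpeg", "image/pjpeg": "image/jpeg"}

# Constructed sample: the two-byte DOS/PE magic followed by padding.
SAMPLE_EXE = b"MZ" + b"\x00" * 62


def sniff(data):
    """Return a MIME type from the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def analyze(declared, data):
    """Hash when either the declared or the sniffed type matches the policy."""
    declared = declared.split(";")[0].strip().lower()
    declared = ALIASES.get(declared, declared)
    sniffed = sniff(data)
    # A mismatch is only reported when the content was positively identified.
    mismatch = sniffed is not None and sniffed != declared
    wanted = bool(GENERATE_MD5.match(declared)) or (
        sniffed is not None and bool(GENERATE_MD5.match(sniffed))
    )
    digest = hashlib.md5(data).hexdigest() if wanted else None
    return {"declared": declared, "sniffed": sniffed,
            "mismatch": mismatch, "md5": digest}


if __name__ == "__main__":
    for ctype in ("image/jpg", "text/plain"):
        print(analyze(ctype, SAMPLE_EXE))
```

A declared-type-only policy would skip the text/plain case entirely; checking the sniffed type as well is what catches it.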