[Bro] File log

Paul Halliday paul.halliday at gmail.com
Wed Oct 1 07:27:26 PDT 2014


Good to know. Out of curiosity though, if the field is of little value then
why even have it? (I have to deal with a trillion copies of '-')

;)

On Wed, Oct 1, 2014 at 10:44 AM, Hosom, Stephen M <hosom at battelle.org>
wrote:

>  This is normal. Filename is used for protocols that identify the file
> name when it is in transit on the network (like HTTP). Generally though…
> you don’t actually want the filename, so this doesn’t have much impact on
> Bro’s ability to do cool stuff with files (how would you deal with a
> trillion copies of index.html, for example?).
>
>
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *Paul
> Halliday
> *Sent:* Wednesday, October 01, 2014 9:33 AM
> *To:* bro at bro.org
> *Subject:* [Bro] File log
>
>
>
> Is it normal for the 'filename' field to always be empty? The mime_type is
> almost always identified but the filename field is always '-'
>
>
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> text/plain -
>
> application/x-dosexec -
>
> text/plain -
>
> application/vnd.ms-fontobject -
>
> application/vnd.ms-fontobject -
>
> application/vnd.ms-fontobject -
>
> application/octet-stream -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> application/vnd.ms-cab-compressed -
>
> image/jpeg -
>
> image/jpeg -
>
> image/jpeg -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> application/vnd.ms-cab-compressed -
>
> text/plain -
>
> text/html -
>
> text/html -
>
> application/x-dosexec -
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> image/jpeg -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/x-dosexec -
>
> text/plain -
>
> image/jpeg -
>
> application/vnd.ms-cab-compressed -
>
> application/octet-stream -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> image/jpeg -
>
> image/jpeg -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> image/jpeg -
>
> application/x-dosexec -
>
> application/x-dosexec -
>
> application/vnd.ms-cab-compressed -
>
> application/vnd.ms-cab-compressed -
>
> text/html -
>
> text/html -
>
>
>
> Thanks.
>
>
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>



-- 
Paul Halliday
http://www.pintumbler.org/
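
Added example, not part of the original messages: one way to measure how often `filename` is actually populated per `mime_type`, by reading a Bro ASCII log and treating the value declared in the `#unset_field` header as "no value" instead of as a literal string. The sample log is constructed and trimmed to four columns, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in Bro's ASCII log layout, trimmed to four columns.
# These records are illustrative and are not data from the thread.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tfuid\tsource\tmime_type\tfilename",
    "#types\tstring\tstring\tstring\tstring",
    "Fsample1\tHTTP\tapplication/x-dosexec\t-",
    "Fsample2\tHTTP\tapplication/x-dosexec\tsetup.exe",
    "Fsample3\tHTTP\ttext/html\t-",
    "Fsample4\tHTTP\ttext/html\t-",
    "Fsample5\tHTTP\timage/jpeg\tphoto.jpg",
    "Fsample6\tHTTP\tapplication/vnd.ms-cab-compressed\t-",
])

def read_bro_log(lines):
    """Yield one dict per record; fields holding the unset marker become None."""
    sep, unset, fields = "\t", "-", []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The separator itself is written escaped, e.g. \x09 for a tab.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = vals
        elif line:
            vals = line.split(sep)
            yield {f: (None if v == unset else v) for f, v in zip(fields, vals)}

def filename_coverage(lines):
    """Map mime_type -> (records with a filename, total records)."""
    named, total = Counter(), Counter()
    for rec in read_bro_log(lines):
        mime = rec.get("mime_type") or "(unknown)"
        total[mime] += 1
        if rec.get("filename") is not None:
            named[mime] += 1
    return {m: (named[m], total[m]) for m in total}

if __name__ == "__main__":
    for mime, (n, t) in sorted(filename_coverage(SAMPLE_LOG.splitlines()).items()):
        print(f"{mime}: {n}/{t} records carry a filename")
```
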