[Bro] Bro Cannot Get ‘Resp_mime_types' properly in http.log

Seth Hall seth at icir.org
Mon Oct 6 08:05:29 PDT 2014

On Oct 4, 2014, at 10:00 PM, 赵芮元 <zryzregister at 163.com> wrote:

>     As shown above Bro-2.3 parses the 'Resp_mime_types'  as '-'. But in fact, when I use wireshark to parse this stream, the type is ''application/x-shockwave-flash'.

What you're seeing there is what the server declared the content to be.  Bro ignores that value and sniffs the content to try and identify it.

You have found a weakness in our shockwave detection fingerprint though.  I'm going to be doing a commit into master soon that improves on our Flash detection (our signatures don't detect LZMA compressed flash files).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list