[Bro] Bro Cannot Get ‘Resp_mime_types' properly in http.log
seth at icir.org
Mon Oct 6 08:05:29 PDT 2014
On Oct 4, 2014, at 10:00 PM, 赵芮元 <zryzregister at 163.com> wrote:
> As shown above Bro-2.3 parses the 'Resp_mime_types' as '-'. But in fact, when I use wireshark to parse this stream, the type is 'application/x-shockwave-flash'.
What you're seeing there is what the server declared the content to be. Bro ignores that value and sniffs the content to try and identify it.
You have found a weakness in our shockwave detection fingerprint though. I'm going to be doing a commit into master soon that improves on our Flash detection (our signatures don't detect LZMA compressed flash files).
International Computer Science Institute
(Bro) because everyone has a network
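Seth's point above, as an added Python example that is not Bro's own code: the logged type comes from sniffing the body, not from the server's Content-Type, and a Flash fingerprint that only knows the uncompressed (FWS) and zlib (CWS) headers misses LZMA-compressed (ZWS) files. The `accept` parameter and the SWF-shaped sample blobs are constructed for illustration.

```python
import struct
import zlib

# SWF header signatures and the body compression each one announces.
SWF_MAGIC = {
    b"FWS": "none",  # uncompressed
    b"CWS": "zlib",  # zlib-compressed body (SWF 6 and later)
    b"ZWS": "lzma",  # LZMA-compressed body (SWF 13 and later)
}

def sniff_swf(body, accept=frozenset(SWF_MAGIC)):
    """Return (mime, compression, version, file_len) if body looks like SWF, else None.

    `accept` (constructed knob) limits which magic strings the sniffer knows, so a
    fingerprint that predates ZWS can be modelled by passing {b"FWS", b"CWS"}."""
    if len(body) < 8:
        return None
    magic, version = body[:3], body[3]
    file_len = struct.unpack("<I", body[4:8])[0]
    if magic not in SWF_MAGIC or magic not in accept:
        return None
    # CWS: the bytes after the 8-byte header must be a valid zlib stream header
    # (CM == 8 and the CMF/FLG pair is a multiple of 31), which cuts false positives.
    if magic == b"CWS":
        if len(body) < 10 or body[8] & 0x0F != 8 or (body[8] << 8 | body[9]) % 31:
            return None
    return ("application/x-shockwave-flash", SWF_MAGIC[magic], version, file_len)

def classify(declared_mime, body, accept=frozenset(SWF_MAGIC)):
    """Mimic the http.log decision: the declared Content-Type is ignored and the
    sniffed type is logged, '-' when no fingerprint matched."""
    hit = sniff_swf(body, accept)
    return hit[0] if hit else "-"

def make_swf(magic, version, payload):
    """Build a minimal, constructed SWF-shaped blob for the demonstration."""
    if magic == b"CWS":
        body = zlib.compress(payload)
    elif magic == b"ZWS":
        # SWF's LZMA framing: 4-byte compressed length, then LZMA properties.
        # The properties and payload here are placeholders, not a real stream.
        body = struct.pack("<I", len(payload)) + b"]\x00\x00\x80\x00" + payload
    else:
        body = payload
    return magic + bytes([version]) + struct.pack("<I", 8 + len(payload)) + body
```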