[Bro] File Extraction Related Scripting Questions

Seth Hall seth at icir.org
Fri Sep 19 10:06:34 PDT 2014


On Sep 19, 2014, at 11:57 AM, Jason Batchelor <jxbatchelor at gmail.com> wrote:

> It may be purposeful, since all OLECF files have the same magic (D0 CF 11 E0 A1 B1 1A E1). Is this the case? Would it be more appropriate/clear to have a MIME type such as 'application/ole'? Additionally, if you look 512 bytes in you can determine the type of file for older office documents. Is this an opportunity to create clearer, more specific file type signatures?

I view this as the opportunity.  We can make type signatures and indicators that fit our use case.  Are you interested in leading an effort to clean up the MS Office document identification?  That's a nice, tightly defined problem scope and it sounds like it's in an area that you need to address for yourself anyway.

>  I am certainly not an authority on this matter, but would appreciate any insight into the topic as it will help drive the direction of a solution I am developing.

The general problem with this stuff is that everyone ends up saying that same thing.  I'm sure that even libmagic developers would say the same thing because they are just trying to show mime types that are defined and allocated by IANA.  This is an area where we're just going to have to let ourselves be free to extend and expand beyond libmagic or even IANA in some cases (they have a mechanism for unallocated extensions that we should evaluate closely).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/





More information about the Bro mailing list