[Bro] File Extraction Related Scripting Questions

Jason Batchelor jxbatchelor at gmail.com
Thu Sep 25 10:16:58 PDT 2014

Just FYI to the group, I created the following after having spent some time
looking at magic.sig. I placed them in general.sig and so far they seem to
do the trick on identifying OLECF (legacy MS Office) and OOXML (modern MS
Office) documents.

Seth indicated to me offline this would be reviewed and folded into the
next release.

For your immediate use.
# Jason Batchelor Edits, 9/19/2014
# Signatures informed by the following resource
# http://www.garykessler.net/library/file_sigs.html
signature file-olecf {
    file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/
    file-mime "application/olecf", 150
}

signature file-ooxml {
    file-magic /(\x50\x4b\x03\x04\x14\x00\x06\x00)/
    file-mime "application/vnd.openxmlformats-officedocument", 100
}

On Fri, Sep 19, 2014 at 1:50 PM, Seth Hall <seth at icir.org> wrote:

> On Sep 19, 2014, at 1:41 PM, Jason Batchelor <jxbatchelor at gmail.com> wrote:
>
> > I would be :).
>
> Woo!
>
> > Would you mind pointing me in the right direction to how I might make
> > type signatures and indicators as you describe.
>
> https://github.com/bro/bro/tree/master/scripts/base/frameworks/files/magic
>
> Any attention to those file detections would be great.  I would also like
> to start getting some tests in place that verify we are detecting these
> files correctly going into the future.  Feel free to ask if you have any
> questions.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
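To show what the two signatures in the post actually decide, here is an added Python example; it is not Bro's own matcher and not Jason's code. It re-implements the two entries as prefix matches, lets the strength value (150 vs 100) pick the winner when more than one matches, and adds a stricter OOXML check that reads the first ZIP entry name. The OOXML magic is only a ZIP local-file header whose version-needed field is 0x0014 and whose general-purpose flags are 0x0006, so it also matches non-Office archives written with those exact fields and misses Office files written with any other flags. The `[Content_Types].xml` first-entry heuristic and all sample inputs below are constructed assumptions, not something the thread states.

```python
"""Toy re-implementation of the posted Bro file-magic signatures (added example)."""
import struct

# (name, magic prefix, mime, strength), mirroring the two general.sig entries
SIGNATURES = [
    ("file-olecf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/olecf", 150),
    ("file-ooxml", b"\x50\x4b\x03\x04\x14\x00\x06\x00",
     "application/vnd.openxmlformats-officedocument", 100),
]

OOXML_MAGIC = SIGNATURES[1][1]


def match_signatures(data: bytes):
    """Return (name, mime, strength) for every signature whose magic is a prefix of data."""
    return [(name, mime, strength)
            for (name, magic, mime, strength) in SIGNATURES
            if data.startswith(magic)]


def identify(data: bytes):
    """Return the MIME type of the strongest matching signature, or None.

    Bro keeps the match with the highest strength; this does the same.
    """
    hits = match_signatures(data)
    if not hits:
        return None
    return max(hits, key=lambda h: h[2])[1]


def zip_local_header(name: bytes, version: int, flags: int) -> bytes:
    """Build one ZIP local-file header (constructed test data; no real archive behind it).

    Fields: signature, version needed, flags, method (8 = deflate), mod time, mod date,
    crc32, compressed size, uncompressed size, name length, extra length, then the name.
    """
    fixed = struct.pack("<IHHHHHIIIHH", 0x04034B50, version, flags, 8,
                        0, 0, 0, 0, 0, len(name), 0)
    return fixed + name


def looks_like_ooxml(data: bytes) -> bool:
    """Stricter OOXML check (assumption): the magic must match AND the first ZIP entry
    must be named [Content_Types].xml, which Office writes first. Not guaranteed for
    every producer, so treat it as a heuristic, not a proof."""
    if not data.startswith(OOXML_MAGIC) or len(data) < 30:
        return False
    name_len, _extra_len = struct.unpack_from("<HH", data, 26)
    first_entry = data[30:30 + name_len]
    return first_entry == b"[Content_Types].xml"


# Constructed samples: an OLECF header, an Office-style ZIP, a ZIP with the same
# header fields but a non-Office first entry, a ZIP with plain flags, and text.
SAMPLE_OLECF = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_OOXML = zip_local_header(b"[Content_Types].xml", 0x14, 0x06)
SAMPLE_ZIP_SAME_FLAGS = zip_local_header(b"readme.txt", 0x14, 0x06)
SAMPLE_ZIP_PLAIN = zip_local_header(b"[Content_Types].xml", 0x14, 0x00)
SAMPLE_TEXT = b"hello, not a document\n"


if __name__ == "__main__":
    for label, blob in [("olecf", SAMPLE_OLECF), ("ooxml", SAMPLE_OOXML),
                        ("zip same flags", SAMPLE_ZIP_SAME_FLAGS),
                        ("zip plain flags", SAMPLE_ZIP_PLAIN), ("text", SAMPLE_TEXT)]:
        print(f"{label:16} -> {identify(blob)}  strict ooxml: {looks_like_ooxml(blob)}")
```

The "zip same flags" and "zip plain flags" rows are the point: the magic-only signature fires on the first (a false positive for any ZIP whose producer set those header fields) and stays silent on the second (an Office-looking archive written with different flags). That is the kind of case the tests Seth mentions should pin down, one sample file per expected outcome.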