[Bro] ZWS File Magic Inclusion

Jason Batchelor jxbatchelor at gmail.com
Wed Mar 18 10:59:20 PDT 2015


Hello all:

I needed to extract from PCAP a malicious SWF that was compressed using LZMA,
and thusly gave the SWF a 'ZWS' header instead of the normal 'CWS' you
typically observe in a compressed SWF.

While the general.sig file has signatures for CWS and FWS magic for SWF
files, I did not see the presence of ZWS. I went ahead and created the
following entry in libmagic.sig.

# LZMA-compressed SWF: the three-byte ZWS magic sits at offset 0 of the file.
# The pattern is anchored with ^ so that "ZWS" appearing later inside some
# unrelated file does not trigger the signature.
signature file-magic-swf-zws {
        file-mime "application/x-shockwave-flash/lzma", 60
        file-magic /^(ZWS)/
}

Then ran bro alongside my extraction script on the PCAP and out the LZMA
compressed SWF came. Just wanted to pass this along. It might be worth
adding it to the sig files for a future release possibly?

Thanks,
Jason
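As an added example (not from Jason's message and not Bro code), a small Python parser for the SWF header that tests the magic at offset 0 only, the way a file-magic signature should be anchored, and for a ZWS file decodes the LZMA property bytes before decompressing the body. The `make_zws` helper, the 64 MiB dictionary cap and the sample payload are constructed here for illustration.

```python
import lzma
import struct
import zlib

# Cap the dictionary size read from an untrusted ZWS header so a crafted file
# cannot make the decoder allocate gigabytes (assumed bound, not from Adobe).
MAX_DICT_SIZE = 64 * 1024 * 1024


def parse_swf(data):
    """Return (variant, version, declared_len, body); body is the decompressed
    remainder after the 8-byte common header. Only offset 0 is checked for the
    magic, unlike an unanchored /(ZWS)/ which also fires on those bytes deeper
    inside an unrelated file."""
    if len(data) < 8:
        raise ValueError("too short for an SWF header")
    magic, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed file length
    if magic == b"FWS":
        body = data[8:]
    elif magic == b"CWS":
        body = zlib.decompress(data[8:])
    elif magic == b"ZWS":
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        # After the common header: compressed length (4 bytes, not validated
        # here), then 5 LZMA property bytes: packed lc/lp/pb, LE dict size.
        props = data[12]
        dict_size = struct.unpack("<I", data[13:17])[0]
        lc, lp, pb = props % 9, (props // 9) % 5, props // 45
        if pb > 4 or lc + lp > 4 or dict_size > MAX_DICT_SIZE:
            raise ValueError("implausible LZMA properties in ZWS header")
        filters = [{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                    "lc": lc, "lp": lp, "pb": pb}]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=filters)
        # Flash-written streams carry no end-of-payload marker, so dec.eof is
        # deliberately not required after this call.
        body = dec.decompress(data[17:])
    else:
        raise ValueError("not an SWF: magic %r" % magic)
    return magic.decode("ascii"), version, declared_len, body


def make_zws(payload, version=10):
    """Build a ZWS file around an uncompressed body (constructed test input)."""
    opts = {"dict_size": 1 << 16, "lc": 3, "lp": 0, "pb": 2}
    stream = lzma.compress(payload, format=lzma.FORMAT_RAW,
                           filters=[dict(id=lzma.FILTER_LZMA1, **opts)])
    props = bytes([(opts["pb"] * 5 + opts["lp"]) * 9 + opts["lc"]])
    props += struct.pack("<I", opts["dict_size"])
    header = b"ZWS" + bytes([version])
    header += struct.pack("<II", 8 + len(payload), len(stream))
    return header + props + stream
```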