[Bro] File name from fa_file

Pigott, Nathan Nathan.Pigott at parsons.com
Tue Sep 29 10:56:38 PDT 2015

I see.  My goal is to check each file's filename against its given mime type to ensure they match.  Since f$info$filename is frequently non-existent, is there any more reliable way to get filenames besides parsing them out of the URL?  Is this a fruitless/unnecessary pursuit since mime type can also be spoofed?

From: Hosom, Stephen M [hosom at battelle.org]
Sent: Tuesday, September 29, 2015 1:26 PM
To: Pigott, Nathan; bro at bro.org
Subject: RE: File name from fa_file

Filename does not always exist. That field is only created under circumstances where the protocol has a portion that would tell the server or client receiving the file what the name should be—most commonly that applies to HTTP. What is it that you’re trying to do with filenames, or what information are you attempting to derive from them? Generally it isn’t wise to trust filenames that you see on the wire for a whole lot.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Pigott, Nathan
Sent: Tuesday, September 29, 2015 1:08 PM
To: bro at bro.org
Subject: [Bro] File name from fa_file


I'm having problems getting file names from fa_file - the field f$info$filename is showing up uninitialized on every single fa_file in all my tests.  Is there a known reason why this would be happening?  I'm using Bro 2.3, but I tested on 2.4 as well and got the same results.

Are there any alternative ways to get file names?  For now I'm parsing the URL returned by Files::describe(f), but this does not work if the URL doesn't contain the file name, or if the file was transferred with a protocol other than HTTP.

Nathan Pigott
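One way to do the filename-versus-MIME check Nathan describes, written as an added Bro script example (not code from the thread); it assumes Bro 2.4 syntax, treats f$info$filename as optional exactly as Stephen says, falls back to the URL from Files::describe(f) only for HTTP, and raises a notice rather than acting, since neither the filename nor the sniffed type is trustworthy on its own.

```bro
# Added example: compare a file's claimed extension to its sniffed MIME type.
# The table below is a constructed, minimal mapping; extend with &redef.
module FilenameCheck;

export {
    redef enum Notice::Type += { Filename_Mime_Mismatch };

    # MIME type -> set of extensions normally used for it (assumption).
    const expected_ext: table[string] of set[string] = {
        ["application/pdf"]  = set("pdf"),
        ["image/jpeg"]       = set("jpg", "jpeg"),
        ["image/png"]        = set("png"),
        ["application/x-dosexec"] = set("exe", "dll", "scr"),
    } &redef;
}

# Return the best available name, or "" if the wire carried none.
function best_name(f: fa_file): string
    {
    if ( f?$info && f$info?$filename )
        return f$info$filename;
    # Only HTTP describes a file by URL; parsing anything else is pointless.
    if ( f?$info && f$info$source == "HTTP" )
        return Files::describe(f);
    return "";
    }

# Pull a lowercase extension off a name or URL; "" if none.
function ext_of(name: string): string
    {
    local m = find_last(name, /\.[A-Za-z0-9]+$/);
    if ( |m| < 2 )
        return "";
    return to_lower(sub_bytes(m, 2, |m| - 1));
    }

event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$mime_type )
        return;
    local mt = f$info$mime_type;
    if ( mt !in expected_ext )
        return;
    local ext = ext_of(best_name(f));
    if ( ext != "" && ext !in expected_ext[mt] )
        NOTICE([$note=Filename_Mime_Mismatch, $f=f,
                $msg=fmt("extension .%s does not match sniffed %s", ext, mt)]);
    }
```

The notice is a weak signal: a client can choose both the name and the leading bytes that drive sniffing, so it is most useful as a triage hint alongside other file and connection context.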