[Bro] Mime-type issues (text/plain and application/x-msdownload)

Beyaz Şapka siberkartal at gmail.com
Wed Dec 28 06:11:44 PST 2016

Hi all,

I have two questions for the following pcap.

Bro says the mime-type as "text/plain" for the response of first HTTP GET
However, at least,  wireshark (and also CapTipper) says it is "text/html".
The correct one is text/html, it is clear.

I think, bro does not look only Content-Type (maybe due to malicious
manipulation), but makes some heuristics. But there should be some issues
for this case.

The other one is that, there are 3 binary files in this pcap.
Bro extracts them pretty fine.
However again there are some issues about content-type.
While their content type is application/x-msdownload, the http.log and
files.log says dash dash (not found).
In relation to this issue, I have a local file extract bro script, although
I have definition for application/x-msdownload extension, I am not able to
set its extension as exe. Since meta$mime_type returns empty.

The sample:


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161228/6a1a8733/attachment.html 

More information about the Bro mailing list