[Bro] Mime-type issues (text/plain and application/x-msdownload)
siberkartal at gmail.com
Wed Dec 28 06:11:44 PST 2016
I have two questions for the following pcap.
Bro reports the mime-type as "text/plain" for the response to the first HTTP GET.
However, at least Wireshark (and also CapTipper) says it is "text/html".
The correct one is text/html, that is clear.
I think Bro does not look only at Content-Type (maybe due to malicious
manipulation), but applies some heuristics. But there should be some issues
in this case.
The other one is that there are 3 binary files in this pcap.
Bro extracts them just fine.
However, again there are some issues with the content type.
While their content type is application/x-msdownload, the http.log and
files.log say dash dash (not found).
In relation to this issue, I have a local file-extraction Bro script; although
I have a definition for the application/x-msdownload extension, I am not able to
set its extension to exe, since meta$mime_type returns empty.