[Bro] Finer detail on mime types

Christian Kreibich christian at corelight.com
Mon Jul 10 23:33:00 PDT 2017


On 07/10/2017 01:09 PM, Seth Hall wrote:
> That is a bit of an overloaded mime-type I'm afraid.  We did build the
> files framework in Bro so that it could be extended to provide quite a
> bit of extra information when the file is "sniffed".  The primary
> problem that we'd have with providing that information at the moment
> is lack of a way to analyze excel files.

Once you know you're dealing with an OOXML archive, in my experience the 
following works well: take the presence of a vbaproject.bin file in the 
archive as a prerequisite for macro-enabledness, then leverage a 
.docm/.pptm/.xlsm filename suffix to distinguish application, and fall 
back to Word for others.

I'd be interested to hear what approaches others have used.

Thanks,
-C.


More information about the Bro mailing list