[Bro] Finer detail on mime types
christian at corelight.com
Mon Jul 10 23:33:00 PDT 2017
On 07/10/2017 01:09 PM, Seth Hall wrote:
> That is a bit of an overloaded mime-type I'm afraid. We did build the
> files framework in Bro so that it could be extended to provide quite a
> bit of extra information when the file is "sniffed". The primary
> problem that we'd have with providing that information at the moment
> is lack of a way to analyze excel files.
Once you know you're dealing with an OOXML archive, in my experience the
following works well: take the presence of a vbaproject.bin file in the
archive as a prerequisite for macro-enabledness, then leverage a
.docm/.pptm/.xlsm filename suffix to distinguish application, and fall
back to Word for others.
I'd be interested to hear what approaches others have used.
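The heuristic described in the reply, worked through as an added example (this is not code from the thread or from Bro itself): look for a vbaProject.bin part anywhere in the OOXML zip, then use the .docm/.xlsm/.pptm suffix to pick the application, falling back to Word. The in-memory sample archives are constructed for the demonstration and are not real documents.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, Optional

# Macro-enabled OOXML suffixes named in the thread, mapped to the producing application.
SUFFIX_TO_APP = {".docm": "word", ".xlsm": "excel", ".pptm": "powerpoint"}


def has_vba_project(data: bytes) -> bool:
    """True if any part in the zip has the basename vbaProject.bin (case-insensitive).

    Real documents keep it under word/, xl/ or ppt/, so only the basename is compared.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin"
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML archive at all, so it cannot carry a VBA project part.
        return False


def classify_ooxml(filename: str, data: bytes) -> Optional[str]:
    """Return 'word', 'excel' or 'powerpoint' for a macro-enabled archive, else None.

    The vbaProject.bin part is the prerequisite; the suffix only refines the
    application, and anything unrecognised falls back to Word as the thread suggests.
    """
    if not has_vba_project(data):
        return None
    suffix = PurePosixPath(filename).suffix.lower()
    return SUFFIX_TO_APP.get(suffix, "word")


def build_sample(parts: Dict[str, bytes]) -> bytes:
    """Build a minimal zip in memory (constructed test input, not a genuine document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one carrying a VBA project part, one without.
MACRO_DOC = build_sample({"[Content_Types].xml": b"<Types/>",
                          "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
PLAIN_DOC = build_sample({"[Content_Types].xml": b"<Types/>",
                          "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for name in ("report.docm", "budget.xlsm", "deck.pptm", "renamed.bin"):
        print(name, classify_ooxml(name, MACRO_DOC), classify_ooxml(name, PLAIN_DOC))
```

Because the application is taken from the filename, a macro-bearing workbook delivered under a misleading name is reported as Word; that is the limit of the suffix fallback and the reason the VBA part, not the name, is the deciding signal.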