[Bro-Dev] #982: topic/jsiwek/file-analysis
Bro Tracker
bro at tracker.bro.org
Wed Apr 24 12:51:49 PDT 2013
#982: topic/jsiwek/file-analysis
----------------------------+------------------------
Reporter: jsiwek | Owner:
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
----------------------------+------------------------
Comment (by seth):
There is an oversight in the file_analysis.log right now. The "analyzers"
field is redundant and a huge log space hog. The best analogy to
connections is the "service" field in conn.log. Differences are that it
uses short names and only represents analyzers that successfully analyzed
the file. Here's an example from a file_analysis.log I have right now:
{{{
FileAnalysis::ANALYZER_PE,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA1
}}}
I don't know what the field should be named, but I think it should only
have "pe" in it in this case. I'm not terribly concerned that the hash
analyzers and the extract analyzer were attached. Currently the hash
analyzers and the extract analyzer add fields to the file_analysis.log
already so you actually know when those were used anyway.
This is where we're starting to bump into potential DFD (dynamic file
detection) features too since the analyzer being present would indicate
some degree of successful analysis. It's also likely that we may need to
add FileConfirmation and FileViolation methods to the file analyzer base
class.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/982#comment:2>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker
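To make the proposal concrete, here is an added example (not code from the ticket, from Bro, or from the commenter) that condenses the verbose "analyzers" value quoted above into the short, conn.log "service"-style form the comment asks for. The prefix to strip, the set of analyzers treated as redundant because their results already appear in dedicated log columns, and the optional "succeeded" filter are all assumptions made for illustration; the log itself does not record which analyzers succeeded.

```python
# Added example: condense a file_analysis.log "analyzers" value into a short
# "service"-style list. Not part of Bro or of the ticket; names and rules
# below are assumptions for illustration.

# Enum prefix seen in the value quoted in the ticket (assumed constant here).
PREFIX = "FileAnalysis::ANALYZER_"

# Analyzers whose use is already visible through dedicated columns
# (hash and extraction fields), so repeating them is redundant.
# Chosen from the names in the ticket; assumed, not a Bro definition.
REDUNDANT = {"md5", "sha1", "extract"}

# Bro's ASCII writer marks an empty set with this token.
EMPTY_FIELD = "(empty)"


def short_name(enum_name):
    """Map 'FileAnalysis::ANALYZER_PE' to the short form 'pe'."""
    if enum_name.startswith(PREFIX):
        enum_name = enum_name[len(PREFIX):]
    return enum_name.lower()


def condense_analyzers(field, succeeded=None):
    """Return the condensed analyzer list for one log record.

    field:     raw comma-separated value of the "analyzers" column.
    succeeded: optional set of short names that reported a successful
               analysis; when given, analyzers outside it are dropped.
               Hypothetical input: today's log carries no such signal.
    """
    names = [short_name(n) for n in field.split(",") if n]
    out = []
    for name in names:
        if name in REDUNDANT:
            continue
        if succeeded is not None and name not in succeeded:
            continue
        if name not in out:          # keep order, drop duplicates
            out.append(name)
    return ",".join(out) if out else EMPTY_FIELD


def condense_log_line(line, analyzers_col):
    """Rewrite the analyzers column of one tab-separated log record.

    analyzers_col is the zero-based column index of the "analyzers" field
    in the caller's log; the layout is taken from the #fields header.
    """
    fields = line.rstrip("\n").split("\t")
    fields[analyzers_col] = condense_analyzers(fields[analyzers_col])
    return "\t".join(fields)


# Constructed sample value: the exact string quoted in the ticket comment.
SAMPLE = ("FileAnalysis::ANALYZER_PE,FileAnalysis::ANALYZER_EXTRACT,"
          "FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA1")

# Constructed three-column record (ts, fuid, analyzers) for the line helper.
SAMPLE_LINE = "1366832000.0\tFabcde\t" + SAMPLE

if __name__ == "__main__":
    print(condense_analyzers(SAMPLE))                    # pe
    print(condense_analyzers(SAMPLE, succeeded=set()))   # (empty)
    print(condense_log_line(SAMPLE_LINE, 2))
```

With the redundant analyzers removed, the quoted value collapses to just "pe", which is the outcome the comment describes; passing a "succeeded" set shows how the field would shrink further once analyzers can report confirmation or violation.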