[Bro-Dev] #982: topic/jsiwek/file-analysis

Bro Tracker bro at tracker.bro.org
Wed Apr 24 12:51:49 PDT 2013

#982: topic/jsiwek/file-analysis
  Reporter:  jsiwek         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Low            |  Milestone:  Bro2.2
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:

Comment (by seth):

 There is an oversight in the file_analysis.log right now.  The "analyzers"
 field is redundant and a huge log space hog.  The best analogy to
 connections is the "service" field in conn.log.  Differences are that it
 uses short names and only represents analyzers that successfully analyzed
 the file.  Here's an example from a file_analysis.log I have right now:


 I don't know what the field should be named, but I think it should only
 have "pe" in it in this case.  I'm not terribly concerned that the hash
 analyzers and the extract analyzer were attached.  Currently the hash
 analyzers and the extract analyzer add fields to the file_analysis.log
 already so you actually know when those were used anyway.

 This is where we're starting to bump into potential DFD (dynamic file
 detection) features too since the analyzer being present would indicate
 some degree of successful analysis.  It's also likely that we may need to
 add FileConfirmation and FileViolation methods to the file analyzer base

Ticket URL: <http://tracker.bro.org/bro/ticket/982#comment:2>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list