[Bro-Dev] [JIRA] (BIT-988) Bug in HTTP body extraction

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Thu Nov 7 07:32:31 PST 2013

     [ https://bro-tracker.atlassian.net/browse/BIT-988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-988:

    Resolution: Fixed
        Status: Closed  (was: Open)

Functionality removed in favor of FAF

> Bug in HTTP body extraction
> ---------------------------
>                 Key: BIT-988
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-988
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>            Assignee: Seth Hall
>              Labels: file-analysis
>             Fix For: 2.2
> There exists a bug in HTTP body extraction that prevents certain bodies from being dumped, even though having set
> {noformat}
> redef extract_file_types = /.*/;
> {noformat}
> This happens presumably because Bro does not figure out the correct MIME type and does not set {{c$http$mime_type}}. It results in this check failing:
> {noformat}
>     if ( c$http?$mime_type && extract_file_types in c$http$mime_type )
>       {
>       c$http$extract_file = T;
>       }
> {noformat}
> On a related note, I also find missing responses to HTTP POST requests which I assume come from the same issues.
> I have a trace that I could attach, but wanted to make sure it's worth the effort in face of the upcoming file analysis framework, or if we plan on pushing a 2.1 hotfix for this.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list