[Bro-Dev] [JIRA] (BIT-988) Bug in HTTP body extraction
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Thu Nov 7 07:32:31 PST 2013
[ https://bro-tracker.atlassian.net/browse/BIT-988?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-988:
--------------------------
Resolution: Fixed
Status: Closed (was: Open)
Functionality removed in favor of FAF
> Bug in HTTP body extraction
> ---------------------------
>
> Key: BIT-988
> URL: https://bro-tracker.atlassian.net/browse/BIT-988
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Assignee: Seth Hall
> Labels: file-analysis
> Fix For: 2.2
>
>
> There exists a bug in HTTP body extraction that prevents certain bodies from being dumped, even after having set
> {noformat}
> redef extract_file_types = /.*/;
> {noformat}
> This happens presumably because Bro does not figure out the correct MIME type and does not set {{c$http$mime_type}}. It results in this check failing:
> {noformat}
> if ( c$http?$mime_type && extract_file_types in c$http$mime_type )
>     {
>     c$http$extract_file = T;
>     }
> {noformat}
> On a related note, I also find missing responses to HTTP POST requests which I assume come from the same issues.
> I have a trace that I could attach, but wanted to make sure it's worth the effort in the face of the upcoming file analysis framework, or if we plan on pushing a 2.1 hotfix for this.
--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)