[Bro-Dev] [JIRA] (BIT-959) Issue with HTTP POST file extraction
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Fri Nov 8 12:06:31 PST 2013
[ https://bro-tracker.atlassian.net/browse/BIT-959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-959:
--------------------------
Resolution: Fixed
Status: Closed (was: Open)
This feature has been replace by the file analysis framework.
> Issue with HTTP POST file extraction
> ------------------------------------
>
> Key: BIT-959
> URL: https://bro-tracker.atlassian.net/browse/BIT-959
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Reporter: gregoire.moreau
> Priority: Low
> Fix For: 2.2
>
>
> I've had a problem with the extraction of HTTP POST file content with bro2.1 stable, there's no problem with incoming content. I use a modified http/file-extract.bro script.
> My tests were mainly done with PDF content.
> The problem is whenever a 0x0d is found in the content, it is replaced with 0x0d0a.
> I've found a little workaround, but I'm not sure about all the borders effects it could have. Also, it may not be the good way to correct the problem...
> The workaround is as follow in HTTP.cc :
> *************** HTTP_Analyzer::HTTP_Analyzer(Connection*
> *** 808,813 ****
> \--\- 808,814 \---\-
> reply_reason_phrase = 0;
> content_line_orig = new ContentLine_Analyzer(conn, true);
> + content_line_orig->SetCRLFAsEOL(CR_as_EOL & LF_as_EOL);
> AddSupportAnalyzer(content_line_orig);
> With the workaround it still add one CRLF at the end of some PDF files.
> As I wish to keep the hashes of the files it does matter :)
--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)
More information about the bro-dev
mailing list