[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identification

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Wed Feb 19 09:51:37 PST 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15566#comment-15566 ] 

Jon Siwek commented on BIT-1143:

A question about requirements.

Bro currently uses libmagic for two types of file information -- simple mime type identification and also more verbose descriptions.  E.g. "image/png" versus "PNG image data, 1435 x 170, 8-bit/color RGB, non-interlaced".

Both types are exposed to users via the {{identify_data}} BIF.  The generic file-over-tcp analyzer also can raise a {{file_transferred}} event that contains both types of info.  Finally, the files framework only relies on the mime type.

How necessary is it to keep the verbose file description functionality in the absence of libmagic?  The way to support it seems like it would be for the file signature regexes to include capture groups to extract all the variable info, but is that possible with Bro's regular expressions?

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
> I think it makes sense to try to make the switch from libmagic to using Bro's own signature engine for file identification before the next release.  Don't want people getting used to magic file format for their own custom file identification rules.

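The two kinds of file information discussed in the comment above, shown as an added example that is not part of the original message and is not Bro or libmagic code. It uses Python's `re` module, not Bro's signature engine, so it does not answer whether Bro's regular expressions support capture groups; the names `identify`, `PNG_MAGIC`, `PNG_IHDR` and the sample header are assumptions made for the illustration.

```python
import re
import struct

# MIME identification needs only the fixed 8-byte PNG signature.
PNG_MAGIC = re.compile(rb"\A\x89PNG\r\n\x1a\n")
# A verbose description needs the variable IHDR fields, taken here with capture
# groups: width, height, bit depth, color type, (skip 2 bytes), interlace flag.
PNG_IHDR = re.compile(rb"\x00\x00\x00\x0dIHDR(.{4})(.{4})(.)(.)..(.)", re.DOTALL)

# Wording chosen to reproduce the description string quoted in the comment.
COLOR = {0: "-bit grayscale", 2: "-bit/color RGB", 3: "-bit colormap",
         4: "-bit gray+alpha", 6: "-bit/color RGBA"}


def identify(data: bytes):
    """Return (mime_type, description); (None, None) when nothing matches."""
    magic = PNG_MAGIC.match(data)
    if magic is None:
        return None, None
    ihdr = PNG_IHDR.match(data, magic.end())
    if ihdr is None:
        # Truncated buffer: the signature matched but the variable fields are
        # not available, so only the MIME type can be reported with confidence.
        return "image/png", "PNG image data"
    width, height = struct.unpack(">II", ihdr.group(1) + ihdr.group(2))
    depth, color, interlace = (ihdr.group(i)[0] for i in (3, 4, 5))
    description = "PNG image data, %d x %d, %d%s, %s" % (
        width, height, depth, COLOR.get(color, "-bit unknown color type"),
        "interlaced" if interlace else "non-interlaced")
    return "image/png", description


# Constructed sample: PNG signature plus an IHDR chunk body (CRC omitted).
SAMPLE = b"\x89PNG\r\n\x1a\n" + struct.pack(
    ">I4sIIBBBBB", 13, b"IHDR", 1435, 170, 8, 2, 0, 0, 0)

if __name__ == "__main__":
    print(identify(SAMPLE))
    print(identify(SAMPLE[:12]))   # first bytes only: MIME type, no detail
    print(identify(b"GIF89a"))     # no PNG signature
```

The MIME type falls out of a fixed-prefix match, while the verbose description depends on extracting and decoding captured bytes, which is the extra capability the comment asks about.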