[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identification

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Feb 20 07:59:38 PST 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568#comment-15568 ] 

Robin Sommer commented on BIT-1143:

Agree with Seth on the verbose descriptions. While they are nice to have (it's kind of cool to look at the logs and see what level of detail Bro has figured out), they don't seem worth the trouble.

However I remain torn on completely replacing the MIME type detection with our own signatures. I'm concerned that we lose valuable information that way: right now, we can detect a variety of MIME types. While we don't use many of them further, even the more obscure ones get logged at least, and that seems useful. If we switch to signatures, we either have to limit the set significantly to the main cases, or we'd need to write tons of rarely used signatures that will be hard to test and maintain.

Could we do a middle way: try our own signatures first and if they yield something, that's what we take. If not, use whatever libmagic reports (potentially also filtering out those cases for which we do have signatures so that libmagic won't overrule them).  

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
> I think it makes sense to try to make the switch from libmagic to using Bro's own signature engine for file identification before the next release.  Don't want people getting used to magic file format for their own custom file identification rules.
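The "middle way" proposed in the comment above (own signatures first, libmagic only as a fallback, and the fallback not allowed to overrule a type we cover ourselves), written out as an added example. This is not Bro's code and makes no libmagic call: the signature table, the `demo_fallback` stand-in for libmagic and the sample buffers are all constructed for the demo, and the `identify` function is the hypothetical glue the comment describes.

```python
"""Signature-first MIME detection with a libmagic-style fallback.

Added example; not Bro/Zeek code. SIGNATURES, demo_fallback and SAMPLES
are constructed for this demo.
"""
import re
from typing import Callable, Optional, Tuple

# (mime type, regex anchored at offset 0 of the file buffer).
# First match wins, so order the table from most to least specific.
SIGNATURES = (
    ("application/pdf", re.compile(rb"^%PDF-")),
    ("image/png", re.compile(rb"^\x89PNG\r\n\x1a\n")),
    ("image/gif", re.compile(rb"^GIF8[79]a")),
    ("application/zip", re.compile(rb"^PK\x03\x04")),
    ("text/html", re.compile(rb"^\s*<(!DOCTYPE\s+html|html)", re.IGNORECASE)),
)

# Types for which our own signatures are authoritative. If the fallback
# engine claims one of these but our signature did not fire, the claim is
# dropped so the fallback cannot overrule our engine (the filtering step
# suggested in the comment).
OWN_TYPES = frozenset(mime for mime, _ in SIGNATURES)

Fallback = Callable[[bytes], Optional[str]]


def match_signatures(buf: bytes) -> Optional[str]:
    """First pass: our own signatures over the leading bytes of the file."""
    for mime, pattern in SIGNATURES:
        if pattern.match(buf):
            return mime
    return None


def identify(buf: bytes, fallback: Fallback) -> Tuple[Optional[str], str]:
    """Return (mime_type, source); source is 'signature', 'fallback' or 'none'."""
    mime = match_signatures(buf)
    if mime is not None:
        return mime, "signature"
    claimed = fallback(buf)
    if claimed is None:
        return None, "none"
    if claimed in OWN_TYPES:
        # Fallback claims a type we cover ourselves, but our signature did
        # not match: refuse the claim rather than let it overrule us.
        return None, "none"
    return claimed, "fallback"


def demo_fallback(buf: bytes) -> Optional[str]:
    """Constructed stand-in for libmagic (no real libmagic call).

    Knows two formats our table does not cover, plus a deliberately loose
    PDF heuristic so the overrule filter in identify() gets exercised.
    """
    if buf.startswith(b"\x7fELF"):
        return "application/x-executable"
    if buf.startswith(b"\xd0\xcf\x11\xe0"):
        return "application/msword"
    if b"%PDF" in buf:
        return "application/pdf"
    return None


# Constructed sample buffers, one per code path.
SAMPLES = {
    "pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",       # our signature fires
    "elf": b"\x7fELF\x02\x01\x01\x00",             # only the fallback knows it
    "pdfish": b"junk %PDF inside",                 # fallback overruled, dropped
    "blob": b"\x00\x01\x02\x03",                   # nobody knows it
}


def run_demo():
    """Classify every sample; returns {name: (mime, source)}."""
    return {name: identify(buf, demo_fallback) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, (mime, source) in run_demo().items():
        print(f"{name:7} {mime!s:28} via {source}")
```

The fallback is passed in as a callable so the same `identify` works whether the second opinion comes from libmagic, from a larger signature set, or from nothing at all; the `OWN_TYPES` check is the part that keeps a loose external rule from silently reintroducing a type the project has decided to own.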

This message was sent by Atlassian JIRA
