[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identification

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Thu Feb 20 14:59:37 PST 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15572#comment-15572 ] 

Jon Siwek commented on BIT-1143:
--------------------------------

{quote}
Could we do a middle way: try our own signatures first and if they yield something, that's what we take. If not, use whatever libmagic reports (potentially also filtering out those cases for which we do have signatures so that libmagic won't overrule them).
{quote}

In that case, what's gained from Bro having its own file magic signatures instead of just using libmagic by itself?

If Bro did completely switch to its own magic sigs, I think we have to do a best effort approach to porting all the current MIME magics.  Tests for everything would be nice, but I don't think a test per MIME is a requirement for now.  libmagic isn't exactly thoroughly tested at the moment either.  We could probably just have tests for common cases first and do obscure ones later.  And I actually see keeping the dependence on libmagic as a somewhat higher maintainability cost than switching to signatures.

The effort to port the magics is still unknown, but hopefully it could be done systematically or at least go fast once one understands the process of manually converting them.

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's own signature engine for file identification before the next release.  Don't want people getting used to magic file format for their own custom file identification rules.
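The "middle way" quoted in the comment (own signatures first, libmagic only as a fallback, and never letting the fallback overrule a type the signature set already covers) is easy to misread as "run both and pick one". The following Python sketch is an added example written for this page; it is not Bro's file-magic engine nor its signature syntax. The signature table, the strength values and the `libmagic_fallback` stand-in are constructed for illustration (a real deployment would call libmagic instead of the heuristic stub), and the suppression rule shows what "filtering out those cases for which we do have signatures" means in practice:

```python
import re

# Constructed signature table (NOT Bro's file-magic signatures): each entry is an
# anchored byte regex over the leading bytes, the MIME type it identifies, and a
# strength used to break ties when several signatures fire on the same data.
SIGNATURES = [
    ("application/pdf", 80, re.compile(rb"%PDF-")),
    ("image/png", 100, re.compile(rb"\x89PNG\r\n\x1a\n")),
    ("image/gif", 100, re.compile(rb"GIF8[79]a")),
    ("image/jpeg", 100, re.compile(rb"\xff\xd8\xff")),
    ("application/zip", 50, re.compile(rb"PK\x03\x04")),
    ("text/html", 20, re.compile(rb"\s*<(!DOCTYPE\s+html|html)", re.IGNORECASE)),
]

# MIME types the signature set claims to cover; the fallback is not allowed to
# report any of these, so a missed signature cannot be "rescued" by libmagic.
COVERED = frozenset(m for m, _, _ in SIGNATURES)


def match_signatures(data: bytes):
    """Return (mime, strength) of the strongest signature matching at offset 0, else None."""
    best = None
    for mime, strength, pat in SIGNATURES:
        if pat.match(data) and (best is None or strength > best[1]):
            best = (mime, strength)
    return best


def libmagic_fallback(data: bytes) -> str:
    """Hypothetical stand-in for libmagic.  It deliberately behaves like libmagic's
    looser soft-magic heuristics: it will call data HTML if an <html tag appears
    anywhere, and otherwise decides text vs. binary from the printable ratio."""
    if not data:
        return "application/x-empty"
    if b"<html" in data.lower():
        return "text/html"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "text/plain" if printable / len(data) > 0.95 else "application/octet-stream"


def identify(data: bytes):
    """Middle-way policy: signatures win when they match; otherwise consult the
    fallback, but suppress a fallback verdict for a type the signatures cover."""
    hit = match_signatures(data)
    if hit is not None:
        return hit[0], "signature"
    verdict = libmagic_fallback(data)
    if verdict in COVERED:
        # Our signature for this type did not fire, so we do not trust the looser
        # fallback heuristic to overrule it; report the data as opaque instead.
        return "application/octet-stream", "fallback-suppressed"
    return verdict, "fallback"


# Constructed sample inputs (truncated file heads, not real files).
SAMPLES = {
    "pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "html": b"  <!DOCTYPE html><html><head></head></html>",
    "plain": b"just some ordinary text\n",
    "binary": b"\x00\x01\x02\xff\xfe\xfd",
    "late_html": b"Note: the page contained an <html> tag mid-stream",
    "empty": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        mime, source = identify(data)
        print(f"{name:10s} {mime:30s} via {source}")
```

Running it shows the two behaviours the comment argues about: the `late_html` sample is something libmagic-style heuristics would happily call HTML, but because `text/html` is a covered type and the anchored signature did not match, the policy refuses to let the fallback overrule it; `plain` and `binary`, which no signature covers, still get a fallback verdict.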



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)

