[Bro-Dev] [JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identificaiton

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Feb 20 16:03:38 PST 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15573#comment-15573 ] 

Robin Sommer commented on BIT-1143:

I was thinking better control over the matching, but I guess there's
not really that much to gain in addition.

Can this be (semi-)automated, i.e., converting the magic mime db into
Bro regular expressions?

Also, we should investigate performance: Bro's signature engine
doesn't have a reputation for being the fastest in the world. :) Hard
to predict how it performs compared to libmagic; but then I also don't
know if it mattered much if the file type detection got slower.

One more caveat, something I actually didn't think about so far: the
signature engine has some depenedencies on connection state, not sure
if using files as the analysis units goes without pain.


So if we can basically keep detecting all the MIME types we currently
find, without hurting performance in a significant way, I'm fine fully

> Investigate replacing libmagic w/ signatures for file identificaiton
> --------------------------------------------------------------------
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
> I think it makes sense to try to make the switch from libmagic to using Bro's own signature engine for file identification before the next release.  Don't want people getting used to magic file format for their own custom file identification rules.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list