[Bro-Dev] [JIRA] (BIT-1257) Same file id generated for potentially different files

[Seth Hall (JIRA)]

    [ https://bro-tracker.atlassian.net/browse/BIT-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18204#comment-18204 ] 

Seth Hall commented on BIT-1257:
--------------------------------

Do you have any suggestions on what our default file identification code should look like for HTTP?  It's something that you have the ability to change without making any core changes in Bro as I pointed out in my previous comment.

> Same file id generated for potentially different files
> ------------------------------------------------------
>
>                 Key: BIT-1257
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1257
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: fa.bro, sample-samefileid.pcap
>
>
> Attached sample contains two HTTP downloads of the same URL from the same client, but there are no guarantees that the files is actually the same (no Etags etc - in this case it actually is the same, but lets pretend they were different...). However the file analysis framework seems to give the same file ID in file_name and file_chunk for both downloads.
> Think this is something to do with Range requests as doesn't happen if do "normal" HTTP requests.



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)