[Bro-Dev] [JIRA] (BIT-1257) Same file id generated for potentially different files

Jimmy Jones (JIRA) jira at bro-tracker.atlassian.net
Mon Sep 22 13:02:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18205#comment-18205 ] 

Jimmy Jones edited comment on BIT-1257 at 9/22/14 3:01 PM:
-----------------------------------------------------------

scripts/base/protocols/http/files.bro:
{code}
# Any multipart responses from the server are pieces of same file
# that correspond to range requests, so don't use mime depth to
# identify the file.
{code}
Might be true for multipart responses; however, this code is also catching completely separate HTTP sessions, where the URL could be dynamically generated content, so it would merge different pieces of content into a corrupt output, which I don't think is a safe default.

Possibly should be (same as non-range case, but without mime depth - so is limited to merging a single response):
{code}
return cat(Analyzer::ANALYZER_HTTP, c$start_time, is_orig,
           c$http$trans_depth, id_string(c$id));
{code}


was (Author: jimmyjones2):
scripts/base/protocols/http/files.bro:
{quote}
Any multipart responses from the server are pieces of same file
that correspond to range requests, so don't use mime depth to
identify the file.
{quote}
Might be true for multipart responses; however, this code is also catching completely separate HTTP sessions, where the URL could be dynamically generated content, so it would merge different pieces of content into a corrupt output, which I don't think is a safe default.

> Same file id generated for potentially different files
> ------------------------------------------------------
>
>                 Key: BIT-1257
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1257
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: fa.bro, sample-samefileid.pcap
>
>
> Attached sample contains two HTTP downloads of the same URL from the same client, but there are no guarantees that the files are actually the same (no ETags etc. - in this case it actually is the same, but let's pretend they were different...). However, the file analysis framework seems to give the same file ID in file_name and file_chunk for both downloads.
> I think this has something to do with Range requests, as it doesn't happen with "normal" HTTP requests.



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)
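The collision described in the ticket, as an added example that is not part of the original message and not Bro code: a Python model of the two file-handle derivations being compared. The handle for the range-request branch (client host plus URL, with no per-transaction component) is this example's assumption about the behaviour the reporter describes, not a quote of Bro's files.bro; the proposed handle follows the cat(...) expression from the comment above. The connections, ports, timestamps and URL are constructed sample data.

```python
from dataclasses import dataclass

# Added example: a Python model of the file-handle derivation discussed in
# BIT-1257. It is not Bro code; Bro's real get_file_handle() lives in
# scripts/base/protocols/http/files.bro and is written in the Bro language.
ANALYZER_HTTP = "Analyzer::ANALYZER_HTTP"


@dataclass(frozen=True)
class ConnId:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int

    def id_string(self) -> str:
        # Same shape as Bro's id_string(): "orig_h:orig_p > resp_h:resp_p".
        return f"{self.orig_h}:{self.orig_p} > {self.resp_h}:{self.resp_p}"


@dataclass(frozen=True)
class HttpState:
    trans_depth: int      # counts request/response pairs on a keep-alive connection
    url: str
    range_request: bool


@dataclass(frozen=True)
class Connection:
    start_time: float
    id: ConnId
    http: HttpState


def cat(*parts) -> str:
    """Bro's cat(): stringify every argument and concatenate with no separator."""
    out = []
    for p in parts:
        if isinstance(p, bool):
            out.append("T" if p else "F")   # Bro prints bools as T / F
        else:
            out.append(str(p))
    return "".join(out)


def handle_range_as_reported(c: Connection, is_orig: bool) -> str:
    """ASSUMED model of the range-request branch the ticket complains about.

    The ticket says that branch drops the per-transaction identifiers so that
    all range pieces of one file share a handle; the concrete key used here
    (client host + URL) is this example's assumption, not the Bro source.
    """
    return cat(ANALYZER_HTTP, is_orig, c.id.orig_h, c.http.url)


def handle_proposed(c: Connection, is_orig: bool) -> str:
    """The commenter's suggestion: the non-range key, without mime depth."""
    return cat(ANALYZER_HTTP, c.start_time, is_orig,
               c.http.trans_depth, c.id.id_string())


def distinct_handles(downloads, is_orig: bool = False) -> tuple:
    """How many distinct file handles each scheme yields for these responses."""
    reported = {handle_range_as_reported(c, is_orig) for c in downloads}
    proposed = {handle_proposed(c, is_orig) for c in downloads}
    return len(reported), len(proposed)


CLIENT = "10.0.0.5"
SERVER = "192.0.2.10"
URL = "example.test/download.php?id=42"   # constructed; dynamically generated content

# Constructed scenario 1: two Range requests for the same URL over one
# keep-alive connection (trans_depth 1 and 2). The server may return
# different bytes each time, so these are two files, not two pieces of one.
SAME_CONN = [
    Connection(1411400000.0, ConnId(CLIENT, 51000, SERVER, 80),
               HttpState(1, URL, True)),
    Connection(1411400000.0, ConnId(CLIENT, 51000, SERVER, 80),
               HttpState(2, URL, True)),
]

# Constructed scenario 2: the same two downloads on two separate connections.
SEPARATE_CONNS = [
    Connection(1411400000.0, ConnId(CLIENT, 51000, SERVER, 80),
               HttpState(1, URL, True)),
    Connection(1411400030.0, ConnId(CLIENT, 51001, SERVER, 80),
               HttpState(1, URL, True)),
]

# Constructed scenario 3: two byte-range pieces of one multipart response.
# Both are delivered within the same transaction, so the proposed key still
# merges them, which is the case the comment in files.bro wanted to keep.
ONE_RESPONSE_PIECES = [SAME_CONN[0], SAME_CONN[0]]


if __name__ == "__main__":
    for name, scenario in [("same connection", SAME_CONN),
                           ("separate connections", SEPARATE_CONNS),
                           ("pieces of one response", ONE_RESPONSE_PIECES)]:
        print(name, "-> (reported, proposed) distinct handles:",
              distinct_handles(scenario))
```

Under the modelled range-branch key both downloads of the URL collapse to one handle whether they share a connection or not, which is the corrupt-merge the reporter objects to; the proposed key keeps them apart because start_time, trans_depth and the 4-tuple differ, while pieces of a single response still share a handle.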

