[Bro-Dev] [JIRA] (BIT-465) Fix up the MIME analyzer

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 17 10:02:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19995#comment-19995 ] 

Jon Siwek commented on BIT-465:

Related to BIT-698 (maybe some duplicates, didn't check closely).

> Fix up the MIME analyzer
> ------------------------
>                 Key: BIT-465
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-465
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>              Labels: analyzer
>             Fix For: 2.5
> The mime analyzer has a lot of inconsistency issues and is broken in a few places.
> * mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well.  Delete it?
> * mime_all_data is probably also a bad idea.  Especially for large files.  Delete it?
> * mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply.  The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data.
> * mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted.
> * mime_one_header should probably be renamed to mime_header for consistency.
> * I have no clue what mime_event is for.  Is it necessary?
> * mime_content_hash gives a non printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer.
> * The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG
> * mime_end_entity is generated generated multiple times in some cases when it shouldn't be.  It's something to keep an eye out for, I never dug into it enough to find out what caused it.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list