[Bro-Dev] [JIRA] (BIT-465) Fix up the MIME analyzer
Jon Siwek (JIRA)
jira at bro-tracker.atlassian.net
Tue Mar 17 10:02:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19995#comment-19995 ]
Jon Siwek commented on BIT-465:
Related to BIT-698 (maybe some duplicates, didn't check closely).
> Fix up the MIME analyzer
> Key: BIT-465
> URL: https://bro-tracker.atlassian.net/browse/BIT-465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Labels: analyzer
> Fix For: 2.5
> The mime analyzer has a lot of inconsistency issues and is broken in a few places.
> * mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well. Delete it?
> * mime_all_data is probably also a bad idea. Especially for large files. Delete it?
> * mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply. The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data.
> * mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted.
> * mime_one_header should probably be renamed to mime_header for consistency.
> * I have no clue what mime_event is for. Is it necessary?
> * mime_content_hash gives a non-printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer.
> * The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG
> * mime_end_entity is generated multiple times in some cases when it shouldn't be. It's something to keep an eye out for; I never dug into it enough to find out what caused it.