[Bro-Dev] ASCII response filetype
Seth Hall
seth at corelight.com
Mon Sep 18 13:59:31 PDT 2017
On 18 Sep 2017, at 16:43, Keith Lehigh wrote:
> Hi Folks,
> I’ve been mulling over an addition to the file mime type
> signature that consists of “1 to 16 ASCII readable characters”.
> 16 is an arbitrary length cutoff. The purpose of this signature would
> be to log instances where a short status code is returned by a web
> service. I see lots of responses like “[]” or “OK” or
> “Success” and currently these are logged in files.log as unknown
> file types. I think Bro would be improved by logging a filetype for
> these responses.
What about creating a mime type for an enumerated list of all of the
ones you find? With a pattern like /^(OK|Success|0|1)$/
That way you could avoid other short responses from getting caught up in
the net. I also suspect that [] should be something different because
if you see that over HTTP, it's probably in most cases just an empty
JSON array.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
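
The two approaches discussed above, compared side by side as an added example; it is not part of the original message and is not Bro code. It assumes each rule is matched against the entire response body, that "readable" means bytes 0x20-0x7e, and it uses hypothetical labels and constructed sample bodies.

```python
import re

# Proposal in the quoted message: 1 to 16 readable ASCII characters.
# Assumption: "readable" means the printable range 0x20-0x7e.
BROAD = re.compile(rb"[\x20-\x7e]{1,16}")
# Suggestion in the reply: an enumerated list of known status strings.
ENUMERATED = re.compile(rb"(OK|Success|0|1)")
# The reply's point about []: most likely an empty JSON array.
EMPTY_JSON_ARRAY = re.compile(rb"\[\s*\]")

# Hypothetical labels, not MIME types that Bro ships.
STATUS = "text/x-status-code"
JSON = "application/json"


def classify_broad(body):
    """Label any short printable body as a status code."""
    return STATUS if BROAD.fullmatch(body) else None


def classify_enumerated(body):
    """Label only known status strings; treat [] as JSON."""
    if EMPTY_JSON_ARRAY.fullmatch(body):
        return JSON
    if ENUMERATED.fullmatch(body):
        return STATUS
    return None


# Constructed sample bodies: real status replies plus short bodies
# that only look like status codes because they are printable.
SAMPLES = [b"OK", b"Success", b"0", b"[]", b"GIF89a",
           b"%PDF-1.4", b'{"a":1}', b"MZ\x90\x00"]


def over_matched(samples):
    """Bodies the broad rule calls a status code but the enumerated rule does not."""
    return [s for s in samples
            if classify_broad(s) == STATUS and classify_enumerated(s) != STATUS]


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify_broad(s), classify_enumerated(s))
    print("over-matched by the broad rule:", over_matched(SAMPLES))
```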