[Bro] File Scanning Capability

Seth Hall seth at icir.org
Mon Mar 21 13:22:10 PDT 2011


On Mar 21, 2011, at 2:49 PM, Seth Hall wrote:

> On Mar 21, 2011, at 2:16 PM, Will wrote:
> 
>> I will without a doubt eventually incorporate "http-ext-identified-files.sig" instead of what I am currently using, but I am having trouble determining where to integrate the logic for handling each file type. As it currently works, I am saving off every pdf and word doc, which would be unnecessary if I used bro to call the external tools and evaluate the results. 
> 
> That won't actually work quite right.  The http-ext-identified-files.sig file uses special signature keywords that the http analyzer provides to detect file types.  It's not directly applicable to SMTP/MIME transfers.


I forgot to mention here that you can do the file detection fully at the script layer with the identify_data function.  It takes a string which is the data at the beginning of a file and a boolean argument.  If the boolean is true, it means you want the mime type (from libmagic), otherwise it returns the description of the file (again, from libmagic).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
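As an added example (not part of the original message, nor a script shipped with Bro), here is what script-layer detection with identify_data looks like for the SMTP/MIME case Will asked about. It assumes the mime_begin_entity / mime_entity_data / mime_end_entity events provided by Bro's MIME analyzer and the identify_data(data: string, return_mime: bool): string function described above; the module name, the set of interesting types and the 1024-byte sniff window are choices made for this example.

```bro
# Added example: identify MIME entity bodies carried over SMTP at the script
# layer with identify_data(), instead of saving every attachment to disk.
# Assumes Bro's mime_* events and the identify_data() BiF; module name,
# interesting_types and sniff_bytes are assumptions made for this example.

module FileIdent;

export {
    # MIME types we care about; anything else is ignored.
    const interesting_types: set[string] = {
        "application/pdf",
        "application/msword",
    } &redef;

    # How many leading bytes to hand to libmagic. Most magic numbers live in
    # the first few hundred bytes, so 1024 is a comfortable margin.
    const sniff_bytes = 1024 &redef;
}

# Per-connection buffer of the first bytes of the entity currently being
# delivered. mime_entity_data() may arrive in chunks smaller than sniff_bytes,
# so accumulate until enough is buffered (or the entity ends).
global entity_head: table[conn_id] of string;
# Connections whose current entity has already been identified.
global entity_done: set[conn_id];

event mime_begin_entity(c: connection)
    {
    entity_head[c$id] = "";
    delete entity_done[c$id];
    }

function check_entity(c: connection, head: string)
    {
    # T -> libmagic mime type, F -> libmagic textual description.
    local mime_type = identify_data(head, T);
    local desc = identify_data(head, F);

    if ( mime_type in interesting_types )
        print fmt("%s %s -> %s: %s (%s)", network_time(),
                  c$id$orig_h, c$id$resp_h, mime_type, desc);
    }

event mime_entity_data(c: connection, length: count, data: string)
    {
    # Ignore entities we never saw begin, or already identified.
    if ( c$id !in entity_head || c$id in entity_done )
        return;

    entity_head[c$id] = entity_head[c$id] + data;

    if ( byte_len(entity_head[c$id]) >= sniff_bytes )
        {
        check_entity(c, sub_bytes(entity_head[c$id], 1, sniff_bytes));
        add entity_done[c$id];
        }
    }

event mime_end_entity(c: connection)
    {
    # Short entity: identify whatever was collected before it ended.
    if ( c$id in entity_head && c$id !in entity_done )
        check_entity(c, entity_head[c$id]);

    delete entity_head[c$id];
    delete entity_done[c$id];
    }
```

Two points worth keeping in mind when adapting this: mime_entity_data() hands the script the decoded entity body (after base64 or quoted-printable decoding), which is what libmagic needs, and the buffer must be bounded (here by sniff_bytes and by deleting state in mime_end_entity), since otherwise a long attachment would be accumulated in script-layer memory for nothing.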