[Bro] Empty mime type in http.log
Zainab Abaid
zainab.abaid at gmail.com
Mon Dec 23 03:28:03 PST 2013
Hi,
I'm trying to use Bro to identify content types in http traces - so I'm
looking at the orig_mime_types and resp_mime_types columns in http.log.
Now, I captured a trace where I blocked all applications except Google
Chrome, and then used Chrome to play a bunch of videos on Dailymotion. Then
I ran Bro over this trace and then ran the following command over the
output:
cat http.log | bro-cut orig_mime_types resp_mime_types | sort | uniq -c
This is the output I got:
88 - -
35 - application/octet-stream
12 - application/xml
25 - image/gif
188 - image/jpeg
1 - image/png
13 - text/html
59 - text/plain
24 text/plain text/plain
I can't figure out why blanks are appearing in so many of the lines. There
are 88 lines where the content type (in both resp and orig columns) is
empty - what does that signify? I did see that Bro uses signature matching
to correct missing or incorrect file types. Does a "-" mean Bro wasn't able
to match any signature to the content being transferred? Or that it found
nothing in the HTTP header's content type field?
Thanks,
Zainab
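As an added example (not part of the original post), here is a small parser for the ASCII Bro log format that reproduces the tally of the bro-cut | sort | uniq -c pipeline while honouring the markers the log declares in its own header. In a Bro log the #unset_field header (default "-") marks a column that was never assigned a value for that record, while #empty_field (default "(empty)") marks a column that was set to an empty value, so the two are worth keeping apart when counting. The sample http.log, its shortened field list, the uids and hostnames are all constructed for the example, and the function names are hypothetical.

```python
"""Tally (orig_mime_types, resp_mime_types) pairs from a Bro ASCII http.log.

Hypothetical example: reads the log's own #separator, #set_separator,
#unset_field and #empty_field headers instead of hard-coding them, then
counts mime-type pairs the way `bro-cut orig_mime_types resp_mime_types |
sort | uniq -c` would, and lists the records where both columns are unset.
"""
from collections import Counter

# Constructed sample log. The field list is shortened relative to a real
# http.log; uids, hosts and timestamps are made up.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tmethod\thost\turi\tstatus_code\torig_mime_types\tresp_mime_types
#types\ttime\tstring\tstring\tstring\tstring\tcount\tvector[string]\tvector[string]
1387792083.000000\tCabc1\tGET\twww.dailymotion.com\t/\t200\t-\ttext/html
1387792084.000000\tCabc2\tGET\tstatic.dailymotion.com\t/a.jpg\t200\t-\timage/jpeg
1387792085.000000\tCabc3\tGET\tstatic.dailymotion.com\t/b.jpg\t200\t-\timage/jpeg
1387792086.000000\tCabc4\tHEAD\tproxy.dailymotion.com\t/ping\t204\t-\t-
1387792087.000000\tCabc5\tPOST\tlog.dailymotion.com\t/t\t200\ttext/plain\ttext/plain
1387792088.000000\tCabc6\tGET\tcdn.dailymotion.com\t/seg.ts\t200\t-\tapplication/octet-stream
#close\t2013-12-23-03-28-03
"""


def parse_bro_log(text):
    """Parse an ASCII Bro log into (header, records).

    header holds the markers the log declares for itself; each record is a
    dict keyed by field name holding the raw string values.
    """
    header = {"separator": "\t", "set_separator": ",",
              "unset_field": "-", "empty_field": "(empty)", "fields": None}
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written as an escape sequence (\x09).
            raw = line[len("#separator "):]
            header["separator"] = raw.encode().decode("unicode_escape")
            continue
        sep = header["separator"]
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                header["fields"] = value.split(sep)
            elif key in ("set_separator", "unset_field", "empty_field"):
                header[key] = value
            continue  # #types, #path, #open, #close carry no records
        values = line.split(sep)
        if header["fields"] is None or len(values) != len(header["fields"]):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append(dict(zip(header["fields"], values)))
    return header, records


def decode_vector(raw, header):
    """Interpret a vector[string] column: None if unset, [] if empty, else its items."""
    if raw == header["unset_field"]:
        return None
    if raw == header["empty_field"]:
        return []
    return raw.split(header["set_separator"])


def count_mime_pairs(text):
    """Count (orig_mime_types, resp_mime_types) pairs, rendered as bro-cut prints them."""
    header, records = parse_bro_log(text)

    def show(raw):
        items = decode_vector(raw, header)
        if items is None:
            return header["unset_field"]
        if not items:
            return header["empty_field"]
        return header["set_separator"].join(items)

    return Counter((show(r["orig_mime_types"]), show(r["resp_mime_types"]))
                   for r in records)


def records_with_no_mime_type(text):
    """Return (uid, method, status_code) for records where both mime columns are unset."""
    header, records = parse_bro_log(text)
    return [(r["uid"], r["method"], r["status_code"]) for r in records
            if decode_vector(r["orig_mime_types"], header) is None
            and decode_vector(r["resp_mime_types"], header) is None]


if __name__ == "__main__":
    for (orig, resp), n in sorted(count_mime_pairs(SAMPLE_HTTP_LOG).items()):
        print("%4d %s %s" % (n, orig, resp))
    print(records_with_no_mime_type(SAMPLE_HTTP_LOG))
```

Replace SAMPLE_HTTP_LOG with the contents of a real http.log to run it against a trace. The second function is the check a practitioner would want next: for the "- -" rows it prints the method and status code, which shows whether any body was transferred at all (a HEAD request or a 204/304 response carries none), so those rows can be separated from the ones where a body existed and still received no type.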