[Bro] Empty mime type in http.log

[Zainab Abaid]

Hi,

I'm trying to use Bro to identify content types in http traces - so I'm
looking at the orig_mime_types and resp_mime_types columns in http.log.
Now, I captured a trace where I blocked all applications except Google
chrome, and then used Chrome to play a bunch of videos on Dailymotion. Then
I ran Bro over this trace and then ran the following command over the
output:

cat http.log | bro-cut orig_mime_types resp_mime_types | sort | uniq -c

This is the output I got:

     88 -    -
     35 -    application/octet-stream
     12 -    application/xml
     25 -    image/gif
    188 -    image/jpeg
      1 -    image/png
     13 -    text/html
     59 -    text/plain
     24 text/plain    text/plain

I can't figure out why blanks are appearing in so many of the lines. There
are 88 lines where the content type (in both resp and orig columns) is
empty - what does that signify? I did see that Bro uses signature matching
to correct missing or incorrect file types. Does a "-" mean Bro wasn't able
to match any signature to the content being transferred? Or that it found
nothing in the HTTP header's content type field?

Thanks,
Zainab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131223/ae0fcff4/attachment.html