[Bro] http.log mime_type mismatch

Josh Liburdi liburdi.joshua at gmail.com
Wed Jun 11 04:59:37 PDT 2014


I'm not familiar with how Wireshark determines mime type, but that
version of Bro uses the libmagic database and primarily determines
mime type by searching for a magic number in the first 1024 bytes of
the file. It's possible that Bro incorrectly determined the mime type.

Changes were made in Bro 2.3 to move away from the libmagic db.
Hopefully this means that, in the future, mime type determination will
be more accurate / extensible. Check the release notes for more info
on that: http://www.bro.org/sphinx-git/install/release-notes.html

-Josh

On Wed, Jun 11, 2014 at 4:58 AM, 김희철 <hckim at narusec.com> wrote:
> Hi everyone
>
> I am testing some of the music streaming services and found one of them
> mismatching mime_type compared to Wireshark.
>
> Wireshark's type is audio/mpeg but bro http.log is text/plain
>
> Is it that bro 2.1 is outputting the wrong type, or do I have to write a
> custom bro script?
>
>
>
> this is the bro 2.1 http.log:
>
> Jun 10 09:20:29 6a7HgNEZlOb 192.X.X.X 53796 8.20.213.33 80 1 POST
> stream66c-he.grooveshark.com /stream.php
> http://grooveshark.com/static/JSQueue_20140421162423.swf Mozilla/5.0
> (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/35.0.1916.114 Safari/537.36 104 10296924 200 OK - - - (empty) - - -
> text/plain - -
>
>
> this is the Wireshark screenshot link
>
> http://ex.narusec.com/data/public/2b0474.php
>
>
> and this is the pcap file (it's about 733MB)
>
> http://ex.narusec.com/data/public/23fac8.php
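As an added illustration of the libmagic-style behaviour Josh describes (a signature search confined to the first 1024 bytes of the body, with a textual fallback), the following is example code written for this thread, not Bro's or libmagic's own. The ID3 and MPEG frame-sync checks, the text/plain fallback rule and the sample bodies are all constructed assumptions; they show how an MP3 stream whose first recognisable frame lies past the sniff window ends up logged as text/plain.

```python
# Simplified magic-number sniffer modelled on the behaviour described in the
# reply: inspect only the leading SNIFF_WINDOW bytes, look for a known
# signature, otherwise fall back to text/plain for printable content.
# Signatures and fallback rule are assumptions; libmagic's database is far larger.
import string

SNIFF_WINDOW = 1024  # leading bytes inspected, per the reply

_PRINTABLE = set(string.printable.encode())


def is_mpeg_frame_sync(b0: int, b1: int) -> bool:
    """True if two bytes form a plausible MPEG audio frame header start:
    11 sync bits set (0xFFE0 mask) and no reserved version/layer values."""
    if b0 != 0xFF or (b1 & 0xE0) != 0xE0:
        return False
    version = (b1 >> 3) & 0x03  # 0b01 is reserved
    layer = (b1 >> 1) & 0x03    # 0b00 is reserved
    return version != 0x01 and layer != 0x00


def signature_offset(data: bytes) -> int:
    """Offset of the first MPEG signature anywhere in the body, or -1.
    Used to show where the magic actually sits relative to SNIFF_WINDOW."""
    if data.startswith(b"ID3"):
        return 0
    for i in range(len(data) - 1):
        if is_mpeg_frame_sync(data[i], data[i + 1]):
            return i
    return -1


def sniff_mime(data: bytes) -> str:
    """MIME guess for an HTTP body, looking only at the first SNIFF_WINDOW bytes."""
    head = data[:SNIFF_WINDOW]
    off = signature_offset(head)
    if off >= 0:
        return "audio/mpeg"
    # Fallback: a window made entirely of printable ASCII is treated as text
    if head and all(b in _PRINTABLE for b in head):
        return "text/plain"
    return "application/octet-stream"


if __name__ == "__main__":
    # Constructed body: 2000 bytes of ASCII padding, then the first MPEG frame
    late_mp3 = b"x" * 2000 + b"\xff\xfb\x90\x00"
    print(sniff_mime(late_mp3), "signature at", signature_offset(late_mp3))
```

A body like `late_mp3` carries its first frame sync at offset 2000, outside the 1024-byte window, so the sniffer reports text/plain even though the whole-body scan finds audio/mpeg.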
