[Bro] File log

Hosom, Stephen M hosom at battelle.org
Wed Oct 1 06:44:31 PDT 2014 

This is normal. Filename is used for protocols that identify the file name when it is in transit on the network (like HTTP). Generally though… you don’t actually want the filename, so this doesn’t have much impact on Bro’s ability to do cool stuff with files (how would you deal with a trillion copies of index.html, for example?).

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Paul Halliday
Sent: Wednesday, October 01, 2014 9:33 AM
To: bro at bro.org
Subject: [Bro] File log

Is it normal for the 'filename' field to always be empty? The mime_type is almost always identified but the filename field is always '-'

application/vnd.ms-cab-compressed -
application/x-dosexec -
text/plain -
application/x-dosexec -
text/plain -
application/vnd.ms-fontobject -
application/vnd.ms-fontobject -
application/vnd.ms-fontobject -
application/octet-stream -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
image/jpeg -
image/jpeg -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
text/plain -
text/html -
text/html -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/x-dosexec -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
text/plain -
image/jpeg -
application/vnd.ms-cab-compressed -
application/octet-stream -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
image/jpeg -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
image/jpeg -
application/x-dosexec -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
text/html -
text/html -

Thanks.

--
Paul Halliday
http://www.pintumbler.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141001/4b59c515/attachment.html

More information about the Bro mailing list