[Bro] Bro Cannot Get ‘Resp_mime_types' properly in http.log
赵芮元
zryzregister at 163.com
Sat Oct 4 19:00:54 PDT 2014
Hi Brolist,
I ran some interesting pcaps through Bro-2.3, but there are some HTTP sessions that Bro-2.3 cannot handle properly.
For example, this pcap file from malware-traffic-analysis.net: http://malware-traffic-analysis.net/2014/10/03/2014-10-03-Sweet-Orange-EK-traffic.pcap This is exploit traffic, and Bro cannot get 'resp_mime_types' for the request to 'b.epavers.com/alterra/lLWZm'.
As shown above, Bro-2.3 parses the 'resp_mime_types' as '-'. But in fact, when I use Wireshark to parse this stream, the type is 'application/x-shockwave-flash'.
In fact I have encountered this problem quite a few times, so I wonder why this happens and how to solve it!
Thanks a lot if anyone can answer my question!
Yours,
Rui-Yuan
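As an added example (not part of the original post and not Bro's own code), a small Python triage script that parses a constructed, abridged http.log in the Bro 2.3 layout and lists the responses that carried a body but where resp_mime_types stayed '-', so those files can be pulled for manual inspection; the SWF check is a plain magic-byte test on an extracted file, not Bro's own MIME detection.

```python
"""Triage Bro http.log entries whose response MIME type came back unset."""
import io

# Constructed, abridged http.log (Bro 2.3 layout: tab-separated, '#fields'
# header, '-' for unset). The host/URI match the ones quoted in the post; the
# uids, timestamps and sizes are made up.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\thost\turi\tstatus_code\tresponse_body_len\tresp_fuids\tresp_mime_types
#types\ttime\tstring\tstring\tstring\tcount\tcount\tvector[string]\tvector[string]
1412384000.1\tCabc1\tb.epavers.com\t/alterra/lLWZm\t200\t81234\tFxyz1\t-
1412384001.2\tCabc2\tb.epavers.com\t/\t200\t5120\tFxyz2\ttext/html
1412384002.3\tCabc3\texample.net\t/img.png\t304\t0\t-\t-
#close\t2014-10-05-09-55-41
"""

# First bytes of a SWF file: "FWS" (uncompressed), "CWS" (zlib), "ZWS" (LZMA).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields, unset = None, "-"
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#unset_field"):
            unset = line.split("\t", 1)[1]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #types, #close ...)
        else:
            values = [None if v == unset else v for v in line.split("\t")]
            yield dict(zip(fields, values))


def untyped_responses(text):
    """Records that carried a response body but got no resp_mime_types."""
    return [rec for rec in parse_bro_log(text)
            if rec["resp_mime_types"] is None
            and int(rec["response_body_len"] or 0) > 0]


def looks_like_swf(first_bytes):
    """Magic-byte check for Flash content on a file extracted from the pcap."""
    return first_bytes[:3] in SWF_MAGIC
```

Run untyped_responses() over the real http.log and compare each flagged record's resp_fuids against the files Bro extracted (or the body carved by Wireshark) to see which detections were missed.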