[Bro] File Extraction Related Scripting Questions

Jason Batchelor jxbatchelor at gmail.com
Fri Sep 19 10:41:14 PDT 2014


> I view this as the opportunity. We can make type signatures and
> indicators that fit our use case. Are you interested in leading an effort
> to clean up the MS Office document identification? That's a nice, tightly
> defined problem scope and it sounds like it's in an area that you need to
> address for yourself anyway.

I would be :). Would you mind pointing me in the right direction on how I
might make type signatures and indicators as you describe? If it is as
simple as adding more detailed content to an existing file or library,
could you point me to the file I should be tinkering with? I've done this
sort of stuff before with Yara but have not explored doing so with Bro.

Thanks,
Jason

On Fri, Sep 19, 2014 at 12:06 PM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 19, 2014, at 11:57 AM, Jason Batchelor <jxbatchelor at gmail.com>
> wrote:
>
> > It may be purposeful, since all OLECF files have the same magic (D0 CF
> 11 E0 A1 B1 1A E1). Is this the case? Would it be more appropriate/clear to
> have a MIME type such as 'application/ole'? Additionally, if you look 512
> bytes in you can determine the type of file for older office documents. Is
> this an opportunity to create clearer, more specific file type signatures?
>
> I view this as the opportunity.  We can make type signatures and
> indicators that fit our use case.  Are you interested in leading an effort
> to clean up the MS Office document identification?  That's a nice, tightly
> defined problem scope and it sounds like it's in an area that you need to
> address for yourself anyway.
>
> >  I am certainly not an authority on this matter, but would appreciate
> any insight into the topic as it will help drive the direction of a
> solution I am developing.
>
> The general problem with this stuff is that everyone ends up saying the
> same thing.  I'm sure that even libmagic developers would say the same
> thing because they are just trying to show mime types that are defined and
> allocated by IANA.  This is an area where we're just going to have to let
> ourselves be free to extend and expand beyond libmagic or even IANA in some
> cases (they have a mechanism for unallocated extensions that we should
> evaluate closely).
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
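The two identification strategies discussed above, as an added example that is not code from the Bro project or from either poster: every OLECF (compound file) starts with the same magic D0 CF 11 E0 A1 B1 1A E1, so telling Word, Excel and PowerPoint apart needs either the "look 512 bytes in" heuristic (the bytes at the start of sector 0, which is where libmagic-style rules look: the Word 97+ FIB signature, an Excel BIFF8 BOF record, or the PowerPoint DocumentContainer record header) or a walk of the compound file's directory for the stream names WordDocument, Workbook/Book and "PowerPoint Document". The two sample documents are constructed inline and are not real Office files; the generic fallback type "application/x-ole-storage" is a placeholder of mine, not an IANA-registered type.

```python
"""Legacy MS Office (OLECF / CFB) type identification.

Added example, not code from the Bro project or from the thread: it checks
the shared OLECF magic, applies the "look 512 bytes in" heuristic, and then
walks the compound-file directory for the stream names that really tell
Word, Excel and PowerPoint apart. The two sample documents are constructed
inline and are not real Office files.
"""
import struct

OLECF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # identical for every OLECF file
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
GENERIC_OLE = "application/x-ole-storage"  # assumption: placeholder, not an IANA type

# Bytes seen at offset 512 (start of sector 0) when the main stream happens to be
# the first sector written: Word 97+ FIB signature (wIdent 0xA5EC, nFib 0xC1),
# Excel BIFF8 BOF record (0x0809, len 16, ver 0x0600, workbook globals) and the
# PowerPoint DocumentContainer record header (recVer 0x000F, recType 0x03E8).
OFFSET_512_SIGS = {
    b"\xec\xa5\xc1\x00": "application/msword",
    b"\x09\x08\x10\x00\x00\x06\x05\x00": "application/vnd.ms-excel",
    b"\x0f\x00\xe8\x03": "application/vnd.ms-powerpoint",
}
# Directory stream names that identify the application whatever the sector layout.
STREAM_TO_MIME = {
    "WordDocument": "application/msword",
    "Workbook": "application/vnd.ms-excel",
    "Book": "application/vnd.ms-excel",
    "PowerPoint Document": "application/vnd.ms-powerpoint",
}


def identify_by_offset(data):
    """libmagic-style check: shared magic first, then whatever sits at byte 512."""
    if data[:8] != OLECF_MAGIC:
        return None
    for sig, mime in OFFSET_512_SIGS.items():
        if data[512:512 + len(sig)] == sig:
            return mime
    return GENERIC_OLE  # OLE, but sector 0 is not a recognised stream start


def _sector(data, size, n):
    return data[(n + 1) * size:(n + 2) * size]  # sector 0 follows the 512-byte header


def stream_names(data):
    """Follow the FAT through the directory chain and return every entry name."""
    if data[:8] != OLECF_MAGIC:
        raise ValueError("not an OLECF file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:num_fat]:  # header DIFAT only (small files)
        fat.extend(struct.unpack("<%dI" % (size // 4), _sector(data, size, s)))
    names, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:  # ends at ENDOFCHAIN/FREESECT and on loops
        seen.add(sec)
        chunk = _sector(data, size, sec)
        for off in range(0, size, 128):
            name_len, obj_type = struct.unpack_from("<HB", chunk, off + 64)
            if obj_type and name_len >= 2:  # skip unused entries; name_len counts the NUL
                names.append(chunk[off:off + name_len - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names


def identify_by_streams(data):
    for name in stream_names(data):
        if name in STREAM_TO_MIME:
            return STREAM_TO_MIME[name]
    return GENERIC_OLE


def _dir_entry(name, obj_type, child, start, length):
    e = bytearray(128)
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 116, start, length)
    return bytes(e)


def build_olecf(stream_name, payload, stream_first):
    """Constructed sample: header plus FAT, directory and one stream, one sector each."""
    fat_sec, dir_sec, stm_sec = (1, 2, 0) if stream_first else (0, 1, 2)
    hdr = bytearray(512)
    hdr[:8] = OLECF_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # versions, byte order, shifts
    struct.pack_into("<IIII", hdr, 40, 0, 1, dir_sec, 0)            # one FAT sector, first dir sector
    struct.pack_into("<IIIII", hdr, 56, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT / DIFAT
    struct.pack_into("<109I", hdr, 76, fat_sec, *([FREESECT] * 108))
    fat = [FREESECT] * 128
    fat[fat_sec], fat[dir_sec], fat[stm_sec] = FATSECT, ENDOFCHAIN, ENDOFCHAIN
    sectors = [None] * 3
    sectors[fat_sec] = struct.pack("<128I", *fat)
    sectors[dir_sec] = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                        + _dir_entry(stream_name, 2, NOSTREAM, stm_sec, len(payload))
                        + bytes(256))
    sectors[stm_sec] = payload.ljust(512, b"\x00")
    return bytes(hdr) + b"".join(sectors)


# Constructed inputs: the Word sample keeps its WordDocument stream in sector 0, so both
# checks agree; the Excel sample has the FAT in sector 0, so only the directory walk works.
SAMPLE_WORD = build_olecf("WordDocument", b"\xec\xa5\xc1\x00" + bytes(28), stream_first=True)
SAMPLE_XLS = build_olecf("Workbook", b"\x09\x08\x10\x00\x00\x06\x05\x00", stream_first=False)

if __name__ == "__main__":
    for label, doc in (("word", SAMPLE_WORD), ("xls", SAMPLE_XLS)):
        print(label, identify_by_offset(doc), identify_by_streams(doc), stream_names(doc))
```

The design point worth keeping in mind when turning this into signatures: the offset-512 check needs only the first kilobyte of the file, which is what a beginning-of-file magic rule sees, but it silently degrades to "some OLE file" whenever the application stream is not the first sector written (the Excel sample above shows this). The directory walk is robust to layout but needs the header, FAT and directory sectors, so it belongs in a file analyzer that sees the extracted file rather than in a magic signature.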