[Bro] File Extraction Related Scripting Questions

Jason Batchelor jxbatchelor at gmail.com
Thu Sep 25 10:16:58 PDT 2014


Just FYI to the group, I created the following after having spent some time
looking at magic.sig. I placed them in general.sig and so far they seem to
do the trick on identifying OLECF (legacy MS Office) and OOXML (modern MS
Office) documents.

Seth indicated to me offline this would be reviewed and folded into the
next release.

For your immediate use.
# Jason Batchelor Edits, 9/19/2014
# Signatures informed by the following resource
# http://www.garykessler.net/library/file_sigs.html
signature file-olecf {
    file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/
    file-mime "application/olecf", 150
}
signature file-ooxml {
    file-magic /(\x50\x4b\x03\x04\x14\x00\x06\x00)/
    file-mime "application/vnd.openxmlformats-officedocument", 100
}

On Fri, Sep 19, 2014 at 1:50 PM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 19, 2014, at 1:41 PM, Jason Batchelor <jxbatchelor at gmail.com>
> wrote:
>
> > I would be :).
>
> Woo!
>
> > Would you mind pointing me in the right direction to how I might make
> type signatures and indicators as you describe.
>
> https://github.com/bro/bro/tree/master/scripts/base/frameworks/files/magic
>
> Any attention to those file detections would be great.  I would also like
> to start getting some tests in place that verify we are detecting these
> files correctly going into the future.  Feel free to ask if you have any
> questions.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
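An added example (not from the thread, not Bro code) showing what the two signatures above actually match and where a pure magic-byte check stops short. The OLECF bytes identify the compound-file container, which legacy Office uses but so do other formats; the OOXML bytes are a ZIP local file header with particular version and general-purpose flag bytes, so they fire on ZIPs written that way and miss OOXML documents whose first header carries different flag bytes. The script reproduces both patterns anchored at offset 0, then adds a content check for the OOXML case (an OOXML file is a ZIP whose root contains `[Content_Types].xml`). All sample inputs are constructed in the script; the Python `zipfile` module writes flag bytes `00 00`, which is what makes the constructed archive a useful negative case for the narrow 8-byte magic.

```python
"""Magic-byte identification of OLECF and OOXML containers, plus a
content-based check for OOXML.  Added example; not part of the Bro
magic signatures or the mailing-list thread."""
import io
import re
import zipfile

# Same byte sequences as the file-magic patterns in the two Bro
# signatures from the thread, anchored at offset 0 via re.match.
MAGIC = {
    "olecf": re.compile(rb"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    "ooxml": re.compile(rb"\x50\x4b\x03\x04\x14\x00\x06\x00"),
}


def match_magic(data: bytes):
    """Return the name of the first signature whose pattern matches the
    start of data, or None.  This mirrors what the signatures flag."""
    for name, pattern in MAGIC.items():
        if pattern.match(data):
            return name
    return None


def is_ooxml_container(data: bytes) -> bool:
    """Stronger check, usable once the whole file has been extracted:
    an OOXML document is a ZIP archive with [Content_Types].xml at the
    root.  Independent of the flag bytes in the first local header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_ooxml_like_zip() -> bytes:
    """Constructed sample: a minimal archive with the OOXML marker entry,
    written by Python's zipfile rather than by MS Office.  zipfile emits
    general-purpose flag bytes 00 00, not the 06 00 in the magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed samples; only the leading bytes matter for match_magic.
SAMPLE_OLECF = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_OOXML_HEADER = b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 20
SAMPLE_TEXT = b"Hello, this is plain text\n"


if __name__ == "__main__":
    python_zip = build_ooxml_like_zip()
    for label, blob in [
        ("olecf header", SAMPLE_OLECF),
        ("office-style zip header", SAMPLE_OOXML_HEADER),
        ("plain text", SAMPLE_TEXT),
        ("zipfile-written ooxml", python_zip),
    ]:
        print(f"{label:24s} magic={match_magic(blob)!s:6s} "
              f"content_check={is_ooxml_container(blob)}")
```

The two checks are complementary: the magic match is cheap and works on the first few bytes as they arrive, which is what the file framework needs for an early MIME guess, while the archive listing only works on a complete file and is the one to trust when the two disagree.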