[Bro] Mime-type issues (text/plain and application/x-msdownload)

Beyaz Şapka siberkartal at gmail.com
Wed Dec 28 06:11:44 PST 2016


Hi all,

I have two questions for the following pcap.

Bro reports the mime-type as "text/plain" for the response to the first HTTP GET
request.
However, Wireshark at least (and also CapTipper) says it is "text/html".
The correct one is clearly text/html.

I think Bro does not look only at the Content-Type (maybe due to malicious
manipulation), but applies some heuristics. But there should be some issues
in this case.

The other one is that there are 3 binary files in this pcap.
Bro extracts them just fine.
However, again there are some issues about the content-type.
While their content type is application/x-msdownload, http.log and
files.log say dash dash (not found).
In relation to this issue, I have a local file-extraction Bro script; although
I have a definition for the application/x-msdownload extension, I am not able to
set its extension as exe, since meta$mime_type returns empty.

The sample:

http://www.malware-traffic-analysis.net/2016/12/13/2016-12-13-pseudoDarkleech-Rig-V-sends-Cerber-ransomware.pcap.zip

Thanks,
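The extension problem described in the post can be handled at the point where Bro sniffs the file rather than by reading files.log afterwards. The script below is an added example, not code from the original post or from the Bro project; it assumes the Bro 2.5 file framework (the file_sniff event, the fa_metadata record and Files::ANALYZER_EXTRACT), and the table name ext_map and the function pick_ext are my own. It illustrates two things the post runs into: Bro derives mime_type from content signatures, not from the HTTP Content-Type header, and its bundled signatures label PE executables application/x-dosexec, so a mapping keyed only on application/x-msdownload never fires; and when no signature matches, meta$mime_type is simply absent (which is what appears as "-" in http.log and files.log), so the script tests for it with ?$ and falls back to a neutral extension instead of erroring.

```bro
@load base/files/extract

# Constructed mapping from the MIME type Bro sniffs to the extension written
# to disk. Bro's own signatures name PE files "application/x-dosexec", so
# keying only on "application/x-msdownload" would never match; list both.
const ext_map: table[string] of string = {
    ["application/x-dosexec"]    = "exe",
    ["application/x-msdownload"] = "exe",
    ["application/pdf"]          = "pdf",
    ["text/html"]                = "html",
} &redef;

# Choose an extension for a sniffed file. When no signature matched,
# meta$mime_type is unset, so check with ?$ before indexing the table and
# fall back to "bin" rather than leaving the file without a usable name.
function pick_ext(meta: fa_metadata): string
{
    if ( meta?$mime_type && meta$mime_type in ext_map )
        return ext_map[meta$mime_type];
    return "bin";
}

# file_sniff fires once the content signatures have run, which is the
# earliest point at which the sniffed MIME type is available.
event file_sniff(f: fa_file, meta: fa_metadata)
{
    # Restrict extraction to files carried over HTTP (assumption: that is
    # the traffic of interest here).
    if ( f$source != "HTTP" )
        return;

    local fname = fmt("%s-%s.%s", f$source, f$id, pick_ext(meta));
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
}
```

Run it against a capture with something like `bro -r capture.pcap local extract.bro`; extracted files land in the directory named by FileExtract::prefix (./extract_files/ by default), and the filename extension now reflects what Bro actually sniffed rather than what the server claimed.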

