[Bro] file identification modification

erik clark philosnef at gmail.com
Tue Oct 18 12:16:47 PDT 2016


I see that:

scripts/base/protocols/http/file-ident.sig

lets me create magic byte signatures for filetypes I have an interest in.
This seems to be specific to http.

My problem is that I want to detect files sent via smtp. Right now,
files.log does NOT have filenames for things I am sending as attachments,
such as mytext.ext. When I send this as attachment, there is no filename
*.ext... As such, I would like to attach this to the file analyzer so that
I can get notices for files that have the magic byte headers I am concerned
with. Is there an easy way to do this for smtp and ftp?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161018/456e2892/attachment.html 


More information about the Bro mailing list