[Bro] file identification modification

Seth Hall seth at icir.org
Fri Oct 21 06:42:36 PDT 2016

> On Oct 21, 2016, at 9:04 AM, erik clark <philosnef at gmail.com> wrote:
> /\x21\x42\x44\x4E/
> but the sig doesn't fire. However when I do
> /!BDN/
> it does. What gives? :)

I'm not sure offhand why that wouldn't work.

> Also, what's the number after the mimetype association mean? My mimetype is
> application/outlook, 5

That's a priority.  Since multiple matches can happen, we've tried to make the signatures that should be more specific and reliable be higher priority.  The current numbers are a bit haphazard though.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
