[Bro] Mime-type issues (text/plain and application/x-msdownload)

Seth Hall seth at icir.org
Tue Jan 3 19:23:13 PST 2017


> On Dec 28, 2016, at 9:11 AM, Beyaz Şapka <siberkartal at gmail.com> wrote:
> 
> Bro reports the mime-type as "text/plain" for the response to the first HTTP GET request.
> However, at least Wireshark (and also CapTipper) says it is "text/html".
> The correct one is text/html; that is clear.

Are you referring to the first request in the "10.12.13.102    49192   195.133.48.182  80" connection?  It's showing as text/html for me in Bro 2.5.

> I think Bro does not look only at Content-Type (maybe because of malicious manipulation), but applies some heuristics. But there must be some issues in this case.

We have a fairly large set of signatures that identify file types.  In HTTP traffic, the Content-Type header doesn't factor in at all.

> The other one is that there are 3 binary files in this pcap.
> Bro extracts them pretty fine.
> However, again there are some issues about the content type.
> While their content type is application/x-msdownload, the http.log and files.log say dash dash (not found).

Due to the fact that we detect mime type with signatures and I don't seem to be able to find any information about what application/x-msdownload is, I don't think we'll be able to make that detection.  The files that are transferred are unrecognizable binary data too (at least I was unable to see anything recognizable there).

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
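As an added illustration of the point Seth makes (this is not code from Bro or from either participant), here is a small Python model of signature-based file typing: the MIME type recorded for a transferred file is decided by magic patterns over the body, and the HTTP Content-Type header is parsed only so the two can be compared side by side. The signature table is a constructed, hypothetical stand-in for Bro's much larger signature set, and the three HTTP responses are constructed samples, not data from the pcap in the thread.

```python
"""Toy model of signature-based file typing vs. the HTTP Content-Type header."""
import re
import string

# Constructed signature table: (pattern over the leading bytes, MIME type, strength).
# Loosely modelled on the shape of Bro's file-magic signatures; it is a
# hypothetical stand-in for illustration, not Bro's actual signature set.
SIGNATURES = [
    (re.compile(rb"^MZ"), "application/x-dosexec", 40),
    (re.compile(rb"^\x7fELF"), "application/x-executable", 100),
    (re.compile(rb"^\s*<\?xml"), "application/xml", 40),
    (re.compile(rb"^\s*<(!DOCTYPE\s+html|html|head|body|script)", re.I), "text/html", 20),
]

# Bytes that count as "printable text" for the weak fallback below.
PRINTABLE = set(string.printable.encode())


def sniff_mime(body: bytes) -> str:
    """Type a file body by magic alone. Returns "-" when nothing matches,
    mirroring the empty mime_type field described in the thread."""
    head = body[:1024]
    best = None
    for pattern, mime, strength in SIGNATURES:
        if pattern.search(head) and (best is None or strength > best[1]):
            best = (mime, strength)
    if best is not None:
        return best[0]
    # Weak fallback: if every leading byte is printable, call it text/plain.
    if head and all(b in PRINTABLE for b in head):
        return "text/plain"
    return "-"


def split_http_response(raw: bytes):
    """Return (Content-Type header value without parameters, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    header_mime = None
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            header_mime = value.split(b";")[0].strip().decode("latin-1")
    return header_mime, body


def classify(raw: bytes) -> dict:
    """What a header-trusting tool would log next to what the signatures say."""
    header_mime, body = split_http_response(raw)
    return {"header": header_mime, "sniffed": sniff_mime(body)}


# Constructed sample responses (not taken from the pcap discussed above).
# 1. Server labels an HTML page as text/plain: signatures still see HTML.
HTML_LABELLED_PLAIN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"<!DOCTYPE html>\n<html><body>hello</body></html>"
)
# 2. A PE-looking body: the MZ magic wins regardless of the header name.
PE_LABELLED_MSDOWNLOAD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
# 3. Opaque bytes with the same header: no signature fires, so "-".
OPAQUE_LABELLED_MSDOWNLOAD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
    b"\x17\x9a\xe3\x00\x42\xf1\x07\xc8\xd3\x2b\x8e\x00\x51\xfa"
)

if __name__ == "__main__":
    for name, raw in [("html", HTML_LABELLED_PLAIN),
                      ("pe", PE_LABELLED_MSDOWNLOAD),
                      ("opaque", OPAQUE_LABELLED_MSDOWNLOAD)]:
        print(name, classify(raw))
```

The third sample is the situation from the thread: the header claims application/x-msdownload, but if the bytes match no signature the sniffed type stays "-", whatever the server said. Only adding a signature that matches the actual bytes would change that, which is why Seth asks what the files contain rather than what the header calls them.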
