[Bro] Mime-type issues (text/plain and application/x-msdownload)

Seth Hall seth at icir.org
Wed Jan 4 09:03:49 PST 2017


> On Jan 4, 2017, at 4:32 AM, Beyaz Şapka <siberkartal at gmail.com> wrote:
> 
> Yes, I talk about the response for the first HTTP request.
> signature file-html is good but still could be better.
> The signature only checks for the starting of the file for particular patterns, the problem originates from that.

We accept patches if you have improvements to be made on our file type detection.

> From where, you are not able to find any information about what application/x-msdownload is?
> If you are talking about *.sig files in bro directories, of course it does not exist.
> However google says much: https://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx

That link doesn't actually describe what the purpose of that mime type is or what exactly the file format should look like. It's just more of the same stuff that I already found that makes references to the mime type and places some relation to Windows executables, but we already identify Windows executables as application/x-dosexec as you discovered.

> In addition, sure, they are unrecognized binary data, since they are encrypted.
> I think, file-magic-auto433 flags plain ones correctly, but gives its mime type as application/x-dosexec
> I will duplicate it and add an additional check (http-reply-header /Content-type: application/x-msdownload/) for a workaround.

Our file type detection is meant to detect file types by inspecting the file content. What you want to do is just something different from the way Bro works and you are already doing the right thing by writing your own script to do something extra with that header.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
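
The distinction drawn in this thread, content-based type detection versus the server-declared Content-Type header, shown as an added Python example that is not part of the original message and is not Bro code. The function names, result labels, simplified sniffing rules and sample bytes are all assumptions constructed for illustration.

```python
# Added illustration: compare a content-sniffed type with the declared header.
# All names and labels here are hypothetical; the sniffing is deliberately simplified.

# Header values that claim "Windows executable" (both appear in the thread).
DECLARED_EXE = {"application/x-msdownload", "application/x-dosexec"}

def sniff_mime(body: bytes):
    """Content-based detection: return a MIME type, or None if unrecognized."""
    # PE files start with 'MZ' and keep the offset of 'PE\0\0' at 0x3c.
    if len(body) >= 0x40 and body[:2] == b"MZ":
        pe_off = int.from_bytes(body[0x3C:0x40], "little")
        if body[pe_off:pe_off + 4] == b"PE\0\0":
            return "application/x-dosexec"
    # Printable ASCII plus tab/LF/CR only: treat as text.
    if body and all(32 <= b < 127 or b in (9, 10, 13) for b in body):
        return "text/plain"
    return None  # e.g. encrypted or otherwise opaque binary data

def classify(content_type_header: str, body: bytes) -> str:
    """Label the relationship between the declared and the sniffed type."""
    declared = content_type_header.split(";")[0].strip().lower()
    sniffed = sniff_mime(body)
    if sniffed == "application/x-dosexec":
        if declared in DECLARED_EXE:
            return "consistent-executable"
        return "executable-with-misleading-header"
    if declared in DECLARED_EXE:
        if sniffed is None:
            # Header says executable, content is opaque (the encrypted case).
            return "declared-executable-unrecognized-content"
        return "header-content-mismatch"
    return "no-finding"

# Constructed samples (not captured traffic).
PE_SAMPLE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
             + b"PE\0\0" + b"\x00" * 16)
OPAQUE_SAMPLE = bytes(range(0x80, 0xC0))

if __name__ == "__main__":
    for hdr, data in [("application/x-msdownload", PE_SAMPLE),
                      ("text/plain; charset=utf-8", PE_SAMPLE),
                      ("application/x-msdownload", OPAQUE_SAMPLE)]:
        print(hdr, "->", classify(hdr, data))
```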



