[Bro] Finer detail on mime types
James Lay
jlay at slave-tothe-box.net
Mon Jul 10 15:04:13 PDT 2017
Understood and thanks Seth. At this point an analysis of the Macro
enabled Excel/Word file is secondary to bro just being able to read and
report the "macroenabled" mime type. Lemme see if I can get protosigs
to do something exciting....thank you!
James
On 2017-07-10 14:09, Seth Hall wrote:
> That is a bit of an overloaded mime-type I'm afraid. We did build the
> files framework in Bro so that it could be extended to provide quite a
> bit of extra information when the file is "sniffed". The primary
> problem that we'd have with providing that information at the moment
> is lack of a way to analyze excel files.
>
> .Seth
>
> On Fri, Jul 7, 2017 at 4:11 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>> So in looking at xlsm/docm files I noticed this...where bro says:
>>
>> application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
>>
>> but the pcap says:
>>
>> application/vnd.ms-excel.sheet.macroenabled.12
>>
>> Is there a way to fine tune this in bro? Identifying files flying
>> around with macros would be wonderful...thank you.