[Bro] Finer detail on mime types

James Lay jlay at slave-tothe-box.net
Mon Jul 10 15:04:13 PDT 2017


Understood and thanks Seth.  At this point an analysis of the Macro 
enabled Excel/Word file is secondary to bro just being able to read and 
report the "macroenabled" mime type.  Lemme see if I can get protosigs 
to do something exciting....thank you!

James

On 2017-07-10 14:09, Seth Hall wrote:
> That is a bit of an overloaded mime-type I'm afraid.  We did build the
> files framework in Bro so that it could be extended to provide quite a
> bit of extra information when the file is "sniffed".  The primary
> problem that we'd have with providing that information at the moment
> is lack of a way to analyze excel files.
> 
>   .Seth
> 
> On Fri, Jul 7, 2017 at 4:11 PM, James Lay <jlay at slave-tothe-box.net> 
> wrote:
>> So in looking at xlsm/docm files I noticed this...where bro says:
>> 
>> application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
>> 
>> but the pcap says:
>> 
>> application/vnd.ms-excel.sheet.macroenabled.12
>> 
>> Is there a way to fine tune this in bro?  Identifying files flying
>> around with macros would be wonderful...thank you.
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
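The mismatch in the thread above comes from where the two types are taken: a sniffer that matches the outer zip container can only return the generic spreadsheetml type, while the macro-enabled variant is only declared inside the archive's [Content_Types].xml (and shows up as a vbaProject part). The following Python is an added example written for this page, not code from the thread or from Bro; the part-type strings are assumed from OOXML conventions, and build_sample constructs a minimal test container rather than a real workbook.

```python
import io
import re
import zipfile

# Main-part content types found in [Content_Types].xml, mapped to the file-level
# MIME type Office uses for that container (values assumed from OOXML conventions).
MAIN_PARTS = {
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.ms-excel.sheet.macroEnabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.ms-word.document.macroEnabled.12",
}
VBA_PART = "application/vnd.ms-office.vbaProject"

def refine_ooxml_mime(data: bytes):
    """Return (mime, has_vba) for an OOXML blob, or (None, False) if it is not one."""
    # A zip-header sniffer stops at the generic type; the macro-enabled variant
    # is only visible once the archive is opened and its content types are read.
    if not data.startswith(b"PK\x03\x04"):
        return None, False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None, False
    declared = set(re.findall(r'ContentType="([^"]+)"', ctypes))
    has_vba = VBA_PART in declared or any(n.endswith("vbaProject.bin") for n in names)
    mime = next((m for part, m in MAIN_PARTS.items() if part in declared), None)
    return mime, has_vba

def build_sample(main_part: str, with_vba: bool) -> bytes:
    """Constructed test container: just enough OOXML structure to be classified."""
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_part}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_vba:
            overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PART}"/>'
            zf.writestr("xl/vbaProject.bin", b"\x00")  # placeholder, not a real VBA stream
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

MIME types compare case-insensitively, so the lowercase "macroenabled.12" seen in the pcap and Office's own "macroEnabled.12" spelling are the same type; a detection rule should match without regard to case.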

