Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Various minor changes related to file mime type detection.

Browse source 
- Improve or just remove some file magic signatures ported from libmagic
  that were too general and matched incorrectly too often.

- Fix MHR script's use of fa_file$mime_type before checking if it's
  initialized.  It may be uninitialized if no signatures match.

- The "fa_file" record now contains a "mime_types" field that contains
  all magic signatures that matched the file content (where the
  "mime_type" field is just a shortcut for the strongest match).
This commit is contained in:
Jon Siwek 2014-03-06 11:41:10 -06:00
parent 0865b152bb
commit 095a68b2ec
15 changed files with 187 additions and 143 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/policy/frameworks/files/detect-MHR.bro
View file

@ -37,7 +37,7 @@ export {
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind=="sha1" && match_file_types in f$mime_type )
if ( kind=="sha1" && f?$mime_type && match_file_types in f$mime_type )
{
local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
when ( local MHR_result = lookup_hostname_txt(hash_domain) )