Various minor changes related to file mime type detection.

- Improve or just remove some file magic signatures ported from libmagic that were too general and matched incorrectly too often. - Fix MHR script's use of fa_file$mime_type before checking if it's initialized. It may be uninitialized if no signatures match. - The "fa_file" record now contains a "mime_types" field that contains all magic signatures that matched the file content (where the "mime_type" field is just a shortcut for the strongest match).
2025-10-03 23:28:20 +00:00 · 2014-03-06 11:41:10 -06:00 · 2014-03-06 11:41:10 -06:00 · 095a68b2ec
commit 095a68b2ec
parent 0865b152bb
15 changed files with 187 additions and 143 deletions
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -53,6 +53,7 @@ int File::timeout_interval_idx = -1;
 int File::bof_buffer_size_idx = -1;
 int File::bof_buffer_idx = -1;
 int File::mime_type_idx = -1;
+int File::mime_types_idx = -1;

 void File::StaticInit()
 	{
@ -73,6 +74,7 @@ void File::StaticInit()
 	bof_buffer_size_idx = Idx("bof_buffer_size");
 	bof_buffer_idx = Idx("bof_buffer");
 	mime_type_idx = Idx("mime_type");
+	mime_types_idx = Idx("mime_types");
 	}

 File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
@ -280,12 +282,15 @@ bool File::BufferBOF(const u_char* data, uint64 len)

 bool File::DetectMIME(const u_char* data, uint64 len)
 	{
-	string strongest_match = file_mgr->DetectMIME(data, len);
+	RuleMatcher::MIME_Matches matches;
+	file_mgr->DetectMIME(data, len, &matches);

-	if ( strongest_match.empty() )
+	if ( matches.empty() )
 		return false;

-	val->Assign(mime_type_idx, new StringVal(strongest_match));
+	val->Assign(mime_type_idx,
+	            new StringVal(*(matches.begin()->second.begin())));
+	val->Assign(mime_types_idx, file_analysis::GenMIMEMatchesVal(matches));
 	return true;
 	}