diff --git a/.gitmodules b/.gitmodules
index 87826d2ef6..4998cc6b80 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,9 +16,6 @@
 [submodule "cmake"]
 path = cmake
 url = git://git.bro.org/cmake
-[submodule "magic"]
- path = magic
- url = git://git.bro.org/bromagic
 [submodule "src/3rdparty"]
 path = src/3rdparty
 url = git://git.bro.org/bro-3rdparty
diff --git a/CHANGES b/CHANGES
index 582694a79a..68beb70ada 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,721 @@ +2.2-425 | 2014-05-08 16:34:44 -0700 + + * Fix reassembly of data w/ sizes beyond 32-bit capacities. (Jon Siwek) + + Reassembly code (e.g. for TCP) now uses int64/uint64 (signedness + is situational) data types in place of int types in order to + support delivering data to analyzers that pass 2GB thresholds. + There's also changes in logic that accompany the change in data + types, e.g. to fix TCP sequence space arithmetic inconsistencies. + + Another significant change is in the Analyzer API: the *Packet and + *Undelivered methods now use a uint64 in place of an int for the + relative sequence space offset parameter. + + Addresses BIT-348. + + * Fixing compiler warnings. (Robin Sommer) + + * Update SNMP analyzer's DeliverPacket method signature. (Jon Siwek) + +2.2-417 | 2014-05-07 10:59:22 -0500 + + * Change handling of atypical OpenSSL error case in x509 verification. (Jon Siwek) + + * Fix memory leaks in X509 certificate parsing/verification. (Jon Siwek) + + * Fix new []/delete mismatch in input::reader::Raw::DoClose(). (Jon Siwek) + + * Fix buffer over-reads in file_analysis::Manager::Terminate() (Jon Siwek) + + * Fix buffer overlows in IP address masking logic. (Jon Siwek) + + That could occur either in taking a zero-length mask on an IPv6 address + (e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g. + via the remask_addr BuiltIn Function). + + * Fix new []/delete mismatch in ~Base64Converter. (Jon Siwek) + +2.2-410 | 2014-05-02 12:49:53 -0500 + + * Replace an unneeded OPENSSL_malloc call. (Jon Siwek) + +2.2-409 | 2014-05-02 12:09:06 -0500 + + * Clean up and documentation for base SNMP script. (Jon Siwek) + + * Update base SNMP script to now produce a snmp.log. (Seth Hall) + + * Add DH support to SSL analyzer. When using DHE or DH-Anon, sever + key parameters are now available in scriptland. Also add script to + alert on weak certificate keys or weak dh-params. 
(Bernhard Amann) + + * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann) + + * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann) + +2.2-397 | 2014-05-01 20:29:20 -0700 + + * Fix reference counting for lookup_ID() usages. (Jon Siwek) + +2.2-395 | 2014-05-01 20:25:48 -0700 + + * Fix missing "irc-dcc-data" service field from IRC DCC connections. + (Jon Siwek) + + * Correct a notice for heartbleed. The notice is thrown correctly, + just the message conteined wrong values. (Bernhard Amann) + + * Improve/standardize some malloc/realloc return value checks. (Jon + Siwek) + + * Improve file analysis manager shutdown/cleanup. (Jon Siwek) + +2.2-388 | 2014-04-24 18:38:07 -0700 + + * Fix decoding of MIME quoted-printable. (Mareq) + +2.2-386 | 2014-04-24 18:22:29 -0700 + + * Do a Intel::ADDR lookup for host field if we find an IP address + there. (jshlbrd) + +2.2-381 | 2014-04-24 17:08:45 -0700 + + * Add Java version to software framework. (Brian Little) + +2.2-379 | 2014-04-24 17:06:21 -0700 + + * Remove unused Val::attribs member. (Jon Siwek) + +2.2-377 | 2014-04-24 16:57:54 -0700 + + * A larger set of SSL improvements and extensions. Addresses + BIT-1178. (Bernhard Amann) + + - Fixes TLS protocol version detection. It also should + bail-out correctly on non-tls-connections now + + - Adds support for a few TLS extensions, including + server_name, alpn, and ec-curves. + + - Adds support for the heartbeat events. + + - Add Heartbleed detector script. + + - Adds basic support for OCSP stapling. + + * Fix parsing of DNS TXT RRs w/ multiple character-strings. + Addresses BIT-1156. (Jon Siwek) + +2.2-353 | 2014-04-24 16:12:30 -0700 + + * Adapt HTTP partial content to cache file analysis IDs. (Jon Siwek) + + * Adapt SSL analyzer to generate file analysis handles itself. (Jon + Siwek) + + * Adapt more of HTTP analyzer to use cached file analysis IDs. (Jon + Siwek) + + * Adapt IRC/FTP analyzers to cache file analysis IDs. 
(Jon Siwek) + + * Refactor regex/signature AcceptingSet data structure and usages. + (Jon Siwek) + + * Enforce data size limit when checking files for MIME matches. (Jon + Siwek) + + * Refactor file analysis file ID lookup. (Jon Siwek) + +2.2-344 | 2014-04-22 20:13:30 -0700 + + * Refactor various hex escaping code. (Jon Siwek) + +2.2-341 | 2014-04-17 18:01:41 -0500 + + * Fix duplicate DNS log entries. (Robin Sommer) + +2.2-341 | 2014-04-17 18:01:01 -0500 + + * Refactor initialization of ASCII log writer options. (Jon Siwek) + + * Fix a memory leak in ASCII log writer. (Jon Siwek) + +2.2-338 | 2014-04-17 17:48:17 -0500 + + * Disable input/logging threads setting their names on every + heartbeat. (Jon Siwek) + + * Fix bug when clearing Bloom filter contents. Reported by + @colonelxc. (Matthias Vallentin) + +2.2-335 | 2014-04-10 15:04:57 -0700 + + * Small logic fix for main SSL script. (Bernhard Amann) + + * Update DPD signatures for detecting TLS 1.2. (Bernhard Amann) + + * Remove unused data member of SMTP_Analyzer to silence a Coverity + warning. (Jon Siwek) + + * Fix missing @load dependencies in some scripts. Also update the + unit test which is supposed to catch such errors. (Jon Siwek) + +2.2-326 | 2014-04-08 15:21:51 -0700 + + * Add SNMP datagram parsing support.This supports parsing of SNMPv1 + (RFC 1157), SNMPv2 (RFC 1901/3416), and SNMPv2 (RFC 3412). An + event is raised for each SNMP PDU type, though there's not + currently any event handlers for them and not a default snmp.log + either. However, simple presence of SNMP is currently visible now + in conn.log service field and known_services.log. (Jon Siwek) + +2.2-319 | 2014-04-03 15:53:25 -0700 + + * Improve __load__.bro creation for .bif.bro stubs. (Jon Siwek) + +2.2-317 | 2014-04-03 10:51:31 -0400 + + * Add a uid field to the signatures.log. Addresses BIT-1171 + (Anthony Verez) + +2.2-315 | 2014-04-01 16:50:01 -0700 + + * Change logging's "#types" description of sets to "set". 
Addresses + BIT-1163 (Bernhard Amann) + +2.2-313 | 2014-04-01 16:40:19 -0700 + + * Fix a couple nits reported by Coverity.(Jon Siwek) + + * Fix potential memory leak in IP frag reassembly reported by + Coverity. (Jon Siwek) + +2.2-310 | 2014-03-31 18:52:22 -0700 + + * Fix memory leak and unchecked dynamic cast reported by Coverity. + (Jon Siwek) + + * Fix potential memory leak in x509 parser reported by Coverity. + (Bernhard Amann) + +2.2-304 | 2014-03-30 23:05:54 +0200 + + * Replace libmagic w/ Bro signatures for file MIME type + identification. Addresses BIT-1143. (Jon Siwek) + + Includes: + + - libmagic is no longer used at all. All MIME type detection is + done through new Bro signatures, and there's no longer a means + to get verbose file type descriptions. The majority of the + default file magic signatures are derived from the default magic + database of libmagic ~5.17. + + - File magic signatures consist of two new constructs in the + signature rule parsing grammar: "file-magic" gives a regular + expression to match against, and "file-mime" gives the MIME type + string of content that matches the magic and an optional strength + value for the match. + + - Modified signature/rule syntax for identifiers: they can no + longer start with a '-', which made for ambiguous syntax when + doing negative strength values in "file-mime". Also brought + syntax for Bro script identifiers in line with reality (they + can't start with numbers or include '-' at all). + + - A new built-in function, "file_magic", can be used to get all + file magic matches and their corresponding strength against a + given chunk of data. + + - The second parameter of the "identify_data" built-in function + can no longer be used to get verbose file type descriptions, + though it can still be used to get the strongest matching file + magic signature. + + - The "file_transferred" event's "descr" parameter no longer + contains verbose file type descriptions. 
+ + - The BROMAGIC environment variable no longer changes any behavior + in Bro as magic databases are no longer used/installed. + + - Removed "binary" and "octet-stream" mime type detections. They + don' provide any more information than an uninitialized + mime_type field which implicitly means no magic signature + matches and so the media type is unknown to Bro. + + - The "fa_file" record now contains a "mime_types" field that + contains all magic signatures that matched the file content + (where the "mime_type" field is just a shortcut for the + strongest match). + + - Reverted back to minimum requirement of CMake 2.6.3 from 2.8.0. + + * The logic for adding file ids to {orig,resp}_fuids fields of the + http.log incorrectly depended on the state of + {orig,resp}_mime_types fields, so sometimes not all file ids + associated w/ the session were logged. (Jon Siwek) + + * Fix MHR script's use of fa_file$mime_type before checking if it's + initialized. (Jon Siwek) + +2.2-294 | 2014-03-30 22:08:25 +0200 + + * Rework and move X509 certificate processing from the SSL protocol + analyzer to a dedicated file analyzer. This will allow us to + examine X509 certificates from sources other than SSL in the + future. Furthermore, Bro now parses more fields and extensions + from the certificates (e.g. elliptic curve information, subject + alternative names, basic constraints). Certificate validation also + was improved, should be easier to use and exposes information like + the full verified certificate chain. (Bernhard Amann) + + This update changes the format of ssl.log and adds a new x509.log + with certificate information. Furthermore all x509 events and + handling functions have changed. + +2.2-271 | 2014-03-30 20:25:17 +0200 + + * Add unit tests covering vector/set/table ctors/inits. (Jon Siwek) + + * Fix parsing of "local" named table constructors. (Jon Siwek) + + * Improve type checking of records. Addresses BIT-1159. 
(Jon Siwek) + +2.2-267 | 2014-03-30 20:21:43 +0200 + + * Improve documentation of Bro clusters. Addresses BIT-1160. + (Daniel Thayer) + +2.2-263 | 2014-03-30 20:19:05 +0200 + + * Don't include locations into serialization when cloning values. + (Robin Sommer) + +2.2-262 | 2014-03-30 20:12:47 +0200 + + * Refactor SerializationFormat::EndWrite and ChunkedIO::Chunk memory + management. (Jon Siwek) + + * Improve SerializationFormat's write buffer growth strategy. (Jon + Siwek) + + * Add --parse-only option to exit after parsing scripts. May be + useful for syntax-checking tools. (Jon Siwek) + +2.2-256 | 2014-03-30 19:57:28 +0200 + + * For the summary statistics framewirk, change all &create_expire + attributes to &read_expire in the cluster part. (Bernhard Amann) + +2.2-254 | 2014-03-30 19:55:22 +0200 + + * Update instructions on how to build Bro docs. (Daniel Thayer) + +2.2-251 | 2014-03-28 08:37:37 -0400 + + * Quick fix to the ElasticSearch writer. (Seth Hall) + +2.2-250 | 2014-03-19 17:20:55 -0400 + + * Improve performance of MHR script by reducing cloned Vals in + a "when" scope. (Jon Siwek) + +2.2-248 | 2014-03-19 14:47:40 -0400 + + * Make SumStats work incrementally and non-blocking in non-cluster + mode, but force it to operate by blocking if Bro is shutting + down. (Seth Hall) + +2.2-244 | 2014-03-17 08:24:17 -0700 + + * Fix compile errror on FreeBSD caused by wrong include file order. + (Bernhard Amann) + +2.2-240 | 2014-03-14 10:23:54 -0700 + + * Derive results of DNS lookups from from input when in BRO_DNS_FAKE + mode. Addresses BIT-1134. (Jon Siwek) + + * Fixing a few cases of undefined behaviour introduced by recent + formatter work. + + * Fixing compiler error. (Robin Sommer) + + * Fixing (very unlikely) double delete in HTTP analyzer when + decapsulating CONNECTs. (Robin Sommer) + +2.2-235 | 2014-03-13 16:21:19 -0700 + + * The Ascii writer has a new option LogAscii::use_json for writing + out logs as JSON. 
(Seth Hall) + + * Ascii input reader now supports all config options as per-input + stream "config" values. (Seth Hall) + + * Refactored formatters and updated the the writers a bit. (Seth + Hall) + +2.2-229 | 2014-03-13 14:58:30 -0700 + + * Refactoring analyzer manager code to reuse + ApplyScheduledAnalyzers(). (Robin Sommer) + +2.2-228 | 2014-03-13 14:25:53 -0700 + + * Teach async DNS lookup builtin-functions about BRO_DNS_FAKE. + Addresses BIT-1134. (Jon Siwek) + + * Enable fake DNS mode for test suites. + + * Improve analysis of TCP SYN/SYN-ACK reversal situations. (Jon + Siwek) + + - Since it's just the handshake packets out of order, they're no + longer treated as partial connections, which some protocol analyzers + immediately refuse to look at. + + - The TCP_Reassembler "is_orig" state failed to change, which led to + protocol analyzers sometimes using the wrong value for that. + + - Add a unit test which exercises the Connection::FlipRoles() code + path (i.e. the SYN/SYN-ACK reversal situation). + + Addresses BIT-1148. + + * Fix bug in Connection::FlipRoles. It didn't swap address values + right and also didn't consider that analyzers might be scheduled + for the new connection tuple. Reported by Kevin McMahon. Addresses + BIT-1148. (Jon Siwek) + +2.2-221 | 2014-03-12 17:23:18 -0700 + + * Teach configure script --enable-jemalloc, --with-jemalloc. + Addresses BIT-1128. (Jon Siwek) + +2.2-218 | 2014-03-12 17:19:45 -0700 + + * Improve DBG_LOG macro (perf. improvement for --enable-debug mode). + (Jon Siwek) + + * Silences some documentation warnings from Sphinx. (Jon Siwek) + +2.2-215 | 2014-03-10 11:10:15 -0700 + + * Fix non-deterministic logging of unmatched DNS msgs. Addresses + BIT-1153 (Jon Siwek) + +2.2-213 | 2014-03-09 08:57:37 -0700 + + * No longer accidentally attempting to parse NBSTAT RRs as SRV RRs + in DNS analyzer. (Seth Hall) + + * Fix DNS SRV responses and a small issue with NBNS queries and + label length. 
(Seth Hall) + + - DNS SRV responses never had the code written to actually + generate the dns_SRV_reply event. Adding this required + extending the event a bit to add extra information. SRV responses + now appear in the dns.log file correctly. + + - Fixed an issue where some Microsoft NetBIOS Name Service lookups + would exceed the max label length for DNS and cause an incorrect + "DNS_label_too_long" weird. + +2.2-210 | 2014-03-06 22:52:36 -0500 + + * Improve SSL logging so that connections are logged even when the + ssl_established event is not generated as well as other small SSL + fixes. (Bernhard Amann) + +2.2-206 | 2014-03-03 16:52:28 -0800 + + * HTTP CONNECT proxy support. The HTTP analyzer now supports + handling HTTP CONNECT proxies. (Seth Hall) + + * Expanding the HTTP methods used in the DPD signature to detect + HTTP traffic. (Seth Hall) + + * Fixing removal of support analyzers. (Robin Sommer) + +2.2-199 | 2014-03-03 16:34:20 -0800 + + * Allow iterating over bif functions with result type vector of any. + This changes the internal type that is used to signal that a + vector is unspecified from any to void. Addresses BIT-1144 + (Bernhard Amann) + +2.2-197 | 2014-02-28 15:36:58 -0800 + + * Remove test code. (Robin Sommer) + +2.2-194 | 2014-02-28 14:50:53 -0800 + + * Remove packet sorter. Addresses BIT-700. (Bernhard Amann) + +2.2-192 | 2014-02-28 09:46:43 -0800 + + * Update Mozilla root bundle. (Bernhard Amann) + +2.2-190 | 2014-02-27 07:34:44 -0800 + + * Adjust timings of a few leak tests. (Bernhard Amann) + +2.2-187 | 2014-02-25 07:24:42 -0800 + + * More Google TLS extensions that are being actively used. (Bernhard + Amann) + + * Remove unused, and potentially unsafe, function + ListVal::IncludedInString. (Bernhard Amann) + +2.2-184 | 2014-02-24 07:28:18 -0800 + + * New TLS constants from + https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01. 
+ (Bernhard Amann) + +2.2-180 | 2014-02-20 17:29:14 -0800 + + * New SSL alert descriptions from + https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04. + (Bernhard Amann) + + * Update SQLite. (Bernhard Amann) + +2.2-177 | 2014-02-20 17:27:46 -0800 + + * Update to libmagic version 5.17. Addresses BIT-1136. (Jon Siwek) + +2.2-174 | 2014-02-14 12:07:04 -0800 + + * Support for MPLS over VLAN. (Chris Kanich) + +2.2-173 | 2014-02-14 10:50:15 -0800 + + * Fix misidentification of SOCKS traffic that in particiular seemed + to happen a lot with DCE/RPC traffic. (Vlad Grigorescu) + +2.2-170 | 2014-02-13 16:42:07 -0800 + + * Refactor DNS script's state management to improve performance. + (Jon Siwek) + + * Revert "Expanding the HTTP methods used in the signature to detect + HTTP traffic." (Robin Sommer) + +2.2-167 | 2014-02-12 20:17:39 -0800 + + * Increase timeouts of some unit tests. (Jon Siwek) + + * Fix memory leak in modbus analyzer. Would happen if there's a + 'modbus_read_fifo_queue_response' event handler. (Jon Siwek) + + * Add channel_id TLS extension number. This number is not IANA + defined, but we see it being actively used. (Bernhard Amann) + + * Test baseline updates for DNS change. (Robin Sommer) + +2.2-158 | 2014-02-09 23:45:39 -0500 + + * Change dns.log to include only standard DNS queries. (Jon Siwek) + + * Improve DNS analysis. (Jon Siwek) + + - Fix parsing of empty question sections (when QDCOUNT == 0). In this + case, the DNS parser would extract two 2-byte fields for use in either + "dns_query_reply" or "dns_rejected" events (dependent on value of + RCODE) as qclass and qtype parameters. This is not correct, because + such fields don't actually exist in the DNS message format when + QDCOUNT is 0. As a result, these events are no longer raised when + there's an empty question section. Scripts that depends on checking + for an empty question section can do that in the "dns_message" event. 
+ + - Add a new "dns_unknown_reply" event, for when Bro does not know how + to fully parse a particular resource record type. This helps fix a + problem in the default DNS scripts where the logic to complete + request-reply pair matching doesn't work because it's waiting on more + RR events to complete the reply. i.e. it expects ANCOUNT number of + dns_*_reply events and will wait until it gets that many before + completing a request-reply pair and logging it to dns.log. This could + cause bogus replies to match a previous request if they happen to + share a DNS transaction ID. (Jon Siwek) + + - The previous method of matching queries with replies was still + unreliable in cases where the reply contains no answers. The new code + also takes extra measures to avoid pending state growing too large in + cases where the condition to match a query with a corresponding reply is + never met, but yet DNS messages continue to be exchanged over the same + connection 5-tuple (preventing cleanup of the pending state). (Jon Siwek) + + * Updates to httpmonitor and mimestats documentation. (Jeannette Dopheide) + + * Updates to Logs and Cluster documentation (Jeannette Dopheide) + +2.2-147 | 2014-02-07 08:06:53 -0800 + + * Fix x509-extension test sometimes failing. (Bernhard Amann) + +2.2-144 | 2014-02-06 20:31:18 -0800 + + * Fixing bug in POP3 analyzer. With certain input the analyzer could + end up trying to write to non-writable memory. (Robin Sommer) + +2.2-140 | 2014-02-06 17:58:04 -0800 + + * Fixing memory leaks in input framework. (Robin Sommer) + + * Add script to detect filtered TCP traces. Addresses BIT-1119. (Jon + Siwek) + +2.2-137 | 2014-02-04 09:09:55 -0800 + + * Minor unified2 script documentation fix. (Jon Siwek) + +2.2-135 | 2014-01-31 11:09:36 -0800 + + * Added some grammar and spelling corrections to Installation and + Quick Start Guide. (Jeannette Dopheide) + +2.2-131 | 2014-01-30 16:11:11 -0800 + + * Extend file analysis API to allow file ID caching. 
This allows an + analyzer to either provide file IDs associated with some file + content or to cache a file ID that was already determined by + script-layer logic so that subsequent calls to the file analysis + interface can bypass costly detours through script-layer. This + can yield a decent performance improvement for analyzers that are + able to take advantage of it and deal with streaming content (like + HTTP, which has been adapted accordingly). (Jon Siwek) + +2.2-128 | 2014-01-30 15:58:47 -0800 + + * Add leak test for Exec module. (Bernhard Amann) + + * Fix file_over_new_connection event to trigger when entire file is + missed. (Jon Siwek) + + * Improve TCP connection size reporting for half-open connections. + (Jon Siwek) + + * Improve gap reporting in TCP connections that never see data. We + no longer accomodate SYN/FIN/RST-filtered traces by not reporting + missing data. The behavior can be reverted by redef'ing + "detect_filtered_trace". (Jon Siwek) + + * Improve TCP FIN retransmission handling. (Jon Siwek) + +2.2-120 | 2014-01-28 10:25:23 -0800 + + * Fix and extend x509_extension() event, which now actually returns + the extension. (Bernhard Amann) + + New event signauture: + + event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) + +2.2-117 | 2014-01-23 14:18:19 -0800 + + * Fixing initialization context in anonymous functions. (Robin + Sommer) + +2.2-115 | 2014-01-22 12:11:18 -0800 + + * Add unit tests for new Bro Manual docs. (Jon Siwek) + + * New content for the "Using Bro" section of the manual. (Rafael + Bonilla/Jon Siwek) + +2.2-105 | 2014-01-20 12:16:48 -0800 + + * Support GRE tunnel decapsulation, including enhanced GRE headers. + GRE tunnels are treated just like IP-in-IP tunnels by parsing past + the GRE header in between the delivery and payload IP packets. + Addresses BIT-867. (Jon Siwek) + + * Simplify FragReassembler memory management. 
(Jon Siwek) + +2.2-102 | 2014-01-20 12:00:29 -0800 + + * Include file information (MIME type and description) into notice + emails if available. (Justin Azoff) + +2.2-100 | 2014-01-20 11:54:58 -0800 + + * Fix caching of recently validated SSL certifcates. (Justin Azoff) + +2.2-98 | 2014-01-20 11:50:32 -0800 + + * For notice suppresion, instead of storing the entire notice in + Notice::suppressing, just store the time the notice should be + suppressed until. This saves significant memory but can no longer + raise end_suppression, which has been removed. (Justin Azoff) + +2.2-96 | 2014-01-20 11:41:07 -0800 + + * Integrate libmagic 5.16. Bro now now always relies on + builtin/shipped magic library/database. (Jon Siwek) + + * Bro now requires a CMake 2.8.x, but no longer a pre-installed + libmagic. (Jon Siwek) + +2.2-93 | 2014-01-13 09:16:51 -0800 + + * Fixing compile problems with some versions of libc++. Reported by + Craig Leres. (Robin Sommer) + +2.2-91 | 2014-01-13 01:33:28 -0800 + + * Improve GeoIP City database support. When trying to open a city + database, it now considers both the "REV0" and "REV1" versions of + the city database instead of just the former. (Jon Siwek) + + * Broxygen init fixes. Addresses BIT-1110. (Jon Siwek) + + - Don't check mtime of bro binary if BRO_DISABLE_BROXYGEN env var set. + + - Fix failure to locate bro binary if invoking from a relative + path and '.' isn't in PATH. + + * Fix for packet writing to make it use the global snap length. + (Seth Hall) + + * Fix for traffic with TCP segmentation offloading with IP header + len field being set to zero. (Seth Hall) + + * Canonify output of a unit test. (Jon Siwek) + + * A set of documentation updates. (Daniel Thayer) + + - Fix typo in Bro 2.2 NEWS on string indexing. + - Fix typo in the Quick Start Guide, and clarified the + instructions about modifying crontab. + - Add/fix documentation for missing/misnamed event parameters. + - Fix typos in BIF documentation of hexstr_to_bytestring. 
+ - Update the documentation of types and attributes. + - Documented the new substring extraction functionality. + - Clarified the description of "&priority" and "void". + +2.2-75 | 2013-12-18 08:36:50 -0800 + + * Fixing segfault with mismatching set &default in record fields. + (Robin Sommer) + +2.2-74 | 2013-12-16 08:49:55 -0800 + + * Improve warnings emitted from raw/execute input reader. (Jon + Siwek) + + * Further improve core.when-interpreter-exceptions unit test. (Jon + Siwek) + +2.2-72 | 2013-12-12 07:12:47 -0800 + + * Improve the core.when-interpreter-exceptions unit test to prevent + it from occasionally timing out. (Jon Siwek) + 2.2-70 | 2013-12-10 15:02:50 -0800 * Fix (harmless) uninitialized field in basename/dirname util diff --git a/CMakeLists.txt b/CMakeLists.txt index 88cee2ec29..87b99271c5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -16,17 +16,12 @@ endif () get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH} ABSOLUTE) -set(BRO_MAGIC_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro/magic) -set(BRO_MAGIC_SOURCE_PATH ${CMAKE_CURRENT_SOURCE_DIR}/magic/database) - configure_file(bro-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev) file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.sh "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n" - "export BROMAGIC=\"${BRO_MAGIC_SOURCE_PATH}\"\n" "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev`\n" - "setenv BROMAGIC \"${BRO_MAGIC_SOURCE_PATH}\"\n" "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) @@ -57,7 +52,6 @@ FindRequiredPackage(BISON) FindRequiredPackage(PCAP) FindRequiredPackage(OpenSSL) FindRequiredPackage(BIND) -FindRequiredPackage(LibMagic) FindRequiredPackage(ZLIB) if (NOT BinPAC_ROOT_DIR AND 
@@ -66,6 +60,10 @@ if (NOT BinPAC_ROOT_DIR AND endif () FindRequiredPackage(BinPAC) +if (ENABLE_JEMALLOC) + find_package(JeMalloc) +endif () + if (MISSING_PREREQS) foreach (prereq ${MISSING_PREREQ_DESCS}) message(SEND_ERROR ${prereq}) @@ -73,19 +71,13 @@ if (MISSING_PREREQS) message(FATAL_ERROR "Configuration aborted due to missing prerequisites") endif () -set(libmagic_req 5.04) -if ( LibMagic_VERSION VERSION_LESS ${libmagic_req} ) - message(FATAL_ERROR "libmagic of at least version ${libmagic_req} required " - "(found ${LibMagic_VERSION})") -endif () - include_directories(BEFORE ${PCAP_INCLUDE_DIR} ${OpenSSL_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR} - ${LibMagic_INCLUDE_DIR} ${ZLIB_INCLUDE_DIR} + ${JEMALLOC_INCLUDE_DIR} ) # Optional Dependencies @@ -163,8 +155,8 @@ set(brodeps ${PCAP_LIBRARY} ${OpenSSL_LIBRARIES} ${BIND_LIBRARY} - ${LibMagic_LIBRARY} ${ZLIB_LIBRARY} + ${JEMALLOC_LIBRARIES} ${OPTLIBS} ) @@ -201,10 +193,6 @@ CheckOptionalBuildSources(aux/broctl Broctl INSTALL_BROCTL) CheckOptionalBuildSources(aux/bro-aux Bro-Aux INSTALL_AUX_TOOLS) CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) -install(DIRECTORY ./magic/database/ - DESTINATION ${BRO_MAGIC_INSTALL_PATH} -) - ######################################################################## ## Packaging Setup @@ -249,6 +237,7 @@ message( "\ngperftools found: ${HAVE_PERFTOOLS}" "\n tcmalloc: ${USE_PERFTOOLS_TCMALLOC}" "\n debugging: ${USE_PERFTOOLS_DEBUG}" + "\njemalloc: ${ENABLE_JEMALLOC}" "\ncURL: ${USE_CURL}" "\n" "\nDataSeries: ${USE_DATASERIES}" diff --git a/NEWS b/NEWS index 524cac14e0..ac12931819 100644 --- a/NEWS +++ b/NEWS 
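Review bot: `find_package(JeMalloc)` in the `@@ -66,6 +60,10 @@` hunk is neither `REQUIRED` nor followed by a check of its result, so a build configured with `--enable-jemalloc` looks like it will carry on without the allocator when the library is not found; the `MISSING_PREREQS` abort just below appears to cover only the `FindRequiredPackage` calls. The summary line added in the `@@ -249,6 +237,7 @@` hunk prints `${ENABLE_JEMALLOC}`, which is what was requested rather than what was found and linked. I would write `find_package(JeMalloc REQUIRED)` inside the `if (ENABLE_JEMALLOC)` block so an explicit request that cannot be met stops the configure step. How the find module reports a miss is defined in the `cmake` submodule, outside this diff, so confirm against it.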
@@ -9,9 +9,42 @@ Bro 2.3 [In progress] +Dependencies +------------ + +- Bro no longer requires a pre-installed libmagic (because it now + ships its own). + +- Libmagic is no longer a dependency. + New Functionality ----------------- +- Support for GRE tunnel decapsulation, including enhanced GRE + headers. GRE tunnels are treated just like IP-in-IP tunnels by + parsing past the GRE header in between the delivery and payload IP + packets. + +- The DNS analyzer now actually generates the dns_SRV_reply() event. + It had been documented before, yet was never raised. + +- Bro now uses "file magic signatures" to identify file types. These + are defined via two new constructs in the signature rule parsing + grammar: "file-magic" gives a regular expression to match against, + and "file-mime" gives the MIME type string of content that matches + the magic and an optional strength value for the match. (See also + "Changed Functionality" below for changes due to switching from + using libmagic to such wsignatures.) + +- A new built-in function, "file_magic", can be used to get all file + magic matches and their corresponding strength against a given chunk + of data. + +- The SSL analyzer now has support heartbeats as well as for a few + extensions, including server_name, alpn, and ec-curves. + +- The SSL analyzer comes with Heartbleed detector script in + protocols/ssl/heartbleed.bro. Changed Functionality --------------------- 
@@ -22,6 +55,52 @@ Changed Functionality - ssl_client_hello() now receives a vector of ciphers, instead of a set, to preserve their order. +- Notice::end_suppression() has been removed. + +- Bro now parses X.509 extensions headers and, as a result, the + corresponding event got a new signature: + + event x509_extension(c: connection, is_orig: bool, cert: X509, ext: X509_extension_info); + +- Generally, all x509 events and handling functions have changed their + signatures. + +- Bro no longer special-cases SYN/FIN/RST-filtered traces by not + reporting missing data. The old behavior can be reverted by + redef'ing "detect_filtered_trace". + + TODO: Update if we add a detector for filtered traces. + +- We have removed the packet sorter component. + +- Bro no longer uses libmagic to identify file types but instead now + comes with its own signature library (which initially is still + derived from libmagic;s database). This leads to a number of further + changes with regards to MIME types: + + * The second parameter of the "identify_data" built-in function + can no longer be used to get verbose file type descriptions, + though it can still be used to get the strongest matching file + magic signature. + + * The "file_transferred" event's "descr" parameter no longer + contains verbose file type descriptions. + + * The BROMAGIC environment variable no longer changes any behavior + in Bro as magic databases are no longer used/installed. + + * Removed "binary" and "octet-stream" mime type detections. They + don' provide any more information than an uninitialized + mime_type field. + + * The "fa_file" record now contains a "mime_types" field that + contains all magic signatures that matched the file content + (where the "mime_type" field is just a shortcut for the + strongest match). + +- dns_TXT_reply() now supports more than one string entry by receiving + a vector of strings. + Bro 2.2 ======= 
@@ -198,9 +277,9 @@ New Functionality global s = MySet([$c=1], [$c=2]); - Strings now support the subscript operator to extract individual - characters and substrings (e.g., ``s[4]``, ``s[1,5]``). The index + characters and substrings (e.g., ``s[4]``, ``s[1:5]``). The index expression can take up to two indices for the start and end index of - the substring to return (e.g. ``mystring[1,3]``). + the substring to return (e.g. ``mystring[1:3]``). - Functions now support default parameters, e.g.:: diff --git a/VERSION b/VERSION index 066d37e8c2..ce1d2d112b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.2-70 +2.2-425 diff --git a/aux/binpac b/aux/binpac index 54b321009b..b0877edc68 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 54b321009b750268526419bdbd841f421c839313 +Subproject commit b0877edc68af6ae08face528fc411c8ce21f2e30 diff --git a/aux/bro-aux b/aux/bro-aux index ebf9c0d88a..6dfc648d22 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ebf9c0d88ae8230845b91f15755156f93ff21aa8 +Subproject commit 6dfc648d22d234d2ba4b1cb0fc74cda2eb023d1e diff --git a/aux/broccoli b/aux/broccoli index e02ccc0a27..561ccdd6ed 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit e02ccc0a27e64b147f01e4c7deb5b897864d59d5 +Subproject commit 561ccdd6edec4ac5540f3d5565aefb59e7510634 diff --git a/aux/broctl b/aux/broctl index 2e07720b4f..c44ec9c13d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 2e07720b4f129802e07ca99498e2aff4542c737a +Subproject commit c44ec9c13d87b8589d6f1549b9c523130fcc2a39 diff --git a/aux/btest b/aux/btest index 26c3136d56..4e2ec35917 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 26c3136d56493017bc33c5a2f22ae393d585c2d9 +Subproject commit 4e2ec35917acb883c7d2ab19af487f3863c687ae diff --git a/cmake b/cmake index e7a46cb82e..0f301aa08a 160000 --- a/cmake +++ b/cmake 
@@ -1 +1 @@ -Subproject commit e7a46cb82ee10aa522c4d88115baf10181277d20 +Subproject commit 0f301aa08a970150195a2ea5b3ed43d2d98b35b3 diff --git a/configure b/configure index ba9bf58301..5af2f25c8f 100755 --- a/configure +++ b/configure @@ -32,6 +32,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --enable-perftools force use of Google perftools on non-Linux systems (automatically on when perftools is present on Linux) --enable-perftools-debug use Google's perftools for debugging + --enable-jemalloc link against jemalloc --enable-ruby build ruby bindings for broccoli (deprecated) --disable-broccoli don't build or install the Broccoli library --disable-broctl don't install Broctl @@ -54,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Optional Packages in Non-Standard Locations: --with-geoip=PATH path to the libGeoIP install root --with-perftools=PATH path to Google Perftools install root + --with-jemalloc=PATH path to jemalloc install root --with-python=PATH path to Python interpreter --with-python-lib=PATH path to libpython --with-python-inc=PATH path to Python headers @@ -105,6 +107,7 @@ append_cache_entry BRO_ETC_INSTALL_DIR PATH $prefix/etc append_cache_entry ENABLE_DEBUG BOOL false append_cache_entry ENABLE_PERFTOOLS BOOL false append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false +append_cache_entry ENABLE_JEMALLOC BOOL false append_cache_entry BinPAC_SKIP_INSTALL BOOL true append_cache_entry BUILD_SHARED_LIBS BOOL true append_cache_entry INSTALL_AUX_TOOLS BOOL true @@ -160,6 +163,9 @@ while [ $# -ne 0 ]; do append_cache_entry ENABLE_PERFTOOLS BOOL true append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL true ;; + --enable-jemalloc) + append_cache_entry ENABLE_JEMALLOC BOOL true + ;; --disable-broccoli) append_cache_entry INSTALL_BROCCOLI BOOL false ;; 
@@ -214,6 +220,10 @@ while [ $# -ne 0 ]; do --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; + --with-jemalloc=*) + append_cache_entry JEMALLOC_ROOT_DIR PATH $optarg + append_cache_entry ENABLE_JEMALLOC BOOL true + ;; --with-python=*) append_cache_entry PYTHON_EXECUTABLE PATH $optarg ;; diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 9498556edc..414cf56b0c 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -14,8 +14,6 @@ if (NOT ${retval} EQUAL 0) message(FATAL_ERROR "Problem setting BROPATH") endif () -set(BROMAGIC ${BRO_MAGIC_SOURCE_PATH}) - # Configure the Sphinx config file (expand variables CMake might know about). configure_file(${CMAKE_CURRENT_SOURCE_DIR}/conf.py.in ${CMAKE_CURRENT_BINARY_DIR}/conf.py @@ -34,7 +32,6 @@ add_custom_target(sphinxdoc ${CMAKE_CURRENT_SOURCE_DIR}/ ${SPHINX_INPUT_DIR} # Use Bro/Broxygen to dynamically generate reST for all Bro scripts. COMMAND BROPATH=${BROPATH} - BROMAGIC=${BROMAGIC} ${CMAKE_BINARY_DIR}/src/bro -X ${CMAKE_CURRENT_BINARY_DIR}/broxygen.conf broxygen >/dev/null diff --git a/doc/README b/doc/README index 5104f79801..5d1b685d40 100644 --- a/doc/README +++ b/doc/README @@ -10,7 +10,7 @@ common/general documentation, style sheets, JavaScript, etc. The Sphinx config file is produced from ``conf.py.in``, and can be edited to change various Sphinx options. -There is also a custom Sphinx domain implemented in ``source/ext/bro.py`` +There is also a custom Sphinx domain implemented in ``ext/bro.py`` which adds some reST directives and roles that aid in generating useful index entries and cross-references. Other extensions can be added in a similar fashion. 
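Review bot: `$optarg` is expanded unquoted in the added `--with-jemalloc=*` arm, so an install root containing whitespace would be word-split before it reaches `append_cache_entry`. Quoting it avoids that: `append_cache_entry JEMALLOC_ROOT_DIR PATH "$optarg"`. The neighbouring `--with-perftools=*` arm has the same form, and the enclosing `while`/`case` starts outside the hunk, so how `append_cache_entry` handles its arguments is not visible here.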
@@ -19,7 +19,8 @@ The ``make doc`` target in the top-level Makefile can be used to locally render the reST files into HTML. That target depends on: * Python interpreter >= 2.5 -* `Sphinx `_ >= 1.0.1 +* `Sphinx `_ >= 1.0.1 +* Doxygen (required only for building the Broccoli API doc) After completion, HTML documentation is symlinked in ``build/html``. diff --git a/doc/_static/basic.css b/doc/_static/basic.css index 1332c7b048..26e3450b65 100644 --- a/doc/_static/basic.css +++ b/doc/_static/basic.css @@ -439,8 +439,17 @@ td.linenos pre { color: #aaa; } +.highlight-guess { + overflow:auto; +} + +.highlight-none { + overflow:auto; +} + table.highlighttable { margin-left: 0.5em; + overflow:scroll; } table.highlighttable td { diff --git a/doc/broids/index.rst b/doc/broids/index.rst new file mode 100644 index 0000000000..96f50f8fa5 --- /dev/null +++ b/doc/broids/index.rst 
@@ -0,0 +1,79 @@ + +.. _bro-ids: + +======= +Bro IDS +======= + +An Intrusion Detection System (IDS) allows you to detect suspicious +activities happening on your network as a result of a past or active +attack. Because of its programming capabilities, Bro can easily be +configured to behave like traditional IDSs and detect common attacks +with well known patterns, or you can create your own scripts to detect +conditions specific to your particular case. + +In the following sections, we present a few examples of common uses of +Bro as an IDS. + +------------------------------------------------- +Detecting an FTP Brute-force Attack and Notifying +------------------------------------------------- + +For the purpose of this exercise, we define FTP brute-forcing as too many +rejected usernames and passwords occurring from a single address. We +start by defining a threshold for the number of attempts, a monitoring +interval (in minutes), and a new notice type. + +.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro + :lines: 9-25 + +Using the ftp_reply event, we check for error codes from the `500 +series `_ +for the "USER" and "PASS" commands, representing rejected usernames or +passwords. For this, we can use the :bro:see:`FTP::parse_ftp_reply_code` +function to break down the reply code and check if the first digit is a +"5" or not. If true, we then use the :ref:`Summary Statistics Framework +` to keep track of the number of failed attempts. + +.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro + :lines: 52-60 + +Next, we use the SumStats framework to raise a notice of the attack when +the number of failed attempts exceeds the specified threshold during the +measuring interval. + +.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro + :lines: 28-50 + +Below is the final code for our script. + +.. 
btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro + +.. btest:: ftp-bruteforce + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/ftp/bruteforce.pcap protocols/ftp/detect-bruteforcing.bro + @TEST-EXEC: btest-rst-include notice.log + +As a final note, the :doc:`detect-bruteforcing.bro +` script above is +included with Bro out of the box. Use this feature by loading this script +during startup. + +------------- +Other Attacks +------------- + +Detecting SQL Injection Attacks +------------------------------- + +Checking files against known malware hashes +------------------------------------------- + +Files transmitted on your network could either be completely harmless or +contain viruses and other threats. One possible action against this +threat is to compute the hashes of the files and compare them against a +list of known malware hashes. Bro simplifies this task by offering a +:doc:`detect-MHR.bro ` +script that creates and compares hashes against the `Malware Hash +Registry `_ maintained by Team +Cymru. Use this feature by loading this script during startup. diff --git a/doc/cluster/index.rst b/doc/cluster/index.rst index 6de70d38cc..544ca5e0f8 100644 --- a/doc/cluster/index.rst +++ b/doc/cluster/index.rst 
@@ -1,12 +1,19 @@ ======================== -Setting up a Bro Cluster +Bro Cluster Architecture ======================== -Intro ------- -Bro is not multithreaded, so once the limitations of a single processor core are reached, the only option currently is to spread the workload across many cores or even many physical computers. The cluster deployment scenario for Bro is the current solution to build these larger systems. The accompanying tools and scripts provide the structure to easily manage many Bro processes examining packets and doing correlation activities but acting as a singular, cohesive entity. +Bro is not multithreaded, so once the limitations of a single processor core +are reached the only option currently is to spread the workload across many +cores, or even many physical computers. The cluster deployment scenario for +Bro is the current solution to build these larger systems. The tools and +scripts that accompany Bro provide the structure to easily manage many Bro +processes examining packets and doing correlation activities but acting as +a singular, cohesive entity. This document describes the Bro cluster +architecture. For information on how to configure a Bro cluster, +see the documentation for +:doc:`BroControl <../components/broctl/README>`. Architecture --------------- 
@@ -17,42 +24,97 @@ The figure below illustrates the main components of a Bro cluster. Tap *** -This is a mechanism that splits the packet stream in order to make a copy -available for inspection. Examples include the monitoring port on a switch and -an optical splitter for fiber networks. +The tap is a mechanism that splits the packet stream in order to make a copy +available for inspection. Examples include the monitoring port on a switch +and an optical splitter on fiber networks. -Frontend +Frontend ******** -This is a discrete hardware device or on-host technique that will split your traffic into many streams or flows. The Bro binary does not do this job. There are numerous ways to accomplish this task, some of which are described below in `Frontend Options`_. +The frontend is a discrete hardware device or on-host technique that splits +traffic into many streams or flows. The Bro binary does not do this job. +There are numerous ways to accomplish this task, some of which are described +below in `Frontend Options`_. Manager ******* -This is a Bro process which has two primary jobs. It receives log messages and notices from the rest of the nodes in the cluster using the Bro communications protocol. The result is that you will end up with single logs for each log instead of many discrete logs that you have to later combine in some manner with post processing. The manager also takes the opportunity to de-duplicate notices and it has the ability to do so since it’s acting as the choke point for notices and how notices might be processed into actions such as emailing, paging, or blocking. +The manager is a Bro process that has two primary jobs. It receives log +messages and notices from the rest of the nodes in the cluster using the Bro +communications protocol. The result is a single log instead of many +discrete logs that you have to combine in some manner with post-processing. 
+The manager also takes the opportunity to de-duplicate notices, and it has the +ability to do so since it's acting as the choke point for notices and how +notices might be processed into actions (e.g., emailing, paging, or blocking). -The manager process is started first by BroControl and it only opens it’s designated port and waits for connections, it doesn’t initiate any connections to the rest of the cluster. Once the workers are started and connect to the manager, logs and notices will start arriving to the manager process from the workers. +The manager process is started first by BroControl and it only opens its +designated port and waits for connections, it doesn't initiate any +connections to the rest of the cluster. Once the workers are started and +connect to the manager, logs and notices will start arriving to the manager +process from the workers. Proxy ***** -This is a Bro process which manages synchronized state. Variables can be synchronized across connected Bro processes automatically in Bro and proxies will help the workers by alleviating the need for all of the workers to connect directly to each other. +The proxy is a Bro process that manages synchronized state. Variables can +be synchronized across connected Bro processes automatically. Proxies help +the workers by alleviating the need for all of the workers to connect +directly to each other. -Examples of synchronized state from the scripts that ship with Bro are things such as the full list of “known” hosts and services which are hosts or services which have been detected as performing full TCP handshakes or an analyzed protocol has been found on the connection. If worker A detects host 1.2.3.4 as an active host, it would be beneficial for worker B to know that as well so worker A shares that information as an insertion to a set which travels to the cluster’s proxy and the proxy then sends that same set insertion to worker B. 
The result is that worker A and worker B have shared knowledge about host and services that are active on the network being monitored. +Examples of synchronized state from the scripts that ship with Bro include +the full list of "known" hosts and services (which are hosts or services +identified as performing full TCP handshakes) or an analyzed protocol has been +found on the connection. If worker A detects host 1.2.3.4 as an active host, +it would be beneficial for worker B to know that as well. So worker A shares +that information as an insertion to a set which travels to the cluster's +proxy and the proxy sends that same set insertion to worker B. The result +is that worker A and worker B have shared knowledge about host and services +that are active on the network being monitored. -The proxy model extends to having multiple proxies as well if necessary for performance reasons, it only adds one additional step for the Bro processes. Each proxy connects to another proxy in a ring and the workers are shared between them as evenly as possible. When a proxy receives some new bit of state, it will share that with it’s proxy which is then shared around the ring of proxies and down to all of the workers. From a practical standpoint, there are no rules of thumb established yet for the number of proxies necessary for the number of workers they are serving. Best is to start with a single proxy and add more if communication performance problems are found. +The proxy model extends to having multiple proxies when necessary for +performance reasons. It only adds one additional step for the Bro processes. +Each proxy connects to another proxy in a ring and the workers are shared +between them as evenly as possible. When a proxy receives some new bit of +state it will share that with its proxy, which is then shared around the +ring of proxies, and down to all of the workers. 
From a practical standpoint, +there are no rules of thumb established for the number of proxies +necessary for the number of workers they are serving. It is best to start +with a single proxy and add more if communication performance problems are +found. -Bro processes acting as proxies don’t tend to be extremely intense to CPU or memory and users frequently run proxy processes on the same physical host as the manager. +Bro processes acting as proxies don't tend to be extremely hard on CPU +or memory and users frequently run proxy processes on the same physical +host as the manager. Worker ****** -This is the Bro process that sniffs network traffic and does protocol analysis on the reassembled traffic streams. Most of the work of an active cluster takes place on the workers and as such, the workers typically represent the bulk of the Bro processes that are running in a cluster. The fastest memory and CPU core speed you can afford is best here since all of the protocol parsing and most analysis will take place here. There are no particular requirements for the disks in workers since almost all logging is done remotely to the manager and very little is normally written to disk. +The worker is the Bro process that sniffs network traffic and does protocol +analysis on the reassembled traffic streams. Most of the work of an active +cluster takes place on the workers and as such, the workers typically +represent the bulk of the Bro processes that are running in a cluster. +The fastest memory and CPU core speed you can afford is recommended +since all of the protocol parsing and most analysis will take place here. +There are no particular requirements for the disks in workers since almost all +logging is done remotely to the manager, and normally very little is written +to disk. -The rule of thumb we have followed recently is to allocate approximately 1 core for every 80Mbps of traffic that is being analyzed, however this estimate could be extremely traffic mix specific. 
It has generally worked for mixed traffic with many users and servers. For example, if your traffic peaks around 2Gbps (combined) and you want to handle traffic at peak load, you may want to have 26 cores available (2048 / 80 == 25.6). If the 80Mbps estimate works for your traffic, this could be handled by 3 physical hosts dedicated to being workers with each one containing dual 6-core processors. +The rule of thumb we have followed recently is to allocate approximately 1 +core for every 80Mbps of traffic that is being analyzed. However, this +estimate could be extremely traffic mix-specific. It has generally worked +for mixed traffic with many users and servers. For example, if your traffic +peaks around 2Gbps (combined) and you want to handle traffic at peak load, +you may want to have 26 cores available (2048 / 80 == 25.6). If the 80Mbps +estimate works for your traffic, this could be handled by 3 physical hosts +dedicated to being workers with each one containing dual 6-core processors. -Once a flow based load balancer is put into place this model is extremely easy to scale as well so it’s recommended that you guess at the amount of hardware you will need to fully analyze your traffic. If it turns out that you need more, it’s relatively easy to increase the size of the cluster in most cases. +Once a flow-based load balancer is put into place this model is extremely +easy to scale. It is recommended that you estimate the amount of +hardware you will need to fully analyze your traffic. If more is needed it's +relatively easy to increase the size of the cluster in most cases. Frontend Options ---------------- -There are many options for setting up a frontend flow distributor and in many cases it may even be beneficial to do multiple stages of flow distribution on the network and on the host. +There are many options for setting up a frontend flow distributor. In many +cases it is beneficial to do multiple stages of flow distribution +on the network and on the host. 
Discrete hardware flow balancers ******************************** 
@@ -60,12 +122,24 @@ Discrete hardware flow balancers cPacket ^^^^^^^ -If you are monitoring one or more 10G physical interfaces, the recommended solution is to use either a cFlow or cVu device from cPacket because they are currently being used very successfully at a number of sites. These devices will perform layer-2 load balancing by rewriting the destination ethernet MAC address to cause each packet associated with a particular flow to have the same destination MAC. The packets can then be passed directly to a monitoring host where each worker has a BPF filter to limit its visibility to only that stream of flows or onward to a commodity switch to split the traffic out to multiple 1G interfaces for the workers. This can ultimately greatly reduce costs since workers can use relatively inexpensive 1G interfaces. +If you are monitoring one or more 10G physical interfaces, the recommended +solution is to use either a cFlow or cVu device from cPacket because they +are used successfully at a number of sites. These devices will perform +layer-2 load balancing by rewriting the destination Ethernet MAC address +to cause each packet associated with a particular flow to have the same +destination MAC. The packets can then be passed directly to a monitoring +host where each worker has a BPF filter to limit its visibility to only that +stream of flows, or onward to a commodity switch to split the traffic out to +multiple 1G interfaces for the workers. This greatly reduces +costs since workers can use relatively inexpensive 1G interfaces. OpenFlow Switches ^^^^^^^^^^^^^^^^^ -We are currently exploring the use of OpenFlow based switches to do flow based load balancing directly on the switch which can greatly reduce frontend costs for many users. This document will be updated when we have more information. +We are currently exploring the use of OpenFlow based switches to do flow-based +load balancing directly on the switch, which greatly reduces frontend +costs for many users. 
This document will be updated when we have more +information. On host flow balancing ********************** 
@@ -73,14 +147,26 @@ On host flow balancing PF_RING ^^^^^^^ -The PF_RING software for Linux has a “clustering” feature which will do flow based load balancing across a number of processes that are sniffing the same interface. This will allow you to easily take advantage of multiple cores in a single physical host because Bro’s main event loop is single threaded and can’t natively utilize all of the cores. More information about Bro with PF_RING can be found here: (someone want to write a quick Bro/PF_RING tutorial to link to here? document installing kernel module, libpcap wrapper, building Bro with the --with-pcap configure option) +The PF_RING software for Linux has a "clustering" feature which will do +flow-based load balancing across a number of processes that are sniffing the +same interface. This allows you to easily take advantage of multiple +cores in a single physical host because Bro's main event loop is single +threaded and can't natively utilize all of the cores. If you want to use +PF_RING, see the documentation on `how to configure Bro with PF_RING +`_. Netmap ^^^^^^ -FreeBSD has an in-progress project named Netmap which will enable flow based load balancing as well. When it becomes viable for real world use, this document will be updated. +FreeBSD has an in-progress project named Netmap which will enable flow-based +load balancing as well. When it becomes viable for real world use, this +document will be updated. Click! Software Router ^^^^^^^^^^^^^^^^^^^^^^ -Click! can be used for flow based load balancing with a simple configuration. (link to an example for the config). This solution is not recommended on Linux due to Bro’s PF_RING support and only as a last resort on other operating systems since it causes a lot of overhead due to context switching back and forth between kernel and userland several times per packet. +Click! can be used for flow based load balancing with a simple configuration. 
+This solution is not recommended on +Linux due to Bro's PF_RING support and only as a last resort on other +operating systems since it causes a lot of overhead due to context switching +back and forth between kernel and userland several times per packet. diff --git a/doc/frameworks/file-analysis.rst b/doc/frameworks/file-analysis.rst index 50fb89317c..e70b124af7 100644 --- a/doc/frameworks/file-analysis.rst +++ b/doc/frameworks/file-analysis.rst @@ -1,3 +1,6 @@ + +.. _file-analysis-framework: + ============= File Analysis ============= diff --git a/doc/frameworks/notice.rst b/doc/frameworks/notice.rst index fe94d7f2ca..2c20149ce5 100644 --- a/doc/frameworks/notice.rst +++ b/doc/frameworks/notice.rst @@ -1,4 +1,6 @@ +.. _notice-framework: + Notice Framework ================ diff --git a/doc/frameworks/signatures.rst b/doc/frameworks/signatures.rst index 884dcb8a47..1443f76ba1 100644 --- a/doc/frameworks/signatures.rst +++ b/doc/frameworks/signatures.rst @@ -64,8 +64,8 @@ expect that signature file in the same directory as the Bro script. The default extension of the file name is ``.sig``, and Bro appends that automatically when necessary. -Signature language -================== +Signature Language for Network Traffic +====================================== Let's look at the format of a signature more closely. Each individual signature has the format ``signature { }``. ```` 
@@ -286,6 +286,44 @@ two actions defined: connection (``"http"``, ``"ftp"``, etc.). This is used by Bro's dynamic protocol detection to activate analyzers on the fly. +Signature Language for File Content +=================================== + +The signature framework can also be used to identify MIME types of files +irrespective of the network protocol/connection over which the file is +transferred. A special type of signature can be written for this +purpose and will be used automatically by the :doc:`Files Framework +` or by Bro scripts that use the :bro:see:`file_magic` +built-in function. + +Conditions +---------- + +File signatures use a single type of content condition in the form of a +regular expression: + +``file-magic //`` + +This is analogous to the ``payload`` content condition for the network +traffic signature language described above. The difference is that +``payload`` signatures are applied to payloads of network connections, +but ``file-magic`` can be applied to any arbitrary data, it does not +have to be tied to a network protocol/connection. + +Actions +------- + +Upon matching a chunk of data, file signatures use the following action +to get information about that data's MIME type: + +``file-mime [, ]`` + +The arguments include the MIME type string associated with the file +magic regular expression and an optional "strength" as a signed integer. +Since multiple file magic signatures may match against a given chunk of +data, the strength value may be used to help choose a "winner". Higher +values are considered stronger. + Things to keep in mind when writing signatures ============================================== diff --git a/doc/frameworks/sumstats.rst b/doc/frameworks/sumstats.rst index 6ab2f43b35..aaed35be29 100644 --- a/doc/frameworks/sumstats.rst +++ b/doc/frameworks/sumstats.rst @@ -1,3 +1,6 @@ + +.. _sumstats-framework: + ================== Summary Statistics ================== 
diff --git a/doc/httpmonitor/file_extraction.bro b/doc/httpmonitor/file_extraction.bro
new file mode 100644
index 0000000000..b2318c595e
--- /dev/null
+++ b/doc/httpmonitor/file_extraction.bro
@@ -0,0 +1,24 @@
+
+global mime_to_ext: table[string] of string = {
+ ["application/x-dosexec"] = "exe",
+ ["text/plain"] = "txt",
+ ["image/jpeg"] = "jpg",
+ ["image/png"] = "png",
+ ["text/html"] = "html",
+};
+
+event file_new(f: fa_file)
+ {
+ if ( f$source != "HTTP" )
+ return;
+
+ if ( ! f?$mime_type )
+ return;
+
+ if ( f$mime_type !in mime_to_ext )
+ return;
+
+ local fname = fmt("%s-%s.%s", f$source, f$id, mime_to_ext[f$mime_type]);
+ print fmt("Extracting file %s", fname);
+ Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
+ }
diff --git a/doc/httpmonitor/http_proxy_01.bro b/doc/httpmonitor/http_proxy_01.bro
new file mode 100644
index 0000000000..76555b6646
--- /dev/null
+++ b/doc/httpmonitor/http_proxy_01.bro
@@ -0,0 +1,5 @@
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ if ( /^[hH][tT][tT][pP]:/ in c$http$uri && c$http$status_code == 200 )
+ print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
+ }
diff --git a/doc/httpmonitor/http_proxy_02.bro b/doc/httpmonitor/http_proxy_02.bro
new file mode 100644
index 0000000000..cdbd722619
--- /dev/null
+++ b/doc/httpmonitor/http_proxy_02.bro
@@ -0,0 +1,26 @@
+
+module HTTP;
+
+export {
+
+ global success_status_codes: set[count] = {
+ 200,
+ 201,
+ 202,
+ 203,
+ 204,
+ 205,
+ 206,
+ 207,
+ 208,
+ 226,
+ 304
+ };
+}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ if ( /^[hH][tT][tT][pP]:/ in c$http$uri &&
+ c$http$status_code in HTTP::success_status_codes )
+ print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
+ }
diff --git a/doc/httpmonitor/http_proxy_03.bro b/doc/httpmonitor/http_proxy_03.bro
new file mode 100644
index 0000000000..17bfdcb95b
--- /dev/null
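Review bot: Everything this handler extracts is content chosen by a remote HTTP peer, and the `mime_to_ext` table gives `application/x-dosexec` a real `.exe` name, yet nothing in the file tells the reader to treat the output directory as hostile. A comment above the `Files::add_analyzer` call would cover it: `# Extracted files are untrusted; keep the extraction directory non-executable and away from preview or indexing tools.` The call also passes no size bound, so if the extract analyzer in this tree accepts a limit argument, the example should set one.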
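Review bot: `c$http$uri` and `c$http$status_code` are read in the `if` of http_proxy_01.bro without a `?$` presence test, unlike file_extraction.bro in this same commit, which checks `f?$mime_type` before use. If a reply arrives on a connection whose request was never parsed (a capture that starts mid-connection, for example), the field is presumably unset and the handler would stop with a runtime error instead of evaluating the check. Guarding the fields and using the event's own `code` parameter avoids that: `if ( c?$http && c$http?$uri && /^[hH][tT][tT][pP]:/ in c$http$uri && code == 200 )`. The same unguarded reads appear in http_proxy_02.bro, http_proxy_03.bro and http_proxy_04.bro.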
+++ b/doc/httpmonitor/http_proxy_03.bro
@@ -0,0 +1,31 @@
+
+@load base/utils/site
+
+redef Site::local_nets += { 192.168.0.0/16 };
+
+module HTTP;
+
+export {
+
+ global success_status_codes: set[count] = {
+ 200,
+ 201,
+ 202,
+ 203,
+ 204,
+ 205,
+ 206,
+ 207,
+ 208,
+ 226,
+ 304
+ };
+}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ if ( Site::is_local_addr(c$id$resp_h) &&
+ /^[hH][tT][tT][pP]:/ in c$http$uri &&
+ c$http$status_code in HTTP::success_status_codes )
+ print fmt("A local server is acting as an open proxy: %s", c$id$resp_h);
+ }
diff --git a/doc/httpmonitor/http_proxy_04.bro b/doc/httpmonitor/http_proxy_04.bro
new file mode 100644
index 0000000000..1f11be3670
--- /dev/null
+++ b/doc/httpmonitor/http_proxy_04.bro
@@ -0,0 +1,40 @@
+@load base/utils/site
+@load base/frameworks/notice
+
+redef Site::local_nets += { 192.168.0.0/16 };
+
+module HTTP;
+
+export {
+
+ redef enum Notice::Type += {
+ Open_Proxy
+ };
+
+ global success_status_codes: set[count] = {
+ 200,
+ 201,
+ 202,
+ 203,
+ 204,
+ 205,
+ 206,
+ 207,
+ 208,
+ 226,
+ 304
+ };
+}
+
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ if ( Site::is_local_addr(c$id$resp_h) &&
+ /^[hH][tT][tT][pP]:/ in c$http$uri &&
+ c$http$status_code in HTTP::success_status_codes )
+ NOTICE([$note=HTTP::Open_Proxy,
+ $msg=fmt("A local server is acting as an open proxy: %s",
+ c$id$resp_h),
+ $conn=c,
+ $identifier=cat(c$id$resp_h),
+ $suppress_for=1day]);
+ }
diff --git a/doc/httpmonitor/index.rst b/doc/httpmonitor/index.rst
new file mode 100644
index 0000000000..5a4f28ebfe
--- /dev/null
+++ b/doc/httpmonitor/index.rst
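Review bot: `redef Site::local_nets += { 192.168.0.0/16 };` in http_proxy_03.bro hard-codes a sample network with nothing marking it as one, so a reader who loads the script unchanged adds that range to whatever the site already treats as local, and the `Site::is_local_addr` test then decides on it. A comment above the line would make that explicit: `# Example range only; replace with the networks your site actually owns.` http_proxy_04.bro carries the same line.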
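Review bot: The notice built in the `NOTICE` call of http_proxy_04.bro names only the responder address, so an analyst triaging `HTTP::Open_Proxy` has to pivot to http.log to see which absolute URI was proxied. The condition has already read `c$http$uri` by that point, so it can be attached directly, e.g. `$sub=c$http$uri,` after the `$msg` field.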
@@ -0,0 +1,162 @@ + +.. _http-monitor: + +================================ +Monitoring HTTP Traffic with Bro +================================ + +Bro can be used to log the entire HTTP traffic from your network to the +http.log file. This file can then be used for analysis and auditing +purposes. + +In the sections below we briefly explain the structure of the http.log +file, then we show you how to perform basic HTTP traffic monitoring and +analysis tasks with Bro. Some of these ideas and techniques can later be +applied to monitor different protocols in a similar way. + +---------------------------- +Introduction to the HTTP log +---------------------------- + +The http.log file contains a summary of all HTTP requests and responses +sent over a Bro-monitored network. Here are the first few columns of +``http.log``:: + + # ts uid orig_h orig_p resp_h resp_p + 1311627961.8 HSH4uV8KVJg 192.168.1.100 52303 192.150.187.43 80 + +Every single line in this log starts with a timestamp, a unique +connection identifier (UID), and a connection 4-tuple (originator +host/port and responder host/port). The UID can be used to identify all +logged activity (possibly across multiple log files) associated with a +given connection 4-tuple over its lifetime. + +The remaining columns detail the activity that's occurring. For +example, the columns on the line below (shortened for brevity) show a +request to the root of Bro website:: + + # method host uri referrer user_agent + GET bro.org / - <...>Chrome/12.0.742.122<...> + +Network administrators and security engineers, for instance, can use the +information in this log to understand the HTTP activity on the network +and troubleshoot network problems or search for anomalous activities. We must +stress that there is no single right way to perform an analysis. It will +depend on the expertise of the person performing the analysis and the +specific details of the task. 
+ +For more information about how to handle the HTTP protocol in Bro, +including a complete list of the fields available in http.log, go to +Bro's :doc:`HTTP script reference +`. + +------------------------ +Detecting a Proxy Server +------------------------ + +A proxy server is a device on your network configured to request a +service on behalf of a third system; one of the most common examples is +a Web proxy server. A client without Internet access connects to the +proxy and requests a web page, the proxy sends the request to the web +server, which receives the response, and passes it to the original +client. + +Proxies were conceived to help manage a network and provide better +encapsulation. Proxies by themselves are not a security threat, but a +misconfigured or unauthorized proxy can allow others, either inside or +outside the network, to access any web site and even conduct malicious +activities anonymously using the network's resources. + +What Proxy Server traffic looks like +------------------------------------- + +In general, when a client starts talking with a proxy server, the +traffic consists of two parts: (i) a GET request, and (ii) an HTTP/ +reply:: + + Request: GET http://www.bro.org/ HTTP/1.1 + Reply: HTTP/1.0 200 OK + +This will differ from traffic between a client and a normal Web server +because GET requests should not include "http" on the string. So we can +use this to identify a proxy server. + +We can write a basic script in Bro to handle the http_reply event and +detect a reply for a ``GET http://`` request. + +.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_01.bro + +.. btest:: http_proxy_01 + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_01.bro + +Basically, the script is checking for a "200 OK" status code on a reply +for a request that includes "http:" (case insensitive). 
In reality, the +HTTP protocol defines several success status codes other than 200, so we +will extend our basic script to also consider the additional codes. + +.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_02.bro + +.. btest:: http_proxy_02 + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_02.bro + +Next, we will make sure that the responding proxy is part of our local +network. + +.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_03.bro + +.. btest:: http_proxy_03 + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_03.bro + +.. note:: + + The redefinition of :bro:see:`Site::local_nets` is only done inside + this script to make it a self-contained example. It's typically + redefined somewhere else. + +Finally, our goal should be to generate an alert when a proxy has been +detected instead of printing a message on the console output. For that, +we will tag the traffic accordingly and define a new ``Open_Proxy`` +``Notice`` type to alert of all tagged communications. Once a +notification has been fired, we will further suppress it for one day. +Below is the complete script. + +.. btest-include:: ${DOC_ROOT}/httpmonitor/http_proxy_04.bro + +.. btest:: http_proxy_04 + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/proxy.pcap ${DOC_ROOT}/httpmonitor/http_proxy_04.bro + @TEST-EXEC: btest-rst-include notice.log + +Note that this script only logs the presence of the proxy to +``notice.log``, but if an additional email is desired (and email +functionality is enabled), then that's done simply by redefining +:bro:see:`Notice::emailed_types` to add the ``Open_proxy`` notice type +to it. + +---------------- +Inspecting Files +---------------- + +Files are often transmitted on regular HTTP conversations between a +client and a server. 
Most of the time these files are harmless, just +images and some other multimedia content, but there are also types of +files, specially executable files, that can damage your system. We can +instruct Bro to create a copy of all files of certain types that it sees +using the :ref:`File Analysis Framework ` +(introduced with Bro 2.2): + +.. btest-include:: ${DOC_ROOT}/httpmonitor/file_extraction.bro + +.. btest:: file_extraction + + @TEST-EXEC: btest-rst-cmd -n 5 bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/httpmonitor/file_extraction.bro + +Here, the ``mime_to_ext`` table serves two purposes. It defines which +mime types to extract and also the file suffix of the extracted files. +Extracted files are written to a new ``extract_files`` subdirectory. +Also note that the first conditional in the :bro:see:`file_new` event +handler can be removed to make this behavior generic to other protocols +besides HTTP. diff --git a/doc/index.rst b/doc/index.rst index 34096694b3..bab3d49204 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -1,23 +1,51 @@ .. Bro documentation master file -================= -Bro Documentation -================= +========== +Bro Manual +========== + +Introduction Section +==================== .. toctree:: :maxdepth: 2 intro/index.rst + cluster/index.rst install/index.rst quickstart/index.rst - using/index.rst + +.. + +.. _using-bro: + +Using Bro Section +================= + +.. toctree:: + :maxdepth: 2 + + logs/index.rst + httpmonitor/index.rst + broids/index.rst + mimestats/index.rst + +.. + +Reference Section +================= + +.. toctree:: + :maxdepth: 2 + scripting/index.rst frameworks/index.rst - cluster/index.rst script-reference/index.rst components/index.rst +.. + * :ref:`General Index ` * :ref:`search` diff --git a/doc/install/guidelines.rst b/doc/install/guidelines.rst index 7835c83716..af33b8fee1 100644 --- a/doc/install/guidelines.rst +++ b/doc/install/guidelines.rst 
@@ -1,43 +1,47 @@ .. _upgrade-guidelines: -================== -General Guidelines -================== +============== +How to Upgrade +============== If you're doing an upgrade install (rather than a fresh install), there's two suggested approaches: either install Bro using the same installation prefix directory as before, or pick a new prefix and copy -local customizations over. In the following we summarize general -guidelines for upgrading, see the :ref:`release-notes` for -version-specific information. +local customizations over. Regardless of which approach you choose, +if you are using BroControl, then after upgrading Bro you will need to +run "broctl check" (to verify that your new configuration is OK) +and "broctl install" to complete the upgrade process. -Re-Using Previous Install Prefix +In the following we summarize general guidelines for upgrading, see +the :ref:`release-notes` for version-specific information. + + +Reusing Previous Install Prefix ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you choose to configure and install Bro with the same prefix directory as before, local customization and configuration to files in ``$prefix/share/bro/site`` and ``$prefix/etc`` won't be overwritten (``$prefix`` indicating the root of where Bro was installed). Also, logs -generated at run-time won't be touched by the upgrade. (But making -a backup of local changes before upgrading is still recommended.) +generated at run-time won't be touched by the upgrade. Backing up local +changes before upgrading is still recommended. After upgrading, remember to check ``$prefix/share/bro/site`` and -``$prefix/etc`` for ``.example`` files, which indicate the -distribution's version of the file differs from the local one, which may -include local changes. Review the differences, and make adjustments -as necessary (for differences that aren't the result of a local change, -use the new version's). 
+``$prefix/etc`` for ``.example`` files, which indicate that the +distribution's version of the file differs from the local one, and therefore, +may include local changes. Review the differences and make adjustments +as necessary. Use the new version for differences that aren't a result of +a local change. -Using a New Install prefix +Using a New Install Prefix ~~~~~~~~~~~~~~~~~~~~~~~~~~ -If you want to install the newer version in a different prefix -directory than before, you can just copy local customization and -configuration files from ``$prefix/share/bro/site`` and ``$prefix/etc`` -to the new location (``$prefix`` indicating the root of where Bro was -originally installed). Make sure to review the files for difference -before copying and make adjustments as necessary (for differences that -aren't the result of a local change, use the new version's). Of -particular note, the copied version of ``$prefix/etc/broctl.cfg`` is -likely to need changes to the ``SpoolDir`` and ``LogDir`` settings. +To install the newer version in a different prefix directory than before, +copy local customization and configuration files from ``$prefix/share/bro/site`` +and ``$prefix/etc`` to the new location (``$prefix`` indicating the root of +where Bro was originally installed). Review the files for differences +before copying and make adjustments as necessary (use the new version for +differences that aren't a result of a local change). Of particular note, +the copied version of ``$prefix/etc/broctl.cfg`` is likely to need changes +to the ``SpoolDir`` and ``LogDir`` settings. diff --git a/doc/install/install.rst b/doc/install/install.rst index 7532a82cea..4450e842e3 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst 
@@ -3,7 +3,7 @@ .. _Xcode: https://developer.apple.com/xcode/ .. _MacPorts: http://www.macports.org .. _Fink: http://www.finkproject.org -.. _Homebrew: http://mxcl.github.com/homebrew +.. _Homebrew: http://brew.sh .. _bro downloads page: http://bro.org/download/index.html .. _installing-bro: @@ -29,7 +29,6 @@ before you begin: * Libpcap (http://www.tcpdump.org) * OpenSSL libraries (http://www.openssl.org) * BIND8 library - * Libmagic 5.04 or greater * Libz * Bash (for BroControl) * Python (for BroControl) @@ -44,7 +43,6 @@ To build Bro from source, the following additional dependencies are required: * Flex (Fast Lexical Analyzer) * Libpcap headers (http://www.tcpdump.org) * OpenSSL headers (http://www.openssl.org) - * libmagic headers * zlib headers * Perl @@ -55,13 +53,13 @@ that ``bash`` and ``python`` are in your ``PATH``): .. console:: - sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel file-devel + sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel * DEB/Debian-based Linux: .. console:: - sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev + sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev * FreeBSD: 
@@ -78,15 +76,11 @@ that ``bash`` and ``python`` are in your ``PATH``): then going through its "Preferences..." -> "Downloads" menus to install the "Command Line Tools" component. - Lion (10.7) and Mountain Lion (10.8) come with all required - dependencies except for CMake_, SWIG_, and ``libmagic``. - + OS X comes with all required dependencies except for CMake_ and SWIG_. Distributions of these dependencies can likely be obtained from your preferred Mac OS X package management system (e.g. MacPorts_, Fink_, - or Homebrew_). - - Specifically for MacPorts, the ``cmake``, ``swig``, - ``swig-python`` and ``file`` packages provide the required dependencies. + or Homebrew_). Specifically for MacPorts, the ``cmake``, ``swig``, + and ``swig-python`` packages provide the required dependencies. Optional Dependencies @@ -95,7 +89,7 @@ Optional Dependencies Bro can make use of some optional libraries and tools if they are found at build time: - * LibGeoIP (for geo-locating IP addresses) + * LibGeoIP (for geolocating IP addresses) * sendmail (enables Bro and BroControl to send mail) * gawk (enables all features of bro-cut) * curl (used by a Bro script that implements active HTTP) 
@@ -143,14 +137,14 @@ The primary install prefix for binary packages is ``/opt/bro``. Non-MacOS packages that include BroControl also put variable/runtime data (e.g. Bro logs) in ``/var/opt/bro``. -Installing From Source +Installing from Source ========================== -Bro releases are bundled into source packages for convenience and -available from the `bro downloads page`_. Alternatively, the latest +Bro releases are bundled into source packages for convenience and are +available on the `bro downloads page`_. Alternatively, the latest Bro development version can be obtained through git repositories hosted at ``git.bro.org``. See our `git development documentation -`_ for comprehensive +`_ for comprehensive information on Bro's use of git revision control, but the short story for downloading the full source code experience for Bro via git is: @@ -190,6 +184,11 @@ OpenBSD users, please see our `FAQ `_ if you are having problems installing Bro. +Finally, if you want to build the Bro documentation (not required, because +all of the documentation for the latest Bro release is available on the +Bro web site), there are instructions in ``doc/README`` in the source +distribution. + Configure the Run-Time Environment ================================== diff --git a/doc/using/index.rst b/doc/logs/index.rst similarity index 68% rename from doc/using/index.rst rename to doc/logs/index.rst index 1ad05d74f8..ced9a78faa 100644 --- a/doc/using/index.rst +++ b/doc/logs/index.rst @@ -1,9 +1,9 @@ -.. _using-bro: +.. _bro-logging: -========= -Using Bro -========= +=========== +Bro Logging +=========== .. contents:: 
@@ -24,17 +24,17 @@ Working with Log Files Generally, all of Bro's log files are produced by a corresponding script that defines their individual structure. However, as each log -file flows through the Logging Framework, there share a set of +file flows through the Logging Framework, they share a set of structural similarities. Without breaking into the scripting aspect of -Bro here, a bird's eye view of how the log files are produced would -progress as follows. The script's author defines the kinds of data, +Bro here, a bird's eye view of how the log files are produced +progresses as follows. The script's author defines the kinds of data, such as the originating IP address or the duration of a connection, which will make up the fields (i.e., columns) of the log file. The author then decides what network activity should generate a single log -file entry (i.e., one line); that could, e.g., be a connection having -been completed or an HTTP ``GET`` method being issued by an +file entry (i.e., one line). For example, this could be a connection +having been completed or an HTTP ``GET`` request being issued by an originator. When these behaviors are observed during operation, the -data is passed to the Logging Framework which, in turn, adds the entry +data is passed to the Logging Framework which adds the entry to the appropriate log file. As the fields of the log entries can be further customized by the 
@@ -57,7 +57,7 @@ data, the string ``(empty)`` as the indicator for an empty field and the ``-`` character as the indicator for a field that hasn't been set. The timestamp for when the file was created is included under ``#open``. The header then goes on to detail the fields being listed -in the file and the data types of those fields in ``#fields`` and +in the file and the data types of those fields, in ``#fields`` and ``#types``, respectively. These two entries are often the two most significant points of interest as they detail not only the field names but the data types used. When navigating through the different log @@ -66,12 +66,12 @@ definitions readily available saves the user some mental leg work. The field names are also a key resource for using the :ref:`bro-cut ` utility included with Bro, see below. -Next to the header follows the main content; in this example we see 7 +Next to the header follows the main content. In this example we see 7 connections with their key properties, such as originator and -responder IP addresses (note how Bro transparely handles both IPv4 and -IPv6), transport-layer ports, application-layer services - the -``service`` field is filled ias Bro determines a specific protocol to -be in use, independent of the connection's ports - payload size, and +responder IP addresses (note how Bro transparently handles both IPv4 and +IPv6), transport-layer ports, application-layer services ( - the +``service`` field is filled in as Bro determines a specific protocol to +be in use, independent of the connection's ports), payload size, and more. See :bro:type:`Conn::Info` for a description of all fields. In addition to ``conn.log``, Bro generates many further logs by 
@@ -87,8 +87,8 @@ default, including: A log of FTP session-level activity. ``files.log`` - Summaries of files transfered over the network. This information - is aggregrated from different protocols, including HTTP, FTP, and + Summaries of files transferred over the network. This information + is aggregated from different protocols, including HTTP, FTP, and SMTP. ``http.log`` @@ -106,7 +106,7 @@ default, including: ``weird.log`` A log of unexpected protocol-level activity. Whenever Bro's protocol analysis encounters a situation it would not expect - (e.g., an RFC violation) is logs it in this file. Note that in + (e.g., an RFC violation) it logs it in this file. Note that in practice, real-world networks tend to exhibit a large number of such "crud" that is usually not worth following up on. @@ -120,7 +120,7 @@ Using ``bro-cut`` The ``bro-cut`` utility can be used in place of other tools to build terminal commands that remain flexible and accurate independent of -possible changes to log file itself. It accomplishes this by parsing +possible changes to the log file itself. It accomplishes this by parsing the header in each file and allowing the user to refer to the specific columnar data available (in contrast to tools like ``awk`` that require the user to refer to fields referenced by their position). @@ -131,7 +131,7 @@ from a ``conn.log``: @TEST-EXEC: btest-rst-cmd -n 10 "cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration" -The correspding ``awk`` command would look like this: +The corresponding ``awk`` command will look like this: .. btest:: using_bro 
@@ -185,8 +185,8 @@ Working with Timestamps ``bro-cut`` accepts the flag ``-d`` to convert the epoch time values in the log files to human-readable format. The following command -includes the human readable time stamp, the unique identifier and the -HTTP ``Host`` and HTTP ``URI`` as extracted from the ``http.log`` +includes the human readable time stamp, the unique identifier, the +HTTP ``Host``, and HTTP ``URI`` as extracted from the ``http.log`` file: .. btest:: using_bro @@ -218,7 +218,7 @@ See ``man strfime`` for more options for the format string. Using UIDs ---------- -While Bro can do signature based analysis, its primary focus is on +While Bro can do signature-based analysis, its primary focus is on behavioral detection which alters the practice of log review from "reactionary review" to a process a little more akin to a hunting trip. A common progression of review includes correlating a session 
@@ -251,3 +251,43 @@ stream and Bro is able to extract and track that information for you, giving you an in-depth and structured view into HTTP traffic on your network. +----------------------- +Common Log Files +----------------------- +As a monitoring tool, Bro records a detailed view of the traffic inspected +and the events generated in a series of relevant log files. These files can +later be reviewed for monitoring, auditing and troubleshooting purposes. + +In this section we present a brief explanation of the most commonly used log +files generated by Bro including links to descriptions of some of the fields +for each log type. + ++-----------------+---------------------------------------+------------------------------+ +| Log File | Description | Field Descriptions | ++=================+=======================================+==============================+ +| http.log | Shows all HTTP requests and replies | :bro:type:`HTTP::Info` | ++-----------------+---------------------------------------+------------------------------+ +| ftp.log | Records FTP activity | :bro:type:`FTP::Info` | ++-----------------+---------------------------------------+------------------------------+ +| ssl.log | Records SSL sessions including | :bro:type:`SSL::Info` | +| | certificates used | | ++-----------------+---------------------------------------+------------------------------+ +| known_certs.log | Includes SSL certificates used | :bro:type:`Known::CertsInfo` | ++-----------------+---------------------------------------+------------------------------+ +| smtp.log | Summarizes SMTP traffic on a network | :bro:type:`SMTP::Info` | ++-----------------+---------------------------------------+------------------------------+ +| dns.log | Shows all DNS activity on a network | :bro:type:`DNS::Info` | ++-----------------+---------------------------------------+------------------------------+ +| conn.log | Records all connections seen by Bro | :bro:type:`Conn::Info` | 
++-----------------+---------------------------------------+------------------------------+ +| dpd.log | Shows network activity on | :bro:type:`DPD::Info` | +| | non-standard ports | | ++-----------------+---------------------------------------+------------------------------+ +| files.log | Records information about all files | :bro:type:`Files::Info` | +| | transmitted over the network | | ++-----------------+---------------------------------------+------------------------------+ +| weird.log | Records unexpected protocol-level | :bro:type:`Weird::Info` | +| | activity | | ++-----------------+---------------------------------------+------------------------------+ + + diff --git a/doc/mimestats/index.rst b/doc/mimestats/index.rst new file mode 100644 index 0000000000..dd2e039e8a --- /dev/null +++ b/doc/mimestats/index.rst 
@@ -0,0 +1,71 @@ + +.. _mime-stats: + +==================== +MIME Type Statistics +==================== + +Files are constantly transmitted over HTTP on regular networks. These +files belong to a specific category (e.g., executable, text, image) +identified by a `Multipurpose Internet Mail Extension (MIME) +`_. Although MIME was originally +developed to identify the type of non-text attachments on email, it is +also used by a web browser to identify the type of files transmitted and +present them accordingly. + +In this tutorial, we will demonstrate how to use the Sumstats Framework +to collect statistical information based on MIME types; specifically, +the total number of occurrences, size in bytes, and number of unique +hosts transmitting files over HTTP per each type. For instructions on +extracting and creating a local copy of these files, visit :ref:`this +tutorial `. + +------------------------------------------------ +MIME Statistics with Sumstats +------------------------------------------------ + +When working with the :ref:`Summary Statistics Framework +`, you need to define three different pieces: (i) +Observations, where the event is observed and fed into the framework. +(ii) Reducers, where observations are collected and measured. (iii) +Sumstats, where the main functionality is implemented. + +We start by defining our observation along with a record to store +all statistical values and an observation interval. We are conducting our +observation on the :bro:see:`HTTP::log_http` event and are interested +in the MIME type, size of the file ("response_body_len"), and the +originator host ("orig_h"). We use the MIME type as our key and create +observers for the other two values. + +.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro + :lines: 6-29, 54-64 + +Next, we create the reducers. The first will accumulate file sizes +and the second will make sure we only store a host ID once. Below is +the partial code from a :bro:see:`bro_init` handler. + +.. 
btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro + :lines: 34-37 + +In our final step, we create the SumStats where we check for the +observation interval. Once it expires, we populate the record +(defined above) with all the relevant data and write it to a log. + +.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro + :lines: 38-51 + +After putting the three pieces together we end up with the following final code for +our script. + +.. btest-include:: ${DOC_ROOT}/mimestats/mimestats.bro + +.. btest:: mimestats + + @TEST-EXEC: btest-rst-cmd bro -r ${TRACES}/http/bro.org.pcap ${DOC_ROOT}/mimestats/mimestats.bro + @TEST-EXEC: btest-rst-include mime_metrics.log + +.. note:: + + The redefinition of :bro:see:`Site::local_nets` is only done inside + this script to make it a self-contained example. It's typically + redefined somewhere else. diff --git a/doc/mimestats/mimestats.bro b/doc/mimestats/mimestats.bro new file mode 100644 index 0000000000..b854b26c2d --- /dev/null +++ b/doc/mimestats/mimestats.bro 
@@ -0,0 +1,64 @@
+@load base/utils/site
+@load base/frameworks/sumstats
+
+redef Site::local_nets += { 10.0.0.0/8 };
+
+module MimeMetrics;
+
+export {
+
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Timestamp when the log line was finished and written.
+ ts: time &log;
+ ## Time interval that the log line covers.
+ ts_delta: interval &log;
+ ## The mime type
+ mtype: string &log;
+ ## The number of unique local hosts that fetched this mime type
+ uniq_hosts: count &log;
+ ## The number of hits to the mime type
+ hits: count &log;
+ ## The total number of bytes received by this mime type
+ bytes: count &log;
+ };
+
+ ## The frequency of logging the stats collected by this script.
+ const break_interval = 5mins &redef;
+}
+
+event bro_init() &priority=3
+ {
+ Log::create_stream(MimeMetrics::LOG, [$columns=Info]);
+ local r1: SumStats::Reducer = [$stream="mime.bytes",
+ $apply=set(SumStats::SUM)];
+ local r2: SumStats::Reducer = [$stream="mime.hits",
+ $apply=set(SumStats::UNIQUE)];
+ SumStats::create([$name="mime-metrics",
+ $epoch=break_interval,
+ $reducers=set(r1, r2),
+ $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
+ {
+ local l: Info;
+ l$ts = network_time();
+ l$ts_delta = break_interval;
+ l$mtype = key$str;
+ l$bytes = double_to_count(floor(result["mime.bytes"]$sum));
+ l$hits = result["mime.hits"]$num;
+ l$uniq_hosts = result["mime.hits"]$unique;
+ Log::write(MimeMetrics::LOG, l);
+ }]);
+ }
+
+event HTTP::log_http(rec: HTTP::Info)
+ {
+ if ( Site::is_local_addr(rec$id$orig_h) && rec?$resp_mime_types )
+ {
+ local mime_type = rec$resp_mime_types[0];
+ SumStats::observe("mime.bytes", [$str=mime_type],
+ [$num=rec$response_body_len]);
+ SumStats::observe("mime.hits", [$str=mime_type],
+ [$str=cat(rec$id$orig_h)]);
+ }
+ }
diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst
index df66eb36e8..a61d0cc71d 100644
--- a/doc/quickstart/index.rst
+++ b/doc/quickstart/index.rst
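Review bot: In the `$epoch_result` callback in `bro_init` of mimestats.bro, the `ts` parameter is never used; the record is stamped with `network_time()` instead. If the two are meant to be the same instant, `l$ts = ts;` says so directly and keeps the logged time tied to the epoch the framework reports. The handler also carries `&priority=3` without explanation, so a comment such as `# Run before default-priority bro_init handlers (reason to be filled in by the author).` would help, since the diff does not show why the ordering matters.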
@@ -12,8 +12,10 @@ Quick Start Guide Bro works on most modern, Unix-based systems and requires no custom hardware. It can be downloaded in either pre-built binary package or source code forms. See :ref:`installing-bro` for instructions on how to -install Bro. Below, ``$PREFIX`` is used to reference the Bro -installation root directory, which by default is ``/usr/local/`` if +install Bro. + +In the examples below, ``$PREFIX`` is used to reference the Bro +installation root directory, which by default is ``/usr/local/bro`` if you install from source. Managing Bro with BroControl @@ -21,13 +23,16 @@ Managing Bro with BroControl BroControl is an interactive shell for easily operating/managing Bro installations on a single system or even across multiple systems in a -traffic-monitoring cluster. +traffic-monitoring cluster. This section explains how to use BroControl +to manage a stand-alone Bro installation. For instructions on how to +configure a Bro cluster, see the documentation for :doc:`BroControl +<../components/broctl/README>`. A Minimal Starting Configuration -------------------------------- -These are the basic configuration changes to make for a minimal BroControl installation -that will manage a single Bro instance on the ``localhost``: +These are the basic configuration changes to make for a minimal BroControl +installation that will manage a single Bro instance on the ``localhost``: 1) In ``$PREFIX/etc/node.cfg``, set the right interface to monitor. 2) In ``$PREFIX/etc/networks.cfg``, comment out the default settings and add @@ -72,7 +77,8 @@ You can leave it running for now, but to stop this Bro instance you would do: [BroControl] > stop -We also recommend to insert the following entry into `crontab`:: +We also recommend to insert the following entry into the crontab of the user +running BroControl:: 0-59/5 * * * * $PREFIX/bin/broctl cron 
@@ -154,7 +160,7 @@ changes we want to make: attempt looks like it may have been successful, and we want email when that happens, but only for certain servers. -So we've defined *what* we want to do, but need to know *where* to do it. +We've defined *what* we want to do, but need to know *where* to do it. The answer is to use a script written in the Bro programming language, so let's do a quick intro to Bro scripting. @@ -180,7 +186,7 @@ must explicitly choose if they want to load them. The main entry point for the default analysis configuration of a standalone Bro instance managed by BroControl is the ``$PREFIX/share/bro/site/local.bro`` -script. So we'll be adding to that in the following sections, but first +script. We'll be adding to that in the following sections, but first we have to figure out what to add. Redefining Script Option Variables @@ -196,7 +202,7 @@ A redefineable constant might seem strange, but what that really means is that the variable's value may not change at run-time, but whose initial value can be modified via the ``redef`` operator at parse-time. -So let's continue on our path to modify the behavior for the two SSL +Let's continue on our path to modify the behavior for the two SSL and SSH notices. Looking at :doc:`/scripts/base/frameworks/notice/main.bro`, we see that it advertises: @@ -210,7 +216,7 @@ we see that it advertises: const ignored_types: set[Notice::Type] = {} &redef; } -That's exactly what we want to do for the SSL notice. So add to ``local.bro``: +That's exactly what we want to do for the SSL notice. Add to ``local.bro``: .. code:: bro 
@@ -275,9 +281,9 @@ an email on the condition that the predicate function evaluates to true, which is whenever the notice type is an SSH login and the responding host stored inside the ``Info`` record's connection field is in the set of watched servers. -.. note:: record field member access is done with the '$' character +.. note:: Record field member access is done with the '$' character instead of a '.' as might be expected from other languages, in - order to avoid ambiguity with the builtin address type's use of '.' + order to avoid ambiguity with the built-in address type's use of '.' in IPv4 dotted decimal representations. Remember, to finalize that configuration change perform the ``check``, @@ -291,9 +297,10 @@ tweak the most basic options. Here's some suggestions on what to explore next: * We only looked at how to change options declared in the notice framework, there's many more options to look at in other script packages. -* Continue reading with :ref:`using-bro` chapter which goes into more - depth on working with Bro; then look at :ref:`writing-scripts` for - learning how to start writing your own scripts. +* Continue reading with :ref:`Using Bro ` chapter which goes + into more depth on working with Bro; then look at + :ref:`writing-scripts` for learning how to start writing your own + scripts. * Look at the scripts in ``$PREFIX/share/bro/policy`` for further ones you may want to load; you can browse their documentation at the :ref:`overview of script packages `. 
@@ -406,7 +413,7 @@ logging) and adds SSL certificate validation. You might notice that a script you load from the command line uses the ``@load`` directive in the Bro language to declare dependence on other scripts. This directive is similar to the ``#include`` of C/C++, except the semantics -are "load this script if it hasn't already been loaded". +are, "load this script if it hasn't already been loaded." .. note:: If one wants Bro to be able to load scripts that live outside the default directories in Bro's installation root, the ``BROPATH`` environment diff --git a/doc/script-reference/builtins.rst b/doc/script-reference/builtins.rst index aa1a097683..85e9cd14c8 100644 --- a/doc/script-reference/builtins.rst +++ b/doc/script-reference/builtins.rst @@ -23,7 +23,8 @@ The Bro scripting language supports the following built-in types. .. bro:type:: void - An internal Bro type representing the absence of a return type for a + An internal Bro type (i.e., "void" is not a reserved keyword in the Bro + scripting language) representing the absence of a return type for a function. .. bro:type:: bool 
@@ -132,10 +133,23 @@ The Bro scripting language supports the following built-in types. Strings support concatenation (``+``), and assignment (``=``, ``+=``). Strings also support the comparison operators (``==``, ``!=``, ``<``, - ``<=``, ``>``, ``>=``). Substring searching can be performed using - the "in" or "!in" operators (e.g., "bar" in "foobar" yields true). - The number of characters in a string can be found by enclosing the - string within pipe characters (e.g., ``|"abc"|`` is 3). + ``<=``, ``>``, ``>=``). The number of characters in a string can be + found by enclosing the string within pipe characters (e.g., ``|"abc"|`` + is 3). + + The subscript operator can extract an individual character or a substring + of a string (string indexing is zero-based, but an index of + -1 refers to the last character in the string, and -2 refers to the + second-to-last character, etc.). When extracting a substring, the + starting and ending index values are separated by a colon. For example:: + + local orig = "0123456789"; + local third_char = orig[2]; + local last_char = orig[-1]; + local first_three_chars = orig[0:2]; + + Substring searching can be performed using the "in" or "!in" + operators (e.g., "bar" in "foobar" yields true). Note that Bro represents strings internally as a count and vector of bytes rather than a NUL-terminated byte string (although string @@ -767,7 +781,7 @@ The Bro scripting language supports the following built-in types. .. bro:type:: hook A hook is another flavor of function that shares characteristics of - both a :bro:type:`function` and a :bro:type:`event`. They are like + both a :bro:type:`function` and an :bro:type:`event`. They are like events in that many handler bodies can be defined for the same hook identifier and the order of execution can be enforced with :bro:attr:`&priority`. They are more like functions in the way they 
@@ -856,14 +870,14 @@ scripting language supports the following built-in attributes. .. bro:attr:: &optional Allows a record field to be missing. For example the type ``record { - a: int, b: port &optional }`` could be instantiated both as + a: addr; b: port &optional; }`` could be instantiated both as singleton ``[$a=127.0.0.1]`` or pair ``[$a=127.0.0.1, $b=80/tcp]``. .. bro:attr:: &default Uses a default value for a record field, a function/hook/event parameter, or container elements. For example, ``table[int] of - string &default="foo" }`` would create a table that returns the + string &default="foo"`` would create a table that returns the :bro:type:`string` ``"foo"`` for any non-existing index. .. bro:attr:: &redef @@ -901,7 +915,7 @@ scripting language supports the following built-in attributes. Called right before a container element expires. The function's first parameter is of the same type of the container and the second parameter the same type of the container's index. The return - value is a :bro:type:`interval` indicating the amount of additional + value is an :bro:type:`interval` indicating the amount of additional time to wait before expiring the container element at the given index (which will trigger another execution of this function). @@ -925,7 +939,7 @@ scripting language supports the following built-in attributes. .. bro:attr:: &persistent - Makes a variable persistent, i.e., its value is writen to disk (per + Makes a variable persistent, i.e., its value is written to disk (per default at shutdown time). .. bro:attr:: &synchronized @@ -957,8 +971,9 @@ scripting language supports the following built-in attributes. .. bro:attr:: &priority - Specifies the execution priority of an event handler. Higher values - are executed before lower ones. The default value is 0. + Specifies the execution priority (as a signed integer) of a hook or + event handler. Higher values are executed before lower ones. The + default value is 0. .. bro:attr:: &group 
diff --git a/doc/scripting/connection_record_02.bro b/doc/scripting/connection_record_02.bro index 4459e47ef6..e4770069a9 100644 --- a/doc/scripting/connection_record_02.bro +++ b/doc/scripting/connection_record_02.bro @@ -1,5 +1,5 @@ @load base/protocols/conn -@load base/protocols/dns +@load base/protocols/http event connection_state_remove(c: connection) { diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index e42aa55e2c..b12330ceb4 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -232,7 +232,7 @@ overly populated. .. btest:: connection-record-01 - @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_01.bro + @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_01.bro As you can see from the output, the connection record is something of a jumble when printed on its own. Regularly taking a peek at a @@ -248,9 +248,9 @@ originating host is referenced by ``c$id$orig_h`` which if given a narrative relates to ``orig_h`` which is a member of ``id`` which is a member of the data structure referred to as ``c`` that was passed into the event handler." Given that the responder port -(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base DNS scripts +(``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base HTTP scripts can further populate the connection record. Let's load the -``base/protocols/dns`` scripts and check the output of our script. +``base/protocols/http`` scripts and check the output of our script. Bro uses the dollar sign as its field delimiter and a direct correlation exists between the output of the connection record and the 
@@ -262,16 +262,16 @@ brackets, which would correspond to the ``$``-delimiter in a Bro script. .. btest:: connection-record-02 - @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/dns-session.trace ${DOC_ROOT}/scripting/connection_record_02.bro + @TEST-EXEC: btest-rst-cmd bro -b -r ${TRACES}/http/get.trace ${DOC_ROOT}/scripting/connection_record_02.bro -The addition of the ``base/protocols/dns`` scripts populates the -``dns=[]`` member of the connection record. While Bro is doing a +The addition of the ``base/protocols/http`` scripts populates the +``http=[]`` member of the connection record. While Bro is doing a massive amount of work in the background, it is in what is commonly called "scriptland" that details are being refined and decisions being made. Were we to continue running in "bare mode" we could slowly keep adding infrastructure through ``@load`` statements. For example, were we to ``@load base/frameworks/logging``, Bro would generate a -``conn.log`` and ``dns.log`` for us in the current working directory. +``conn.log`` and ``http.log`` for us in the current working directory. As mentioned above, including the appropriate ``@load`` statements is not only good practice, but can also help to indicate which functionalities are being used in a script. Take a second to run the 
@@ -345,13 +345,13 @@ keyword. Unlike globals, constants can only be set or altered at parse time if the ``&redef`` attribute has been used. Afterwards (in runtime) the constants are unalterable. In most cases, re-definable constants are used in Bro scripts as containers for configuration -options. For example, the configuration option to log password +options. For example, the configuration option to log passwords decrypted from HTTP streams is stored in -``HTTP::default_capture_password`` as shown in the stripped down +:bro:see:`HTTP::default_capture_password` as shown in the stripped down excerpt from :doc:`/scripts/base/protocols/http/main.bro` below. .. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/http/main.bro - :lines: 8-10,19-21,120 + :lines: 9-11,20-22,121 Because the constant was declared with the ``&redef`` attribute, if we needed to turn this option on globally, we could do so by adding the diff --git a/magic b/magic deleted file mode 160000 index e87fe13a7b..0000000000 --- a/magic +++ /dev/null @@ -1 +0,0 @@ -Subproject commit e87fe13a7b776182ffc8c75076d42702f5c28fed diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro index 870f9335ae..2f6ae79f4f 100644 --- a/scripts/base/files/unified2/main.bro +++ b/scripts/base/files/unified2/main.bro @@ -7,10 +7,10 @@ module Unified2; export { redef enum Log::ID += { LOG }; - ## Directory to watch for Unified2 files. + ## File to watch for Unified2 files. const watch_file = "" &redef; - ## File to watch for Unified2 records. + ## Directory to watch for Unified2 records. const watch_dir = "" &redef; ## The sid-msg.map file you would like to use for your alerts. diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README new file mode 100644 index 0000000000..8b50366cd2 --- /dev/null +++ b/scripts/base/files/x509/README @@ -0,0 +1 @@ +Support for X509 certificates with the file analysis framework. 
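Review bot: In scripts/base/files/unified2/main.bro the swapped doc comments still pair each option with the wrong object: `watch_file` is now "File to watch for Unified2 files" and `watch_dir` is "Directory to watch for Unified2 records". Only the first word of each comment was exchanged, although a single file holds records and a directory holds files. I would write `## File to watch for Unified2 records.` above `watch_file` and `## Directory to watch for Unified2 files.` above `watch_dir`. The `export` block continues past the end of this hunk.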
diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/files/x509/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro
new file mode 100644
index 0000000000..10445ad846
--- /dev/null
+++ b/scripts/base/files/x509/main.bro
@@ -0,0 +1,77 @@
+@load base/frameworks/files
+@load base/files/hash
+
+module X509;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Current timestamp.
+ ts: time &log;
+
+ ## File id of this certificate.
+ id: string &log;
+
+ ## Basic information about the certificate.
+ certificate: X509::Certificate &log;
+
+ ## The opaque wrapping the certificate. Mainly used
+ ## for the verify operations.
+ handle: opaque of x509;
+
+ ## All extensions that were encountered in the certificate.
+ extensions: vector of X509::Extension &default=vector();
+
+ ## Subject alternative name extension of the certificate.
+ san: X509::SubjectAlternativeName &optional &log;
+
+ ## Basic constraints extension of the certificate.
+ basic_constraints: X509::BasicConstraints &optional &log;
+ };
+
+ ## Event for accessing logged records.
+ global log_x509: event(rec: Info);
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
+ }
+
+redef record Files::Info += {
+ ## Information about X509 certificates. This is used to keep
+ ## certificate information until all events have been received.
+ x509: X509::Info &optional;
+};
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
+ {
+ f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
+ }
+
+event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
+ {
+ if ( f$info?$x509 )
+ f$info$x509$extensions[|f$info$x509$extensions|] = ext;
+ }
+
+event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
+ {
+ if ( f$info?$x509 )
+ f$info$x509$basic_constraints = ext;
+ }
+
+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &priority=5
+ {
+ if ( f$info?$x509 )
+ f$info$x509$san = ext;
+ }
+
+event file_state_remove(f: fa_file) &priority=5
+ {
+ if ( ! f$info?$x509 )
+ return;
+
+ Log::write(LOG, f$info$x509);
+ }
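Review bot: The `ts` field of `X509::Info` is documented as `## Current timestamp.`, but the `x509_certificate` handler fills it with `$ts=f$info$ts`. That is the timestamp already stored on the file's `Files::Info` record, not the time the certificate was parsed or the record written by `Log::write` in `file_state_remove`. Anyone building a timeline from this log stream would take the comment literally, so I would reword it to `## Timestamp copied from the Files::Info record of the file that carried this certificate.` It would also help to say on `handle` and `extensions` that they carry no `&log` attribute and so are kept only in memory for later use (the existing comment mentions verify operations for `handle`).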
diff --git a/scripts/base/frameworks/files/__load__.bro b/scripts/base/frameworks/files/__load__.bro
index 783797e17b..2177d81e25 100644
--- a/scripts/base/frameworks/files/__load__.bro
+++ b/scripts/base/frameworks/files/__load__.bro
@@ -1 +1,2 @@
 @load ./main.bro
+@load ./magic
diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro
new file mode 100644
index 0000000000..4a2de0926d
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/__load__.bro
@@ -0,0 +1,2 @@
+@load-sigs ./general
+@load-sigs ./libmagic
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
new file mode 100644
index 0000000000..20276f69ac
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -0,0 +1,11 @@
+# General purpose file magic signatures.
+
+signature file-plaintext {
+ file-magic /([[:print:][:space:]]{10})/
+ file-mime "text/plain", -20
+}
+
+signature file-tar {
+ file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
+ file-mime "application/x-tar", 150
+}
diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig
new file mode 100644
index 0000000000..55486d411e
--- /dev/null
+++ b/scripts/base/frameworks/files/magic/libmagic.sig
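Review bot: The two signatures in scripts/base/frameworks/files/magic/general.sig use constants that nothing explains: the strengths `-20` on `file-plaintext` and `150` on `file-tar`, and the `{100}` and `({8}){3}` repeat counts in the tar pattern. The strength presumably decides which MIME type wins when several signatures match, and the reported MIME type feeds later file-handling decisions, so the reasoning belongs next to the values. I would add `# tar header: 100-byte name field, then three 8-byte numeric fields (mode, uid, gid)` above the tar pattern, and `# negative strength: fallback, meant to lose to any more specific signature` above the plaintext one, once that intent is confirmed. As far as the pattern shows, `file-plaintext` needs only a run of ten printable or whitespace bytes, so content with a short printable prefix followed by binary data can be labelled `text/plain` when no other signature matches; a one-line comment stating that limitation would keep consumers from treating the label as a content guarantee.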
@@ -0,0 +1,4213 @@ +# These signatures were semi-automatically generated from libmagic's +# (~ v5.17) magic database rules that have an associated mime type. +# After generating, they were all manually reviewed and occassionally +# needed minor modifications by hand or were just ommited depending on +# the complexity of the original magic rules. +# +# The instrumented version of the `file` command used to generate these +# is located at: https://github.com/jsiwek/file/tree/bro-signatures. + +# >2080 string,=Foglio di lavoro Microsoft Exce (len=31), ["%s"], swap_endian=0 +signature file-magic-auto0 { + file-mime "application/vnd.ms-excel", 340 + file-magic /(.{2080})(Foglio di lavoro Microsoft Exce)/ +} + +# >2 string,=---BEGIN PGP PUBLIC KEY BLOCK- (len=30), ["PGP public key block"], swap_endian=0 +signature file-magic-auto1 { + file-mime "application/pgp-keys", 330 + file-magic /(.{2})(\x2d\x2d\x2dBEGIN PGP PUBLIC KEY BLOCK\x2d)/ +} + +# >2080 string,=Microsoft Excel 5.0 Worksheet (len=29), ["%s"], swap_endian=0 +signature file-magic-auto2 { + file-mime "application/vnd.ms-excel", 320 + file-magic /(.{2080})(Microsoft Excel 5\x2e0 Worksheet)/ +} + +# >11 string,=must be converted with BinHex (len=29), ["BinHex binary text"], swap_endian=0 +signature file-magic-auto3 { + file-mime "application/mac-binhex40", 320 + file-magic /(.{11})(must be converted with BinHex)/ +} + +# >2080 string,=Microsoft Word 6.0 Document (len=27), ["%s"], swap_endian=0 +signature file-magic-auto4 { + file-mime "application/msword", 300 + file-magic /(.{2080})(Microsoft Word 6\x2e0 Document)/ +} + +# >2080 string,=Documento Microsoft Word 6 (len=26), ["Spanish Microsoft Word 6 document data"], swap_endian=0 +signature file-magic-auto5 { + file-mime "application/msword", 290 + file-magic /(.{2080})(Documento Microsoft Word 6)/ +} + +# >0 string,=-----BEGIN PGP SIGNATURE- (len=25), ["PGP signature"], swap_endian=0 +signature file-magic-auto6 { + file-mime "application/pgp-signature", 280 + 
file-magic /(\x2d\x2d\x2d\x2d\x2dBEGIN PGP SIGNATURE\x2d)/ +} + +# >10 string,=# This is a shell archive (len=25), ["shell archive text"], swap_endian=0 +signature file-magic-auto7 { + file-mime "application/x-shar", 280 + file-magic /(.{10})(\x23 This is a shell archive)/ +} + +# >0 string,=-----BEGIN PGP MESSAGE- (len=23), ["PGP message"], swap_endian=0 +signature file-magic-auto8 { + file-mime "application/pgp", 260 + file-magic /(\x2d\x2d\x2d\x2d\x2dBEGIN PGP MESSAGE\x2d)/ +} + +# >0 string,=0 string,=>24 regex,=[0-9.]+ (len=7), [", version %s"], swap_endian=0 +signature file-magic-auto10 { + file-mime "text/x-php", 37 + file-magic /(\x3c\x3fphp \x2f\x2a Smarty version)(.{1})([0-9.]+)/ +} + +# >0 string/w,=0 string/wt,=#! /usr/local/bin/nawk (len=22), ["new awk script text executable"], swap_endian=0 +signature file-magic-auto12 { + file-mime "text/x-nawk", 250 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fnawk)/ +} + +# >0 string/wt,=#! /usr/local/bin/gawk (len=22), ["GNU awk script text executable"], swap_endian=0 +signature file-magic-auto13 { + file-mime "text/x-gawk", 250 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/ +} + +# >0 string/wt,=#! /usr/local/bin/bash (len=22), ["Bourne-Again shell script text executable"], swap_endian=0 +signature file-magic-auto14 { + file-mime "text/x-shellscript", 250 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fbash)/ +} + +# >0 string/wt,=#! /usr/local/bin/tcsh (len=22), ["Tenex C shell script text executable"], swap_endian=0 +signature file-magic-auto15 { + file-mime "text/x-shellscript", 250 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcsh)/ +} + +# >0 string/wt,=#! /usr/local/bin/zsh (len=21), ["Paul Falstad's zsh script text executable"], swap_endian=0 +signature file-magic-auto16 { + file-mime "text/x-shellscript", 240 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fzsh)/ +} + +# >0 string/wt,=#! 
/usr/local/bin/ash (len=21), ["Neil Brown's ash script text executable"], swap_endian=0 +signature file-magic-auto17 { + file-mime "text/x-shellscript", 240 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fash)/ +} + +# >0 string/wt,=#! /usr/local/bin/ae (len=20), ["Neil Brown's ae script text executable"], swap_endian=0 +signature file-magic-auto18 { + file-mime "text/x-shellscript", 230 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fae)/ +} + +# >0 string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0 +signature file-magic-auto19 { + file-mime "application/x-svr4-package", 230 + file-magic /(\x23 PaCkAgE DaTaStReAm)/ +} + +# >0 string,=Creative Voice File (len=19), ["Creative Labs voice data"], swap_endian=0 +signature file-magic-auto20 { + file-mime "audio/x-unknown", 220 + file-magic /(Creative Voice File)/ +} + +# >0 string/t,=[KDE Desktop Entry] (len=19), ["KDE desktop entry"], swap_endian=0 +signature file-magic-auto21 { + file-mime "application/x-kdelnk", 220 + file-magic /(\x5bKDE Desktop Entry\x5d)/ +} + +# >512 string,=R\000o\000o\000t\000 \000E\000n\000t\000r\000y (len=19), ["Microsoft Word Document"], swap_endian=0 +signature file-magic-auto22 { + file-mime "application/msword", 220 + file-magic /(.{512})(R\x00o\x00o\x00t\x00 \x00E\x00n\x00t\x00r\x00y)/ +} + +# >0 string,=!\n__________E (len=19), ["MIPS archive"], swap_endian=0 +signature file-magic-auto23 { + file-mime "application/x-archive", 220 + file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/ +} + +# >0 string/wt,=#! /usr/local/tcsh (len=18), ["Tenex C shell script text executable"], swap_endian=0 +signature file-magic-auto24 { + file-mime "text/x-shellscript", 210 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2ftcsh)/ +} + +# >0 string/wt,=#! 
/usr/local/bash (len=18), ["Bourne-Again shell script text executable"], swap_endian=0 +signature file-magic-auto25 { + file-mime "text/x-shellscript", 210 + file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbash)/ +} + +# >0 string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0 +signature file-magic-auto26 { + file-mime "application/x-kdelnk", 200 + file-magic /(\x23 KDE Config File)/ +} + +# >0 string,=RF64\377\377\377\377WAVEds64 (len=16), ["MBWF/RF64 audio"], swap_endian=0 +signature file-magic-auto27 { + file-mime "audio/x-wav", 190 + file-magic /(RF64\xff\xff\xff\xffWAVEds64)/ +} + +# >0 string,=riff.\221\317\021\245\326(\333\004\301\000\000 (len=16), ["Sony Wave64 RIFF data"], swap_endian=0 +# >>24 string,=wave\363\254\323\021\214\321\000\300O\216\333\212 (len=16), [", WAVE 64 audio"], swap_endian=0 +signature file-magic-auto28 { + file-mime "audio/x-w64", 190 + file-magic /(riff\x2e\x91\xcf\x11\xa5\xd6\x28\xdb\x04\xc1\x00\x00)(.{8})(wave\xf3\xac\xd3\x11\x8c\xd1\x00\xc0O\x8e\xdb\x8a)/ +} + +# >0 string/wt,=#! /usr/bin/nawk (len=16), ["new awk script text executable"], swap_endian=0 +signature file-magic-auto29 { + file-mime "text/x-nawk", 190 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/ +} + +# >0 string/wt,=#! /usr/bin/tcsh (len=16), ["Tenex C shell script text executable"], swap_endian=0 +signature file-magic-auto30 { + file-mime "text/x-shellscript", 190 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2ftcsh)/ +} + +# >0 string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0 +signature file-magic-auto31 { + file-mime "text/x-gawk", 190 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fgawk)/ +} + +# >369 string,=MICROSOFT PIFEX\000 (len=16), ["Windows Program Information File"], swap_endian=0 +signature file-magic-auto32 { + file-mime "application/x-dosexec", 190 + file-magic /(.{369})(MICROSOFT PIFEX\x00)/ +} + +# >0 string/wt,=#! 
/usr/bin/bash (len=16), ["Bourne-Again shell script text executable"], swap_endian=0 +signature file-magic-auto33 { + file-mime "text/x-shellscript", 190 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fbash)/ +} + +# >0 string/w,=#VRML V1.0 ascii (len=16), ["VRML 1 file"], swap_endian=0 +signature file-magic-auto34 { + file-mime "model/vrml", 190 + file-magic /(\x23VRML ?V1\x2e0 ?ascii)/ +} + +# >0 string,=0 string,=Extended Module: (len=16), ["Fasttracker II module sound data"], swap_endian=0 +signature file-magic-auto36 { + file-mime "audio/x-mod", 190 + file-magic /(Extended Module\x3a)/ +} + +# >0 string/t,=0 string/t,=0 string,=0 string/t,=>20 search/wc/1000,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/Wctb/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/Wctb/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/4096,=0 string,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/4096,=0 string,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/4096,=0 string/t,=>15 string,>\000 (len=1), [""], swap_endian=0 +# >>>19 search/Wctb/4096,=0 string/c,=BEGIN:VCALENDAR (len=15), ["vCalendar calendar file"], swap_endian=0 +signature file-magic-auto47 { + file-mime "text/calendar", 180 + file-magic /(BEGIN\x3aVCALENDAR)/ +} + +# >4 string,=Standard Jet DB (len=15), ["Microsoft Access Database"], swap_endian=0 +signature file-magic-auto48 { + file-mime "application/x-msaccess", 180 + file-magic /(.{4})(Standard Jet DB)/ +} + +# >4 string,=Standard ACE DB (len=15), ["Microsoft Access Database"], swap_endian=0 +signature file-magic-auto49 { + file-mime "application/x-msaccess", 180 + file-magic /(.{4})(Standard ACE DB)/ +} + +# >0 string/w,=#VRML V2.0 utf8 (len=15), ["ISO/IEC 14772 VRML 97 file"], swap_endian=0 +signature file-magic-auto50 { + file-mime "model/vrml", 180 + file-magic /(\x23VRML ?V2\x2e0 ?utf8)/ +} + +# >0 string/wt,=#! 
/usr/bin/awk (len=15), ["awk script text executable"], swap_endian=0 +signature file-magic-auto51 { + file-mime "text/x-awk", 180 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/ +} + +# >0 string/wt,=#! /usr/bin/zsh (len=15), ["Paul Falstad's zsh script text executable"], swap_endian=0 +signature file-magic-auto52 { + file-mime "text/x-shellscript", 180 + file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fzsh)/ +} + +# >0 string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0 +# >>14 string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0 +signature file-magic-auto53 { + file-mime "audio/x-mod", 20 + file-magic /(MAS\x5fUTrack\x5fV00)(\x2f0)/ +} + +# >0 string,=!\ndebian (len=14), [""], swap_endian=0 +signature file-magic-auto54 { + file-mime "application/x-debian-package", 171 + file-magic /(\x21\x3carch\x3e\x0adebian)/ +} + +# >0 string,=II\032\000\000\000HEAPCCDR (len=14), ["Canon CIFF raw image data"], swap_endian=0 +signature file-magic-auto55 { + file-mime "image/x-canon-crw", 170 + file-magic /(II\x1a\x00\x00\x00HEAPCCDR)/ +} + +# >0 string/t,=Relay-Version: (len=14), ["old news text"], swap_endian=0 +signature file-magic-auto56 { + file-mime "message/rfc822", 170 + file-magic /(Relay\x2dVersion\x3a)/ +} + +# >0 string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0 +# >>32 byte&,=0x00, [", Hash"], swap_endian=0 +signature file-magic-auto57 { + file-mime "application/x-tokyocabinet-hash", 40 + file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x00])/ +} + +# >0 string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0 +# >>32 byte&,=0x01, [", B+ tree"], swap_endian=0 +signature file-magic-auto58 { + file-mime "application/x-tokyocabinet-btree", 40 + file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x01])/ +} + +# >0 string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0 +# >>32 byte&,=0x02, [", Fixed-length"], swap_endian=0 +signature file-magic-auto59 { + file-mime "application/x-tokyocabinet-fixed", 40 + file-magic /(ToKyO 
CaBiNeT\x0a)(.{18})([\x02])/ +} + +# >0 string,=ToKyO CaBiNeT\n (len=14), ["Tokyo Cabinet"], swap_endian=0 +# >>32 byte&,=0x03, [", Table"], swap_endian=0 +signature file-magic-auto60 { + file-mime "application/x-tokyocabinet-table", 40 + file-magic /(ToKyO CaBiNeT\x0a)(.{18})([\x03])/ +} + +# >39 string,=0 string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0 +signature file-magic-auto62 { + file-mime "image/x-polar-monitor-bitmap", 160 + file-magic /(\x5bBitmapInfo2\x5d)/ +} + +# >0 string,=SplineFontDB: (len=13), ["Spline Font Database "], swap_endian=0 +signature file-magic-auto63 { + file-mime "application/vnd.font-fontforge-sfd", 160 + file-magic /(SplineFontDB\x3a)/ +} + +# >0 string/ct,=delivered-to: (len=13), ["SMTP mail text"], swap_endian=0 +signature file-magic-auto64 { + file-mime "message/rfc822", 160 + file-magic /([dD][eE][lL][iI][vV][eE][rR][eE][dD]\x2d[tT][oO]\x3a)/ +} + +# >0 string/ct,=return-path: (len=12), ["SMTP mail text"], swap_endian=0 +signature file-magic-auto65 { + file-mime "message/rfc822", 150 + file-magic /([rR][eE][tT][uU][rR][nN]\x2d[pP][aA][tT][hH]\x3a)/ +} + +# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 +# >>20 string,=jp2 (len=4), ["Part 1 (JP2)"], swap_endian=0 +signature file-magic-auto66 { + file-mime "image/jp2", 70 + file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jp2 )/ +} + +# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 +# >>20 string,=jpx (len=4), ["Part 2 (JPX)"], swap_endian=0 +signature file-magic-auto67 { + file-mime "image/jpx", 70 + file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jpx )/ +} + +# >0 string,=\000\000\000\fjP \r\n\207\n (len=12), ["JPEG 2000"], swap_endian=0 +# >>20 string,=jpm (len=4), ["Part 6 (JPM)"], swap_endian=0 +signature file-magic-auto68 { + file-mime "image/jpm", 70 + file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(jpm )/ +} + +# >0 string,=\000\000\000\fjP \r\n\207\n 
(len=12), ["JPEG 2000"], swap_endian=0 +# >>20 string,=mjp2 (len=4), ["Part 3 (MJ2)"], swap_endian=0 +signature file-magic-auto69 { + file-mime "video/mj2", 70 + file-magic /(\x00\x00\x00\x0cjP \x0d\x0a\x87\x0a)(.{8})(mjp2)/ +} + +# >0 string/w,=0 string/wt,=#! /bin/tcsh (len=12), ["Tenex C shell script text executable"], swap_endian=0 +signature file-magic-auto71 { + file-mime "text/x-shellscript", 150 + file-magic /(\x23\x21 ?\x2fbin\x2ftcsh)/ +} + +# >0 string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0 +signature file-magic-auto72 { + file-mime "text/x-nawk", 150 + file-magic /(\x23\x21 ?\x2fbin\x2fnawk)/ +} + +# >0 string/wt,=#! /bin/gawk (len=12), ["GNU awk script text executable"], swap_endian=0 +signature file-magic-auto73 { + file-mime "text/x-gawk", 150 + file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/ +} + +# >0 string/wt,=#! /bin/bash (len=12), ["Bourne-Again shell script text executable"], swap_endian=0 +signature file-magic-auto74 { + file-mime "text/x-shellscript", 150 + file-magic /(\x23\x21 ?\x2fbin\x2fbash)/ +} + +# >0 string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0 +signature file-magic-auto75 { + file-mime "text/x-awk", 140 + file-magic /(\x23\x21 ?\x2fbin\x2fawk)/ +} + +# >0 string,=filedesc:// (len=11), ["Internet Archive File"], swap_endian=0 +signature file-magic-auto76 { + file-mime "application/x-ia-arc", 140 + file-magic /(filedesc\x3a\x2f\x2f)/ +} + +# >38 string,=Spreadsheet (len=11), ["sc spreadsheet file"], swap_endian=0 +signature file-magic-auto77 { + file-mime "application/x-sc", 140 + file-magic /(.{38})(Spreadsheet)/ +} + +# >0 string,=d8:announce (len=11), ["BitTorrent file"], swap_endian=0 +signature file-magic-auto78 { + file-mime "application/x-bittorrent", 140 + file-magic /(d8\x3aannounce)/ +} + +# >0 string/wt,=#! 
/bin/csh (len=11), ["C shell script text executable"], swap_endian=0 +signature file-magic-auto79 { + file-mime "text/x-shellscript", 140 + file-magic /(\x23\x21 ?\x2fbin\x2fcsh)/ +} + +# >0 string/wt,=#! /bin/ksh (len=11), ["Korn shell script text executable"], swap_endian=0 +signature file-magic-auto80 { + file-mime "text/x-shellscript", 140 + file-magic /(\x23\x21 ?\x2fbin\x2fksh)/ +} + +# >0 string/wt,=#! /bin/zsh (len=11), ["Paul Falstad's zsh script text executable"], swap_endian=0 +signature file-magic-auto81 { + file-mime "text/x-shellscript", 140 + file-magic /(\x23\x21 ?\x2fbin\x2fzsh)/ +} + +# >0 string/c,=BEGIN:VCARD (len=11), ["vCard visiting card"], swap_endian=0 +signature file-magic-auto82 { + file-mime "text/x-vcard", 140 + file-magic /(BEGIN\x3aVCARD)/ +} + +# >0 string,=HEADER (len=10), [""], swap_endian=0 +# >>&0 regex/1,=^.{40} (len=6), [""], swap_endian=0 +# >>>&0 regex/1,=[0-9]{2}-[A-Z]{3}-[0-9]{2} {3} (len=30), [""], swap_endian=0 +# >>>>&0 regex/s/1,=[A-Z0-9]{4}.{14}$ (len=17), [""], swap_endian=0 +# >>>>>&0 regex/1,=[A-Z0-9]{4} (len=11), ["Protein Data Bank data, ID Code %s"], swap_endian=0 +signature file-magic-auto83 { + file-mime "chemical/x-pdb", 41 + file-magic /(HEADER )(^.{40})([0-9]{2}-[A-Z]{3}-[0-9]{2} {3})([A-Z0-9]{4}.{14}$)([A-Z0-9]{4})/ +} + +# >0 string/t,=Forward to (len=10), ["mail forwarding text"], swap_endian=0 +signature file-magic-auto84 { + file-mime "message/rfc822", 130 + file-magic /(Forward to)/ +} + +# >0 string/wt,=#! 
/bin/sh (len=10), ["POSIX shell script text executable"], swap_endian=0 +signature file-magic-auto85 { + file-mime "text/x-shellscript", 130 + file-magic /(\x23\x21 ?\x2fbin\x2fsh)/ +} + +# >0 string,=II*\000\020\000\000\000CR (len=10), ["Canon CR2 raw image data"], swap_endian=0 +signature file-magic-auto86 { + file-mime "image/x-canon-cr2", 130 + file-magic /(II\x2a\x00\x10\x00\x00\x00CR)/ +} + +# >0 string,=0 search/4096,=--- (len=4), [""], swap_endian=0 +# >>&0 search/1024,=\n (len=1), [""], swap_endian=0 +# >>>&0 search/1,=+++ (len=4), [""], swap_endian=0 +# >>>>&0 search/1024,=\n (len=1), [""], swap_endian=0 +# >>>>>&0 search/1,=@@ (len=2), ["unified diff output text"], swap_endian=0 +signature file-magic-auto88 { + file-mime "text/x-diff", 55 + file-magic /(.*)(\x2d\x2d\x2d )(.*)(\x0a)(.*)(\x2b\x2b\x2b )(.*)(\x0a)(.*)(\x40\x40)/ +} + +# >0 string/t,=Received: (len=9), ["RFC 822 mail text"], swap_endian=0 +signature file-magic-auto89 { + file-mime "message/rfc822", 120 + file-magic /(Received\x3a)/ +} + +# >0 string,=2112 string,=MSWordDoc (len=9), ["Microsoft Word document data"], swap_endian=0 +signature file-magic-auto91 { + file-mime "application/msword", 120 + file-magic /(.{2112})(MSWordDoc)/ +} + +# >0 string/t,=N#! 
rnews (len=9), ["mailed, batched news text"], swap_endian=0 +signature file-magic-auto92 { + file-mime "message/rfc822", 120 + file-magic /(N\x23\x21 rnews)/ +} + +# >0 string/b,=WordPro\r\373 (len=9), ["Lotus WordPro"], swap_endian=0 +signature file-magic-auto93 { + file-mime "application/vnd.lotus-wordpro", 120 + file-magic /(WordPro\x0d\xfb)/ +} + +# >0 string,=LPKSHHRH (len=8), [""], swap_endian=0 +# >>16 ubyte&000000fc,=0x00, [""], swap_endian=0 +# >>>24 ubequad&,>0 (0x0000000000000000), [""], swap_endian=0 +# >>>>32 ubequad&,>0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>40 ubequad&,>0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>>48 ubequad&,>0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>>>56 ubequad&,>0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>>>>64 ubequad&,>0 (0x0000000000000000), ["Journal file"], swap_endian=0 +signature file-magic-auto94 { + file-mime "application/vnd.fdo.journal", 80 + file-magic /(LPKSHHRH)(.{8})([\x00\x01\x02\x03])(.{7})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})([^\x00]{8})/ +} + +# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 +# >>12 string,=DJVM (len=4), ["DjVu multiple page document"], swap_endian=0 +signature file-magic-auto95 { + file-mime "image/vnd.djvu", 70 + file-magic /(AT\x26TFORM)(.{4})(DJVM)/ +} + +# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 +# >>12 string,=DJVU (len=4), ["DjVu image or single page document"], swap_endian=0 +signature file-magic-auto96 { + file-mime "image/vnd.djvu", 70 + file-magic /(AT\x26TFORM)(.{4})(DJVU)/ +} + +# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 +# >>12 string,=DJVI (len=4), ["DjVu shared document"], swap_endian=0 +signature file-magic-auto97 { + file-mime "image/vnd.djvu", 70 + file-magic /(AT\x26TFORM)(.{4})(DJVI)/ +} + +# >0 string,=AT&TFORM (len=8), [""], swap_endian=0 +# >>12 string,=THUM (len=4), ["DjVu page thumbnails"], swap_endian=0 +signature file-magic-auto98 { + file-mime "image/vnd.djvu", 70 + file-magic 
/(AT\x26TFORM)(.{4})(THUM)/ +} + +# >0 string/t,=#! rnews (len=8), ["batched news text"], swap_endian=0 +signature file-magic-auto99 { + file-mime "message/rfc822", 110 + file-magic /(\x23\x21 rnews)/ +} + +# >0 string/b,=MSCF\000\000\000\000 (len=8), ["Microsoft Cabinet archive data"], swap_endian=0 +signature file-magic-auto100 { + file-mime "application/vnd.ms-cab-compressed", 110 + file-magic /(MSCF\x00\x00\x00\x00)/ +} + +# >0 string/b,=\320\317\021\340\241\261\032\341 (len=8), ["Microsoft Office Document"], swap_endian=0 +signature file-magic-auto101 { + file-mime "application/msword", 110 + file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/ +} + +# >21 string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0 +signature file-magic-auto102 { + file-mime "audio/x-mod", 110 + file-magic /(.{21})(\x21SCREAM\x21)/ +} + +# >21 string,=BMOD2STM (len=8), ["Screamtracker 2 module sound data"], swap_endian=0 +signature file-magic-auto103 { + file-mime "audio/x-mod", 110 + file-magic /(.{21})(BMOD2STM)/ +} + +# >0 string/b,=ITOLITLS (len=8), ["Microsoft Reader eBook Data"], swap_endian=0 +# >>8 lelong&,x, [", version %u"], swap_endian=0 +signature file-magic-auto104 { + file-mime "application/x-ms-reader", 1 + file-magic /(ITOLITLS)(.{4})/ +} + +# >4096 string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 4k user block"], swap_endian=0 +signature file-magic-auto105 { + file-mime "application/x-hdf", 110 + file-magic /(.{4096})(\x89HDF\x0d\x0a\x1a\x0a)/ +} + +# >2048 string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 2k user block"], swap_endian=0 +signature file-magic-auto106 { + file-mime "application/x-hdf", 110 + file-magic /(.{2048})(\x89HDF\x0d\x0a\x1a\x0a)/ +} + +# >1024 string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 1k user block"], swap_endian=0 +signature file-magic-auto107 { + file-mime "application/x-hdf", 110 + file-magic 
/(.{1024})(\x89HDF\x0d\x0a\x1a\x0a)/ +} + +# >512 string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) with 512 bytes user block"], swap_endian=0 +signature file-magic-auto108 { + file-mime "application/x-hdf", 110 + file-magic /(.{512})(\x89HDF\x0d\x0a\x1a\x0a)/ +} + +# >0 string,=\211HDF\r\n\032\n (len=8), ["Hierarchical Data Format (version 5) data"], swap_endian=0 +signature file-magic-auto109 { + file-mime "application/x-hdf", 110 + file-magic /(\x89HDF\x0d\x0a\x1a\x0a)/ +} + +# >0 string,=\211PNG\r\n\032\n (len=8), ["PNG image data"], swap_endian=0 +signature file-magic-auto110 { + file-mime "image/png", 110 + file-magic /(\x89PNG\x0d\x0a\x1a\x0a)/ +} + +# >36 string,=acspSUNW (len=8), ["Sun KCMS ICC Profile"], swap_endian=0 +signature file-magic-auto111 { + file-mime "application/vnd.iccprofile", 110 + file-magic /(.{36})(acspSUNW)/ +} + +# >36 string,=acspSGI (len=8), ["SGI ICC Profile"], swap_endian=0 +signature file-magic-auto112 { + file-mime "application/vnd.iccprofile", 110 + file-magic /(.{36})(acspSGI )/ +} + +# >36 string,=acspMSFT (len=8), ["Microsoft ICM Color Profile"], swap_endian=0 +signature file-magic-auto113 { + file-mime "application/vnd.iccprofile", 110 + file-magic /(.{36})(acspMSFT)/ +} + +# >36 string,=acspAPPL (len=8), ["ColorSync ICC Profile"], swap_endian=0 +signature file-magic-auto114 { + file-mime "application/vnd.iccprofile", 110 + file-magic /(.{36})(acspAPPL)/ +} + +# >0 string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0 +signature file-magic-auto115 { + file-mime "image/x-xcf", 110 + file-magic /(gimp xcf)/ +} + +# >512 string,=R\000o\000o\000t\000 (len=8), ["Hangul (Korean) Word Processor File 2000"], swap_endian=0 +signature file-magic-auto116 { + file-mime "application/x-hwp", 110 + file-magic /(.{512})(R\x00o\x00o\x00t\x00)/ +} + +# >257 string,=ustar \000 (len=8), ["GNU tar archive"], swap_endian=0 +signature file-magic-auto117 { + file-mime "application/x-tar", 110 + file-magic 
/(.{257})(ustar \x00)/ +} + +# >0 string,=0 string,=PK\a\bPK\003\004 (len=8), ["Zip multi-volume archive data, at least PKZIP v2.50 to extract"], swap_endian=0 +signature file-magic-auto119 { + file-mime "application/zip", 110 + file-magic /(PK\x07\x08PK\x03\x04)/ +} + +# >0 string/b,=\t\004\006\000\000\000\020\000 (len=8), ["Microsoft Excel Worksheet"], swap_endian=0 +signature file-magic-auto120 { + file-mime "application/vnd.ms-excel", 110 + file-magic /(\x09\x04\x06\x00\x00\x00\x10\x00)/ +} + +# >0 string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0 +signature file-magic-auto121 { + file-mime "application/vnd.lotus-wordpro", 110 + file-magic /(WordPro\x00)/ +} + +# >0 string/t,=Article (len=7), ["saved news text"], swap_endian=0 +signature file-magic-auto122 { + file-mime "message/news", 100 + file-magic /(Article)/ +} + +# >0 string,=\037\213 (len=2), ["gzip compressed data"], swap_endian=0 +signature file-magic-auto123 { + file-mime "application/x-gzip", 100 + file-magic /(\x1f\x8b)/ +} + +# >0 string/t,=Pipe to (len=7), ["mail piping text"], swap_endian=0 +signature file-magic-auto124 { + file-mime "message/rfc822", 100 + file-magic /(Pipe to)/ +} + +# >0 string,=.RMF\000\000\000 (len=7), ["RealMedia file"], swap_endian=0 +signature file-magic-auto125 { + file-mime "application/vnd.rn-realmedia", 100 + file-magic /(\x2eRMF\x00\x00\x00)/ +} + +# >0 string,=StuffIt (len=7), ["StuffIt Archive"], swap_endian=0 +signature file-magic-auto126 { + file-mime "application/x-stuffit", 100 + file-magic /(StuffIt)/ +} + +# >0 string,=! 
(len=7), ["current ar archive"], swap_endian=0 +signature file-magic-auto127 { + file-mime "application/x-archive", 100 + file-magic /(\x21\x3carch\x3e)/ +} + +# >0 string,=P5 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature file-magic-auto128 { + file-mime "image/x-portable-greymap", 42 + file-magic /(P5)(.{1})([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >0 string,=P6 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature file-magic-auto129 { + file-mime "image/x-portable-pixmap", 42 + file-magic /(P6)(.{1})([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >0 string,=P4 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature file-magic-auto130 { + file-mime "image/x-portable-bitmap", 42 + file-magic /(P4)(.{1})([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >257 string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0 +signature file-magic-auto131 { + file-mime "application/x-tar", 90 + file-magic /(.{257})(ustar\x00)/ +} + +# >0 string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0 +signature file-magic-auto132 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1\x2e40)/ +} + +# >0 string,=AC1.50 (len=6), ["DWG AutoDesk AutoCAD Release 2.05"], swap_endian=0 +signature file-magic-auto133 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1\x2e50)/ +} + +# >0 string,=AC2.10 (len=6), ["DWG AutoDesk AutoCAD Release 2.10"], swap_endian=0 +signature file-magic-auto134 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC2\x2e10)/ +} + +# >0 string,=AC2.21 (len=6), ["DWG AutoDesk AutoCAD Release 2.21"], swap_endian=0 +signature file-magic-auto135 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC2\x2e21)/ +} + +# >0 string,=AC2.22 
(len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0 +signature file-magic-auto136 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC2\x2e22)/ +} + +# >0 string,=AC1001 (len=6), ["DWG AutoDesk AutoCAD Release 2.22"], swap_endian=0 +signature file-magic-auto137 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1001)/ +} + +# >0 string,=AC1002 (len=6), ["DWG AutoDesk AutoCAD Release 2.50"], swap_endian=0 +signature file-magic-auto138 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1002)/ +} + +# >0 string,=AC1003 (len=6), ["DWG AutoDesk AutoCAD Release 2.60"], swap_endian=0 +signature file-magic-auto139 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1003)/ +} + +# >0 string,=AC1004 (len=6), ["DWG AutoDesk AutoCAD Release 9"], swap_endian=0 +signature file-magic-auto140 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1004)/ +} + +# >0 string,=AC1006 (len=6), ["DWG AutoDesk AutoCAD Release 10"], swap_endian=0 +signature file-magic-auto141 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1006)/ +} + +# >0 string,=AC1009 (len=6), ["DWG AutoDesk AutoCAD Release 11/12"], swap_endian=0 +signature file-magic-auto142 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1009)/ +} + +# >0 string,=AC1012 (len=6), ["DWG AutoDesk AutoCAD Release 13"], swap_endian=0 +signature file-magic-auto143 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1012)/ +} + +# >0 string,=AC1014 (len=6), ["DWG AutoDesk AutoCAD Release 14"], swap_endian=0 +signature file-magic-auto144 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1014)/ +} + +# >0 string,=AC1015 (len=6), ["DWG AutoDesk AutoCAD 2000/2002"], swap_endian=0 +signature file-magic-auto145 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1015)/ +} + +# >0 string,=AC1018 (len=6), ["DWG AutoDesk AutoCAD 2004/2005/2006"], swap_endian=0 +signature file-magic-auto146 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1018)/ +} + +# >0 string,=AC1021 (len=6), ["DWG AutoDesk AutoCAD 2007/2008/2009"], swap_endian=0 
+signature file-magic-auto147 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1021)/ +} + +# >0 string,=AC1024 (len=6), ["DWG AutoDesk AutoCAD 2010/2011/2012"], swap_endian=0 +signature file-magic-auto148 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1024)/ +} + +# >0 string,=AC1027 (len=6), ["DWG AutoDesk AutoCAD 2013/2014"], swap_endian=0 +signature file-magic-auto149 { + file-mime "image/vnd.dwg", 90 + file-magic /(AC1027)/ +} + +# >0 string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0 +# >>7 byte&,x, [".%d"], swap_endian=0 +signature file-magic-auto150 { + file-mime "application/x-7z-compressed", 1 + file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/ +} + +# >0 ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0 +signature file-magic-auto151 { + file-mime "application/x-xz", 90 + file-magic /(\xfd7zXZ\x00)/ +} + +# >0 string,=0 string,=GIF94z (len=6), ["ZIF image (GIF+deflate alpha)"], swap_endian=0 +signature file-magic-auto153 { + file-mime "image/x-unknown", 90 + file-magic /(GIF94z)/ +} + +# >0 string,=FGF95a (len=6), ["FGF image (GIF+deflate beta)"], swap_endian=0 +signature file-magic-auto154 { + file-mime "image/x-unknown", 90 + file-magic /(FGF95a)/ +} + +# >0 string/t,=# xmcd (len=6), ["xmcd database file for kscd"], swap_endian=0 +signature file-magic-auto155 { + file-mime "text/x-xmcd", 90 + file-magic /(\x23 xmcd)/ +} + +# >0 string/b,=\333\245-\000\000\000 (len=6), ["Microsoft Office Document"], swap_endian=0 +signature file-magic-auto156 { + file-mime "application/msword", 90 + file-magic /(\xdb\xa5\x2d\x00\x00\x00)/ +} + +# >2 string,=MMXPR3 (len=6), ["Motorola Quark Express Document (English)"], swap_endian=0 +signature file-magic-auto157 { + file-mime "application/x-quark-xpress-3", 90 + file-magic /(.{2})(MMXPR3)/ +} + +# >0 search/1,=P1 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature 
file-magic-auto158 { + file-mime "image/x-portable-bitmap", 42 + file-magic /(.*)(P1)([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >0 search/1,=P3 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature file-magic-auto159 { + file-mime "image/x-portable-pixmap", 42 + file-magic /(.*)(P3)([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >0 search/1,=P2 (len=2), [""], swap_endian=0 +# >>3 regex,=[0-9]{1,50} (len=12), [", size = %sx"], swap_endian=0 +# >>>3 regex,= [0-9]{1,50} (len=12), ["%s"], swap_endian=0 +signature file-magic-auto160 { + file-mime "image/x-portable-greymap", 42 + file-magic /(.*)(P2)([0-9]{1,50} )( [0-9]{1,50})/ +} + +# >0 string/t,=>20 search/400,= xmlns= (len=7), [""], swap_endian=0 +# >>>&0 regex,=['"]http://earth.google.com/kml (len=31), ["Google KML document"], swap_endian=0 +signature file-magic-auto161 { + file-mime "application/vnd.google-earth.kml+xml", 61 + file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fearth.google.com\x2fkml)/ +} + +# >0 string/t,=>20 search/400,= xmlns= (len=7), [""], swap_endian=0 +# >>>&0 regex,=['"]http://www.opengis.net/kml (len=30), ["OpenGIS KML document"], swap_endian=0 +signature file-magic-auto162 { + file-mime "application/vnd.google-earth.kml+xml", 60 + file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 +# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>>&26 string,=word/ (len=5), ["Microsoft Word 2007+"], swap_endian=0 +signature file-magic-auto163 { + file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80 + file-magic 
/(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(word\x2f)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 +# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>>&26 string,=ppt/ (len=4), ["Microsoft PowerPoint 2007+"], swap_endian=0 +signature file-magic-auto164 { + file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 70 + file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(ppt\x2f)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 +# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 +# >>>>>&26 string,=xl/ (len=3), ["Microsoft Excel 2007+"], swap_endian=0 +signature file-magic-auto165 { + file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 60 + file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(xl\x2f)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXB (len=8), ["RINEX Data, GEO SBAS Broadcast"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto166 { + file-mime "rinex/broadcast", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXB)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXD (len=8), ["RINEX Data, Observation (Hatanaka comp)"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto167 { + file-mime "rinex/observation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXD)/ +} + +# >60 string,=RINEX (len=5), [""], 
swap_endian=0 +# >>80 search/256,=XXRINEXC (len=8), ["RINEX Data, Clock"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto168 { + file-mime "rinex/clock", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXC)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXH (len=8), ["RINEX Data, GEO SBAS Navigation"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto169 { + file-mime "rinex/navigation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXH)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXG (len=8), ["RINEX Data, GLONASS Navigation"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto170 { + file-mime "rinex/navigation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXG)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXL (len=8), ["RINEX Data, Galileo Navigation"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto171 { + file-mime "rinex/navigation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXL)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXM (len=8), ["RINEX Data, Meteorological"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto172 { + file-mime "rinex/meteorological", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXM)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXN (len=8), ["RINEX Data, Navigation "], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], swap_endian=0 +signature file-magic-auto173 { + file-mime "rinex/navigation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXN)/ +} + +# >60 string,=RINEX (len=5), [""], swap_endian=0 +# >>80 search/256,=XXRINEXO (len=8), ["RINEX Data, Observation"], swap_endian=0 +# >>>5 string,x, [", version %6.6s"], 
swap_endian=0 +signature file-magic-auto174 { + file-mime "rinex/observation", 1 + file-magic /(.{60})(RINEX)(.{15})(.*)(XXRINEXO)/ +} + +# Doubt it's going to be common to have this many bytes buffered. +# >37633 string,=CD001 (len=5), ["ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)"], swap_endian=0 +#signature file-magic-auto175 { +# file-mime "application/x-iso9660-image", 80 +# file-magic /(.{37633})(CD001)/ +#} + +# >2 string,=-lhd- (len=5), ["LHa 2.x? archive data [lhd]"], swap_endian=0 +signature file-magic-auto176 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlhd\x2d)/ +} + +# >0 string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0 +# >>5 string,x, ["version %.4s"], swap_endian=0 +signature file-magic-auto177 { + file-mime "application/warc", 1 + file-magic /(WARC\x2f)(.{0})/ +} + +# >0 string,=AC1.3 (len=5), ["DWG AutoDesk AutoCAD Release 1.3"], swap_endian=0 +signature file-magic-auto178 { + file-mime "image/vnd.dwg", 80 + file-magic /(AC1\x2e3)/ +} + +# >2 string,=-lh - (len=5), ["LHa 2.x? archive data [lh ]"], swap_endian=0 +signature file-magic-auto179 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh \x2d)/ +} + +# >0 string,=AC1.2 (len=5), ["DWG AutoDesk AutoCAD Release 1.2"], swap_endian=0 +signature file-magic-auto180 { + file-mime "image/vnd.dwg", 80 + file-magic /(AC1\x2e2)/ +} + +# >0 string,=MC0.0 (len=5), ["DWG AutoDesk AutoCAD Release 1.0"], swap_endian=0 +signature file-magic-auto181 { + file-mime "image/vnd.dwg", 80 + file-magic /(MC0\x2e0)/ +} + +# >2 string,=-lzs- (len=5), ["LHa/LZS archive data [lzs]"], swap_endian=0 +signature file-magic-auto182 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlzs\x2d)/ +} + +# >2 string,=-lz5- (len=5), ["LHarc 1.x archive data [lz5]"], swap_endian=0 +signature file-magic-auto183 { + file-mime "application/x-lharc", 80 + file-magic /(.{2})(\x2dlz5\x2d)/ +} + +# Doubt it's going to be common to have this many bytes buffered. 
+# >32769 string,=CD001 (len=5), ["#"], swap_endian=0 +#signature file-magic-auto184 { +# file-mime "application/x-iso9660-image", 80 +# file-magic /(.{32769})(CD001)/ +#} + +# >2 string,=-lh3- (len=5), ["LHa 2.x? archive data [lh3]"], swap_endian=0 +signature file-magic-auto185 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh3\x2d)/ +} + +# >2 string,=-lh2- (len=5), ["LHa 2.x? archive data [lh2]"], swap_endian=0 +signature file-magic-auto186 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh2\x2d)/ +} + +# >0 string,=\000\001\000\000\000 (len=5), ["TrueType font data"], swap_endian=0 +signature file-magic-auto187 { + file-mime "application/x-font-ttf", 80 + file-magic /(\x00\x01\x00\x00\x00)/ +} + +# >0 string/b,=PO^Q` (len=5), ["Microsoft Word 6.0 Document"], swap_endian=0 +signature file-magic-auto188 { + file-mime "application/msword", 80 + file-magic /(PO\x5eQ\x60)/ +} + +# >0 string,=%PDF- (len=5), ["PDF document"], swap_endian=0 +signature file-magic-auto189 { + file-mime "application/pdf", 80 + file-magic /(\x25PDF\x2d)/ +} + +# >2114 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 +signature file-magic-auto190 { + file-mime "application/vnd.ms-excel", 80 + file-magic /(.{2114})(Biff5)/ +} + +# >2121 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 +signature file-magic-auto191 { + file-mime "application/vnd.ms-excel", 80 + file-magic /(.{2121})(Biff5)/ +} + +# >0 string/t,=Path: (len=5), ["news text"], swap_endian=0 +signature file-magic-auto192 { + file-mime "message/news", 80 + file-magic /(Path\x3a)/ +} + +# >0 string/t,=Xref: (len=5), ["news text"], swap_endian=0 +signature file-magic-auto193 { + file-mime "message/news", 80 + file-magic /(Xref\x3a)/ +} + +# >0 string/t,=From: (len=5), ["news or mail text"], swap_endian=0 +signature file-magic-auto194 { + file-mime "message/rfc822", 80 + file-magic /(From\x3a)/ +} + +# >2 string,=-lh7- (len=5), ["LHa (2.x)/LHark archive data 
[lh7]"], swap_endian=0 +signature file-magic-auto195 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh7\x2d)/ +} + +# >0 string,={\rtf (len=5), ["Rich Text Format data,"], swap_endian=0 +signature file-magic-auto196 { + file-mime "text/rtf", 80 + file-magic /(\x7b\x5crtf)/ +} + +# >2 string,=-lh6- (len=5), ["LHa (2.x) archive data [lh6]"], swap_endian=0 +signature file-magic-auto197 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh6\x2d)/ +} + +# >2 string,=-lh5- (len=5), ["LHa (2.x) archive data [lh5]"], swap_endian=0 +signature file-magic-auto198 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh5\x2d)/ +} + +# >2 string,=-lh4- (len=5), ["LHa (2.x) archive data [lh4]"], swap_endian=0 +signature file-magic-auto199 { + file-mime "application/x-lha", 80 + file-magic /(.{2})(\x2dlh4\x2d)/ +} + +# >2 string,=-lz4- (len=5), ["LHarc 1.x archive data [lz4]"], swap_endian=0 +signature file-magic-auto200 { + file-mime "application/x-lharc", 80 + file-magic /(.{2})(\x2dlz4\x2d)/ +} + +# >2 string,=-lh1- (len=5), ["LHarc 1.x/ARX archive data [lh1]"], swap_endian=0 +signature file-magic-auto201 { + file-mime "application/x-lharc", 80 + file-magic /(.{2})(\x2dlh1\x2d)/ +} + +# >2 string,=-lh0- (len=5), ["LHarc 1.x/ARX archive data [lh0]"], swap_endian=0 +signature file-magic-auto202 { + file-mime "application/x-lharc", 80 + file-magic /(.{2})(\x2dlh0\x2d)/ +} + +# >0 string,=%FDF- (len=5), ["FDF document"], swap_endian=0 +signature file-magic-auto203 { + file-mime "application/vnd.fdf", 80 + file-magic /(\x25FDF\x2d)/ +} + +# >0 belong&,=443 (0x000001bb), [""], swap_endian=0 +signature file-magic-auto204 { + file-mime "video/mpeg", 71 + file-magic /(\x00\x00\x01\xbb)/ +} + +# The non-sequential offsets and use of bitmask and relational operators +# made this difficult to autogenerate. Can see about manually creating +# the correct character class later. 
+# >0 ubelong&fff8fe00,=167772160 (0x0a000000), [""], swap_endian=0 +# >>3 ubyte&,>0x00, [""], swap_endian=0 +# >>>1 ubyte&,<0x06, [""], swap_endian=0 +# >>>>1 ubyte&,!0x01, ["PCX"], swap_endian=0 +#signature file-magic-auto205 { +# file-mime "image/x-pcx", 1 +# file-magic /(.{4})(.*)([\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05])(.*)([\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\
xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +#} + +# >0 belong&,=432 (0x000001b0), [""], swap_endian=0 +signature file-magic-auto206 { + file-mime "video/mp4v-es", 71 + file-magic /(\x00\x00\x01\xb0)/ +} + +# >0 belong&,=437 (0x000001b5), [""], swap_endian=0 +signature file-magic-auto207 { + file-mime "video/mp4v-es", 71 + file-magic /(\x00\x00\x01\xb5)/ +} + +# >0 string,=AWBM (len=4), [""], swap_endian=0 +# >>4 leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0 +signature file-magic-auto208 { + file-mime "image/x-award-bmp", 20 + file-magic /(AWBM)(.{2})/ +} + +# >0 belong&,=435 (0x000001b3), [""], swap_endian=0 +signature file-magic-auto209 { + file-mime "video/mpv", 71 + file-magic /(\x00\x00\x01\xb3)/ +} + +# Converting bitmask to character class might make the regex +# unfriendly to humans. 
+# >0 belong&ffffffffff5fff10,=1195376656 (0x47400010), [""], swap_endian=0 +#signature file-magic-auto210 { +# file-mime "video/mp2t", 71 +# file-magic /(.{4})/ +#} + +# >0 belong&,=1 (0x00000001), [""], swap_endian=0 +# >>4 byte&0000001f,=0x07, [""], swap_endian=0 +signature file-magic-auto211 { + file-mime "video/h264", 41 + file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/ +} + +# >0 belong&,=-889275714 (0xcafebabe), [""], swap_endian=0 +signature file-magic-auto212 { + file-mime "application/x-java-applet", 71 + file-magic /(\xca\xfe\xba\xbe)/ +} + +# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 +# >>3 byte&,=0xba, ["MPEG sequence"], swap_endian=0 +signature file-magic-auto213 { + file-mime "video/mpeg", 40 + file-magic /(\x00\x00\x01\xba)/ +} + +# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 +# >>3 byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0 +signature file-magic-auto214 { + file-mime "video/mpeg4-generic", 40 + file-magic /(\x00\x00\x01\xb0)/ +} + +# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 +# >>3 byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0 +signature file-magic-auto215 { + file-mime "video/mpeg4-generic", 40 + file-magic /(\x00\x00\x01\xb5)/ +} + +# >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 +# >>3 byte&,=0xb3, ["MPEG sequence"], swap_endian=0 +signature file-magic-auto216 { + file-mime "video/mpeg", 40 + file-magic /(\x00\x00\x01\xb3)/ +} + +# >0 lelong&,=4 (0x00000004), [""], swap_endian=0 +# >>104 lelong&,=4 (0x00000004), ["X11 SNF font data, LSB first"], swap_endian=0 +signature file-magic-auto217 { + file-mime "application/x-font-sfn", 70 + file-magic /(\x04\x00\x00\x00)(.{100})(\x04\x00\x00\x00)/ +} + +# >0 lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0 +signature file-magic-auto218 { + file-mime "application/x-lzma", 71 + file-magic /(\x5d\x00\x00.)/ +} + +# This didn't auto-generate correctly due to non-sequential offsets 
and +# use of bitwise/relational comparisons. At a glance: may not be +# that common/useful, leaving for later. +# >512 ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0 +# >>21 ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0 +# >>>512 ubyte&,=0xfc, ["180k"], swap_endian=0 +# >>>>2574 ubequad&,=0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>2560 ubequad&,!0 (0x0000000000000000), [""], swap_endian=0 +#signature file-magic-auto219 { +# file-mime "application/x-ima", 2 +# file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfc])(.{2061})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/ +#} + +# This didn't auto-generate correctly due to non-sequential offsets and +# use of bitwise/relational comparisons. At a glance: may not be +# that common/useful, leaving for later. 
+# >512 ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0 +# >>21 ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0 +# >>>512 ubyte&,=0xfd, [""], swap_endian=0 +# >>>>2574 ubequad&,=0 (0x0000000000000000), [""], swap_endian=0 +#signature file-magic-auto220 { +# file-mime "application/x-ima", 111 +# file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfd])(.{2061})(\x00\x00\x00\x00\x00\x00\x00\x00)/ +#} + +# This didn't auto-generate correctly due to non-sequential offsets and +# use of bitwise/relational comparisons. At a glance: may not be +# that common/useful, leaving for later. 
+# >512 ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0 +# >>21 ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0 +# >>>512 ubyte&,=0xfe, [""], swap_endian=0 +# >>>>1024 ubelong&e0ffff00,=3774873344 (0xe0ffff00), ["160k"], swap_endian=0 +# >>>>>1550 ubequad&,=0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>>1536 ubequad&,!0 (0x0000000000000000), [""], swap_endian=0 +#signature file-magic-auto221 { +# file-mime "application/x-ima", 2 +# file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xfe])(.{511})(.{4})(.{522})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/ +#} + +# This didn't auto-generate correctly due to non-sequential offsets and +# use of bitwise/relational comparisons. At a glance: may not be +# that common/useful, leaving for later. 
+# >512 ubelong&e0ffff00,=3774873344 (0xe0ffff00), [""], swap_endian=0 +# >>21 ubyte&,<0xe5, ["floppy with old FAT filesystem"], swap_endian=0 +# >>>512 ubyte&,=0xff, ["320k"], swap_endian=0 +# >>>>1550 ubequad&,=0 (0x0000000000000000), [""], swap_endian=0 +# >>>>>1536 ubequad&,!0 (0x0000000000000000), [""], swap_endian=0 +#signature file-magic-auto222 { +# file-mime "application/x-ima", 2 +# file-magic /(.{512})(.{4})(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4])(.{490})([\xff])(.{1037})(\x00\x00\x00\x00\x00\x00\x00\x00)(.*)(.{8})/ +#} + +# >0 string,=;ELC (len=4), [""], swap_endian=0 +# >>4 byte&,<0x20, ["Emacs/XEmacs v%d byte-compiled Lisp data"], swap_endian=0 +signature file-magic-auto223 { + file-mime "application/x-elc", 10 + file-magic 
/(\x3bELC)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0 +# >>4 search/4096,=B\202 (len=2), [""], swap_endian=0 +# >>>&1 string,=webm (len=4), ["WebM"], swap_endian=0 +signature file-magic-auto224 { + file-mime "video/webm", 70 + file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/ +} + +# >0 belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0 +# >>4 search/4096,=B\202 (len=2), [""], swap_endian=0 +# >>>&1 string,=matroska (len=8), ["Matroska data"], swap_endian=0 +signature file-magic-auto225 { + file-mime "video/x-matroska", 110 + file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>4 byte&,=0x14, [""], swap_endian=0 +# >>>30 string,=doc.kml (len=7), ["Compressed Google KML Document, including resources."], swap_endian=0 +signature file-magic-auto226 { + file-mime "application/vnd.google-earth.kmz", 100 + file-magic /(PK\x03\x04)([\x14])(.{25})(doc\x2ekml)/ +} + +# The indirect offset in the last magic rule means this has little chance +# Also plenty of bitmasking/relational comparisons that weren't auto-generated. +# of working. 
+# >0 ulelong&804000e9,=233 (0x000000e9), [""], swap_endian=0 +# >>11 uleshort&000f001f,=0 (0x0000), [""], swap_endian=0 +# >>>11 uleshort&,<32769 (0x8001), [""], swap_endian=0 +# >>>>11 uleshort&,>31 (0x001f), [""], swap_endian=0 +# >>>>>21 ubyte&000000f0,=0xf0, [""], swap_endian=0 +# >>>>>>21 ubyte&,!0xf8, [""], swap_endian=0 +# >>>>>>>54 string,!FAT16 (len=5), [""], swap_endian=0 +# >>>>>>>>11 (leshort,&0), ulelong&00fffff0,=16777200 (0x00fffff0), [", followed by FAT"], swap_endian=0 +#signature file-magic-auto227 { +# file-mime "application/x-ima", 70 +# file-magic /(.{4})(.{7})(.{2})(.*)(.{2})(.*)(.{2})(.{8})([\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.*)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf9\xfa\xfb\xfc\xfd\xfe\xff])(.{32})(FAT16)(.{4})/ +#} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=text (len=4), [""], swap_endian=0 +# >>>>>77 byte&,!0x2d, ["Text"], swap_endian=0 +signature file-magic-auto228 { + file-mime "application/vnd.oasis.opendocument.text", 110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=text (len=4), [""], swap_endian=0
+# >>>>>77 string,=-template (len=9), ["Text Template"], swap_endian=0
+signature file-magic-auto229 {
+ file-mime "application/vnd.oasis.opendocument.text-template", 120
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dtemplate)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=text (len=4), [""], swap_endian=0
+# >>>>>77 string,=-web (len=4), ["HTML Document Template"], swap_endian=0
+signature file-magic-auto230 {
+ file-mime "application/vnd.oasis.opendocument.text-web", 70
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dweb)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=text (len=4), [""], swap_endian=0
+# >>>>>77 string,=-master (len=7), ["Master Document"], swap_endian=0
+signature file-magic-auto231 {
+ file-mime "application/vnd.oasis.opendocument.text-master", 100
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(text)(\x2dmaster)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=graphics (len=8), [""], swap_endian=0 +# >>>>>81 byte&,!0x2d, ["Drawing"], swap_endian=0 +signature file-magic-auto232 { + file-mime "application/vnd.oasis.opendocument.graphics", 110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=graphics (len=8), [""], swap_endian=0 +# >>>>>81 string,=-template (len=9), ["Template"], swap_endian=0 +signature file-magic-auto233 { + file-mime "application/vnd.oasis.opendocument.graphics-template", 120 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(graphics)(\x2dtemplate)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=presentation (len=12), [""], swap_endian=0 +# >>>>>85 byte&,!0x2d, ["Presentation"], swap_endian=0 +signature file-magic-auto234 { + file-mime "application/vnd.oasis.opendocument.presentation", 110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 
string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=presentation (len=12), [""], swap_endian=0
+# >>>>>85 string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto235 {
+ file-mime "application/vnd.oasis.opendocument.presentation-template", 120
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(presentation)(\x2dtemplate)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=spreadsheet (len=11), [""], swap_endian=0
+# >>>>>84 byte&,!0x2d, ["Spreadsheet"], swap_endian=0
+signature file-magic-auto236 {
+ file-mime "application/vnd.oasis.opendocument.spreadsheet", 110
+ file-magic 
/(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=spreadsheet (len=11), [""], swap_endian=0 +# >>>>>84 string,=-template (len=9), ["Template"], swap_endian=0 +signature file-magic-auto237 { + file-mime "application/vnd.oasis.opendocument.spreadsheet-template", 120 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(spreadsheet)(\x2dtemplate)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=chart (len=5), [""], swap_endian=0 +# >>>>>78 byte&,!0x2d, ["Chart"], swap_endian=0 +signature file-magic-auto238 { + file-mime "application/vnd.oasis.opendocument.chart", 110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=chart (len=5), [""], swap_endian=0 +# >>>>>78 string,=-template (len=9), ["Template"], swap_endian=0 +signature file-magic-auto239 { + file-mime "application/vnd.oasis.opendocument.chart-template", 120 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(chart)(\x2dtemplate)/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=formula (len=7), [""], swap_endian=0 +# >>>>>80 byte&,!0x2d, ["Formula"], swap_endian=0 +signature file-magic-auto240 { + file-mime "application/vnd.oasis.opendocument.formula", 1110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), 
[""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=formula (len=7), [""], swap_endian=0
+# >>>>>80 string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto241 {
+ file-mime "application/vnd.oasis.opendocument.formula-template", 120
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(formula)(\x2dtemplate)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. (len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=database (len=8), ["Database"], swap_endian=0
+signature file-magic-auto242 {
+ file-mime "application/vnd.oasis.opendocument.database", 110
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(database)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0 +# >>>>73 string,=image (len=5), [""], swap_endian=0 +# >>>>>78 byte&,!0x2d, ["Image"], swap_endian=0 +signature file-magic-auto243 { + file-mime "application/vnd.oasis.opendocument.image", 110 + file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 +# >>>50 string,=vnd.oasis.opendocument. 
(len=23), ["OpenDocument"], swap_endian=0
+# >>>>73 string,=image (len=5), [""], swap_endian=0
+# >>>>>78 string,=-template (len=9), ["Template"], swap_endian=0
+signature file-magic-auto244 {
+ file-mime "application/vnd.oasis.opendocument.image-template", 120
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(vnd\x2eoasis\x2eopendocument\x2e)(image)(\x2dtemplate)/
+}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,=epub+zip (len=8), ["EPUB document"], swap_endian=0
+signature file-magic-auto245 {
+ file-mime "application/epub+zip", 110
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/
+}
+
+# Seems redundant with other zip signature below.
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0
+# >>>50 string,!epub+zip (len=8), [""], swap_endian=0
+# >>>>50 string,!vnd.oasis.opendocument. (len=23), [""], swap_endian=0
+# >>>>>50 string,!vnd.sun.xml. (len=12), [""], swap_endian=0
+# >>>>>>50 string,!vnd.kde. (len=8), [""], swap_endian=0
+# >>>>>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0
+#signature file-magic-auto246 {
+# file-mime "application/zip", 39
+# file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)/
+#}
+
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0
+# >>26 string,=\b\000\000\000mimetype (len=12), [""], swap_endian=0
+# >>>38 string,!application/ (len=12), [""], swap_endian=0
+# >>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0
+signature file-magic-auto247 {
+ file-mime "application/zip", 39
+ file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetype)/
+}
+
+# The indirect offset makes this difficult to convert.
+# The (.*) may be too generous. 
+# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 (leshort,+30), leshort&,=-13570 (0xcafe), ["Java archive data (JAR)"], swap_endian=0 +signature file-magic-auto248 { + file-mime "application/java-archive", 50 + file-magic /(PK\x03\x04)(.*)(\xfe\xca)/ +} + +# The indeirect offset and string inequality make this difficult to convert. +# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 +# >>26 (leshort,+30), leshort&,!-13570 (0xcafe), [""], swap_endian=0 +# >>>26 string,!\b\000\000\000mimetype (len=12), ["Zip archive data"], swap_endian=0 +signature file-magic-auto249 { + file-mime "application/zip", 10 + file-magic /(PK\x03\x04)(.{2})/ +} + +# >0 belong&,=442 (0x000001ba), [""], swap_endian=0 +# >>4 byte&,&0x40, [""], swap_endian=0 +signature file-magic-auto250 { + file-mime "video/mp2p", 21 + file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 belong&,=442 (0x000001ba), [""], swap_endian=0 +# >>4 byte&,^0x40, [""], swap_endian=0 +signature file-magic-auto251 { + file-mime "video/mpeg", 21 + file-magic 
/(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/ +} + +# >0 string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0 +signature file-magic-auto252 { + file-mime "video/x-sgi-movie", 70 + file-magic /(MOVI)/ +} + +# >4 string,=moov (len=4), ["Apple QuickTime"], swap_endian=0 +signature file-magic-auto253 { + file-mime "video/quicktime", 70 + file-magic /(.{4})(moov)/ +} + +# >4 string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0 +signature file-magic-auto254 { + file-mime "video/quicktime", 70 + file-magic /(.{4})(mdat)/ +} + +# >4 string,=idsc (len=4), ["Apple QuickTime image (fast start)"], swap_endian=0 +signature file-magic-auto255 { + file-mime "image/x-quicktime", 70 + file-magic /(.{4})(idsc)/ +} + +# >4 string,=pckg (len=4), ["Apple QuickTime compressed archive"], swap_endian=0 +signature file-magic-auto256 { + file-mime "application/x-quicktime-player", 70 + file-magic /(.{4})(pckg)/ +} + +# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 +# >>8 string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0 +signature file-magic-auto257 { + file-mime "video/mp4", 70 + file-magic /(.{4})(ftyp)(isom)/ +} + +# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 +# >>8 string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0 +signature file-magic-auto258 { + file-mime "video/mp4", 70 + file-magic /(.{4})(ftyp)(mp41)/ +} + +# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0 +# >>8 string,=mp42 (len=4), [", MPEG v4 
system, version 2"], swap_endian=0
+signature file-magic-auto259 {
+ file-mime "video/mp4", 70
+ file-magic /(.{4})(ftyp)(mp42)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string/W,=jp2 (len=3), [", JPEG 2000"], swap_endian=0
+signature file-magic-auto260 {
+ file-mime "image/jp2", 60
+ file-magic /(.{4})(ftyp)(jp2)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto261 {
+ file-mime "video/3gpp", 60
+ file-magic /(.{4})(ftyp)(3ge)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto262 {
+ file-mime "video/3gpp", 60
+ file-magic /(.{4})(ftyp)(3gg)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto263 {
+ file-mime "video/3gpp", 60
+ file-magic /(.{4})(ftyp)(3gp)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto264 {
+ file-mime "video/3gpp", 60
+ file-magic /(.{4})(ftyp)(3gs)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
+signature file-magic-auto265 {
+ file-mime "video/3gpp2", 60
+ file-magic /(.{4})(ftyp)(3g2)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
+signature file-magic-auto266 {
+ file-mime "video/mp4", 70
+ file-magic /(.{4})(ftyp)(mmp4)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
+signature file-magic-auto267 {
+ file-mime "video/3gpp", 70
+ file-magic /(.{4})(ftyp)(avc1)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], 
swap_endian=0
+# >>8 string/W,=M4A (len=3), [", MPEG v4 system, iTunes AAC-LC"], swap_endian=0
+signature file-magic-auto268 {
+ file-mime "audio/mp4", 60
+ file-magic /(.{4})(ftyp)(M4A)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string/W,=M4V (len=3), [", MPEG v4 system, iTunes AVC-LC"], swap_endian=0
+signature file-magic-auto269 {
+ file-mime "video/mp4", 60
+ file-magic /(.{4})(ftyp)(M4V)/
+}
+
+# >4 string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8 string/W,=qt (len=2), [", Apple QuickTime movie"], swap_endian=0
+signature file-magic-auto270 {
+ file-mime "video/quicktime", 50
+ file-magic /(.{4})(ftyp)(qt)/
+}
+
+# >0 string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
+signature file-magic-auto271 {
+ file-mime "image/x-xcursor", 70
+ file-magic /(Xcur)/
+}
+
+# >0 string,=ADIF (len=4), ["MPEG ADIF, AAC"], swap_endian=0
+signature file-magic-auto272 {
+ file-mime "audio/x-hx-aac-adif", 70
+ file-magic /(ADIF)/
+}
+
+# >0 belong&,=807842421 (0x3026b275), ["Microsoft ASF"], swap_endian=0
+signature file-magic-auto273 {
+ file-mime "video/x-ms-asf", 70
+ file-magic /(\x30\x26\xb2\x75)/
+}
+
+# >0 string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
+signature file-magic-auto274 {
+ file-mime "video/x-mng", 70
+ file-magic /(\x8aMNG)/
+}
+
+# >0 string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
+signature file-magic-auto275 {
+ file-mime "video/x-jng", 70
+ file-magic /(\x8bJNG)/
+}
+
+# >0 string,=MAC (len=4), ["Monkey's Audio compressed format"], swap_endian=0
+signature file-magic-auto276 {
+ file-mime "audio/x-ape", 70
+ file-magic /(MAC )/
+}
+
+# >36 string,=acsp (len=4), ["ICC Profile"], swap_endian=0
+signature file-magic-auto277 {
+ file-mime "application/vnd.iccprofile", 70
+ file-magic /(.{36})(acsp)/
+}
+
+# >0 string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8 string,=AIFF (len=4), [", AIFF audio"], swap_endian=0
+signature file-magic-auto278 {
+ file-mime "audio/x-aiff", 70
+ file-magic 
/(FORM)(.{4})(AIFF)/
+}
+
+# >0 string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8 string,=AIFC (len=4), [", AIFF-C compressed audio"], swap_endian=0
+signature file-magic-auto279 {
+ file-mime "audio/x-aiff", 70
+ file-magic /(FORM)(.{4})(AIFC)/
+}
+
+# >0 string,=FORM (len=4), ["IFF data"], swap_endian=0
+# >>8 string,=8SVX (len=4), [", 8SVX 8-bit sampled sound voice"], swap_endian=0
+signature file-magic-auto280 {
+ file-mime "audio/x-aiff", 70
+ file-magic /(FORM)(.{4})(8SVX)/
+}
+
+# >0 string,=fLaC (len=4), ["FLAC audio bitstream data"], swap_endian=0
+signature file-magic-auto281 {
+ file-mime "audio/x-flac", 70
+ file-magic /(fLaC)/
+}
+
+# >0 string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
+signature file-magic-auto282 {
+ file-mime "image/x-niff", 70
+ file-magic /(IIN1)/
+}
+
+# >0 string,=MM\000* (len=4), ["TIFF image data, big-endian"], swap_endian=0
+signature file-magic-auto283 {
+ file-mime "image/tiff", 70
+ file-magic /(MM\x00\x2a)/
+}
+
+# >0 string,=II*\000 (len=4), ["TIFF image data, little-endian"], swap_endian=0
+signature file-magic-auto284 {
+ file-mime "image/tiff", 70
+ file-magic /(II\x2a\x00)/
+}
+
+# >0 string,=MM\000+ (len=4), ["Big TIFF image data, big-endian"], swap_endian=0
+signature file-magic-auto285 {
+ file-mime "image/tiff", 70
+ file-magic /(MM\x00\x2b)/
+}
+
+# >0 string,=II+\000 (len=4), ["Big TIFF image data, little-endian"], swap_endian=0
+signature file-magic-auto286 {
+ file-mime "image/tiff", 70
+ file-magic /(II\x2b\x00)/
+}
+
+# >0 string,=GIF8 (len=4), ["GIF image data"], swap_endian=0
+signature file-magic-auto287 {
+ file-mime "image/gif", 70
+ file-magic /(GIF8)/
+}
+
+# >128 string,=DICM (len=4), ["DICOM medical imaging data"], swap_endian=0
+signature file-magic-auto288 {
+ file-mime "application/dicom", 70
+ file-magic /(.{128})(DICM)/
+}
+
+# >0 string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
+signature file-magic-auto289 {
+ file-mime "image/vnd.adobe.photoshop", 70
+ 
file-magic /(8BPS)/ +} + +# >0 string,=IMPM (len=4), ["Impulse Tracker module sound data -"], swap_endian=0 +signature file-magic-auto290 { + file-mime "audio/x-mod", 70 + file-magic /(IMPM)/ +} + +# >0 lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0 +signature file-magic-auto291 { + file-mime "image/x-exr", 70 + file-magic /(\x76\x2f\x31\x01)/ +} + +# >0 string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0 +signature file-magic-auto292 { + file-mime "image/x-dpx", 70 + file-magic /(SDPX)/ +} + +# >0 belong&,=235082497 (0x0e031301), ["Hierarchical Data Format (version 4) data"], swap_endian=0 +signature file-magic-auto293 { + file-mime "application/x-hdf", 70 + file-magic /(\x0e\x03\x13\x01)/ +} + +# >0 string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0 +signature file-magic-auto294 { + file-mime "image/x-cpi", 70 + file-magic /(CPC\xb2)/ +} + +# >0 string,=MMOR (len=4), ["Olympus ORF raw image data, big-endian"], swap_endian=0 +signature file-magic-auto295 { + file-mime "image/x-olympus-orf", 70 + file-magic /(MMOR)/ +} + +# >0 string,=IIRO (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0 +signature file-magic-auto296 { + file-mime "image/x-olympus-orf", 70 + file-magic /(IIRO)/ +} + +# >0 string,=IIRS (len=4), ["Olympus ORF raw image data, little-endian"], swap_endian=0 +signature file-magic-auto297 { + file-mime "image/x-olympus-orf", 70 + file-magic /(IIRS)/ +} + +# >0 string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0 +signature file-magic-auto298 { + file-mime "image/x-x3f", 70 + file-magic /(FOVb)/ +} + +# >0 string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0 +signature file-magic-auto299 { + file-mime "image/x-paintnet", 70 + file-magic /(PDN3)/ +} + +# >0 ulelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (little-endian)"], swap_endian=0 +signature file-magic-auto300 { + file-mime "application/vnd.tcpdump.pcap", 70 + file-magic 
/(\xd4\xc3\xb2\xa1)/ +} + +# >0 ubelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (big-endian)"], swap_endian=0 +signature file-magic-auto301 { + file-mime "application/vnd.tcpdump.pcap", 70 + file-magic /(\xa1\xb2\xc3\xd4)/ +} + +# >0 belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0 +signature file-magic-auto302 { + file-mime "application/x-java-keystore", 70 + file-magic /(\xfe\xed\xfe\xed)/ +} + +# >0 belong&,=-825307442 (0xcececece), ["Java JCE KeyStore"], swap_endian=0 +signature file-magic-auto303 { + file-mime "application/x-java-jce-keystore", 70 + file-magic /(\xce\xce\xce\xce)/ +} + +# >1080 string,=32CN (len=4), ["32-channel Taketracker module sound data"], swap_endian=0 +signature file-magic-auto304 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(32CN)/ +} + +# >1080 string,=16CN (len=4), ["16-channel Taketracker module sound data"], swap_endian=0 +signature file-magic-auto305 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(16CN)/ +} + +# >1080 string,=OKTA (len=4), ["8-channel Octalyzer module sound data"], swap_endian=0 +signature file-magic-auto306 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(OKTA)/ +} + +# >1080 string,=CD81 (len=4), ["8-channel Octalyser module sound data"], swap_endian=0 +signature file-magic-auto307 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(CD81)/ +} + +# >1080 string,=8CHN (len=4), ["8-channel Fasttracker module sound data"], swap_endian=0 +signature file-magic-auto308 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(8CHN)/ +} + +# >1080 string,=6CHN (len=4), ["6-channel Fasttracker module sound data"], swap_endian=0 +signature file-magic-auto309 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(6CHN)/ +} + +# >1080 string,=4CHN (len=4), ["4-channel Fasttracker module sound data"], swap_endian=0 +signature file-magic-auto310 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(4CHN)/ +} + +# >1080 string,=FLT8 (len=4), ["8-channel Startracker 
module sound data"], swap_endian=0 +signature file-magic-auto311 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(FLT8)/ +} + +# >1080 string,=FLT4 (len=4), ["4-channel Startracker module sound data"], swap_endian=0 +signature file-magic-auto312 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(FLT4)/ +} + +# >1080 string,=M!K! (len=4), ["4-channel Protracker module sound data"], swap_endian=0 +signature file-magic-auto313 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(M\x21K\x21)/ +} + +# >1080 string,=M.K. (len=4), ["4-channel Protracker module sound data"], swap_endian=0 +signature file-magic-auto314 { + file-mime "audio/x-mod", 70 + file-magic /(.{1080})(M\x2eK\x2e)/ +} + +# >0 lelong&,=336851773 (0x1413f33d), ["SYSLINUX' LSS16 image data"], swap_endian=0 +signature file-magic-auto315 { + file-mime "image/x-lss16", 70 + file-magic /(\x3d\xf3\x13\x14)/ +} + +# >0 belong&,=779248125 (0x2e7261fd), ["RealAudio sound file"], swap_endian=0 +signature file-magic-auto316 { + file-mime "audio/x-pn-realaudio", 70 + file-magic /(\x2e\x72\x61\xfd)/ +} + +# >0 string,=CTMF (len=4), ["Creative Music (CMF) data"], swap_endian=0 +signature file-magic-auto317 { + file-mime "audio/x-unknown", 70 + file-magic /(CTMF)/ +} + +# >0 string,=MThd (len=4), ["Standard MIDI data"], swap_endian=0 +signature file-magic-auto318 { + file-mime "audio/midi", 70 + file-magic /(MThd)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=1 (0x00000001), ["8-bit ISDN mu-law,"], swap_endian=0 +signature file-magic-auto319 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x01\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=2 (0x00000002), ["8-bit linear PCM [REF-PCM],"], swap_endian=0 +signature file-magic-auto320 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x02\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), 
["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=3 (0x00000003), ["16-bit linear PCM,"], swap_endian=0 +signature file-magic-auto321 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x03\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=4 (0x00000004), ["24-bit linear PCM,"], swap_endian=0 +signature file-magic-auto322 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x04\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=5 (0x00000005), ["32-bit linear PCM,"], swap_endian=0 +signature file-magic-auto323 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x05\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=6 (0x00000006), ["32-bit IEEE floating point,"], swap_endian=0 +signature file-magic-auto324 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x06\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=7 (0x00000007), ["64-bit IEEE floating point,"], swap_endian=0 +signature file-magic-auto325 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x07\x00\x00\x00)/ +} + +# >0 lelong&,=6583086 (0x0064732e), ["DEC audio data:"], swap_endian=0 +# >>12 lelong&,=23 (0x00000017), ["8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),"], swap_endian=0 +signature file-magic-auto326 { + file-mime "audio/x-dec-basic", 70 + file-magic /(\x2e\x73\x64\x00)(.{8})(\x17\x00\x00\x00)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=1 (0x00000001), ["8-bit ISDN mu-law,"], swap_endian=0 +signature file-magic-auto327 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x01)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 
belong&,=2 (0x00000002), ["8-bit linear PCM [REF-PCM],"], swap_endian=0 +signature file-magic-auto328 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x02)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=3 (0x00000003), ["16-bit linear PCM,"], swap_endian=0 +signature file-magic-auto329 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x03)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=4 (0x00000004), ["24-bit linear PCM,"], swap_endian=0 +signature file-magic-auto330 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x04)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=5 (0x00000005), ["32-bit linear PCM,"], swap_endian=0 +signature file-magic-auto331 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x05)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=6 (0x00000006), ["32-bit IEEE floating point,"], swap_endian=0 +signature file-magic-auto332 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x06)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=7 (0x00000007), ["64-bit IEEE floating point,"], swap_endian=0 +signature file-magic-auto333 { + file-mime "audio/basic", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x07)/ +} + +# >0 string,=.snd (len=4), ["Sun/NeXT audio data:"], swap_endian=0 +# >>12 belong&,=23 (0x00000017), ["8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),"], swap_endian=0 +signature file-magic-auto334 { + file-mime "audio/x-adpcm", 70 + file-magic /(\x2esnd)(.{8})(\x00\x00\x00\x17)/ +} + +# >0 string,=SIT! 
(len=4), ["StuffIt Archive (data)"], swap_endian=0 +signature file-magic-auto335 { + file-mime "application/x-stuffit", 70 + file-magic /(SIT\x21)/ +} + +# >0 lelong&,=574529400 (0x223e9f78), ["Transport Neutral Encapsulation Format"], swap_endian=0 +signature file-magic-auto336 { + file-mime "application/vnd.ms-tnef", 70 + file-magic /(\x78\x9f\x3e\x22)/ +} + +# >0 string,= (len=4), ["System V Release 1 ar archive"], swap_endian=0 +signature file-magic-auto337 { + file-mime "application/x-archive", 70 + file-magic /(\x3car\x3e)/ +} + +# >0 lelong&ffffffff8080ffff,=2074 (0x0000081a), ["ARC archive data, dynamic LZW"], swap_endian=0 +signature file-magic-auto338 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x08\x1a)/ +} + +# >0 lelong&ffffffff8080ffff,=2330 (0x0000091a), ["ARC archive data, squashed"], swap_endian=0 +signature file-magic-auto339 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x09\x1a)/ +} + +# >0 
lelong&ffffffff8080ffff,=538 (0x0000021a), ["ARC archive data, uncompressed"], swap_endian=0 +signature file-magic-auto340 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x02\x1a)/ +} + +# >0 lelong&,=270539386 (0x10201a7a), ["Symbian installation file (Symbian OS 9.x)"], swap_endian=0 +signature file-magic-auto341 { + file-mime "x-epoc/x-sisx-app", 70 + file-magic /(\x7a\x1a\x20\x10)/ +} + +# >8 lelong&,=268436505 (0x10000419), ["Symbian installation file"], swap_endian=0 +signature file-magic-auto342 { + file-mime "application/vnd.symbian.install", 70 + file-magic /(.{8})(\x19\x04\x00\x10)/ +} + +# >0 lelong&ffffffff8080ffff,=794 (0x0000031a), ["ARC archive data, packed"], swap_endian=0 +signature file-magic-auto343 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x03\x1a)/ +} + +# >0 belong&,=518520576 (0x1ee7ff00), ["EET archive"], swap_endian=0 +signature file-magic-auto344 { + file-mime "application/x-eet", 70 + file-magic 
/(\x1e\xe7\xff\x00)/ +} + +# >0 lelong&ffffffff8080ffff,=1050 (0x0000041a), ["ARC archive data, squeezed"], swap_endian=0 +signature file-magic-auto345 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x04\x1a)/ +} + +# >0 lelong&ffffffff8080ffff,=1562 (0x0000061a), ["ARC archive data, crunched"], swap_endian=0 +signature file-magic-auto346 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x06\x1a)/ +} + +# >0 lelong&ffffffff8080ffff,=2586 (0x00000a1a), ["PAK archive data"], swap_endian=0 +signature file-magic-auto347 { + file-mime "application/x-arc", 70 + file-magic 
/([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x0a\x1a)/ +} + +# >0 lelong&ffffffff8080ffff,=5146 (0x0000141a), ["ARC+ archive data"], swap_endian=0 +signature file-magic-auto348 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x14\x1a)/ +} + +# >20 lelong&,=-37443620 (0xfdc4a7dc), ["Zoo archive data"], swap_endian=0 +signature file-magic-auto349 { + file-mime "application/x-zoo", 70 + file-magic /(.{20})(\xdc\xa7\xc4\xfd)/ +} + +# >0 string,=Rar! 
(len=4), ["RAR archive data,"], swap_endian=0 +signature file-magic-auto350 { + file-mime "application/x-rar", 70 + file-magic /(Rar\x21)/ +} + +# >0 lelong&ffffffff8080ffff,=18458 (0x0000481a), ["HYP archive data"], swap_endian=0 +signature file-magic-auto351 { + file-mime "application/x-arc", 70 + file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})(\x48\x1a)/ +} + +# >0 string,=drpm (len=4), ["Delta RPM"], swap_endian=0 +signature file-magic-auto352 { + file-mime "application/x-rpm", 70 + file-magic /(drpm)/ +} + +# >0 belong&,=-307499301 (0xedabeedb), ["RPM"], swap_endian=0 +signature file-magic-auto353 { + file-mime "application/x-rpm", 70 + file-magic /(\xed\xab\xee\xdb)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 string,=WAVE (len=4), [", WAVE audio"], swap_endian=0 +signature file-magic-auto354 { + file-mime "audio/x-wav", 70 + file-magic /(RIFF)(.{4})(WAVE)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0 +signature file-magic-auto355 { + file-mime "image/x-coreldraw", 70 + file-magic /(RIFF)(.{4})(CDRA)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0 +signature file-magic-auto356 { + file-mime "image/x-coreldraw", 70 + file-magic /(RIFF)(.{4})(CDR6)/ +} + +# >0 string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0 +# >>8 
string,=AVI (len=4), [", AVI"], swap_endian=0 +signature file-magic-auto357 { + file-mime "video/x-msvideo", 70 + file-magic /(RIFF)(.{4})(AVI )/ +} + +# >0 belong&,=834535424 (0x31be0000), ["Microsoft Word Document"], swap_endian=0 +signature file-magic-auto358 { + file-mime "application/msword", 70 + file-magic /(\x31\xbe\x00\x00)/ +} + +# >0 string/b,=\3767\000# (len=4), ["Microsoft Office Document"], swap_endian=0 +signature file-magic-auto359 { + file-mime "application/msword", 70 + file-magic /(\xfe7\x00\x23)/ +} + +# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 +signature file-magic-auto360 { + file-mime "application/msword", 70 + file-magic /(\xdb\xa5\x2d\x00)/ +} + +# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 +signature file-magic-auto361 { + file-mime "application/msword", 70 + file-magic /(\xdb\xa5\x2d\x00)/ +} + +# >0 belong&,=6656 (0x00001a00), ["Lotus 1-2-3"], swap_endian=0 +signature file-magic-auto362 { + file-mime "application/x-123", 70 + file-magic /(\x00\x00\x1a\x00)/ +} + +# >0 belong&,=512 (0x00000200), ["Lotus 1-2-3"], swap_endian=0 +signature file-magic-auto363 { + file-mime "application/x-123", 70 + file-magic /(\x00\x00\x02\x00)/ +} + +# >0 string/b,=\000\000\001\000 (len=4), ["MS Windows icon resource"], swap_endian=0 +signature file-magic-auto364 { + file-mime "image/x-icon", 70 + file-magic /(\x00\x00\x01\x00)/ +} + +# >0 lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0 +# >>>8 lelong&,=268435588 (0x10000084), ["Agenda file"], swap_endian=0 +signature file-magic-auto365 { + file-mime "application/x-epoc-agenda", 70 + file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\x84\x00\x00\x10)/ +} + +# >0 lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0 +# >>>8 lelong&,=268435590 (0x10000086), 
["Data file"], swap_endian=0 +signature file-magic-auto366 { + file-mime "application/x-epoc-data", 70 + file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\x86\x00\x00\x10)/ +} + +# >0 lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0 +# >>>8 lelong&,=268438762 (0x10000cea), ["Jotter file"], swap_endian=0 +signature file-magic-auto367 { + file-mime "application/x-epoc-jotter", 70 + file-magic /(\x50\x00\x00\x10)(\x6d\x00\x00\x10)(\xea\x0c\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435522 (0x10000042), ["multi-bitmap image"], swap_endian=0 +signature file-magic-auto368 { + file-mime "image/x-epoc-mbm", 70 + file-magic /(\x37\x00\x00\x10)(\x42\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), [""], swap_endian=0 +# >>>8 lelong&,=268435581 (0x1000007d), ["Sketch image"], swap_endian=0 +signature file-magic-auto369 { + file-mime "image/x-epoc-sketch", 70 + file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x7d\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), [""], swap_endian=0 +# >>>8 lelong&,=268435583 (0x1000007f), ["Word file"], swap_endian=0 +signature file-magic-auto370 { + file-mime "application/x-epoc-word", 70 + file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x7f\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), [""], swap_endian=0 +# >>>8 lelong&,=268435589 (0x10000085), ["OPL program (TextEd)"], swap_endian=0 +signature file-magic-auto371 { + file-mime "application/x-epoc-opl", 70 + file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x85\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435565 (0x1000006d), 
[""], swap_endian=0 +# >>>8 lelong&,=268435592 (0x10000088), ["Sheet file"], swap_endian=0 +signature file-magic-auto372 { + file-mime "application/x-epoc-sheet", 70 + file-magic /(\x37\x00\x00\x10)(\x6d\x00\x00\x10)(\x88\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435571 (0x10000073), ["OPO module"], swap_endian=0 +signature file-magic-auto373 { + file-mime "application/x-epoc-opo", 70 + file-magic /(\x37\x00\x00\x10)(\x73\x00\x00\x10)/ +} + +# >0 lelong&,=268435511 (0x10000037), ["Psion Series 5"], swap_endian=0 +# >>4 lelong&,=268435572 (0x10000074), ["OPL application"], swap_endian=0 +signature file-magic-auto374 { + file-mime "application/x-epoc-app", 70 + file-magic /(\x37\x00\x00\x10)(\x74\x00\x00\x10)/ +} + +# >0 long&,=398689 (0x00061561), ["Berkeley DB"], swap_endian=0 +signature file-magic-auto375 { + file-mime "application/x-dbm", 70 + file-magic /((\x61\x15\x06\x00)|(\x00\x06\x15\x61))/ +} + +# >0 string,=GDBM (len=4), ["GNU dbm 2.x database"], swap_endian=0 +signature file-magic-auto376 { + file-mime "application/x-gdbm", 70 + file-magic /(GDBM)/ +} + +# >0 lelong&,=324508366 (0x13579ace), ["GNU dbm 1.x or ndbm database, little endian"], swap_endian=0 +signature file-magic-auto377 { + file-mime "application/x-gdbm", 70 + file-magic /(\xce\x9a\x57\x13)/ +} + +# >0 belong&,=324508366 (0x13579ace), ["GNU dbm 1.x or ndbm database, big endian"], swap_endian=0 +signature file-magic-auto378 { + file-mime "application/x-gdbm", 70 + file-magic /(\x13\x57\x9a\xce)/ +} + +# >0 belong&,=4 (0x00000004), ["X11 SNF font data, MSB first"], swap_endian=0 +signature file-magic-auto379 { + file-mime "application/x-font-sfn", 70 + file-magic /(\x00\x00\x00\x04)/ +} + +# >0 string,=OTTO (len=4), ["OpenType font data"], swap_endian=0 +signature file-magic-auto380 { + file-mime "application/vnd.ms-opentype", 70 + file-magic /(OTTO)/ +} + +# >0 string,=0 lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, 
legacy format"], swap_endian=0 +signature file-magic-auto382 { + file-mime "application/x-lz4", 70 + file-magic /(\x02\x21\x4c\x18)/ +} + +# >0 lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0 +signature file-magic-auto383 { + file-mime "application/x-lz4", 70 + file-magic /(\x04\x22\x4d\x18)/ +} + +# >0 string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0 +# >>5 byte&,x, [".%d"], swap_endian=0 +signature file-magic-auto384 { + file-mime "application/x-lrzip", 1 + file-magic /(LRZI)(.{1})(.{1})/ +} + +# >0 string,=OggS (len=4), ["Ogg data"], swap_endian=0 +signature file-magic-auto385 { + file-mime "application/ogg", 70 + file-magic /(OggS)/ +} + +# >0 string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0 +signature file-magic-auto386 { + file-mime "application/x-lzip", 70 + file-magic /(LZIP)/ +} + +# >0 belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0 +# >>4 byte&,x, ["%d"], swap_endian=0 +signature file-magic-auto387 { + file-mime "application/x-java-pack200", 1 + file-magic /(\xca\xfe\xd0\x0d)(.{1})/ +} + +# >0 belong&,=-889270259 (0xcafed00d), ["JAR compressed with pack200,"], swap_endian=0 +# >>4 byte&,x, ["%d"], swap_endian=0 +signature file-magic-auto388 { + file-mime "application/x-java-pack200", 1 + file-magic /(\xca\xfe\xd0\x0d)(.{1})/ +} + +# >0 regex,=^( |\t){0,50}def {1,50}[a-zA-Z]{1,100} (len=38), [""], swap_endian=0 +# >>&0 regex,= {0,50}\(([a-zA-Z]|,| ){1,500}\):$ (len=34), ["Python script text executable"], swap_endian=0 +signature file-magic-auto389 { + file-mime "text/x-python", 64 + file-magic /(.*)(( |\t){0,50}def {1,50}[a-zA-Z]{1,100})( {0,50}\(([a-zA-Z]|,| ){1,500}\):$)/ +} + +# >0 search/4096,=\documentstyle (len=14), ["LaTeX document text"], swap_endian=0 +signature file-magic-auto390 { + file-mime "text/x-tex", 62 + file-magic /(.*)(\x5cdocumentstyle)/ +} + +# >0 string,=DOC (len=3), [""], swap_endian=0 +# >>43 byte&,=0x14, ["Just System Word Processor Ichitaro 
v4"], swap_endian=0 +signature file-magic-auto391 { + file-mime "application/x-ichitaro4", 40 + file-magic /(DOC)(.{40})([\x14])/ +} + +# >0 string,=DOC (len=3), [""], swap_endian=0 +# >>43 byte&,=0x15, ["Just System Word Processor Ichitaro v5"], swap_endian=0 +signature file-magic-auto392 { + file-mime "application/x-ichitaro5", 40 + file-magic /(DOC)(.{40})([\x15])/ +} + +# >1 string,=SaR (len=3), [""], swap_endian=0 +# >>0 string,=3 (len=1), ["Cups Raster version 3, Little Endian"], swap_endian=0 +signature file-magic-auto393 { + file-mime "application/vnd.cups-raster", 40 + file-magic /(3)(SaR)/ +} + +# >0 string,=RaS (len=3), [""], swap_endian=0 +# >>3 string,=3 (len=1), ["Cups Raster version 3, Big Endian"], swap_endian=0 +signature file-magic-auto394 { + file-mime "application/vnd.cups-raster", 40 + file-magic /(RaS)(3)/ +} + +# >0 string,=DOC (len=3), [""], swap_endian=0 +# >>43 byte&,=0x16, ["Just System Word Processor Ichitaro v6"], swap_endian=0 +signature file-magic-auto395 { + file-mime "application/x-ichitaro6", 40 + file-magic /(DOC)(.{40})([\x16])/ +} + +# >0 search/w/1,=#! 
/usr/local/bin/php (len=21), ["PHP script text executable"], swap_endian=0 +signature file-magic-auto396 { + file-mime "text/x-php", 61 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fphp)/ +} + +# >0 search/1,=eval '(exit $?0)' && eval 'exec (len=31), ["Perl script text"], swap_endian=0 +signature file-magic-auto397 { + file-mime "text/x-perl", 61 + file-magic /(.*)(eval \x27\x28exit \x24\x3f0\x29\x27 \x26\x26 eval \x27exec)/ +} + +# >0 regex,=^[ \t]*require[ \t]'[A-Za-z_/]+' (len=30), [""], swap_endian=0 +# >>0 regex,=include [A-Z]|def [a-z]| do$ (len=28), [""], swap_endian=0 +# >>>0 regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby script text"], swap_endian=0 +signature file-magic-auto398 { + file-mime "text/x-ruby", 54 + file-magic /(.*)([ \x09]*require[ \x09]'[A-Za-z_\x2f]+')(include [A-Z]|def [a-z]| do$)(^[ \x09]*end([ \x09]*[;#].*)?$)/ +} + +# >0 search/1,=eval "exec /usr/local/bin/perl (len=30), ["Perl script text"], swap_endian=0 +signature file-magic-auto399 { + file-mime "text/x-perl", 60 + file-magic /(.*)(eval \x22exec \x2fusr\x2flocal\x2fbin\x2fperl)/ +} + +# >0 string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0 +signature file-magic-auto400 { + file-mime "video/x-flv", 60 + file-magic /(FLV)/ +} + +# >0 string,=MP+ (len=3), ["Musepack audio"], swap_endian=0 +signature file-magic-auto401 { + file-mime "audio/x-musepack", 60 + file-magic /(MP\x2b)/ +} + +# >0 string,=PBF (len=3), ["PBF image (deflate compression)"], swap_endian=0 +signature file-magic-auto402 { + file-mime "image/x-unknown", 60 + file-magic /(PBF)/ +} + +# >0 string,=SBI (len=3), ["SoundBlaster instrument data"], swap_endian=0 +signature file-magic-auto403 { + file-mime "audio/x-unknown", 60 + file-magic /(SBI)/ +} + +# >0 string/b,=\224\246. (len=3), ["Microsoft Word Document"], swap_endian=0 +signature file-magic-auto404 { + file-mime "application/msword", 60 + file-magic /(\x94\xa6\x2e)/ +} + +# >0 string,=\004%! 
(len=3), ["PostScript document text"], swap_endian=0 +signature file-magic-auto405 { + file-mime "application/postscript", 60 + file-magic /(\x04\x25\x21)/ +} + +# >0 string,=BZh (len=3), ["bzip2 compressed data"], swap_endian=0 +signature file-magic-auto406 { + file-mime "application/x-bzip2", 60 + file-magic /(BZh)/ +} + +# >0 regex,=^[ \t]*(class|module)[ \t][A-Z] (len=29), [""], swap_endian=0 +# >>0 regex,=(modul|includ)e [A-Z]|def [a-z] (len=31), [""], swap_endian=0 +# >>>0 regex,=^[ \t]*end([ \t]*[;#].*)?$ (len=24), ["Ruby module source text"], swap_endian=0 +signature file-magic-auto407 { + file-mime "text/x-ruby", 54 + file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/ +} + +# >512 string/b,=\354\245\301 (len=3), ["Microsoft Word Document"], swap_endian=0 +signature file-magic-auto408 { + file-mime "application/msword", 60 + file-magic /(.{512})(\xec\xa5\xc1)/ +} + +# >0 string,=FWS (len=3), ["Macromedia Flash data,"], swap_endian=0 +# >>3 byte&,x, ["version %d"], swap_endian=0 +signature file-magic-auto409 { + file-mime "application/x-shockwave-flash", 1 + file-magic /(FWS)(.{1})/ +} + +# >0 string,=CWS (len=3), ["Macromedia Flash data (compressed),"], swap_endian=0 +signature file-magic-auto410 { + file-mime "application/x-shockwave-flash", 60 + file-magic /(CWS)/ +} + +# >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0 +signature file-magic-auto411 { + file-mime "text/troff", 59 + file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ +} + +# >0 search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0 +signature file-magic-auto412 { + file-mime "text/x-tex", 59 + file-magic /(.*)(\x5cdocumentclass)/ +} + +# >0 regex,=^from\s+(\w|\.)+\s+import.*$ (len=28), ["Python script text executable"], swap_endian=0 +signature file-magic-auto413 { + file-mime "text/x-python", 58 + file-magic /(.*)(from\s+(\w|\.)+\s+import.*$)/ 
+} + +# >0 search/4096,=\contentsline (len=13), ["LaTeX table of contents"], swap_endian=0 +signature file-magic-auto414 { + file-mime "text/x-tex", 58 + file-magic /(.*)(\x5ccontentsline)/ +} + +# >0 search/4096,=\chapter (len=8), ["LaTeX document text"], swap_endian=0 +signature file-magic-auto415 { + file-mime "text/x-tex", 56 + file-magic /(.*)(\x5cchapter)/ +} + +# >0 search/4096,=\section (len=8), ["LaTeX document text"], swap_endian=0 +signature file-magic-auto416 { + file-mime "text/x-tex", 56 + file-magic /(.*)(\x5csection)/ +} + +# >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0 +signature file-magic-auto417 { + file-mime "text/troff", 56 + file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ +} + +# >0 search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0 +signature file-magic-auto418 { + file-mime "text/x-php", 55 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fphp)/ +} + +# >0 search/4096,=\setlength (len=10), ["LaTeX document text"], swap_endian=0 +signature file-magic-auto419 { + file-mime "text/x-tex", 55 + file-magic /(.*)(\x5csetlength)/ +} + +# >0 search/1,=eval "exec /usr/bin/perl (len=24), ["Perl script text"], swap_endian=0 +signature file-magic-auto420 { + file-mime "text/x-perl", 54 + file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/ +} + +# >0 search/w/1,=#! /usr/local/bin/python (len=24), ["Python script text executable"], swap_endian=0 +signature file-magic-auto421 { + file-mime "text/x-python", 54 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fpython)/ +} + +# >0 search/1,=Common subdirectories: (len=23), ["diff output text"], swap_endian=0 +signature file-magic-auto422 { + file-mime "text/x-diff", 53 + file-magic /(.*)(Common subdirectories\x3a )/ +} + +# >0 search/1,=#! 
/usr/bin/env python (len=22), ["Python script text executable"], swap_endian=0 +signature file-magic-auto423 { + file-mime "text/x-python", 52 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv python)/ +} + +# >0 search/w/1,=#! /usr/local/bin/ruby (len=22), ["Ruby script text executable"], swap_endian=0 +signature file-magic-auto424 { + file-mime "text/x-ruby", 52 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fruby)/ +} + +# >0 search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0 +signature file-magic-auto425 { + file-mime "text/x-tcl", 52 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fwish)/ +} + +# >0 search/4096,=(custom-set-variables (len=22), ["Lisp/Scheme program text"], swap_endian=0 +signature file-magic-auto426 { + file-mime "text/x-lisp", 52 + file-magic /(.*)(\x28custom\x2dset\x2dvariables )/ +} + +# >0 beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0 +signature file-magic-auto427 { + file-mime "image/jpeg", 52 + file-magic /(\xff\xd8)/ +} + +# >0 search/1,=#!/usr/bin/env python (len=21), ["Python script text executable"], swap_endian=0 +signature file-magic-auto428 { + file-mime "text/x-python", 51 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv python)/ +} + +# >0 search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0 +signature file-magic-auto429 { + file-mime "application/javascript", 51 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv nodejs)/ +} + +# >0 search/w/1,=#! /usr/local/bin/tcl (len=21), ["Tcl script text executable"], swap_endian=0 +signature file-magic-auto430 { + file-mime "text/x-tcl", 51 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcl)/ +} + +# This didn't autogenerate well due to indirect offset, bitmasking, and +# relational comparisons. 
+# >0 leshort&fffffffffffffefe,=0 (0x0000), [""], swap_endian=0 +# >>4 ulelong&fcfffe00,=0 (0x00000000), [""], swap_endian=0 +# >>>68 ulelong&,>87 (0x00000057), [""], swap_endian=0 +# >>>>68 (lelong,-1), ubelong&ffe0c519,=4194328 (0x00400018), ["Windows Precompiled iNF"], swap_endian=0 +#signature file-magic-auto431 { +# file-mime "application/x-pnf", 70 +# file-magic /(.{2})(.{2})(.{4})(.{60})(.{4})(.{4})/ +#} + +# >0 search/w/1,=#! /usr/local/bin/lua (len=21), ["Lua script text executable"], swap_endian=0 +signature file-magic-auto432 { + file-mime "text/x-lua", 51 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2flua)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +signature file-magic-auto433 { + file-mime "application/x-dosexec", 51 + file-magic /(MZ)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>30 string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0 +signature file-magic-auto434 { + file-mime "application/zip", 340 + file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>30 string,=PKLITE Copr. 
(len=12), ["Self-extracting PKZIP archive"], swap_endian=0 +signature file-magic-auto435 { + file-mime "application/zip", 150 + file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>36 string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 +signature file-magic-auto436 { + file-mime "application/x-lha", 120 + file-magic /(MZ)(.{34})(LHa\x27s SFX)/ +} + +# >0 string/b,=MZ (len=2), [""], swap_endian=0 +# >>36 string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0 +signature file-magic-auto437 { + file-mime "application/x-lha", 120 + file-magic /(MZ)(.{34})(LHA\x27s SFX)/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x10, ["MPEG ADTS, layer III, v1, 32 kbps"], swap_endian=0 +signature file-magic-auto438 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x20, ["MPEG ADTS, layer III, v1, 40 kbps"], swap_endian=0 +signature file-magic-auto439 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x30, ["MPEG ADTS, layer III, v1, 48 kbps"], swap_endian=0 +signature file-magic-auto440 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x40, ["MPEG ADTS, layer III, v1, 56 kbps"], swap_endian=0 +signature file-magic-auto441 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], 
swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x50, ["MPEG ADTS, layer III, v1, 64 kbps"], swap_endian=0 +signature file-magic-auto442 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x60, ["MPEG ADTS, layer III, v1, 80 kbps"], swap_endian=0 +signature file-magic-auto443 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x70, ["MPEG ADTS, layer III, v1, 96 kbps"], swap_endian=0 +signature file-magic-auto444 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x80, ["MPEG ADTS, layer III, v1, 112 kbps"], swap_endian=0 +signature file-magic-auto445 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0x90, ["MPEG ADTS, layer III, v1, 128 kbps"], swap_endian=0 +signature file-magic-auto446 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0xa0, ["MPEG ADTS, layer III, v1, 160 kbps"], swap_endian=0 +signature file-magic-auto447 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0xb0, ["MPEG ADTS, layer III, 
v1, 192 kbps"], swap_endian=0 +signature file-magic-auto448 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0xc0, ["MPEG ADTS, layer III, v1, 224 kbps"], swap_endian=0 +signature file-magic-auto449 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0xd0, ["MPEG ADTS, layer III, v1, 256 kbps"], swap_endian=0 +signature file-magic-auto450 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf])/ +} + +# >0 beshort&fffffffffffffffe,=-6 (0xfffa), [""], swap_endian=0 +# >>2 byte&fffffffffffffff0,=0xe0, ["MPEG ADTS, layer III, v1, 320 kbps"], swap_endian=0 +signature file-magic-auto451 { + file-mime "audio/mpeg", 40 + file-magic /(\xff[\xfa\xfb])([\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef])/ +} + +# >4 leshort&,=-20719 (0xaf11), [""], swap_endian=0 +# >>8 leshort&,=320 (0x0140), [""], swap_endian=0 +# >>>10 leshort&,=200 (0x00c8), [""], swap_endian=0 +# >>>>12 leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0 +signature file-magic-auto452 { + file-mime "video/x-fli", 50 + file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/ +} + +# >4 leshort&,=-20718 (0xaf12), [""], swap_endian=0 +# >>12 leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0 +signature file-magic-auto453 { + file-mime "video/x-flc", 50 + file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/ +} + +# >0 string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=12 (0x000c), ["PC bitmap, OS/2 1.x format"], swap_endian=0 +signature file-magic-auto454 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x0c\x00)/ +} + +# >0 
string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=64 (0x0040), ["PC bitmap, OS/2 2.x format"], swap_endian=0 +signature file-magic-auto455 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x40\x00)/ +} + +# >0 string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=40 (0x0028), ["PC bitmap, Windows 3.x format"], swap_endian=0 +signature file-magic-auto456 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x28\x00)/ +} + +# >0 string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=124 (0x007c), ["PC bitmap, Windows 98/2000 and newer format"], swap_endian=0 +signature file-magic-auto457 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x7c\x00)/ +} + +# >0 string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=108 (0x006c), ["PC bitmap, Windows 95/NT4 and newer format"], swap_endian=0 +signature file-magic-auto458 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x6c\x00)/ +} + +# >0 string,=BM (len=2), [""], swap_endian=0 +# >>14 leshort&,=128 (0x0080), ["PC bitmap, Windows NT/2000 format"], swap_endian=0 +signature file-magic-auto459 { + file-mime "image/x-ms-bmp", 50 + file-magic /(BM)(.{12})(\x80\x00)/ +} + +# >20 string,=45 (len=2), [""], swap_endian=0 +# >>0 regex/1,=(^[0-9]{5})[acdnp][^bhlnqsu-z] (len=30), ["MARC21 Bibliographic"], swap_endian=0 +signature file-magic-auto460 { + file-mime "application/marc", 60 + file-magic /(.{20})(45)(.*)((^[0-9]{5})[acdnp][^bhlnqsu-z])/ +} + +# >20 string,=45 (len=2), [""], swap_endian=0 +# >>0 regex/1,=(^[0-9]{5})[acdnosx][z] (len=23), ["MARC21 Authority"], swap_endian=0 +signature file-magic-auto461 { + file-mime "application/marc", 53 + file-magic /(.{20})(45)(.*)((^[0-9]{5})[acdnosx][z])/ +} + +# >20 string,=45 (len=2), [""], swap_endian=0 +# >>0 regex/1,=(^[0-9]{5})[cdn][uvxy] (len=22), ["MARC21 Holdings"], swap_endian=0 +signature file-magic-auto462 { + file-mime "application/marc", 52 + file-magic /(.{20})(45)(.*)((^[0-9]{5})[cdn][uvxy])/ +} + +# >0 
search/4096,=\relax (len=6), ["LaTeX auxiliary file"], swap_endian=0 +signature file-magic-auto463 { + file-mime "text/x-tex", 51 + file-magic /(.*)(\x5crelax)/ +} + +# >0 search/4096,=\begin (len=6), ["LaTeX document text"], swap_endian=0 +signature file-magic-auto464 { + file-mime "text/x-tex", 51 + file-magic /(.*)(\x5cbegin)/ +} + +# >0 search/4096,=\input (len=6), ["TeX document text"], swap_endian=0 +signature file-magic-auto465 { + file-mime "text/x-tex", 51 + file-magic /(.*)(\x5cinput)/ +} + +# >0 leshort&,=-24712 (0x9f78), ["TNEF"], swap_endian=0 +signature file-magic-auto466 { + file-mime "application/vnd.ms-tnef", 50 + file-magic /(\x78\x9f)/ +} + +# >0 leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0 +signature file-magic-auto467 { + file-mime "application/x-arj", 50 + file-magic /(\x60\xea)/ +} + +# >0 search/1,=eval "exec /bin/perl (len=20), ["Perl script text"], swap_endian=0 +signature file-magic-auto468 { + file-mime "text/x-perl", 50 + file-magic /(.*)(eval \x22exec \x2fbin\x2fperl)/ +} + +# >0 search/1,=#! /usr/bin/env perl (len=20), ["Perl script text executable"], swap_endian=0 +signature file-magic-auto469 { + file-mime "text/x-perl", 50 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv perl)/ +} + +# >0 beshort&,=-26368 (0x9900), ["PGP key public ring"], swap_endian=0 +signature file-magic-auto470 { + file-mime "application/x-pgp-keyring", 50 + file-magic /(\x99\x00)/ +} + +# >0 beshort&,=-27391 (0x9501), ["PGP key security ring"], swap_endian=0 +signature file-magic-auto471 { + file-mime "application/x-pgp-keyring", 50 + file-magic /(\x95\x01)/ +} + +# >0 beshort&,=-27392 (0x9500), ["PGP key security ring"], swap_endian=0 +signature file-magic-auto472 { + file-mime "application/x-pgp-keyring", 50 + file-magic /(\x95\x00)/ +} + +# >0 beshort&,=-23040 (0xa600), ["PGP encrypted data"], swap_endian=0 +signature file-magic-auto473 { + file-mime "text/PGP", 50 + file-magic /(\xa6\x00)/ +} + +# >0 string,=%! 
(len=2), ["PostScript document text"], swap_endian=0 +signature file-magic-auto474 { + file-mime "application/postscript", 50 + file-magic /(\x25\x21)/ +} + +# >0 search/1,=#! /usr/bin/env ruby (len=20), ["Ruby script text executable"], swap_endian=0 +signature file-magic-auto475 { + file-mime "text/x-ruby", 50 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv ruby)/ +} + +# >0 regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0 +signature file-magic-auto476 { + file-mime "application/marc", 50 + file-magic /((^[0-9]{5})[acdn][w])/ +} + +# >0 regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0 +# >>0 regex/1,=(^[0-9]{5})[cdn][q] (len=19), ["MARC21 Community"], swap_endian=0 +signature file-magic-auto477 { + file-mime "application/marc", 49 + file-magic /((^[0-9]{5})[acdn][w])((^[0-9]{5})[cdn][q])/ +} + +# >0 regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0 +# >>0 regex/1,=(^.{21})([^0]{2}) (len=17), ["(non-conforming)"], swap_endian=0 +signature file-magic-auto478 { + file-mime "application/marc", 47 + file-magic /((^[0-9]{5})[acdn][w])((^.{21})([^0]{2}))/ +} + +# >0 short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0 +signature file-magic-auto479 { + file-mime "application/x-cpio", 50 + file-magic /((\x71\xc7)|(\xc7\x71))/ +} + +# >0 short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0 +signature file-magic-auto480 { + file-mime "application/x-cpio", 50 + file-magic /((\xc7\x71)|(\x71\xc7))/ +} + +# >0 string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0 +signature file-magic-auto481 { + file-mime "application/x-elc", 50 + file-magic /(\x0a\x28)/ +} + +# >0 string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0 +signature file-magic-auto482 { + file-mime "image/x-award-bioslogo", 50 + file-magic /(\x11\x09)/ +} + +# >0 string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0 +signature file-magic-auto483 { 
+ file-mime "image/x-award-bioslogo", 50 + file-magic /(\x11\x06)/ +} + +# >0 string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0 +signature file-magic-auto484 { + file-mime "image/x-portable-pixmap", 50 + file-magic /(P7)/ +} + +# >0 beshort&ffffffffffffffe0,=22240 (0x56e0), ["MPEG-4 LOAS"], swap_endian=0 +signature file-magic-auto485 { + file-mime "audio/x-mp4a-latm", 50 + file-magic /(\x56[\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 beshort&fffffffffffffff6,=-16 (0xfff0), ["MPEG ADTS, AAC"], swap_endian=0 +signature file-magic-auto486 { + file-mime "audio/x-hx-aac-adts", 50 + file-magic /(\xff[\xf0\xf1\xf8\xf9])/ +} + +# >0 beshort&fffffffffffffffe,=-30 (0xffe2), ["MPEG ADTS, layer III, v2.5"], swap_endian=0 +signature file-magic-auto487 { + file-mime "audio/mpeg", 50 + file-magic /(\xff[\xe2\xe3])/ +} + +# >0 beshort&fffffffffffffffe,=-10 (0xfff6), ["MPEG ADTS, layer I, v2"], swap_endian=0 +signature file-magic-auto488 { + file-mime "audio/mpeg", 50 + file-magic /(\xff[\xf6\xf7])/ +} + +# >0 beshort&fffffffffffffffe,=-14 (0xfff2), ["MPEG ADTS, layer III, v2"], swap_endian=0 +signature file-magic-auto489 { + file-mime "audio/mpeg", 50 + file-magic /(\xff[\xf2\xf3])/ +} + +# >0 beshort&fffffffffffffffe,=-4 (0xfffc), ["MPEG ADTS, layer II, v1"], swap_endian=0 +signature file-magic-auto490 { + file-mime "audio/mpeg", 50 + file-magic /(\xff[\xfc\xfd])/ +} + +# >0 search/1,=#! 
/usr/bin/env wish (len=20), ["Tcl/Tk script text executable"], swap_endian=0 +signature file-magic-auto491 { + file-mime "text/x-tcl", 50 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv wish)/ +} + +# >0 beshort&,=-26367 (0x9901), ["GPG key public ring"], swap_endian=0 +signature file-magic-auto492 { + file-mime "application/x-gnupg-keyring", 50 + file-magic /(\x99\x01)/ +} + +# >0 string,=\367\002 (len=2), ["TeX DVI file"], swap_endian=0 +signature file-magic-auto493 { + file-mime "application/x-dvi", 50 + file-magic /(\xf7\x02)/ +} + +# >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 +signature file-magic-auto494 { + file-mime "application/x-tex-tfm", 50 + file-magic /(.{2})(\x00\x11)/ +} + +# >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 +signature file-magic-auto495 { + file-mime "application/x-tex-tfm", 50 + file-magic /(.{2})(\x00\x12)/ +} + +# >0 beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0 +signature file-magic-auto496 { + file-mime "text/PGP", 50 + file-magic /(\x85\x02)/ +} + +# >4 string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0 +signature file-magic-auto497 { + file-mime "image/jp2", 50 + file-magic /(.{4})(jP)/ +} + +# Not specific enough. 
+# >0 regex,=^template[ \t\n]+ (len=15), ["C++ source text"], swap_endian=0 +#signature file-magic-auto498 { +# file-mime "text/x-c++", 50 +# file-magic /(.*)(template[ \x09\x0a]+)/ +#} + +# >0 search/c/1,=0 string,=\037\235 (len=2), ["compress'd data"], swap_endian=0 +signature file-magic-auto500 { + file-mime "application/x-compress", 50 + file-magic /(\x1f\x9d)/ +} + +# >0 string,=\037\036 (len=2), ["packed data"], swap_endian=0 +#signature file-magic-auto501 { +# file-mime "application/octet-stream", 50 +# file-magic /(\x1f\x1e)/ +#} + +# >0 short&,=7967 (0x1f1f), ["old packed data"], swap_endian=0 +#signature file-magic-auto502 { +# file-mime "application/octet-stream", 50 +# file-magic /((\x1f\x1f)|(\x1f\x1f))/ +#} + +# >0 short&,=8191 (0x1fff), ["compacted data"], swap_endian=0 +#signature file-magic-auto503 { +# file-mime "application/octet-stream", 50 +# file-magic /((\xff\x1f)|(\x1f\xff))/ +#} + +# >0 string,=\377\037 (len=2), ["compacted data"], swap_endian=0 +#signature file-magic-auto504 { +# file-mime "application/octet-stream", 50 +# file-magic /(\xff\x1f)/ +#} + +# >0 short&,=-13563 (0xcb05), ["huf output"], swap_endian=0 +#signature file-magic-auto505 { +# file-mime "application/octet-stream", 50 +# file-magic /((\x05\xcb)|(\xcb\x05))/ +#} + +# >34 string,=LP (len=2), ["Embedded OpenType (EOT)"], swap_endian=0 +signature file-magic-auto506 { + file-mime "application/vnd.ms-fontobject", 50 + file-magic /(.{34})(LP)/ +} + +# >0 beshort&,=2935 (0x0b77), ["ATSC A/52 aka AC-3 aka Dolby Digital stream,"], swap_endian=0 +signature file-magic-auto507 { + file-mime "audio/vnd.dolby.dd-raw", 50 + file-magic /(\x0b\x77)/ +} + +# >0 search/1,=#!/usr/bin/env node (len=19), ["Node.js script text executable"], swap_endian=0 +signature file-magic-auto508 { + file-mime "application/javascript", 49 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv node)/ +} + +# >0 search/1,=#!/usr/bin/env wish (len=19), ["Tcl/Tk script text executable"], swap_endian=0 +signature 
file-magic-auto509 { + file-mime "text/x-tcl", 49 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv wish)/ +} + +# >0 regex,=^[ \t]{0,50}\.asciiz (len=19), ["assembler source text"], swap_endian=0 +signature file-magic-auto510 { + file-mime "text/x-asm", 49 + file-magic /(^[ \x09]{0,50}\.(asciiz|asciz|section|globl|align|even|byte|file|type))/ +} + +# >0 regex,=^[ \t]{0,50}\.globl (len=18), ["assembler source text"], swap_endian=0 +#signature file-magic-auto517 { +# file-mime "text/x-asm", 48 +# file-magic /(^[ \x09]{0,50}\.globl)/ +#} + +# >0 regex,=^[ \t]{0,50}\.text (len=17), ["assembler source text"], swap_endian=0 +#signature file-magic-auto523 { +# file-mime "text/x-asm", 47 +# file-magic /(^[ \x09]{0,50}\.text)/ +#} + +# >0 regex,=^[ \t]{0,50}\.even (len=17), ["assembler source text"], swap_endian=0 +#signature file-magic-auto524 { +# file-mime "text/x-asm", 47 +# file-magic /(^[ \x09]{0,50}\.even)/ +#} + +# >0 regex,=^[ \t]{0,50}\.byte (len=17), ["assembler source text"], swap_endian=0 +#signature file-magic-auto525 { +# file-mime "text/x-asm", 47 +# file-magic /(^[ \x09]{0,50}\.byte)/ +#} + +# >0 regex,=^[ \t]{0,50}\.file (len=17), ["assembler source text"], swap_endian=0 +#signature file-magic-auto526 { +# file-mime "text/x-asm", 47 +# file-magic /(^[ \x09]{0,50}\.file)/ +#} + +# >0 regex,=^[ \t]{0,50}\.type (len=17), ["assembler source text"], swap_endian=0 +#signature file-magic-auto527 { +# file-mime "text/x-asm", 47 +# file-magic /(^[ \x09]{0,50}\.type)/ +#} + + +# >0 search/1,=#!/usr/bin/env perl (len=19), ["Perl script text executable"], swap_endian=0 +signature file-magic-auto511 { + file-mime "text/x-perl", 49 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv perl)/ +} + +# >0 search/Wct/4096,=0 regex,=^virtual[ \t\n]+ (len=14), ["C++ source text"], swap_endian=0 +#signature file-magic-auto513 { +# file-mime "text/x-c++", 49 +# file-magic /(.*)(virtual[ \x09\x0a]+)/ +#} + +# >0 search/1,=#! 
/usr/bin/env lua (len=19), ["Lua script text executable"], swap_endian=0 +signature file-magic-auto514 { + file-mime "text/x-lua", 49 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/ +} + +# >0 search/1,=#!/usr/bin/env ruby (len=19), ["Ruby script text executable"], swap_endian=0 +signature file-magic-auto515 { + file-mime "text/x-ruby", 49 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv ruby)/ +} + +# >0 search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0 +signature file-magic-auto516 { + file-mime "text/x-tcl", 49 + file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv tcl)/ +} +# >0 search/1,=#!/usr/bin/env tcl (len=18), ["Tcl script text executable"], swap_endian=0 +signature file-magic-auto518 { + file-mime "text/x-tcl", 48 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv tcl)/ +} + +# >0 search/1,=#!/usr/bin/env lua (len=18), ["Lua script text executable"], swap_endian=0 +signature file-magic-auto519 { + file-mime "text/x-lua", 48 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/ +} + +# >0 search/w/1,=#! 
/usr/bin/python (len=18), ["Python script text executable"], swap_endian=0 +signature file-magic-auto520 { + file-mime "text/x-python", 48 + file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fpython)/ +} + +# >0 search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0 +signature file-magic-auto521 { + file-mime "application/javascript", 47 + file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnodejs)/ +} + +# >0 regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0 +signature file-magic-auto522 { + file-mime "text/x-c++", 47 + file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/ +} + +# >0 search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0 +signature file-magic-auto528 { + file-mime "text/x-info", 47 + file-magic /(.*)(This is Info file)/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0 +# >>>>&0 ubyte&,=0x5b, ["INItialization configuration"], swap_endian=0 +signature file-magic-auto529 { + file-mime "application/x-wine-extension-ini", 40 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x5b])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(autorun)]\r\n (len=13), [""], swap_endian=0 +# >>>>&0 ubyte&,!0x5b, ["Microsoft Windows Autorun file"], swap_endian=0 +signature file-magic-auto530 { + file-mime "application/x-setupscript", 1 + file-magic 
/(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([aA][uU][tT][oO][rR][uU][nN])]\x0d\x0a)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(version|strings)] (len=19), ["Windows setup INFormation"], swap_endian=0 +signature file-magic-auto531 { + file-mime "application/x-setupscript", 49 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([vV][eE][rR][sS][iI][oO][nN]|[sS][tT][rR][iI][nN][gG][sS])])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(WinsockCRCList|OEMCPL)] (len=25), ["Windows setup INFormation"], swap_endian=0 +signature file-magic-auto532 { + file-mime "text/inf", 55 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ww][iI][nN][sS][oO][cC][kK][Cc][Rr][Cc][Ll][iI][sS][tT]|[Oo][Ee][Mm][Cc][Pp][Ll])])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) 
(len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] (len=51), ["Windows desktop.ini"], swap_endian=0 +signature file-magic-auto533 { + file-mime "application/x-wine-extension-ini", 81 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^(.[Ss][hH][eE][lL][lL][Cc][lL][aA][sS][sS][Ii][nN][fF][oO]|[Dd][eE][lL][eE][tT][eE][Oo][nN][Cc][oO][pP][yY]|[Ll][oO][cC][aA][lL][iI][zZ][eE][dD][Ff][iI][lL][eE][Nn][aA][mM][eE][sS])])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(don't load)] (len=14), ["Windows CONTROL.INI"], swap_endian=0 +signature file-magic-auto534 { + file-mime "application/x-wine-extension-ini", 44 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([dD][oO][nN]'[tT] [lL][oO][aA][dD])])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(ndishlp\$|protman\$|NETBEUI\$)] (len=33), ["Windows PROTOCOL.INI"], swap_endian=0 +signature file-magic-auto535 { + file-mime "application/x-wine-extension-ini", 63 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([nN][dD][iI][sS][hH][lL][pP]\$|[pP][rR][oO][tT][mM][aA][nN]\$|[Nn][Ee][Tt][Bb][Ee][Uu][Ii]\$)])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 regex/c,=^(windows|Compatibility|embedding)] (len=35), ["Windows WIN.INI"], swap_endian=0 +signature file-magic-auto536 { + file-mime "application/x-wine-extension-ini", 65 + file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([wW][iI][nN][dD][oO][wW][sS]|[Cc][oO][mM][pP][aA][tT][iI][bB][iI][lL][iI][tT][yY]|[eE][mM][bB][eE][dD][dD][iI][nN][gG])])/ +} + +# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0 +# >>&0 search/8192,=[ (len=1), [""], swap_endian=0 +# >>>&0 
regex/c,=^(boot|386enh|drivers)] (len=23), ["Windows SYSTEM.INI"], swap_endian=0
+signature file-magic-auto537 {
+ file-mime "application/x-wine-extension-ini", 53
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT]|386[eE][nN][hH]|[dD][rR][iI][vV][eE][rR][sS])])/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 regex/c,=^(SafeList)] (len=12), ["Windows IOS.INI"], swap_endian=0
+signature file-magic-auto538 {
+ file-mime "application/x-wine-extension-ini", 42
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([Ss][aA][fF][eE][Ll][iI][sS][tT])])/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 regex/c,=^(boot loader)] (len=15), ["Windows boot.ini"], swap_endian=0
+signature file-magic-auto539 {
+ file-mime "application/x-wine-extension-ini", 45
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(^([bB][oO][oO][tT] [lL][oO][aA][dD][eE][rR])])/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 ubequad&ffdfffdfffdfffdf,=24207144355233875 (0x0056004500520053), [""], swap_endian=0
+# >>>>&0 ubequad&ffdfffdfffdfffff,=20548012607406173 (0x0049004f004e005d), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto540 {
+ file-mime "application/x-setupscript", 110
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 ubequad&ffdfffdfffdfffdf,=23362783849611337 (0x0053005400520049), [""], swap_endian=0
+# >>>>&0 ubequad&ffdfffdfffdfffff,=21955353131548765 (0x004e00470053005d), ["Windows setup INFormation "], swap_endian=0
+signature
file-magic-auto541 {
+ file-mime "application/x-setupscript", 110
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(\x00[\x53\x73]\x00[\x54\x74]\x00[\x52\x72]\x00[\x49\x69)(\x00[\x4e\x6e]\x00[\x47\x67]\x00[\x53\x73]\x00\x5d)/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 default&,x, [""], swap_endian=0
+# >>>>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>>>&0 string/c,=version (len=7), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto542 {
+ file-mime "application/x-setupscript", 100
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)([vV][eE][rR][sS][iI][oO][nN])/
+}
+
+# >0 regex/s,=\`(\r\n|;|[[]|\377\376) (len=15), [""], swap_endian=0
+# >>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>&0 default&,x, [""], swap_endian=0
+# >>>>&0 search/8192,=[ (len=1), [""], swap_endian=0
+# >>>>>&0 ubequad&ffdfffdfffdfffdf,=24207144355233875 (0x0056004500520053), [""], swap_endian=0
+# >>>>>>&0 ubequad&ffdfffdfffdfffff,=20548012607406173 (0x0049004f004e005d), ["Windows setup INFormation "], swap_endian=0
+signature file-magic-auto543 {
+ file-mime "application/x-setupscript", 110
+ file-magic /(\`(\x0d\x0a|;|[[]|\xff\xfe))(.*)(\x5b)(.*)(\x5b)(\x00[\x56\x76]\x00[\x45\x65]\x00[\x52\x72]\x00[\x53\x73])(\x00[\x49\x69]\x00[\x4f\x6f]\x00[\x4e\x6e]\x00\x5d)/
+}
+
+# >0 search/1,=0 search/w/1,=#! /usr/bin/wish (len=16), ["Tcl/Tk script text executable"], swap_endian=0
+signature file-magic-auto545 {
+ file-mime "text/x-tcl", 46
+ file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/
+}
+
+# >0 search/w/1,=#! /usr/bin/ruby (len=16), ["Ruby script text executable"], swap_endian=0
+signature file-magic-auto546 {
+ file-mime "text/x-ruby", 46
+ file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fruby)/
+}
+
+# >0 search/w/1,=#!
/usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0
+signature file-magic-auto547 {
+ file-mime "text/x-lua", 45
+ file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2flua)/
+}
+
+# >0 search/w/1,=#! /usr/bin/tcl (len=15), ["Tcl script text executable"], swap_endian=0
+signature file-magic-auto548 {
+ file-mime "text/x-tcl", 45
+ file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2ftcl)/
+}
+
+# >0 search/wct/4096,=0 search/wct/4096,=0 search/w/1,=#!/usr/bin/node (len=15), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto551 {
+ file-mime "application/javascript", 45
+ file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fnode)/
+}
+
+# >0 search/wct/1,=0 search/1,=\input texinfo (len=14), ["Texinfo source text"], swap_endian=0
+signature file-magic-auto553 {
+ file-mime "text/x-texinfo", 44
+ file-magic /(.*)(\x5cinput texinfo)/
+}
+
+# Not specific enough.
+# >0 regex,=^private: (len=9), ["C++ source text"], swap_endian=0
+#signature file-magic-auto554 {
+# file-mime "text/x-c++", 44
+# file-magic /(.*)(private:)/
+#}
+
+# >0 search/4096,=def __init__ (len=12), [""], swap_endian=0
+# >>&0 search/64,=self (len=4), ["Python script text executable"], swap_endian=0
+signature file-magic-auto555 {
+ file-mime "text/x-python", 38
+ file-magic /(.*)(def \x5f\x5finit\x5f\x5f)(.*)(self)/
+}
+
+# >0 search/wct/4096,=0 regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+signature file-magic-auto557 {
+ file-mime "text/x-c", 43
+ file-magic /(.*)(extern[ \x09\x0a]+)/
+}
+
+# >0 search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
+signature file-magic-auto558 {
+ file-mime "text/x-tex", 43
+ file-magic /(.*)(\x25 \x2d\x2a\x2dlatex\x2d\x2a\x2d)/
+}
+
+# Doesn't seem specific enough.
+# >0 regex,=^double[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+#signature file-magic-auto559 {
+# file-mime "text/x-c", 43
+# file-magic /(^double[ \x09\x0a]+)/
+#}
+
+# >0 regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0
+signature file-magic-auto560 {
+ file-mime "text/x-c", 43
+ file-magic /(.*)(struct[ \x09\x0a]+)/
+}
+
+# >0 search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0
+signature file-magic-auto561 {
+ file-mime "application/javascript", 43
+ file-magic /(.*)(\x23\x21\x2fbin\x2fnodejs)/
+}
+
+# Not specific enough.
+# >0 regex,=^public: (len=8), ["C++ source text"], swap_endian=0
+#signature file-magic-auto562 {
+# file-mime "text/x-c++", 43
+# file-magic /(.*)(public:)/
+#}
+
+# >0 search/wct/4096,=