From d77243823f662fafb336afa16819ef4d44914062 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 8 Oct 2014 02:12:10 -0400 Subject: [PATCH 1/2] Updates for file mime type identification. - Change to the default BOF buffer size to 3000 (was 1024). - Reorganized MS signatures into a separate file - Improved lots of the signatures and added new ones. --- .../base/frameworks/files/magic/__load__.bro | 1 + .../base/frameworks/files/magic/general.sig | 129 ++++- .../base/frameworks/files/magic/libmagic.sig | 463 ++---------------- .../base/frameworks/files/magic/msoffice.sig | 28 ++ scripts/base/init-bare.bro | 2 +- .../btest-doc.sphinx.file_extraction#1 | 2 +- .../btest-doc.sphinx.mimestats#1 | 8 +- .../files.log | 6 +- .../files.log | 6 +- .../all-events-no-args.log | 8 +- .../all-events.log | 46 +- 11 files changed, 224 insertions(+), 475 deletions(-) create mode 100644 scripts/base/frameworks/files/magic/msoffice.sig diff --git a/scripts/base/frameworks/files/magic/__load__.bro b/scripts/base/frameworks/files/magic/__load__.bro index 4a2de0926d..c6ee799a53 100644 --- a/scripts/base/frameworks/files/magic/__load__.bro +++ b/scripts/base/frameworks/files/magic/__load__.bro @@ -1,2 +1,3 @@ @load-sigs ./general +@load-sigs ./msoffice @load-sigs ./libmagic diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index a11e4a05e4..a36e32ef28 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig 
@@ -1,16 +1,137 @@ # General purpose file magic signatures. signature file-plaintext { - file-magic /([[:print:][:space:]]{10})/ + file-magic /^([[:print:][:space:]]{10})/ file-mime "text/plain", -20 } signature file-tar { - file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/ + file-magic /^([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/ file-mime "application/x-tar", 150 } +signature file-zip { + file-mime "application/zip", 10 + file-magic /^PK\x03\x04.{2}/ +} + +signature file-jar { + file-mime "application/java-archive", 100 + file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/ +} + +signature file-java-applet { + file-magic /^\xca\xfe\xba\xbe...[\x2e-\x34]/ + file-mime "application/x-java-applet", 71 +} + +# Shockwave flash signature file-swf { - file-magic /(F|C|Z)WS/ + file-magic /^(F|C|Z)WS/ file-mime "application/x-shockwave-flash", 60 -} \ No newline at end of file +} + +# Microsoft Outlook's Transport Neutral Encapsulation Format +signature file-tnef { + file-magic /^\x78\x9f\x3e\x22/ + file-mime "application/vnd.ms-tnef", 100 +} + +# Mac OS X DMG files +signature file-dmg { + file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/ + file-mime "application/x-dmg", 100 +} + +# Mac OS X Mach-O executable +signature file-mach-o { + file-magic /^[\xce\xcf]\xfa\xed\xfe/ + file-mime "application/x-mach-o-executable", 100 +} + +# Mac OS X Universal Mach-O executable +signature file-mach-o-universal { + file-magic /^\xca\xfe\xba\xbe..\x00[\x01-\x14]/ + file-mime "application/x-mach-o-executable", 100 +} + +# XAR (eXtensible ARchive) format. +# Mac OS X uses this for the .pkg format. 
+signature file-xar { + file-magic /^xar\!/ + file-mime "application/x-xar", 100 +} + +signature file-pkcs7 { + file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/ + file-mime "application/pkcs7-signature", 100 +} + +# Concatenated X.509 certificates in textual format. +signature file-pem { + file-magic /^-----BEGIN CERTIFICATE-----/ + file-mime "application/x-pem" +} + +# Java Web Start file. +signature file-jnlp { + file-magic /^\2080 string,=Foglio di lavoro Microsoft Exce (len=31), ["%s"], swap_endian=0 -signature file-magic-auto0 { - file-mime "application/vnd.ms-excel", 340 - file-magic /(.{2080})(Foglio di lavoro Microsoft Exce)/ -} - # >2 string,=---BEGIN PGP PUBLIC KEY BLOCK- (len=30), ["PGP public key block"], swap_endian=0 signature file-magic-auto1 { file-mime "application/pgp-keys", 330 file-magic /(.{2})(\x2d\x2d\x2dBEGIN PGP PUBLIC KEY BLOCK\x2d)/ } -# >2080 string,=Microsoft Excel 5.0 Worksheet (len=29), ["%s"], swap_endian=0 -signature file-magic-auto2 { - file-mime "application/vnd.ms-excel", 320 - file-magic /(.{2080})(Microsoft Excel 5\x2e0 Worksheet)/ -} - # >11 string,=must be converted with BinHex (len=29), ["BinHex binary text"], swap_endian=0 signature file-magic-auto3 { file-mime "application/mac-binhex40", 320 file-magic /(.{11})(must be converted with BinHex)/ } -# >2080 string,=Microsoft Word 6.0 Document (len=27), ["%s"], swap_endian=0 -signature file-magic-auto4 { - file-mime "application/msword", 300 - file-magic /(.{2080})(Microsoft Word 6\x2e0 Document)/ -} - -# >2080 string,=Documento Microsoft Word 6 (len=26), ["Spanish Microsoft Word 6 document data"], swap_endian=0 -signature file-magic-auto5 { - file-mime "application/msword", 290 - file-magic /(.{2080})(Documento Microsoft Word 6)/ -} - # >0 string,=-----BEGIN PGP SIGNATURE- (len=25), ["PGP signature"], swap_endian=0 signature file-magic-auto6 { file-mime "application/pgp-signature", 280 
@@ -92,36 +68,6 @@ signature file-magic-auto13 { file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fgawk)/ } -# >0 string/wt,=#! /usr/local/bin/bash (len=22), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto14 { - file-mime "text/x-shellscript", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fbash)/ -} - -# >0 string/wt,=#! /usr/local/bin/tcsh (len=22), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto15 { - file-mime "text/x-shellscript", 250 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2ftcsh)/ -} - -# >0 string/wt,=#! /usr/local/bin/zsh (len=21), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto16 { - file-mime "text/x-shellscript", 240 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fzsh)/ -} - -# >0 string/wt,=#! /usr/local/bin/ash (len=21), ["Neil Brown's ash script text executable"], swap_endian=0 -signature file-magic-auto17 { - file-mime "text/x-shellscript", 240 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fash)/ -} - -# >0 string/wt,=#! /usr/local/bin/ae (len=20), ["Neil Brown's ae script text executable"], swap_endian=0 -signature file-magic-auto18 { - file-mime "text/x-shellscript", 230 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fae)/ -} - # >0 string,=# PaCkAgE DaTaStReAm (len=20), ["pkg Datastream (SVR4)"], swap_endian=0 signature file-magic-auto19 { file-mime "application/x-svr4-package", 230 
@@ -140,30 +86,12 @@ signature file-magic-auto21 { file-magic /(\x5bKDE Desktop Entry\x5d)/ } -# >512 string,=R\000o\000o\000t\000 \000E\000n\000t\000r\000y (len=19), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto22 { - file-mime "application/msword", 220 - file-magic /(.{512})(R\x00o\x00o\x00t\x00 \x00E\x00n\x00t\x00r\x00y)/ -} - # >0 string,=!\n__________E (len=19), ["MIPS archive"], swap_endian=0 signature file-magic-auto23 { file-mime "application/x-archive", 220 file-magic /(\x21\x3carch\x3e\x0a\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5fE)/ } -# >0 string/wt,=#! /usr/local/tcsh (len=18), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto24 { - file-mime "text/x-shellscript", 210 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2ftcsh)/ -} - -# >0 string/wt,=#! /usr/local/bash (len=18), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto25 { - file-mime "text/x-shellscript", 210 - file-magic /(\x23\x21 ?\x2fusr\x2flocal\x2fbash)/ -} - # >0 string/t,=# KDE Config File (len=17), ["KDE config file"], swap_endian=0 signature file-magic-auto26 { file-mime "application/x-kdelnk", 200 @@ -189,12 +117,6 @@ signature file-magic-auto29 { file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fnawk)/ } -# >0 string/wt,=#! /usr/bin/tcsh (len=16), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto30 { - file-mime "text/x-shellscript", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2ftcsh)/ -} - # >0 string/wt,=#! /usr/bin/gawk (len=16), ["GNU awk script text executable"], swap_endian=0 signature file-magic-auto31 { file-mime "text/x-gawk", 190 
@@ -207,12 +129,6 @@ signature file-magic-auto32 { file-magic /(.{369})(MICROSOFT PIFEX\x00)/ } -# >0 string/wt,=#! /usr/bin/bash (len=16), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto33 { - file-mime "text/x-shellscript", 190 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fbash)/ -} - # >0 string/w,=#VRML V1.0 ascii (len=16), ["VRML 1 file"], swap_endian=0 signature file-magic-auto34 { file-mime "model/vrml", 190 @@ -334,12 +250,6 @@ signature file-magic-auto51 { file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fawk)/ } -# >0 string/wt,=#! /usr/bin/zsh (len=15), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto52 { - file-mime "text/x-shellscript", 180 - file-magic /(\x23\x21 ?\x2fusr\x2fbin\x2fzsh)/ -} - # >0 string,=MAS_UTrack_V00 (len=14), [""], swap_endian=0 # >>14 string,>/0 (len=2), ["ultratracker V1.%.1s module sound data"], swap_endian=0 signature file-magic-auto53 { @@ -457,12 +367,6 @@ signature file-magic-auto70 { file-magic /(\x3cmap ?version)/ } -# >0 string/wt,=#! /bin/tcsh (len=12), ["Tenex C shell script text executable"], swap_endian=0 -signature file-magic-auto71 { - file-mime "text/x-shellscript", 150 - file-magic /(\x23\x21 ?\x2fbin\x2ftcsh)/ -} - # >0 string/wt,=#! /bin/nawk (len=12), ["new awk script text executable"], swap_endian=0 signature file-magic-auto72 { file-mime "text/x-nawk", 150 @@ -475,12 +379,6 @@ signature file-magic-auto73 { file-magic /(\x23\x21 ?\x2fbin\x2fgawk)/ } -# >0 string/wt,=#! /bin/bash (len=12), ["Bourne-Again shell script text executable"], swap_endian=0 -signature file-magic-auto74 { - file-mime "text/x-shellscript", 150 - file-magic /(\x23\x21 ?\x2fbin\x2fbash)/ -} - # >0 string/wt,=#! /bin/awk (len=11), ["awk script text executable"], swap_endian=0 signature file-magic-auto75 { file-mime "text/x-awk", 140 
@@ -505,24 +403,6 @@ signature file-magic-auto78 { file-magic /(d8\x3aannounce)/ } -# >0 string/wt,=#! /bin/csh (len=11), ["C shell script text executable"], swap_endian=0 -signature file-magic-auto79 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fcsh)/ -} - -# >0 string/wt,=#! /bin/ksh (len=11), ["Korn shell script text executable"], swap_endian=0 -signature file-magic-auto80 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fksh)/ -} - -# >0 string/wt,=#! /bin/zsh (len=11), ["Paul Falstad's zsh script text executable"], swap_endian=0 -signature file-magic-auto81 { - file-mime "text/x-shellscript", 140 - file-magic /(\x23\x21 ?\x2fbin\x2fzsh)/ -} - # >0 string/c,=BEGIN:VCARD (len=11), ["vCard visiting card"], swap_endian=0 signature file-magic-auto82 { file-mime "text/x-vcard", 140 @@ -545,12 +425,6 @@ signature file-magic-auto84 { file-magic /(Forward to)/ } -# >0 string/wt,=#! /bin/sh (len=10), ["POSIX shell script text executable"], swap_endian=0 -signature file-magic-auto85 { - file-mime "text/x-shellscript", 130 - file-magic /(\x23\x21 ?\x2fbin\x2fsh)/ -} - # >0 string,=II*\000\020\000\000\000CR (len=10), ["Canon CR2 raw image data"], swap_endian=0 signature file-magic-auto86 { file-mime "image/x-canon-cr2", 130 @@ -585,12 +459,6 @@ signature file-magic-auto90 { file-magic /(\x3cBookFile)/ } -# >2112 string,=MSWordDoc (len=9), ["Microsoft Word document data"], swap_endian=0 -signature file-magic-auto91 { - file-mime "application/msword", 120 - file-magic /(.{2112})(MSWordDoc)/ -} - # >0 string/t,=N#! rnews (len=9), ["mailed, batched news text"], swap_endian=0 signature file-magic-auto92 { file-mime "message/rfc822", 120 
@@ -656,12 +524,6 @@ signature file-magic-auto100 { file-magic /(MSCF\x00\x00\x00\x00)/ } -# >0 string/b,=\320\317\021\340\241\261\032\341 (len=8), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto101 { - file-mime "application/msword", 110 - file-magic /(\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1)/ -} - # >21 string/c,=!SCREAM! (len=8), ["Screamtracker 2 module sound data"], swap_endian=0 signature file-magic-auto102 { file-mime "audio/x-mod", 110 @@ -771,12 +633,6 @@ signature file-magic-auto119 { file-magic /(PK\x07\x08PK\x03\x04)/ } -# >0 string/b,=\t\004\006\000\000\000\020\000 (len=8), ["Microsoft Excel Worksheet"], swap_endian=0 -signature file-magic-auto120 { - file-mime "application/vnd.ms-excel", 110 - file-magic /(\x09\x04\x06\x00\x00\x00\x10\x00)/ -} - # >0 string/b,=WordPro\000 (len=8), ["Lotus WordPro"], swap_endian=0 signature file-magic-auto121 { file-mime "application/vnd.lotus-wordpro", 110 @@ -994,12 +850,6 @@ signature file-magic-auto155 { file-magic /(\x23 xmcd)/ } -# >0 string/b,=\333\245-\000\000\000 (len=6), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto156 { - file-mime "application/msword", 90 - file-magic /(\xdb\xa5\x2d\x00\x00\x00)/ -} - # >2 string,=MMXPR3 (len=6), ["Motorola Quark Express Document (English)"], swap_endian=0 signature file-magic-auto157 { file-mime "application/x-quark-xpress-3", 90 
@@ -1046,36 +896,6 @@ signature file-magic-auto162 { file-magic /(\x3c\x3fxml)(.{15})(.*)( xmlns\x3d)(['"]http:\x2f\x2fwww.opengis.net\x2fkml)/ } -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=word/ (len=5), ["Microsoft Word 2007+"], swap_endian=0 -signature file-magic-auto163 { - file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(word\x2f)/ -} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=ppt/ (len=4), ["Microsoft PowerPoint 2007+"], swap_endian=0 -signature file-magic-auto164 { - file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 70 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(ppt\x2f)/ -} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>30 regex,=[Content_Types].xml|_rels/.rels (len=31), [""], swap_endian=0 -# >>>18 (lelong,+49), search/2000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>&26 search/1000,=PK\003\004 (len=4), [""], swap_endian=0 -# >>>>>&26 string,=xl/ (len=3), ["Microsoft Excel 2007+"], swap_endian=0 -signature file-magic-auto165 { - file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 60 - file-magic /(PK\x03\x04)(.{26})(\[Content_Types\].xml|_rels\x2f.rels)(.*)(PK\x03\x04)(.{26})(.*)(PK\x03\x04)(.{26})(xl\x2f)/ -} - # >60 string,=RINEX (len=5), [""], swap_endian=0 # 
>>80 search/256,=XXRINEXB (len=8), ["RINEX Data, GEO SBAS Broadcast"], swap_endian=0 # >>>5 string,x, [", version %6.6s"], swap_endian=0 @@ -1229,30 +1049,12 @@ signature file-magic-auto187 { file-magic /(\x00\x01\x00\x00\x00)/ } -# >0 string/b,=PO^Q` (len=5), ["Microsoft Word 6.0 Document"], swap_endian=0 -signature file-magic-auto188 { - file-mime "application/msword", 80 - file-magic /(PO\x5eQ\x60)/ -} - # >0 string,=%PDF- (len=5), ["PDF document"], swap_endian=0 signature file-magic-auto189 { file-mime "application/pdf", 80 file-magic /(\x25PDF\x2d)/ } -# >2114 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 -signature file-magic-auto190 { - file-mime "application/vnd.ms-excel", 80 - file-magic /(.{2114})(Biff5)/ -} - -# >2121 string,=Biff5 (len=5), ["Microsoft Excel 5.0 Worksheet"], swap_endian=0 -signature file-magic-auto191 { - file-mime "application/vnd.ms-excel", 80 - file-magic /(.{2121})(Biff5)/ -} - # >0 string/t,=Path: (len=5), ["news text"], swap_endian=0 signature file-magic-auto192 { file-mime "message/news", 80 @@ -1383,12 +1185,6 @@ signature file-magic-auto211 { file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/ } -# >0 belong&,=-889275714 (0xcafebabe), [""], swap_endian=0 -signature file-magic-auto212 { - file-mime "application/x-java-applet", 71 - file-magic /(\xca\xfe\xba\xbe)/ -} - # >0 belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0 # >>3 byte&,=0xba, ["MPEG sequence"], swap_endian=0 signature file-magic-auto213 { 
@@ -1706,46 +1502,6 @@ signature file-magic-auto245 { file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)(epub\x2bzip)/ } -# Seems redundant with other zip signature below. -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 string,=\b\000\000\000mimetypeapplication/ (len=24), [""], swap_endian=0 -# >>>50 string,!epub+zip (len=8), [""], swap_endian=0 -# >>>>50 string,!vnd.oasis.opendocument. (len=23), [""], swap_endian=0 -# >>>>>50 string,!vnd.sun.xml. (len=12), [""], swap_endian=0 -# >>>>>>50 string,!vnd.kde. (len=8), [""], swap_endian=0 -# >>>>>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0 -#signature file-magic-auto246 { -# file-mime "application/zip", 39 -# file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetypeapplication\x2f)/ -#} - -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 string,=\b\000\000\000mimetype (len=12), [""], swap_endian=0 -# >>>38 string,!application/ (len=12), [""], swap_endian=0 -# >>>>38 regex,=[!-OQ-~]+ (len=9), ["Zip data (MIME type "%s"?)"], swap_endian=0 -signature file-magic-auto247 { - file-mime "application/zip", 39 - file-magic /(PK\x03\x04)(.{22})(\x08\x00\x00\x00mimetype)/ -} - -# The indirect offset makes this difficult to convert. -# The (.*) may be too generous. -# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 (leshort,+30), leshort&,=-13570 (0xcafe), ["Java archive data (JAR)"], swap_endian=0 -signature file-magic-auto248 { - file-mime "application/java-archive", 50 - file-magic /(PK\x03\x04)(.*)(\xfe\xca)/ -} - -# The indeirect offset and string inequality make this difficult to convert. 
-# >0 string,=PK\003\004 (len=4), [""], swap_endian=0 -# >>26 (leshort,+30), leshort&,!-13570 (0xcafe), [""], swap_endian=0 -# >>>26 string,!\b\000\000\000mimetype (len=12), ["Zip archive data"], swap_endian=0 -signature file-magic-auto249 { - file-mime "application/zip", 10 - file-magic /(PK\x03\x04)(.{2})/ -} - # >0 belong&,=442 (0x000001ba), [""], swap_endian=0 # >>4 byte&,&0x40, [""], swap_endian=0 signature file-magic-auto250 { @@ -2065,18 +1821,6 @@ signature file-magic-auto299 { file-magic /(PDN3)/ } -# >0 ulelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (little-endian)"], swap_endian=0 -signature file-magic-auto300 { - file-mime "application/vnd.tcpdump.pcap", 70 - file-magic /(\xd4\xc3\xb2\xa1)/ -} - -# >0 ubelong&,=2712847316 (0xa1b2c3d4), ["tcpdump capture file (big-endian)"], swap_endian=0 -signature file-magic-auto301 { - file-mime "application/vnd.tcpdump.pcap", 70 - file-magic /(\xa1\xb2\xc3\xd4)/ -} - # >0 belong&,=-17957139 (0xfeedfeed), ["Java KeyStore"], swap_endian=0 signature file-magic-auto302 { file-mime "application/x-java-keystore", 70 @@ -2297,12 +2041,6 @@ signature file-magic-auto335 { file-magic /(SIT\x21)/ } -# >0 lelong&,=574529400 (0x223e9f78), ["Transport Neutral Encapsulation Format"], swap_endian=0 -signature file-magic-auto336 { - file-mime "application/vnd.ms-tnef", 70 - file-magic /(\x78\x9f\x3e\x22)/ -} - # >0 string,= (len=4), ["System V Release 1 ar archive"], swap_endian=0 signature file-magic-auto337 { file-mime "application/x-archive", 70 
@@ -2433,48 +2171,6 @@ signature file-magic-auto357 { file-magic /(RIFF)(.{4})(AVI )/ } -# >0 belong&,=834535424 (0x31be0000), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto358 { - file-mime "application/msword", 70 - file-magic /(\x31\xbe\x00\x00)/ -} - -# >0 string/b,=\3767\000# (len=4), ["Microsoft Office Document"], swap_endian=0 -signature file-magic-auto359 { - file-mime "application/msword", 70 - file-magic /(\xfe7\x00\x23)/ -} - -# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 -signature file-magic-auto360 { - file-mime "application/msword", 70 - file-magic /(\xdb\xa5\x2d\x00)/ -} - -# >0 string/b,=\333\245-\000 (len=4), ["Microsoft WinWord 2.0 Document"], swap_endian=0 -signature file-magic-auto361 { - file-mime "application/msword", 70 - file-magic /(\xdb\xa5\x2d\x00)/ -} - -# >0 belong&,=6656 (0x00001a00), ["Lotus 1-2-3"], swap_endian=0 -signature file-magic-auto362 { - file-mime "application/x-123", 70 - file-magic /(\x00\x00\x1a\x00)/ -} - -# >0 belong&,=512 (0x00000200), ["Lotus 1-2-3"], swap_endian=0 -signature file-magic-auto363 { - file-mime "application/x-123", 70 - file-magic /(\x00\x00\x02\x00)/ -} - -# >0 string/b,=\000\000\001\000 (len=4), ["MS Windows icon resource"], swap_endian=0 -signature file-magic-auto364 { - file-mime "image/x-icon", 70 - file-magic /(\x00\x00\x01\x00)/ -} - # >0 lelong&,=268435536 (0x10000050), ["Psion Series 5"], swap_endian=0 # >>4 lelong&,=268435565 (0x1000006d), ["database"], swap_endian=0 # >>>8 lelong&,=268435588 (0x10000084), ["Agenda file"], swap_endian=0 @@ -2737,12 +2433,6 @@ signature file-magic-auto403 { file-magic /(SBI)/ } -# >0 string/b,=\224\246. (len=3), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto404 { - file-mime "application/msword", 60 - file-magic /(\x94\xa6\x2e)/ -} - # >0 string,=\004%! (len=3), ["PostScript document text"], swap_endian=0 signature file-magic-auto405 { file-mime "application/postscript", 60 
@@ -2763,17 +2453,11 @@ signature file-magic-auto407 { file-magic /(.*)([ \x09]*(class|module)[ \x09][A-Z])((modul|includ)e [A-Z]|def [a-z])(^[ \x09]*end([ \x09]*[;#].*)?$)/ } -# >512 string/b,=\354\245\301 (len=3), ["Microsoft Word Document"], swap_endian=0 -signature file-magic-auto408 { - file-mime "application/msword", 60 - file-magic /(.{512})(\xec\xa5\xc1)/ -} - # >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9][ \t] (len=29), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto411 { - file-mime "text/troff", 59 - file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ -} +#signature file-magic-auto411 { +# file-mime "text/troff", 59 +# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9][ \x09])/ +#} # >0 search/4096,=\documentclass (len=14), ["LaTeX 2e document text"], swap_endian=0 signature file-magic-auto412 { @@ -2806,10 +2490,10 @@ signature file-magic-auto416 { } # >0 regex/20,=^\.[A-Za-z0-9][A-Za-z0-9]$ (len=26), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto417 { - file-mime "text/troff", 56 - file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ -} +#signature file-magic-auto417 { +# file-mime "text/troff", 56 +# file-magic /(^\.[A-Za-z0-9][A-Za-z0-9]$)/ +#} # >0 search/w/1,=#! /usr/bin/php (len=15), ["PHP script text executable"], swap_endian=0 signature file-magic-auto418 { 
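Review bot: `file-magic-auto417` here (and `auto411` in the preceding hunk) is commented out with no reason recorded, whereas this file's existing practice for a disabled signature is a one-line explanation above it, e.g. `# Seems redundant with other zip signature below.` on auto246 and `# LDFLAGS appears in other contexts, e.g. shell script.` on auto603. A line such as `# Disabled: <why>` above each `#signature` block would let the next maintainer decide between restoring and deleting it. If the troff signatures are not expected to return, deleting them outright, as this commit does for the shell-script and Python/Ruby shebang signatures, is the more consistent choice.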
@@ -2829,30 +2513,12 @@ signature file-magic-auto420 { file-magic /(.*)(eval \x22exec \x2fusr\x2fbin\x2fperl)/ } -# >0 search/w/1,=#! /usr/local/bin/python (len=24), ["Python script text executable"], swap_endian=0 -signature file-magic-auto421 { - file-mime "text/x-python", 54 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fpython)/ -} - # >0 search/1,=Common subdirectories: (len=23), ["diff output text"], swap_endian=0 signature file-magic-auto422 { file-mime "text/x-diff", 53 file-magic /(.*)(Common subdirectories\x3a )/ } -# >0 search/1,=#! /usr/bin/env python (len=22), ["Python script text executable"], swap_endian=0 -signature file-magic-auto423 { - file-mime "text/x-python", 52 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv python)/ -} - -# >0 search/w/1,=#! /usr/local/bin/ruby (len=22), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto424 { - file-mime "text/x-ruby", 52 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2flocal\x2fbin\x2fruby)/ -} - # >0 search/w/1,=#! /usr/local/bin/wish (len=22), ["Tcl/Tk script text executable"], swap_endian=0 signature file-magic-auto425 { file-mime "text/x-tcl", 52 @@ -2871,12 +2537,6 @@ signature file-magic-auto427 { file-magic /(\xff\xd8)/ } -# >0 search/1,=#!/usr/bin/env python (len=21), ["Python script text executable"], swap_endian=0 -signature file-magic-auto428 { - file-mime "text/x-python", 51 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv python)/ -} - # >0 search/1,=#!/usr/bin/env nodejs (len=21), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto429 { file-mime "application/javascript", 51 
@@ -3189,12 +2849,6 @@ signature file-magic-auto474 { file-magic /(\x25\x21)/ } -# >0 search/1,=#! /usr/bin/env ruby (len=20), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto475 { - file-mime "text/x-ruby", 50 - file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv ruby)/ -} - # >0 regex/1,=(^[0-9]{5})[acdn][w] (len=20), ["MARC21 Classification"], swap_endian=0 signature file-magic-auto476 { file-mime "application/marc", 50 @@ -3305,17 +2959,17 @@ signature file-magic-auto493 { file-magic /(\xf7\x02)/ } -# >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 -signature file-magic-auto494 { - file-mime "application/x-tex-tfm", 50 - file-magic /(.{2})(\x00\x11)/ -} - -# >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 -signature file-magic-auto495 { - file-mime "application/x-tex-tfm", 50 - file-magic /(.{2})(\x00\x12)/ -} +## >2 string,=\000\021 (len=2), ["TeX font metric data"], swap_endian=0 +#signature file-magic-auto494 { +# file-mime "application/x-tex-tfm", 50 +# file-magic /(.{2})(\x00\x11)/ +#} +# +## >2 string,=\000\022 (len=2), ["TeX font metric data"], swap_endian=0 +#signature file-magic-auto495 { +# file-mime "application/x-tex-tfm", 50 +# file-magic /(.{2})(\x00\x12)/ +#} # >0 beshort&,=-31486 (0x8502), ["GPG encrypted data"], swap_endian=0 signature file-magic-auto496 { @@ -3470,12 +3124,6 @@ signature file-magic-auto514 { file-magic /(.*)(\x23\x21 \x2fusr\x2fbin\x2fenv lua)/ } -# >0 search/1,=#!/usr/bin/env ruby (len=19), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto515 { - file-mime "text/x-ruby", 49 - file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv ruby)/ -} - # >0 search/1,=#! /usr/bin/env tcl (len=19), ["Tcl script text executable"], swap_endian=0 signature file-magic-auto516 { file-mime "text/x-tcl", 49 
@@ -3493,12 +3141,6 @@ signature file-magic-auto519 { file-magic /(.*)(\x23\x21\x2fusr\x2fbin\x2fenv lua)/ } -# >0 search/w/1,=#! /usr/bin/python (len=18), ["Python script text executable"], swap_endian=0 -signature file-magic-auto520 { - file-mime "text/x-python", 48 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fpython)/ -} - # >0 search/w/1,=#!/usr/bin/nodejs (len=17), ["Node.js script text executable"], swap_endian=0 signature file-magic-auto521 { file-mime "application/javascript", 47 @@ -3658,12 +3300,6 @@ signature file-magic-auto545 { file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fwish)/ } -# >0 search/w/1,=#! /usr/bin/ruby (len=16), ["Ruby script text executable"], swap_endian=0 -signature file-magic-auto546 { - file-mime "text/x-ruby", 46 - file-magic /(.*)(\x23\x21 ?\x2fusr\x2fbin\x2fruby)/ -} - # >0 search/w/1,=#! /usr/bin/lua (len=15), ["Lua script text executable"], swap_endian=0 signature file-magic-auto547 { file-mime "text/x-lua", 45 @@ -3887,18 +3523,6 @@ signature file-magic-auto578 { file-magic /(^dnl )/ } -# >0 regex,=^all: (len=5), ["makefile script text"], swap_endian=0 -signature file-magic-auto579 { - file-mime "text/x-makefile", 40 - file-magic /(^all:)/ -} - -# >0 regex,=^.PRECIOUS (len=10), ["makefile script text"], swap_endian=0 -signature file-magic-auto580 { - file-mime "text/x-makefile", 40 - file-magic /(^.PRECIOUS)/ -} - # >0 search/8192,=main( (len=5), ["C source text"], swap_endian=0 signature file-magic-auto581 { file-mime "text/x-c", 40 
@@ -3938,16 +3562,16 @@ signature file-magic-auto586 { } # >0 search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto587 { - file-mime "text/troff", 39 - file-magic /(.*)(\x2e\x5c\x22)/ -} +#signature file-magic-auto587 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x2e\x5c\x22)/ +#} # >0 search/1,='\" (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto588 { - file-mime "text/troff", 39 - file-magic /(.*)(\x27\x5c\x22)/ -} +#signature file-magic-auto588 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x27\x5c\x22)/ +#} # >0 search/1,=0 search/1,=''' (len=3), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto593 { - file-mime "text/troff", 39 - file-magic /(.*)(\x27\x27\x27)/ -} +#signature file-magic-auto593 { +# file-mime "text/troff", 39 +# file-magic /(.*)(\x27\x27\x27)/ +#} # >0 search/4096,=try: (len=4), [""], swap_endian=0 # >>&0 regex,=^\s*except.*: (len=13), ["Python script text executable"], swap_endian=0 @@ -3999,12 +3623,6 @@ signature file-magic-auto596 { file-magic /(.*)(\x22LIBHDR\x22)/ } -# >0 regex,=^SUBDIRS (len=8), ["automake makefile script text"], swap_endian=0 -signature file-magic-auto597 { - file-mime "text/x-makefile", 38 - file-magic /(.*)(SUBDIRS)/ -} - # >0 search/4096,=(defvar (len=8), ["Lisp/Scheme program text"], swap_endian=0 signature file-magic-auto598 { file-mime "text/x-lisp", 38 
@@ -4031,19 +3649,6 @@ signature file-magic-auto600 { # file-magic /(.*)(\x2a\x2a\x2a )/ #} -# >0 search/1,='.\" (len=4), ["troff or preprocessor input text"], swap_endian=0 -signature file-magic-auto602 { - file-mime "text/troff", 38 - file-magic /(.*)(\x27\x2e\x5c\x22)/ -} - -# LDFLAGS appears in other contexts, e.g. shell script. -# >0 regex,=^LDFLAGS (len=8), ["makefile script text"], swap_endian=0 -#signature file-magic-auto603 { -# file-mime "text/x-makefile", 38 -# file-magic /(.*)(LDFLAGS)/ -#} - # >0 search/8192,="libhdr" (len=8), ["BCPL source text"], swap_endian=0 signature file-magic-auto604 { file-mime "text/x-bcpl", 38 @@ -4057,12 +3662,6 @@ signature file-magic-auto604 { # file-magic /(^record)/ #} -# >0 regex,=^CFLAGS (len=7), ["makefile script text"], swap_endian=0 -signature file-magic-auto606 { - file-mime "text/x-makefile", 37 - file-magic /(.*)(CFLAGS)/ -} - # >0 search/4096,=(defun (len=7), ["Lisp/Scheme program text"], swap_endian=0 signature file-magic-auto607 { file-mime "text/x-lisp", 37 diff --git a/scripts/base/frameworks/files/magic/msoffice.sig b/scripts/base/frameworks/files/magic/msoffice.sig new file mode 100644 index 0000000000..111ec77004 --- /dev/null +++ b/scripts/base/frameworks/files/magic/msoffice.sig 
@@ -0,0 +1,28 @@
+
+# This signature is non-specific and terrible but after
+# searching for a long time there doesn't seem to be a
+# better option.
+signature file-msword {
+ file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
+ file-mime "application/msword", 50
+}
+
+signature file-ooxml {
+ file-magic /^PK\x03\x04\x14\x00\x06\x00/
+ file-mime "application/vnd.openxmlformats-officedocument", 50
+}
+
+signature file-docx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|word\x2f).*PK\x03\x04.{26}word\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.wordprocessingml.document", 80
+}
+
+signature file-xlsx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\2f).*PK\x03\x04.{26}xl\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", 80
+}
+
+signature file-pptx {
+ file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
+ file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
+}
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index efce524fc5..948df69cad 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -355,7 +355,7 @@ const default_file_timeout_interval: interval = 2 mins &redef;
 ## Default amount of bytes that file analysis will buffer before raising
 ## :bro:see:`file_new`.
-const default_file_bof_buffer_size: count = 1024 &redef;
+const default_file_bof_buffer_size: count = 3000 &redef;
 ## A file that Bro is analyzing. This is Bro's type for describing the basic
 ## internal metadata collected about a "file", which is essentially just a
diff --git a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1 b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
index 5c7da193c6..a3bec06fc1 100644
--- a/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
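Review bot: `file-xlsx` has a typo in its first alternation, `xl\2f`, where the sibling `file-docx` and `file-pptx` signatures write `word\x2f` and `ppt\x2f`; `\2f` is not the escape for the byte `/`, so the branch meant to match an `xl/` entry as the first local file header cannot match as written and an .xlsx whose first entry is under `xl/` only gets caught by the later `xl\x2f` if a second header is still inside the buffer. The line should read `file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|xl\x2f).*PK\x03\x04.{26}xl\x2f/`. Separately, the `file-msword` pattern `\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1` is the OLE2/CFB compound-document header, which .xls, .ppt, .msi and other CFB containers share, so any extraction or alerting policy keyed on application/msword will fire on all of them; the comment admits the match is non-specific but should say explicitly that it labels any OLE2 compound file, e.g. `# Matches the generic OLE2/CFB container header, so this also tags .xls, .ppt, .msi and similar files as msword.`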
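Review bot: The doc comment on `default_file_bof_buffer_size` still only says what is buffered, not why the value is now 3000 or what depends on it, so a future tuner has no warning that lowering it can silently break MIME detection. Suggest extending the two existing `##` lines with something like `## Signatures that look past the first few hundred bytes (e.g. the OOXML ones) need this much data, so lowering it can break MIME detection; the buffer is held per file until it fills or the file ends.` The baseline changes in this commit appear to show the other side of the trade-off: for files shorter than the buffer, `file_new` now fires when the entity ends rather than when 1024 bytes had arrived (the all-events-no-args.log hunks move both `file_new` lines later), so scripts acting on file_new see the MIME type of small files later, which is worth a sentence in the doc or NEWS.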
+++ b/testing/btest/Baseline/doc.sphinx.file_extraction/btest-doc.sphinx.file_extraction#1
@@ -8,7 +8,7 @@
 Extracting file HTTP-FiIpIB2hRQSDBOSJRg.html
 Extracting file HTTP-FMG4bMmVV64eOsCb.txt
 Extracting file HTTP-FnaT2a3UDd093opCB9.txt
+ Extracting file HTTP-FfQGqj4Fhh3pH7nVQj.txt
 Extracting file HTTP-FsvATF146kf1Emc21j.txt
- Extracting file HTTP-FkMQHg2nBr44fc5h63.txt
 [...]
diff --git a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1 b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
index 3d6b9dffad..e62ab5a373 100644
--- a/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
+++ b/testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1
@@ -16,15 +16,15 @@
 #empty_field (empty)
 #unset_field -
 #path mime_metrics
- #open 2014-04-21-21-34-08
+ #open 2014-10-08-03-56-52
 #fields ts ts_delta mtype uniq_hosts hits bytes
 #types time interval string count count count
- 1389719059.311698 300.000000 text/html 1 3 47335
+ 1389719059.311698 300.000000 text/html 1 7 68469
 1389719059.311698 300.000000 image/jpeg 1 1 186859
 1389719059.311698 300.000000 application/pgp-signature 1 1 836
- 1389719059.311698 300.000000 text/plain 1 13 119717
+ 1389719059.311698 300.000000 text/plain 1 10 101763
 1389719059.311698 300.000000 image/gif 1 1 172
 1389719059.311698 300.000000 image/png 1 9 82176
 1389719059.311698 300.000000 image/x-icon 1 2 2300
- #close 2014-04-21-21-34-08
+ #close 2014-10-08-03-56-52
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
index b836d14e47..dcb1c18c97 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.register_mime_type/files.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path files
-#open 2014-09-08-21-50-32
+#open 2014-10-08-03-58-17
 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
 #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
-1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - -
-#close 2014-09-08-21-50-32
+1362692527.009765 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 MD5 text/plain - 0.000010 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac - - -
+#close 2014-10-08-03-58-17
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
index daf862e3b9..7edaa67263 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path files
-#open 2014-09-08-21-55-01
+#open 2014-10-08-03-59-03
 #fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
 #types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
-1362692527.009512 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000263 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file
-#close 2014-09-08-21-55-01
+1362692527.009765 FakNcS1Jfe01uljb3 192.150.187.43 141.142.228.5 CXWv6p3arKYeMETxOg HTTP 0 SHA256,DATA_EVENT,MD5,EXTRACT,SHA1 text/plain - 0.000010 - F 4705 4705 0 0 F - 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 FakNcS1Jfe01uljb3-file
+#close 2014-10-08-03-59-03
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index cad75c268d..be0d5ed86e 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -65,10 +65,10 @@
 1254722770.692743 mime_one_header
 1254722770.692743 mime_one_header
 1254722770.692743 get_file_handle
-1254722770.692786 file_new
-1254722770.692786 file_over_new_connection
 1254722770.692804 mime_end_entity
 1254722770.692804 get_file_handle
+1254722770.692804 file_new
+1254722770.692804 file_over_new_connection
 1254722770.692804 file_state_remove
 1254722770.692804 get_file_handle
 1254722770.692804 mime_end_entity
@@ -79,9 +79,9 @@
 1254722770.692804 mime_one_header
 1254722770.692804 mime_one_header
 1254722770.692804 get_file_handle
-1254722770.692823 file_new
-1254722770.692823 file_over_new_connection
 1254722770.695115 new_connection
+1254722771.469814 file_new
+1254722771.469814 file_over_new_connection
 1254722771.858334 mime_end_entity
 1254722771.858334 get_file_handle
 1254722771.858334 file_state_remove
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index 157ca42d75..e0a29d4501 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -305,15 +305,15 @@ [2] is_orig: bool = T 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, 
last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, 
msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]^J}, last_active=1254722770.692743, seen_bytes=79, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Hello^M^J^M^J ^M^J^M^JI send u smtp pcap file ^M^J^M^JFind the attachment^M^J^M^J ^M^J^M^JGPS^M^J^M^J^M^J, mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=3, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP 
@@ -336,24 +336,24 @@ [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692786 file_new - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163697, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692786, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=, u2_events=] + +1254722770.692804 file_over_new_connection + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692804, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/html, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [2] is_orig: bool = F + 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]^J}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J^M^J
^M^J^M^J

Hello

^M^J^M^J

 

^M^J^M^J

I send u smtp pcap file

^M^J^M^J

Find the attachment

^M^J^M^J

 

^M^J^M^J

GPS

^M^J^M^J
^M^J^M^J^M^J^M^J^M^J^M^J, mime_type=text/html, mime_types=[[strength=45, mime=text/html], [strength=41, mime=text/html], [strength=-20, mime=text/plain]], info=[ts=1254722770.692804, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=4, analyzers={^J^J}, mime_type=text/html, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP 
@@ -393,17 +393,17 @@ [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F -1254722770.692823 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, 
winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] - -1254722770.692823 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722770.692823, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 
- [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] - [2] is_orig: bool = F - 1254722770.695115 new_connection [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1254722770.695115, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=CCvvfg3TEfuqmmG4bh, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] +1254722771.469814 file_new + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, 
source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.469814, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many 
bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=, u2_events=] + +1254722771.469814 file_over_new_connection + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.469814, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support 
for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. 
^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722771.469814, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^J}, rx_hosts={^J^J}, conn_uids={^J^J}, source=SMTP, depth=0, analyzers={^J^J}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0], start_time=1254722767.529046, duration=3.163758, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [2] is_orig: bool = F + 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^ISMTP^J}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^J}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^J}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -413,7 +413,7 @@ [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=1024, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722770.692823, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=F, conns={^J^I[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0], start_time=1254722767.529046, duration=4.329288, service={^J^I^ISMTP^J^I}, addl=, hot=0, history=ShAdDa, uid=CjhGID4nQcgTWjvg4c, tunnel=, dpd=, conn=, extract_orig=F, extract_resp=F, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, modbus=, radius=, snmp=, smtp=[ts=1254722768.219663, uid=CjhGID4nQcgTWjvg4c, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto={^J^I^I^J^I}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={^J^I^I^J^I}, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]^J}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=3000, bof_buffer=Version 4.9.9.1^M^J* Many bug fixes^M^J* Improved editor^M^J^M^JVersion 4.9.9.0^M^J* Support for latest Mingw compiler system builds^M^J* Bug fixes^M^J^M^JVersion 4.9.8.9^M^J* New code tooltip display^M^J* Improved Indent/Unindent and Remove Comment^M^J* Improved automatic indent^M^J* Added support for the "interface" keyword^M^J* WebUpdate should now report installation problems from PackMan^M^J* New splash screen and association icons^M^J* Improved installer^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.7^M^J* Added support for GCC > 3.2^M^J* Debug variables are now resent during next debug session^M^J* Watched Variables not in correct context are now kept and updated when it is needed^M^J* Added new compiler/linker options: ^M^J - Strip executable^M^J - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, ^M^J k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)^M^J - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)^M^J* "Default" button in Compiler Options is back^M^J* Error messages parsing improved^M^J* Bug fixes^M^J^M^JVersion 4.9.8.5^M^J* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")^M^J* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.^M^J* 
Many bug fixes^M^J^M^JVersion 4.9.8.4^M^J* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup^M^J* Improved code completion cache^M^J* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP^M^J* Big speed up in function parameters listing while editing^M^J* Bug fixes^M^J^M^JVersion 4.9.8.3^M^J* On Dev-C++ first time configuration dialog, a code completion cache of all the standard ^M^J include files can now be generated.^M^J* Improved WebUpdate module^M^J* Many bug fixes^M^J^M^JVersion 4.9.8.2^M^J* New debug feature for DLLs: attach to a running process^M^J* New project option: Use custom Makefile. ^M^J* New WebUpdater module.^M^J* Allow user to specify an alternate configuration file in Environment Options ^M^J (still can be overriden by using "-c" command line parameter).^M^J* Lots of bug fixes.^M^J^M^JVersion 4.9.8.1^M^J* When creating a DLL, the created static lib respects now the project-defined output directory^M^J^M^JVersion 4.9.8.0^M^J* Changed position of compiler/linker parameters in Project Options.^M^J* Improved help file^M^J* Bug fixes^M^J^M^JVersion 4.9.7.9^M^J* Resource errors are now reported in the Resource sheet^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.8^M^J* Made whole bottom report control floating instead of only debug output.^M^J* Many bug fixes^M^J^M^JVersion 4.9.7.7^M^J* Printing settings are now saved^M^J* New environment options : "watch variable under mouse" and "Report watch errors"^M^J* Bug fixes^M^J^M^JVersion 4.9.7.6^M^J* Debug variable browser^M^J* Added possibility to include in a Template the Project's directories , mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], info=[ts=1254722771.469814, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={^J^I74.53.140.153^J}, rx_hosts={^J^I10.10.1.4^J}, conn_uids={^J^ICjhGID4nQcgTWjvg4c^J}, source=SMTP, depth=5, analyzers={^J^J}, mime_type=text/plain, 
filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=], u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP From 7ee34981aa0873207a39c6077164a50fddca9071 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 5 Nov 2014 11:31:48 -0500 Subject: [PATCH 2/2] Improve TAR file detection and other small changes. - Remove all of the x-c detections. Nearly all false positives. - Remove the back up TAR detections. Not very helpful. - Remove one of the x-elc detections that was too loose and caused many false positives. --- .../base/frameworks/files/magic/general.sig | 6 +- .../base/frameworks/files/magic/libmagic.sig | 72 +++++++++---------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index a36e32ef28..500c4f7be0 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -6,8 +6,8 @@ signature file-plaintext { } signature file-tar { - file-magic /^([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/ - file-mime "application/x-tar", 150 + file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/ + file-mime "application/x-tar", 100 } signature file-zip { @@ -120,7 +120,7 @@ signature file-python { } signature file-php { - file-magic /.*<\?php/ + file-magic /^.*<\?php/ file-mime "text/x-php", 40 } diff --git a/scripts/base/frameworks/files/magic/libmagic.sig b/scripts/base/frameworks/files/magic/libmagic.sig index 92e1da68ae..72ec40dff8 100644 --- a/scripts/base/frameworks/files/magic/libmagic.sig +++ b/scripts/base/frameworks/files/magic/libmagic.sig 
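Review bot: The new file-tar pattern's final class `[0-7\x00]` admits only the classic typeflag values, so an archive whose first header is a pax extended/global header (typeflag `x`/`g`) or a GNU long-name/long-link entry (`L`/`K`) is no longer identified as application/x-tar, and with the libmagic `ustar` signatures disabled in the same series there is no fallback for those archives. The numeric fields are also pinned to a NUL terminator (`{7}\x00`, `{11}\x00`), while the ustar format also permits space termination and GNU tar switches to a base-256 size encoding for very large entries; I can't tell from the diff which writers produced the test corpus, so this is worth checking against archives from a few different tools. Widening only the typeflag class, `[0-7\x00xgLK]`, closes the first gap at little cost in precision, and the terminator could become `[\x00\x20]` if the sample set confirms it. The signature block is complete within the hunk.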
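Review bot: `^.*<\?php` is only equivalent to the previous `.*<\?php` if `.` matches newline; in flex-style pattern syntax it does not, in which case the anchored form now detects `<?php` only when the tag appears on the first line of the buffer, a narrowing the commit message does not mention. I can't confirm the matcher's `.` semantics from the diff, so a quick check with a file that has a blank line or comment before the tag would settle it. Either way, a one-line comment stating the intended reach, e.g. `# Anchored to the buffer start; '<?php' is expected within the first line`, would keep the next edit from silently changing it again. The file-php block is complete within the hunk.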
@@ -616,10 +616,10 @@ signature file-magic-auto116 {
 }
 
 # >257 string,=ustar \000 (len=8), ["GNU tar archive"], swap_endian=0
-signature file-magic-auto117 {
- file-mime "application/x-tar", 110
- file-magic /(.{257})(ustar \x00)/
-}
+#signature file-magic-auto117 {
+# file-mime "application/x-tar", 110
+# file-magic /(.{257})(ustar \x00)/
+#}
 
 # >0 string,=257 string,=ustar\000 (len=6), ["POSIX tar archive"], swap_endian=0
-signature file-magic-auto131 {
- file-mime "application/x-tar", 90
- file-magic /(.{257})(ustar\x00)/
-}
+#signature file-magic-auto131 {
+# file-mime "application/x-tar", 90
+# file-magic /(.{257})(ustar\x00)/
+#}
 
 # >0 string,=AC1.40 (len=6), ["DWG AutoDesk AutoCAD Release 1.40"], swap_endian=0
 signature file-magic-auto132 {
@@ -2882,10 +2882,10 @@ signature file-magic-auto480 {
 }
 
 # >0 string,=\n( (len=2), ["Emacs v18 byte-compiled Lisp data"], swap_endian=0
-signature file-magic-auto481 {
- file-mime "application/x-elc", 50
- file-magic /(\x0a\x28)/
-}
+#signature file-magic-auto481 {
+# file-mime "application/x-elc", 50
+# file-magic /(\x0a\x28)/
+#}
 
 # >0 string,=\021\t (len=2), ["Award BIOS Logo, 136 x 126"], swap_endian=0
 signature file-magic-auto482 {
@@ -3148,10 +3148,10 @@ signature file-magic-auto521 {
 }
 
 # >0 regex,=^class[ \t\n]+ (len=12), ["C++ source text"], swap_endian=0
-signature file-magic-auto522 {
- file-mime "text/x-c++", 47
- file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/
-}
+#signature file-magic-auto522 {
+# file-mime "text/x-c++", 47
+# file-magic /(.*)(class[ \x09\x0a]+[[:alnum:]_]+)(.*)(\x7b)(.*)(public:)/
+#}
 
 # >0 search/1,=This is Info file (len=17), ["GNU Info text"], swap_endian=0
 signature file-magic-auto528 {
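Review bot: The newly commented-out blocks (auto117 and auto131 in the `@@ -616` hunk, auto481 and auto522 below it, and auto557, auto560, auto568, auto581 and auto586 in the following hunks) carry no reason in the file, while the existing disabled entries in libmagic.sig are introduced by a note such as `# Not specific enough.` (visible at the end of the `@@ -3524` hunk). One line per block in that style would keep the rationale next to the code instead of only in the commit message, e.g. `# Disabled: too loose, mostly false positives.` for the text/x-c and x-elc entries and `# Disabled: superseded by file-tar in general.sig.` for the two tar entries. Commenting out rather than deleting is consistent with how this generated file already retires entries, so only the missing rationale is at issue.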
@@ -3363,10 +3363,10 @@ signature file-magic-auto556 {
 }
 
 # >0 regex,=^extern[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-signature file-magic-auto557 {
- file-mime "text/x-c", 43
- file-magic /(.*)(extern[ \x09\x0a]+)/
-}
+#signature file-magic-auto557 {
+# file-mime "text/x-c", 43
+# file-magic /(.*)(extern[ \x09\x0a]+)/
+#}
 
 # >0 search/4096,=% -*-latex-*- (len=13), ["LaTeX document text"], swap_endian=0
 signature file-magic-auto558 {
@@ -3382,10 +3382,10 @@ signature file-magic-auto558 {
 #}
 
 # >0 regex,=^struct[ \t\n]+ (len=13), ["C source text"], swap_endian=0
-signature file-magic-auto560 {
- file-mime "text/x-c", 43
- file-magic /(.*)(struct[ \x09\x0a]+)/
-}
+#signature file-magic-auto560 {
+# file-mime "text/x-c", 43
+# file-magic /(.*)(struct[ \x09\x0a]+)/
+#}
 
 # >0 search/w/1,=#!/bin/nodejs (len=13), ["Node.js script text executable"], swap_endian=0
 signature file-magic-auto561 {
@@ -3438,10 +3438,10 @@ signature file-magic-auto567 {
 }
 
 # >0 regex,=^char[ \t\n]+ (len=11), ["C source text"], swap_endian=0
-signature file-magic-auto568 {
- file-mime "text/x-c", 41
- file-magic /(.*)(char[ \x09\x0a]+)/
-}
+#signature file-magic-auto568 {
+# file-mime "text/x-c", 41
+# file-magic /(.*)(char[ \x09\x0a]+)/
+#}
 
 # >0 search/1,=#! (len=2), [""], swap_endian=0
 # >>0 regex,=^#!.*/bin/perl$ (len=15), ["Perl script text executable"], swap_endian=0
@@ -3524,10 +3524,10 @@ signature file-magic-auto578 {
 }
 
 # >0 search/8192,=main( (len=5), ["C source text"], swap_endian=0
-signature file-magic-auto581 {
- file-mime "text/x-c", 40
- file-magic /(.*)(main\x28)/
-}
+#signature file-magic-auto581 {
+# file-mime "text/x-c", 40
+# file-magic /(.*)(main\x28)/
+#}
 
 # Not specific enough.
 # >0 search/1,=\" (len=2), ["troff or preprocessor input text"], swap_endian=0
@@ -3556,10 +3556,10 @@ signature file-magic-auto584 {
 #}
 
 # >0 regex,=^#include (len=9), ["C source text"], swap_endian=0
-signature file-magic-auto586 {
- file-mime "text/x-c", 39
- file-magic /(.*)(#include)/
-}
+#signature file-magic-auto586 {
+# file-mime "text/x-c", 39
+# file-magic /(.*)(#include)/
+#}
 
 # >0 search/1,=.\" (len=3), ["troff or preprocessor input text"], swap_endian=0
 #signature file-magic-auto587 {