Lots of fixes for file type identification.

- Plain text now identified with BOMs for UTF8,16,32
   (even though 16 and 32 wouldn't get identified as plain text, oh-well)
 - X.509 certificates are now populating files.log with
   the mime type application/pkix-cert.
 - File signatures are split apart into file types
   to help group and organize signatures a bit better.
 - Normalized some FILE_ANALYSIS debug messages.
 - Improved Javascript detection.
 - Improved HTML detection.
 - Removed a bunch of bad signatures.
 - Merged a bunch of signatures that ultimately detected
   the same mime type.
 - Added detection for MS LNK files.
 - Added detection for cross-domain-policy XML files.
 - Added detection for SOAP envelopes.

scripts/base/files/x509/main.bro

@@ -47,6 +47,9 @@ redef record Files::Info += {
 
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
 	{
+	if ( ! f$info?$mime_type )
+		f$info$mime_type = "application/pkix-cert";
+	
 	f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
 	}
 

scripts/base/frameworks/files/magic/__load__.bro

@@ -1,3 +1,6 @@
 @load-sigs ./general
+@load-sigs ./archive
+@load-sigs ./image
+@load-sigs ./video
 @load-sigs ./msoffice
 @load-sigs ./libmagic

scripts/base/frameworks/files/magic/archive.sig

@@ -0,0 +1,188 @@
+signature file-tar {
+    file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/
+    file-mime "application/x-tar", 100
+}
+
+# This is low priority so that files using zip as a 
+# container will be identified correctly.
+signature file-zip {
+	file-mime "application/zip", 10
+	file-magic /^PK\x03\x04.{2}/
+}
+
+# Multivolume Zip archive
+signature file-multi-zip {
+	file-mime "application/zip", 10
+	file-magic /^PK\x07\x08PK\x03\x04/
+}
+
+signature file-rar {
+	file-mime "application/x-rar", 70
+	file-magic /^Rar!/
+}
+
+signature file-gzip {
+	file-mime "application/x-gzip", 100
+	file-magic /\x1f\x8b/
+}
+
+signature file-ms-cab {
+	file-mime "application/vnd.ms-cab-compressed", 110
+	file-magic /^MSCF\x00\x00\x00\x00/
+}
+
+# Mac OS X DMG files
+signature file-dmg {
+	file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/
+	file-mime "application/x-dmg", 100
+}
+
+# XAR (eXtensible ARchive) format. 
+# Mac OS X uses this for the .pkg format.
+signature file-xar {
+	file-magic /^xar\!/
+	file-mime "application/x-xar", 100
+}
+
+# RPM
+signature file-magic-auto352 {
+	file-mime "application/x-rpm", 70
+	file-magic /^(drpm|\xed\xab\xee\xdb)/
+}
+
+signature file-stuffit {
+	file-mime "application/x-stuffit", 70
+	file-magic /^(SIT\x21|StuffIt)/
+}
+
+signature file-x-archive {
+	file-mime "application/x-archive", 70
+	file-magic /^!?<ar(ch)?>/
+}
+
+# ARC archive data
+signature file-arc {
+	file-mime "application/x-arc", 70
+	file-magic /([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f]{2})([\x02-\x0a\x14\x48]\x1a)/
+}
+
+# EET archive
+signature file-eet {
+	file-mime "application/x-eet", 70
+	file-magic /^\x1e\xe7\xff\x00/
+}
+
+# Zoo archive
+signature file-zoo {
+	file-mime "application/x-zoo", 70
+	file-magic /^.{20}\xdc\xa7\xc4\xfd/
+}
+
+# >0  lelong&,=407642370 (0x184c2102), ["LZ4 compressed data, legacy format"], swap_endian=0
+signature file-magic-auto382 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x02\x21\x4c\x18)/
+}
+
+# >0  lelong&,=407708164 (0x184d2204), ["LZ4 compressed data"], swap_endian=0
+signature file-magic-auto383 {
+	file-mime "application/x-lz4", 70
+	file-magic /(\x04\x22\x4d\x18)/
+}
+
+# >0  string,=LRZI (len=4), ["LRZIP compressed data"], swap_endian=0
+# >>5  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto384 {
+	file-mime "application/x-lrzip", 1
+	file-magic /(LRZI)(.{1})(.{1})/
+}
+
+# >0  string,=LZIP (len=4), ["lzip compressed data"], swap_endian=0
+signature file-magic-auto386 {
+	file-mime "application/x-lzip", 70
+	file-magic /(LZIP)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=Copyright 1989-1990 PKWARE Inc. (len=31), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto434 {
+	file-mime "application/zip", 340
+	file-magic /(MZ)(.{28})(Copyright 1989\x2d1990 PKWARE Inc\x2e)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>30  string,=PKLITE Copr. (len=12), ["Self-extracting PKZIP archive"], swap_endian=0
+signature file-magic-auto435 {
+	file-mime "application/zip", 150
+	file-magic /(MZ)(.{28})(PKLITE Copr\x2e)/
+}
+
+# LHA archive (LZH)
+signature file-lzh {
+	file-mime "application/x-lzh", 80
+	file-magic /^.{2}-(lh[ abcdex0-9]|lz[s2-8]|lz[s2-8]|pm[s012]|pc1)-/
+}
+
+# >0  string,=WARC/ (len=5), ["WARC Archive"], swap_endian=0
+# >>5  string,x, ["version %.4s"], swap_endian=0
+signature file-magic-auto177 {
+	file-mime "application/warc", 1
+	file-magic /(WARC\x2f)(.{0})/
+}
+
+# >0  string,=7z\274\257'\034 (len=6), ["7-zip archive data,"], swap_endian=0
+# >>7  byte&,x, [".%d"], swap_endian=0
+signature file-magic-auto150 {
+	file-mime "application/x-7z-compressed", 1
+	file-magic /(7z\xbc\xaf\x27\x1c)(.{1})(.{1})/
+}
+
+# >0  ustring,=\3757zXZ\000 (len=6), ["XZ compressed data"], swap_endian=0
+signature file-magic-auto151 {
+	file-mime "application/x-xz", 90
+	file-magic /(\xfd7zXZ\x00)/
+}
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHa's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto436 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHa\x27s SFX)/
+}
+
+# >0  string/b,=MZ (len=2), [""], swap_endian=0
+# >>36  string,=LHA's SFX (len=9), [", LHa self-extracting archive"], swap_endian=0
+signature file-magic-auto437 {
+	file-mime "application/x-lha", 120
+	file-magic /(MZ)(.{34})(LHA\x27s SFX)/
+}
+
+# >0  leshort&,=-5536 (0xea60), ["ARJ archive data"], swap_endian=0
+signature file-magic-auto467 {
+	file-mime "application/x-arj", 50
+	file-magic /(\x60\xea)/
+}
+
+# >0  short&,=-14479 (0xc771), ["byte-swapped cpio archive"], swap_endian=0
+signature file-magic-auto479 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\x71\xc7)|(\xc7\x71))/
+}
+
+# >0  short&,=29127 (0x71c7), ["cpio archive"], swap_endian=0
+signature file-magic-auto480 {
+	file-mime "application/x-cpio", 50
+	file-magic /((\xc7\x71)|(\x71\xc7))/
+}
+
+# >0  string,=\037\235 (len=2), ["compress'd data"], swap_endian=0
+signature file-magic-auto500 {
+	file-mime "application/x-compress", 50
+	file-magic /(\x1f\x9d)/
+}
+
+# >0  lelong&00ffffff,=93 (0x0000005d), [""], swap_endian=0
+signature file-magic-auto218 {
+	file-mime "application/x-lzma", 71
+	file-magic /(\x5d\x00\x00.)/
+}
+

scripts/base/frameworks/files/magic/general.sig

@@ -1,18 +1,51 @@
 # General purpose file magic signatures.
 
+# Plaintext 
+# (Including BOMs for UTF-8, 16, and 32)
 signature file-plaintext {
-    file-magic /^([[:print:][:space:]]{10})/
+	file-magic /^(\xef\xbb\xbf|(\x00\x00)?\xfe\xff|\xff\xfe(\x00\x00)?)?[[:space:]\x20-\x7E]{10}/
-    file-mime "text/plain", -20
+	file-mime "text/plain", -20
 }
 
-signature file-tar {
+signature file-xml {
-    file-magic /^[[:print:]\x00]{100}([[:digit:]\x20]{7}\x00){3}([[:digit:]\x20]{11}\x00){2}([[:digit:]\x00\x20]{7}[\x20\x00])[0-7\x00]/
+	file-mime "application/xml", 10
-    file-mime "application/x-tar", 100
+	file-magic /^[\x0d\x0a[:blank:]]*<\?xml /
 }
 
-signature file-zip {
+signature file-xhtml {
-	file-mime "application/zip", 10
+	file-mime "text/html", 100
-	file-magic /^PK\x03\x04.{2}/
+	file-magic /^[\x0d\x0a[:blank:]]*<\?xml version[ =]['"].*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL])/
+}
+
+signature file-html {
+	file-mime "text/html", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+}
+
+signature file-html2 {
+	file-mime "text/html", 20
+	file-magic /[\x0d\x0a[:blank:]]*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+}
+
+signature file-soap {
+	file-mime "application/soap+xml", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<[sS][oO][aA][pP]-[eE][nN][vV]:[eE][nN][vV][eE][lL][oO][pP][eE]/
+}
+
+signature file-cross-domain-policy {
+	file-mime "text/x-cross-domain-policy", 49
+	file-magic /^[\x0d\x0a[:blank:]]*(<\?xml version="1.0"\?>)?<![dD][oO][cC][tT][yY][pP][eE] {1,}[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+}
+
+signature file-cross-domain-policy2 {
+	file-mime "text/x-cross-domain-policy", 49
+	file-magic /^[\x0d\x0a[:blank:]]*<[cC][rR][oO][sS][sS]-[dD][oO][mM][aA][iI][nN]-[pP][oO][lL][iI][cC][yY]/
+}
+
+# Microsoft LNK files
+signature file-lnk {
+	file-mime "application/x-ms-shortcut", 49
+	file-magic /^\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x10\x00\x00\x00\x46/
 }
 
 signature file-jar {
@@ -37,12 +70,6 @@ signature file-tnef {
 	file-mime "application/vnd.ms-tnef", 100
 }
 
-# Mac OS X DMG files
-signature file-dmg {
-	file-magic /^(\x78\x01\x73\x0D\x62\x62\x60|\x78\xDA\x63\x60\x18\x05|\x78\x01\x63\x60\x18\x05|\x78\xDA\x73\x0D|\x78[\x01\xDA]\xED[\xD0-\xD9])/
-	file-mime "application/x-dmg", 100
-}
-
 # Mac OS X Mach-O executable
 signature file-mach-o {
 	file-magic /^[\xce\xcf]\xfa\xed\xfe/
@@ -55,13 +82,6 @@ signature file-mach-o-universal {
 	file-mime "application/x-mach-o-executable", 100
 }
 
-# XAR (eXtensible ARchive) format. 
-# Mac OS X uses this for the .pkg format.
-signature file-xar {
-	file-magic /^xar\!/
-	file-mime "application/x-xar", 100
-}
-
 signature file-pkcs7 {
 	file-magic /^MIME-Version:.*protocol=\"application\/pkcs7-signature\"/
 	file-mime "application/pkcs7-signature", 100
@@ -79,16 +99,6 @@ signature file-jnlp {
 	file-mime "application/x-java-jnlp-file", 100
 }
 
-signature file-ico {
-	file-magic /^\x00\x00\x01\x00/
-	file-mime "image/x-icon", 70
-}
-
-signature file-cur {
-	file-magic /^\x00\x00\x02\x00/
-	file-mime "image/x-cursor", 70
-}
-
 signature file-pcap {
 	file-magic /^(\xa1\xb2\xc3\xd4|\xd4\xc3\xb2\xa1)/
 	file-mime "application/vnd.tcpdump.pcap", 70
@@ -119,7 +129,53 @@ signature file-python {
 	file-mime "text/x-python", 60
 }
 
+signature file-awk {
+	file-mime "text/x-awk", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(g|n)?awk/
+}
+
+signature file-tcl {
+	file-mime "text/x-tcl", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?(wish|tcl)/
+}
+
+signature file-lua {
+	file-mime "text/x-lua", 49
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?lua/
+}
+
+signature file-javascript {
+	file-mime "application/javascript", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?node(js)?/
+}
+
+signature file-javascript2 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*<script[[:blank:]]+(type|language)=['"](text\/)?javascript['"]>/
+}
+
+signature file-javascript3 {
+	file-mime "application/javascript", 60
+	# This seems to be a somewhat common idiom in javascript.
+	file-magic /^[\x0d\x0a[:blank:]]*for \(;;\);/
+}
+
+signature file-javascript4 {
+	file-mime "application/javascript", 60
+	file-magic /^[\x0d\x0a[:blank:]]*document\.write(ln)?[:blank:]?\(/
+}
+
+signature file-javascript5 {
+	file-mime "application/javascript", 60
+	file-magic /^\(function\(\)[[:blank:]\n]*\{/
+}
+
 signature file-php {
+	file-mime "text/x-php", 60
+	file-magic /^\x23\x21[^\n]{1,15}bin\/(env[[:space:]]+)?php/
+}
+
+signature file-php2 {
 	file-magic /^.*<\?php/
 	file-mime "text/x-php", 40
 }
@@ -135,3 +191,23 @@ signature file-skp {
 	file-magic /^\xFF\xFE\xFF\x0E\x53\x00\x6B\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4D\x00\x6F\x00\x64\x00\x65\x00\x6C\x00/
 	file-mime "application/skp", 100
 }
+
+signature file-elf-object {
+	file-mime "application/x-object", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x01\x00|\x02.{10}\x00\x01)/
+}
+
+signature file-elf {
+	file-mime "application/x-executable", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x02\x00|\x02.{10}\x00\x02)/
+}
+
+signature file-elf-sharedlib {
+	file-mime "application/x-sharedlib", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x03\x00|\x02.{10}\x00\x03)/
+}
+
+signature file-elf-coredump {
+	file-mime "application/x-coredump", 50
+	file-magic /\x7fELF[\x01\x02](\x01.{10}\x04\x00|\x02.{10}\x00\x04)/
+}

scripts/base/frameworks/files/magic/image.sig

@@ -0,0 +1,178 @@
+
+signature file-tiff {
+	file-mime "image/tiff", 70
+	file-magic /^(MM\x00[\x2a\x2b]|II[\x2a\x2b]\x00)/
+}
+
+signature file-gif {
+	file-mime "image/gif", 70
+	file-magic /^GIF8/
+}
+
+
+# >0  beshort&,=-40 (0xffd8), ["JPEG image data"], swap_endian=0
+signature file-magic-auto427 {
+	file-mime "image/jpeg", 52
+	file-magic /(\xff\xd8)/
+}
+
+signature file-bmp {
+	file-mime "image/x-ms-bmp", 50
+	file-magic /BM.{12}[\x0c\x28\x40\x6c\x7c\x80]\x00/
+}
+
+signature file-ico {
+	file-magic /^\x00\x00\x01\x00/
+	file-mime "image/x-icon", 70
+}
+
+signature file-cur {
+	file-magic /^\x00\x00\x02\x00/
+	file-mime "image/x-cursor", 70
+}
+
+# >0  string,=8BPS (len=4), ["Adobe Photoshop Image"], swap_endian=0
+signature file-magic-auto289 {
+	file-mime "image/vnd.adobe.photoshop", 70
+	file-magic /(8BPS)/
+}
+
+signature file-png {
+	file-mime "image/png", 110
+	file-magic /^\x89PNG\x0d\x0a\x1a\x0a/
+}
+
+# JPEG 2000
+signature file-jp2 {
+	file-mime "image/jp2", 60
+	file-magic /.{4}ftypjp2/
+}
+
+# JPEG 2000
+signature file-jp22 {
+	file-mime "image/jp2", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jp2 /
+}
+
+# JPEG 2000
+signature file-jpx {
+	file-mime "image/jpx", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jpx /
+}
+
+# JPEG 2000
+signature file-jpm {
+	file-mime "image/jpm", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}jpm /
+}
+
+# >0  string,=Xcur (len=4), ["Xcursor data"], swap_endian=0
+signature file-magic-auto271 {
+	file-mime "image/x-xcursor", 70
+	file-magic /(Xcur)/
+}
+
+# >0  string,=IIN1 (len=4), ["NIFF image data"], swap_endian=0
+signature file-magic-auto282 {
+	file-mime "image/x-niff", 70
+	file-magic /(IIN1)/
+}
+
+# >0  lelong&,=20000630 (0x01312f76), ["OpenEXR image data,"], swap_endian=0
+signature file-magic-auto291 {
+	file-mime "image/x-exr", 70
+	file-magic /(\x76\x2f\x31\x01)/
+}
+
+# >0  string,=SDPX (len=4), ["DPX image data, big-endian,"], swap_endian=0
+signature file-magic-auto292 {
+	file-mime "image/x-dpx", 70
+	file-magic /(SDPX)/
+}
+
+# >0  string,=CPC\262 (len=4), ["Cartesian Perceptual Compression image"], swap_endian=0
+signature file-magic-auto294 {
+	file-mime "image/x-cpi", 70
+	file-magic /(CPC\xb2)/
+}
+
+
+signature file-orf {
+	file-mime "image/x-olympus-orf", 70
+	file-magic /IIR[OS]|MMOR/
+}
+
+# >0  string,=FOVb (len=4), ["Foveon X3F raw image data"], swap_endian=0
+signature file-magic-auto298 {
+	file-mime "image/x-x3f", 70
+	file-magic /(FOVb)/
+}
+
+# >0  string,=PDN3 (len=4), ["Paint.NET image data"], swap_endian=0
+signature file-magic-auto299 {
+	file-mime "image/x-paintnet", 70
+	file-magic /(PDN3)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDRA (len=4), [", Corel Draw Picture"], swap_endian=0
+signature file-magic-auto355 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDRA)/
+}
+
+# >0  string,=RIFF (len=4), ["RIFF (little-endian) data"], swap_endian=0
+# >>8  string,=CDR6 (len=4), [", Corel Draw Picture, version 6"], swap_endian=0
+signature file-magic-auto356 {
+	file-mime "image/x-coreldraw", 70
+	file-magic /(RIFF)(.{4})(CDR6)/
+}
+
+# >0  string,=P7 (len=2), ["Netpbm PAM image file"], swap_endian=0
+signature file-magic-auto484 {
+	file-mime "image/x-portable-pixmap", 50
+	file-magic /(P7)/
+}
+
+# >4  string/W,=jP (len=2), ["JPEG 2000 image"], swap_endian=0
+signature file-magic-auto497 {
+	file-mime "image/jp2", 50
+	file-magic /(.{4})(jP)/
+}
+
+# DjVU Images
+signature file-djvu {
+	file-mime "image/vnd.djvu", 70
+	file-magic /AT\x26TFORM.{4}(DJV[MUI]|THUM)/
+}
+
+# DWG AutoDesk AutoCAD
+signature file-dwg {
+	file-mime "image/vnd.dwg", 90
+	file-magic /^(AC[12]\.|AC10)/
+}
+
+# >0  string,=gimp xcf (len=8), ["GIMP XCF image data,"], swap_endian=0
+signature file-magic-auto115 {
+	file-mime "image/x-xcf", 110
+	file-magic /(gimp xcf)/
+}
+
+# >0  string/t,=[BitmapInfo2] (len=13), ["Polar Monitor Bitmap text"], swap_endian=0
+signature file-magic-auto62 {
+	file-mime "image/x-polar-monitor-bitmap", 160
+	file-magic /(\x5bBitmapInfo2\x5d)/
+}
+
+# >0  string,=AWBM (len=4), [""], swap_endian=0
+# >>4  leshort&,<1981 (0x07bd), ["Award BIOS bitmap"], swap_endian=0
+signature file-magic-auto208 {
+	file-mime "image/x-award-bmp", 20
+	file-magic /(AWBM)(.{2})/
+}
+
+# >0  string,=\021\006 (len=2), ["Award BIOS Logo, 136 x 84"], swap_endian=0
+signature file-magic-auto483 {
+	file-mime "image/x-award-bioslogo", 50
+	file-magic /^\x11[\x06\x09]/
+}

scripts/base/frameworks/files/magic/msoffice.sig

@@ -26,3 +26,9 @@ signature file-pptx {
 	file-magic /^PK\x03\x04.{26}(\[Content_Types\]\.xml|_rels\x2f\.rels|ppt\x2f).*PK\x03\x04.{26}ppt\x2f/
 	file-mime "application/vnd.openxmlformats-officedocument.presentationml.presentation", 80
 }
+
+signature file-msaccess {
+	file-mime "application/x-msaccess", 180
+	file-magic /.{4}Standard (Jet|ACE) DB\x00/
+}
+

scripts/base/frameworks/files/magic/video.sig

@@ -0,0 +1,218 @@
+# >0  string,=FLV (len=3), ["Macromedia Flash Video"], swap_endian=0
+signature file-magic-auto400 {
+	file-mime "video/x-flv", 60
+	file-magic /(FLV)/
+}
+
+# >4  leshort&,=-20719 (0xaf11), [""], swap_endian=0
+# >>8  leshort&,=320 (0x0140), [""], swap_endian=0
+# >>>10  leshort&,=200 (0x00c8), [""], swap_endian=0
+# >>>>12  leshort&,=8 (0x0008), ["FLI animation, 320x200x8"], swap_endian=0
+signature file-magic-auto452 {
+	file-mime "video/x-fli", 50
+	file-magic /(.{4})(\x11\xaf)(.{2})(\x40\x01)(\xc8\x00)(\x08\x00)/
+}
+
+# >4  leshort&,=-20718 (0xaf12), [""], swap_endian=0
+# >>12  leshort&,=8 (0x0008), ["FLC animation"], swap_endian=0
+signature file-magic-auto453 {
+	file-mime "video/x-flc", 50
+	file-magic /(.{4})(\x12\xaf)(.{6})(\x08\x00)/
+}
+
+# Motion JPEG 2000
+signature file-mj2 {
+	file-mime "video/mj2", 70
+	file-magic /\x00\x00\x00\x0cjP  \x0d\x0a\x87\x0a.{8}mjp2/
+}
+
+# >0  string,=\212MNG (len=4), ["MNG video data,"], swap_endian=0
+signature file-magic-auto274 {
+	file-mime "video/x-mng", 70
+	file-magic /(\x8aMNG)/
+}
+
+# >0  string,=\213JNG (len=4), ["JNG video data,"], swap_endian=0
+signature file-magic-auto275 {
+	file-mime "video/x-jng", 70
+	file-magic /(\x8bJNG)/
+}
+
+# >0  belong&,=443 (0x000001bb), [""], swap_endian=0
+signature file-magic-auto204 {
+	file-mime "video/mpeg", 71
+	file-magic /(\x00\x00\x01\xbb)/
+}
+
+# >0  belong&,=432 (0x000001b0), [""], swap_endian=0
+signature file-magic-auto206 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&,=437 (0x000001b5), [""], swap_endian=0
+signature file-magic-auto207 {
+	file-mime "video/mp4v-es", 71
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  belong&,=435 (0x000001b3), [""], swap_endian=0
+signature file-magic-auto209 {
+	file-mime "video/mpv", 71
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# >0  belong&,=1 (0x00000001), [""], swap_endian=0
+# >>4  byte&0000001f,=0x07, [""], swap_endian=0
+signature file-magic-auto211 {
+	file-mime "video/h264", 41
+	file-magic /(\x00\x00\x00\x01)([\x07\x27\x47\x67\x87\xa7\xc7\xe7])/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xba, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto213 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xba)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb0, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto214 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb0)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb5, ["MPEG sequence, v4"], swap_endian=0
+signature file-magic-auto215 {
+	file-mime "video/mpeg4-generic", 40
+	file-magic /(\x00\x00\x01\xb5)/
+}
+
+# >0  belong&ffffffffffffff00,=256 (0x00000100), [""], swap_endian=0
+# >>3  byte&,=0xb3, ["MPEG sequence"], swap_endian=0
+signature file-magic-auto216 {
+	file-mime "video/mpeg", 40
+	file-magic /(\x00\x00\x01\xb3)/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,^0x40, [""], swap_endian=0
+signature file-magic-auto251 {
+	file-mime "video/mpeg", 21
+	file-magic /(\x00\x00\x01\xba)([\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf])/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=webm (len=4), ["WebM"], swap_endian=0
+signature file-magic-auto224 {
+	file-mime "video/webm", 70
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(webm)/
+}
+
+# >0  belong&,=440786851 (0x1a45dfa3), [""], swap_endian=0
+# >>4  search/4096,=B\202 (len=2), [""], swap_endian=0
+# >>>&1  string,=matroska (len=8), ["Matroska data"], swap_endian=0
+signature file-magic-auto225 {
+	file-mime "video/x-matroska", 110
+	file-magic /(\x1a\x45\xdf\xa3)(.*)(B\x82)(.{1})(matroska)/
+}
+
+# >0  belong&,=442 (0x000001ba), [""], swap_endian=0
+# >>4  byte&,&0x40, [""], swap_endian=0
+signature file-magic-auto250 {
+	file-mime "video/mp2p", 21
+	file-magic /(\x00\x00\x01\xba)([\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff])/
+}
+
+# >0  string,=MOVI (len=4), ["Silicon Graphics movie file"], swap_endian=0
+signature file-magic-auto252 {
+	file-mime "video/x-sgi-movie", 70
+	file-magic /(MOVI)/
+}
+
+# >4  string,=moov (len=4), ["Apple QuickTime"], swap_endian=0
+signature file-magic-auto253 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(moov)/
+}
+
+# >4  string,=mdat (len=4), ["Apple QuickTime movie (unoptimized)"], swap_endian=0
+signature file-magic-auto254 {
+	file-mime "video/quicktime", 70
+	file-magic /(.{4})(mdat)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=isom (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto257 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(isom)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp41 (len=4), [", MPEG v4 system, version 1"], swap_endian=0
+signature file-magic-auto258 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp41)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mp42 (len=4), [", MPEG v4 system, version 2"], swap_endian=0
+signature file-magic-auto259 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mp42)/
+}
+
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3ge (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto261 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3ge)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gg (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto262 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gg)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gp (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto263 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gp)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3gs (len=3), [", MPEG v4 system, 3GPP"], swap_endian=0
+signature file-magic-auto264 {
+	file-mime "video/3gpp", 60
+	file-magic /(.{4})(ftyp)(3gs)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=3g2 (len=3), [", MPEG v4 system, 3GPP2"], swap_endian=0
+signature file-magic-auto265 {
+	file-mime "video/3gpp2", 60
+	file-magic /(.{4})(ftyp)(3g2)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=mmp4 (len=4), [", MPEG v4 system, 3GPP Mobile"], swap_endian=0
+signature file-magic-auto266 {
+	file-mime "video/mp4", 70
+	file-magic /(.{4})(ftyp)(mmp4)/
+}
+
+# >4  string,=ftyp (len=4), ["ISO Media"], swap_endian=0
+# >>8  string,=avc1 (len=4), [", MPEG v4 system, 3GPP JVT AVC"], swap_endian=0
+signature file-magic-auto267 {
+	file-mime "video/3gpp", 70
+	file-magic /(.{4})(ftyp)(avc1)/
+}
+

src/file_analysis/AnalyzerSet.cc

@@ -52,9 +52,10 @@ bool AnalyzerSet::Add(file_analysis::Tag tag, RecordVal* args)
 
 	if ( analyzer_map.Lookup(key) )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s skipped for file id"
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s skipped: already exists", 
-		        " %s: already exists", file_mgr->GetComponentName(tag).c_str(),
+		        file->GetID().c_str(),
-		        file->GetID().c_str());
+		        file_mgr->GetComponentName(tag).c_str());
+
 		delete key;
 		return true;
 		}
@@ -92,9 +93,9 @@ bool AnalyzerSet::AddMod::Perform(AnalyzerSet* set)
 	{
 	if ( set->analyzer_map.Lookup(key) )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s skipped for file id"
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s skipped: already exists", 
-		        " %s: already exists", file_mgr->GetComponentName(a->Tag()).c_str(),
+		        a->GetFile()->GetID().c_str(),
-		        a->GetFile()->GetID().c_str());
+		        file_mgr->GetComponentName(a->Tag()).c_str());
 
 		Abort();
 		return true;
@@ -119,14 +120,14 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key)
 
 	if ( ! a )
 		{
-		DBG_LOG(DBG_FILE_ANALYSIS, "Skip remove analyzer %s for file id %s",
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Skip remove analyzer %s",
-		        file_mgr->GetComponentName(tag).c_str(), file->GetID().c_str());
+		        file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str());
 		return false;
 		}
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %s for file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove analyzer %s",
-	        file_mgr->GetComponentName(tag).c_str(),
+	        file->GetID().c_str(),
-	        file->GetID().c_str());
+	        file_mgr->GetComponentName(tag).c_str());
 
 	a->Done();
 	delete a;
@@ -168,8 +169,9 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(Tag tag,
 
 	if ( ! a )
 		{
-		reporter->Error("Failed file analyzer %s instantiation for file id %s",
+		reporter->Error("[%s] Failed file analyzer %s instantiation",
-		                file_mgr->GetComponentName(tag).c_str(), file->GetID().c_str());
+		                file->GetID().c_str(), 
+		                file_mgr->GetComponentName(tag).c_str());
 		return 0;
 		}
 
@@ -178,8 +180,8 @@ file_analysis::Analyzer* AnalyzerSet::InstantiateAnalyzer(Tag tag,
 
 void AnalyzerSet::Insert(file_analysis::Analyzer* a, HashKey* key)
 	{
-	DBG_LOG(DBG_FILE_ANALYSIS, "Add analyzer %s for file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Add analyzer %s",
-	        file_mgr->GetComponentName(a->Tag()).c_str(), file->GetID().c_str());
+	        file->GetID().c_str(), file_mgr->GetComponentName(a->Tag()).c_str());
 	analyzer_map.Insert(key, a);
 	delete key;
 
@@ -191,7 +193,7 @@ void AnalyzerSet::DrainModifications()
 	if ( mod_queue.empty() )
 		return;
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Start analyzer mod queue flush of file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Start analyzer mod queue flush",
 	        file->GetID().c_str());
 	do
 		{
@@ -200,6 +202,6 @@ void AnalyzerSet::DrainModifications()
 		delete mod;
 		mod_queue.pop();
 		} while ( ! mod_queue.empty() );
-	DBG_LOG(DBG_FILE_ANALYSIS, "End flushing analyzer mod queue of file id %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] End flushing analyzer mod queue.",
 	        file->GetID().c_str());
 	}

src/file_analysis/File.cc

@@ -304,7 +304,9 @@ bool File::DetectMIME()
 	file_mgr->DetectMIME(data, len, &matches);
 
 	if ( matches.empty() )
+		{
 		return false;
+		}
 
 	if ( FileEventAvailable(file_mime_type) )
 		{
@@ -502,10 +504,10 @@ void File::EndOfFile()
 	// any stream analyzers.
 	if ( ! bof_buffer.full )
 		{
+		DBG_LOG(DBG_FILE_ANALYSIS, "[%s] File over but bof_buffer not full.", id.c_str());
 		bof_buffer.full = true;
 		DeliverStream((const u_char*) "", 0);
 		}
-
 	analyzers.DrainModifications();
 
 	done = true;
@@ -582,7 +584,7 @@ void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	mgr.QueueEvent(h, vl);
 
 	if ( h == file_new || h == file_over_new_connection ||
-	     h == file_mime_type ||
+	     h == file_mime_type || h == file_mime_types ||
 	     h == file_timeout || h == file_extraction_limit )
 		{
 		// immediate feedback is required for these events.

src/file_analysis/Manager.cc

@@ -390,7 +390,7 @@ bool Manager::RemoveFile(const string& file_id)
 	if ( ! f )
 		return false;
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Remove FileID %s", file_id.c_str());
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Remove file", file_id.c_str());
 
 	f->EndOfFile();
 	delete f;
@@ -467,8 +467,8 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const
 		return 0;
 		}
 
-	DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s for file %s",
+	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Instantiate analyzer %s",
-		GetComponentName(tag).c_str(), f->id.c_str());
+		f->id.c_str(), GetComponentName(tag).c_str());
 
 	Analyzer* a = c->Factory()(args, f);
 

testing/btest/Baseline/core.tunnels.teredo/http.log

@@ -3,11 +3,11 @@
 #empty_field	(empty)
 #unset_field	-
 #path	http
-#open	2014-04-01-22-57-21
+#open	2015-03-14-01-46-26
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1210953057.917183	C7XEbhP654jzLoe3a	192.168.2.16	1578	75.126.203.78	80	1	POST	download913.avast.com	/cgi-bin/iavs4stats.cgi	-	Syncer/4.80 (av_pro-1169;f)	589	0	204	<empty>	-	-	-	(empty)	-	-	-	Fp32SIJztq0Szn5Qc	text/plain	-	-
 1210953061.585996	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	1	GET	ipv6.google.com	/	-	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	6640	200	OK	-	-	-	(empty)	-	-	-	-	-	FNFYdH11h5iQcoD3a2	text/html
 1210953073.381474	CwSkQu4eWZCH7OONC1	2001:0:4137:9e50:8000:f12a:b9c8:2815	1286	2001:4860:0:2001::68	80	2	GET	ipv6.google.com	/search?hl=en&q=Wireshark+!&btnG=Google+Search	http://ipv6.google.com/	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	25119	200	OK	-	-	-	(empty)	-	-	-	-	-	FHD5nv1iSVFZVM0aH7	text/html
-1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	application/xml
+1210953074.674817	Cab0vO1xNYSS2hJkle	192.168.2.16	1580	67.228.110.120	80	1	GET	www.wireshark.org	/	http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search	Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5	0	11845	200	OK	-	-	-	(empty)	-	-	-	-	-	FS7lUf2cJFAVBCu6w6	text/html
-#close	2014-04-01-22-57-21
+#close	2015-03-14-01-46-26

testing/btest/Baseline/doc.sphinx.mimestats/btest-doc.sphinx.mimestats#1

@@ -16,15 +16,15 @@
       #empty_field	(empty)
       #unset_field	-
       #path	mime_metrics
-      #open	2014-10-08-03-56-52
+      #open	2015-03-14-01-46-11
       #fields	ts	ts_delta	mtype	uniq_hosts	hits	bytes
       #types	time	interval	string	count	count	count
-      1389719059.311698	300.000000	text/html	1	7	68469
+      1389719059.311698	300.000000	text/html	1	2	42231
       1389719059.311698	300.000000	image/jpeg	1	1	186859
       1389719059.311698	300.000000	application/pgp-signature	1	1	836
-      1389719059.311698	300.000000	text/plain	1	10	101763
+      1389719059.311698	300.000000	text/plain	1	15	128001
       1389719059.311698	300.000000	image/gif	1	1	172
       1389719059.311698	300.000000	image/png	1	9	82176
       1389719059.311698	300.000000	image/x-icon	1	2	2300
-      #close	2014-10-08-03-56-52
+      #close	2015-03-14-01-46-11
 

testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log

@@ -3,20 +3,20 @@
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-04-01-12-47
+#open	2015-03-14-01-47-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
-1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	-	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
+1416942644.593119	CXWv6p3arKYeMETxOg	192.168.4.149	49422	23.92.19.75	443	F0txuw2pvrkZOn04a8	application/pkix-cert	23.92.19.75:443/tcp	www.pantz.org	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-04-01-12-47
+#close	2015-03-14-01-47-46
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	intel
-#open	2015-03-04-01-12-47
+#open	2015-03-14-01-47-46
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	seen.indicator	seen.indicator_type	seen.where	seen.node	sources
 #types	time	string	addr	port	addr	port	string	string	string	string	enum	enum	string	set[string]
 1170717505.934612	CXWv6p3arKYeMETxOg	192.150.187.164	58868	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717509.082241	CjhGID4nQcgTWjvg4c	192.150.187.164	58869	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
 1170717512.108799	CCvvfg3TEfuqmmG4bh	192.150.187.164	58870	194.127.84.106	443	-	-	-	www.dresdner-privat.de	Intel::DOMAIN	X509::IN_CERT	bro	source1
-#close	2015-03-04-01-12-47
+#close	2015-03-14-01-47-46