zeek/scripts/base/frameworks/files/magic/general.sig at 8dad5026fdf7a5190414671d372e52396922c6a2 - Mirror/zeek - git.uphillsecurity.com: We code.

Mirror/zeek

mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00

Jon Siwek 8dad5026fd File type detection changes and fix https.log {orig,resp}_fuids fields.

- Removed "binary" and "octet-stream" mime type detections. They don't
  provide any more information than an uninitialized mime_type field
  which implicitly means no magic signature matches and so the media
  type is unknown to Bro.

- Slight change to "text/plain" signature.  It's still not the most
  accurate, which is reflected in its -20 strength value.

- The logic for adding file ids to {orig,resp}_fuids fields of
  the http.log incorrectly depended on the state of
  {orig,resp}_mime_types fields, so sometimes not all file ids
  associated w/ the session were logged.

2014-03-25 12:44:11 -05:00

11 lines

279 B

Standard ML

Raw Blame History

 # General purpose file magic signatures.
 signature file-plaintext {
     file-magic /([[:print:][:space:]]{10})/
     file-mime "text/plain", -20
 }
 signature file-tar {
     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
     file-mime "application/x-tar", 150
 }