Bro file extraction, mime_type identification


emre....@btpsec.com

Aug 25, 2016, 6:25:38 AM
to security-onion
Hi all,

How does bro identify the mime_type?
Heuristically, or by looking at a header?

I want to extract swf files.
I configured extract.bro like this:

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/x-shockwave-flash"] = "swf",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
} &default = "";

event file_sniff(f: fa_file, meta: fa_metadata)
{
    # Only continue for files sniffed as Flash. Note that the comparison is
    # against "x-shockwave-flash", not the full "application/x-shockwave-flash"
    # string that the sniffer reports, so this condition is never satisfied.
    if ( ! meta?$mime_type || meta$mime_type != "x-shockwave-flash" )
        return;

    local ext = "";

    # Map the sniffed MIME type to a file extension ("" if unknown).
    if ( meta?$mime_type )
        ext = ext_map[meta$mime_type];

    # Write the extracted file as <source>-<file id>.<ext>.
    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}

But it does not extract the swf file; actually, it does not extract anything.

On the other hand, if I configure it like this (look at the condition),

global ext_map: table[string] of string = {
    ["application/x-dosexec"] = "exe",
    ["application/x-shockwave-flash"] = "swf",
    ["text/plain"] = "txt",
    ["image/jpeg"] = "jpg",
    ["image/png"] = "png",
    ["text/html"] = "html",
} &default = "";

event file_sniff(f: fa_file, meta: fa_metadata)
{
    # Skip only files for which no MIME type could be sniffed at all.
    if ( ! meta?$mime_type )
        return;

    local ext = "";

    # Map the sniffed MIME type to a file extension ("" if unknown).
    if ( meta?$mime_type )
        ext = ext_map[meta$mime_type];

    # Write the extracted file as <source>-<file id>.<ext>.
    local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}

Now it extracts everything, including the swf file.

What do you think about that?

Wes

Aug 25, 2016, 6:43:40 AM
to security-onion

Have you tried using "application/x-shockwave-flash" instead of "x-shockwave-flash"?

https://groups.google.com/d/msg/security-onion/1vvTFq0c6Lc/_tea01gNAQAJ

Thanks,
Wes

emre....@btpsec.com

Aug 25, 2016, 7:03:53 AM
to security-onion

Hi Wes,
Now, I have tried application/x-shockwave-flash instead of x-shockwave-flash.
It works, thanks for your attention.

Seth Hall

Aug 25, 2016, 9:57:43 PM
to securit...@googlegroups.com

> On Aug 25, 2016, at 7:03 AM, emre....@btpsec.com wrote:
>
> Now, I have tried application/x-shockwave-flash instead of x-shockwave-flash.
> It works, thanks for your attention.

Unfortunately we don't have these documented well yet. If you'd like to refer to what file types are supported currently though, you can refer to the signatures located here:
https://github.com/bro/bro/tree/master/scripts/base/frameworks/files/magic

You can find the exact shockwave mime type here:
https://github.com/bro/bro/blob/master/scripts/base/frameworks/files/magic/general.sig#L156

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
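Seth's pointer to the magic directory answers the original question: Bro assigns mime_type from file-magic signatures, byte patterns matched against the start of a file, and each signature carries the full type/subtype string. The Python model below is an added illustration for this thread, not code from the posts or from Bro itself. Its signature table is constructed for the example and only mirrors the shape of Bro's signatures (leading-byte pattern mapped to a full MIME type); EXT_MAP copies the poster's ext_map; the sample file headers and ids are constructed. It shows why the first handler extracted nothing (the sniffed string is "application/x-shockwave-flash", so comparing against "x-shockwave-flash" never matches) and why the second handler extracted every file with a recognised type.

```python
"""Model of signature-based MIME sniffing and extract-by-MIME selection.

Added illustration, not Bro's code: the patterns below are constructed for
this example and stand in for the real signatures kept under
scripts/base/frameworks/files/magic/ in the Bro source tree.
"""
import re
from typing import Optional

# Constructed leading-byte patterns -> full MIME type string.
MAGIC_SIGNATURES = [
    (re.compile(rb"^(F|C|Z)WS"), "application/x-shockwave-flash"),   # SWF: FWS / CWS / ZWS
    (re.compile(rb"^MZ"), "application/x-dosexec"),                   # DOS/PE executable
    (re.compile(rb"^\x89PNG\r\n\x1a\n"), "image/png"),
    (re.compile(rb"^\xff\xd8\xff"), "image/jpeg"),
    (re.compile(rb"^\s*<(!DOCTYPE\s+)?html", re.IGNORECASE), "text/html"),
]

# Same table as the poster's ext_map; a miss yields "" like &default = "".
EXT_MAP = {
    "application/x-dosexec": "exe",
    "application/x-shockwave-flash": "swf",
    "text/plain": "txt",
    "image/jpeg": "jpg",
    "image/png": "png",
    "text/html": "html",
}


def sniff_mime(head: bytes) -> Optional[str]:
    """Return the MIME type of the first matching signature.

    None models the case where meta?$mime_type is false: no signature fired.
    """
    for pattern, mime in MAGIC_SIGNATURES:
        if pattern.search(head):
            return mime
    return None


def extract_filename(source: str, fid: str, head: bytes,
                     wanted_mime: Optional[str] = None,
                     outdir: str = "/nsm/bro/extracted") -> Optional[str]:
    """Mirror the poster's file_sniff handler.

    With wanted_mime set, behaves like the first script (extract only files
    whose sniffed type equals wanted_mime); with wanted_mime=None it behaves
    like the second script (extract every file that has a sniffed type).
    Returns the extraction path, or None where the handler would return early.
    """
    mime = sniff_mime(head)
    if mime is None:
        return None
    if wanted_mime is not None and mime != wanted_mime:
        return None
    ext = EXT_MAP.get(mime, "")
    return f"{outdir}/{source}-{fid}.{ext}"


if __name__ == "__main__":
    # Constructed sample headers (first bytes of each file), not captured traffic.
    samples = {
        "swf": b"FWS\x0a\x78\x00\x05\x5f",
        "exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "txt": b"hello world",
    }
    for name, head in samples.items():
        print(name, sniff_mime(head),
              extract_filename("HTTP", "FakeId", head, "x-shockwave-flash"),
              extract_filename("HTTP", "FakeId", head, "application/x-shockwave-flash"),
              extract_filename("HTTP", "FakeId", head))
```

Because the sniffed type is compared as a whole string, a filter on a partial type silently matches nothing; when an extraction handler produces no files, checking the exact type string the sniffer reports (for example in files.log) is the first thing to verify.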
