emre....@btpsec.com
unread,Aug 25, 2016, 6:25:38 AM8/25/16Sign in to reply to author
Sign in to forward
You do not have permission to delete messages in this group
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to security-onion
Hi all,
How does bro identify mime_type?
Heuristically or looking to any header?
I want to extract swf files.
I configured extract.bro like
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/x-shockwave-flash"] = "swf",
["text/plain"] = "txt",
["image/jpeg"] = "jpg",
["image/png"] = "png",
["text/html"] = "html",
} &default ="";
event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( ! meta?$mime_type || meta$mime_type != "x-shockwave-flash")
return;
local ext = "";
if ( meta?$mime_type )
ext = ext_map[meta$mime_type];
local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
But it does not extract swf file, actually anything.
On the other hand, if I configure like that (look at the condition),
global ext_map: table[string] of string = {
["application/x-dosexec"] = "exe",
["application/x-shockwave-flash"] = "swf",
["text/plain"] = "txt",
["image/jpeg"] = "jpg",
["image/png"] = "png",
["text/html"] = "html",
} &default ="";
event file_sniff(f: fa_file, meta: fa_metadata)
{
if ( ! meta?$mime_type )
return;
local ext = "";
if ( meta?$mime_type )
ext = ext_map[meta$mime_type];
local fname = fmt("/nsm/bro/extracted/%s-%s.%s", f$source, f$id, ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
}
Now it extracts everything, including swf file.
What do you think about that?