[ 
https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15566#comment-15566
 ] 

Jon Siwek commented on BIT-1143:
--------------------------------

A question about requirements.

Bro currently uses libmagic for two types of file information -- simple mime 
type identification and also more verbose descriptions.  E.g. "image/png" 
versus "PNG image data, 1435 x 170, 8-bit/color RGB, non-interlaced".

Both types are exposed to users via the {{identify_data}} BIF.  The generic 
file-over-tcp analyzer also can raise a {{file_transferred}} event that 
contains both types of info.  Finally, the files framework only relies on the 
mime type.

How necessary is it to keep the verbose file description functionality in 
the absence of libmagic?  The way to support it seems like it would be for the file 
signature regexes to include capture groups to extract all the variable info, 
but is that possible with Bro's regular expressions?

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's 
> own signature engine for file identification before the next release.  Don't 
> want people getting used to magic file format for their own custom file 
> identification rules.



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
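
An added example, not part of the original message and not Bro code: the difference between the two kinds of file information for the PNG case quoted above, using Python's `re` as a stand-in regex engine (nothing here says what Bro's own regular expressions support). The helper names, the colour-type labels and the sample header are constructed for illustration; note that the captured groups are raw bytes and still have to be decoded as big-endian integers before a description can be built.

```python
import re
import struct
import zlib

# PNG magic followed by the IHDR chunk. The capture groups pull out the
# variable fields that a verbose description reports.
PNG_SIG = re.compile(
    rb"\x89PNG\r\n\x1a\n"       # 8-byte file signature
    rb"\x00\x00\x00\x0dIHDR"    # IHDR chunk length (13) and chunk type
    rb"(.{4})(.{4})"            # width, height (big-endian uint32)
    rb"(.)(.)..(.)",            # bit depth, colour type, (2 skipped), interlace
    re.DOTALL,
)

# Illustrative labels for the PNG colour-type field (not libmagic's table).
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "colormap", 4: "gray+alpha", 6: "RGBA"}


def mime_type(data):
    """Simple identification: a plain match is enough."""
    return "image/png" if PNG_SIG.match(data) else None


def describe(data):
    """Verbose description: needs the captured bytes decoded into numbers."""
    m = PNG_SIG.match(data)
    if m is None:
        return None
    width, height = struct.unpack(">II", m.group(1) + m.group(2))
    depth, ctype, interlace = (g[0] for g in m.group(3, 4, 5))
    color = COLOR_TYPES.get(ctype, "unknown color type %d" % ctype)
    lace = "interlaced" if interlace else "non-interlaced"
    return "PNG image data, %d x %d, %d-bit/color %s, %s" % (
        width, height, depth, color, lace)


def make_png_header(width, height, depth=8, ctype=2, interlace=0):
    """Build a constructed PNG signature + IHDR chunk for testing."""
    ihdr = struct.pack(">IIBBBBB", width, height, depth, ctype, 0, 0, interlace)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + ihdr + struct.pack(">I", crc))


SAMPLE = make_png_header(1435, 170)  # constructed sample, not captured traffic

if __name__ == "__main__":
    print(mime_type(SAMPLE))
    print(describe(SAMPLE))
```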
