[ 
https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15572#comment-15572
 ] 

Jon Siwek commented on BIT-1143:
--------------------------------

{quote}
Could we do a middle way: try our own signatures first and if they yield 
something, that's what we take. If not, use whatever libmagic reports 
(potentially also filtering out those cases for which we do have signatures so 
that libmagic won't overrule them).
{quote}

In that case, what's gained from Bro having its own file magic signatures 
instead of just using libmagic by itself?

If Bro did completely switch to its own magic sigs, I think we have to do a 
best effort approach to porting all the current MIME magics.  Tests for 
everything would be nice, but I don't think a test per MIME is a requirement 
for now.  libmagic isn't exactly thoroughly tested at the moment either.  We 
could probably just have tests for common cases first and do obscure ones 
later.  And I actually see keeping the dependence on libmagic as a somewhat 
higher maintainability cost than switching to signatures.

The effort to port the magics is still unknown, but hopefully it could be done 
systematically or at least go fast once one understands the process of manually 
converting them.

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>
>                 Key: BIT-1143
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1143
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's 
> own signature engine for file identification before the next release.  Don't 
> want people getting used to magic file format for their own custom file 
> identification rules.



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
