On 18 Sep 2017, at 16:43, Keith Lehigh wrote:
> Hi Folks,
> I’ve been mulling over an addition to the file mime type
> signature that consists of “1 to 16 ASCII readable characters”.
> 16 is an arbitrary length cutoff. The purpose of this signature would
> be to log instances where a short status code is returned by a web
> service. I see lots of responses like “[]” or “OK” or
> “Success” and currently these are logged in files.log as unknown
> file types. I think Bro would be improved by logging a filetype for
> these responses.

What about creating a mime type for an enumerated list of all of the ones you find? With a pattern like /^(OK|Success|0|1)$/

That way you could avoid other short responses from getting caught up in the net. I also suspect that [] should be something different because if you see that over HTTP, it's probably in most cases just an empty JSON array.

  .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
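The two signatures discussed in this thread, compared over a handful of constructed response bodies; this is an added example, not part of the original messages and not Bro signature code. The MIME labels, the sample bodies and the whitespace tolerance in the empty-array rule are assumptions made for illustration.

```python
import re

# Proposal in the quoted message: any body of 1 to 16 printable ASCII characters.
BROAD = re.compile(rb"[\x20-\x7e]{1,16}")
# Suggestion in the reply: an enumerated list of known status strings.
ENUMERATED = re.compile(rb"(OK|Success|0|1)")
# Empty JSON array; tolerating surrounding whitespace is an assumption.
EMPTY_JSON_ARRAY = re.compile(rb"\s*\[\s*\]\s*")

# Hypothetical label for short status bodies, chosen for this example only.
STATUS_MIME = "text/x-short-status"
JSON_MIME = "application/json"


def classify_broad(body: bytes):
    """Label any short printable body as a status response."""
    return STATUS_MIME if BROAD.fullmatch(body) else None


def classify_enumerated(body: bytes):
    """Label only known status strings; treat [] as JSON, not as a status."""
    if EMPTY_JSON_ARRAY.fullmatch(body):
        return JSON_MIME
    if ENUMERATED.fullmatch(body):
        return STATUS_MIME
    return None


# Constructed sample bodies (not captured traffic).
SAMPLES = [b"OK", b"Success", b"0", b"1", b"[]", b"hunter2", b"GIF89a",
           b"id=42;admin=1", b"<html>", b"Successful login for bob"]


def compare(samples):
    """Return (body, broad label, enumerated label) for each sample."""
    return [(b, classify_broad(b), classify_enumerated(b)) for b in samples]


def overmatched(samples):
    """Bodies the broad rule calls a status but the enumerated rules leave unknown."""
    return [b for b, broad, enum in compare(samples) if broad and enum is None]


if __name__ == "__main__":
    for body, broad, enum in compare(SAMPLES):
        print(f"{body!r:28} broad={broad!s:20} enumerated={enum}")
    print("caught only by the broad rule:", overmatched(SAMPLES))
```

The bodies returned by `overmatched` are the "other short responses" the reply warns about: under the broad rule they would all be logged in files.log with the same type as a genuine "OK".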
