I’ve been mulling over an addition to the file mime type signature that consists of “1 to 16 ASCII readable characters”. 16 is an arbitrary length cutoff. The purpose of this signature would be to log instances where a short status code is returned by a web service. I see lots of responses like “” or “OK” or “Success” and currently these are logged in files.log as unknown file types. I think Bro would be improved by logging a filetype for these responses.
Using the entire set of readable ASCII characters would make this flexible enough to handle various responses w/o trying to enumerate all possibilities. A downside would be differentiating a short text file. I don’t have much of a solution for that problem at this point, but I’d be open to suggestions. I’m sure there are other downsides I’m not seeing. Thoughts?
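A sketch of the proposed rule in Python, added here as an illustration and not code from the post or from Bro: it compares a whole-body match against a prefix-only match to show where the 16-character cutoff has to be enforced, and where the short-text-file ambiguity remains. The label `text/x-short-status`, the byte range 0x20-0x7e for "readable", and the optional trailing-newline leniency are assumptions.

```python
import re

# Hypothetical label: the post does not name a MIME type for this signature.
SHORT_STATUS = "text/x-short-status"

# "1 to 16 ASCII readable characters", taken here as bytes 0x20-0x7e
# (assumption: space counts as readable; tab, CR and LF do not).
READABLE = re.compile(rb"[\x20-\x7e]{1,16}")

def classify_whole(body: bytes, strip_eol: bool = False):
    """Match only when the entire body is 1-16 readable ASCII bytes."""
    if strip_eol:
        # Optional leniency (assumption): ignore one trailing LF or CRLF.
        body = re.sub(rb"\r?\n\Z", b"", body)
    return SHORT_STATUS if READABLE.fullmatch(body) else None

def classify_prefix(body: bytes):
    """Match on the leading bytes only, with no check on total length."""
    return SHORT_STATUS if READABLE.match(body) else None

# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "status_ok": b"OK",
    "status_success": b"Success",
    "status_with_newline": b"OK\r\n",
    "empty": b"",
    "seventeen_chars": b"A" * 17,
    "binary": b"\x89PNG\r\n\x1a\n",
    "short_text_file": b"buy milk",
    "long_text_file": b"Meeting notes for Tuesday, attendees: ...\n" * 20,
}

def run():
    """Return {name: (whole, whole_lenient, prefix)} for every sample."""
    return {
        name: (classify_whole(b), classify_whole(b, strip_eol=True), classify_prefix(b))
        for name, b in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (whole, lenient, prefix) in run().items():
        print(f"{name:20} whole={whole} lenient={lenient} prefix={prefix}")
```

The prefix-only variant labels the 17-character body and the long text file as short status responses, so the length bound must apply to the whole body; the short text file matches under every variant, which is the ambiguity raised in the post.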