ASCII response filetype

Hi Folks,
I’ve been mulling over an addition to the file mime type signature that consists of “1 to 16 ASCII readable characters”. 16 is an arbitrary length cutoff. The purpose of this signature would be to log instances where a short status code is returned by a web service. I see lots of responses like “[]” or “OK” or “Success” and currently these are logged in files.log as unknown file types. I think Bro would be improved by logging a filetype for these responses.
Using the entire set of readable ASCII characters would make this flexible enough to handle various responses w/o trying to enumerate all possibilities. A downside would be differentiating a short text file. I don’t have much of a solution for that problem at this point, but I’d be open to suggestions. I’m sure there are other downsides I’m not seeing. Thoughts?

  • Keith

What about creating a mime type for an enumerated list of all of the ones you find? With a pattern like /^(OK|Success|0|1)$/

That way you could avoid other short responses from getting caught up in the net. I also suspect that [] should be something different because if you see that over HTTP, it's probably in most cases just an empty JSON array.
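An added example, not part of the thread and not Bro code: a Python comparison of the two proposed patterns over constructed response bodies, with "[]" handled as empty JSON first. It assumes "readable ASCII" means bytes 0x20-0x7e; the "status/..." labels are hypothetical names, not registered MIME types.

```python
import json
import re

# First proposal: the whole body is 1 to 16 printable ASCII bytes.
# Assumption: "readable" means 0x20-0x7e, so CR/LF are excluded.
SHORT_ASCII = re.compile(rb"\A[\x20-\x7e]{1,16}\Z")
# Second proposal: the enumerated pattern from the reply, anchored to the whole body.
ENUMERATED = re.compile(rb"\A(OK|Success|0|1)\Z")


def is_empty_json(body):
    """True when the body parses as an empty JSON array or object."""
    try:
        return json.loads(body.decode("ascii")) in ([], {})
    except (UnicodeDecodeError, ValueError):
        return False


def classify(body):
    """Most specific match wins; None means the body stays unidentified."""
    if is_empty_json(body):
        return "application/json"
    if ENUMERATED.match(body):
        return "status/enumerated"    # hypothetical label
    if SHORT_ASCII.match(body):
        return "status/short-ascii"   # hypothetical label
    return None


# Constructed sample bodies, not taken from real traffic.
SAMPLES = [
    b"OK", b"Success", b"[]",
    b"ERR 42",       # a status the enumerated list does not know
    b"hello world",  # a short text file: only the broad pattern catches it
    b"OK\n",         # a trailing newline defeats both anchored patterns
    b"A" * 17,       # one byte past the 16-byte cutoff
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(repr(body), "->", classify(body))
```

The "ERR 42" and "hello world" rows show the trade-off discussed above: the enumerated list misses unknown status strings, while the broad pattern cannot tell a status from a short text file.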