ASCII response filetype

Keith_Lehigh · September 18, 2017, 8:43pm

Hi Folks,
I’ve been mulling over an addition to the file mime type signature that consists of “1 to 16 ASCII readable characters”. 16 is an arbitrary length cutoff. The purpose of this signature would be to log instances where a short status code is returned by a web service. I see lots of responses like “[]” or “OK” or “Success” and currently these are logged in files.log as unknown file types. I think Bro would be improved by logging a filetype for these responses.
Using the entire set of readable ASCII characters would make this flexible enough to handle various responses w/o trying to enumerate all possibilities. A downside would be differentiating a short text file. I don’t have much of a solution for that problem at this point, but I’d be open to suggestions. I’m sure there are other downsides I’m not seeing. Thoughts?

Keith

Seth_Hall2 · September 18, 2017, 8:59pm

What about creating a mime type for an enumerated list of all of the ones you find? With a pattern like /^(OK|Success|0|1)$/

That was you could avoid other short responses from getting caught up in the net. I also suspect that [] should be something different because if you see that over HTTP, it's probably in most cases just an empty JSON array.

.Seth

Topic		Replies	Views
Empty mime type in http.log Zeek	1	78	May 6, 2022
Bro's escaping of non-printable characters behaves unexpected Zeek	5	41	May 6, 2022
http-ext-identified-files Zeek	4	100	May 6, 2022
Json output Zeek	3	96	May 6, 2022
How to convert name field in smb_files.log to "readable" string? Zeek	5	69	May 6, 2022

ASCII response filetype

Related Topics