file identification modification

I see that:

scripts/base/protocols/http/file-ident.sig

lets me create magic byte signatures for filetypes I have an interest in. This seems to be specific to http.

My problem is that I want to detect files sent via smtp. Right now, files.log does NOT have filenames for things I am sending as attachments, such as mytext.ext. When I send this as an attachment, there is no filename *.ext… As such, I would like to attach this to the file analyzer so that I can get notices for files that have the magic byte headers I am concerned with. Is there an easy way to do this for smtp and ftp?

Actually, I do not see file-ident.sig anywhere in the source tree, or my deployment tree. Where is this kept? Thanks!

This was broken out a couple of releases ago. There are a bunch of file signature files in base/frameworks/files/magic/

  .Seth

Hmm. So I modified the msoffice.sig with this

/\x21\x42\x44\x4E/

but the sig doesn't fire. However when I do

/!BDN/

it does. What gives? :) Also, what's the number after the mimetype association mean? My mimetype is

application/outlook, 5

Thanks!

Sorry, that's /^… and /^!..

> /\x21\x42\x44\x4E/
>
> but the sig doesn't fire. However when I do
>
> /!BDN/
>
> it does. What gives? :)

I'm not sure offhand why that wouldn't work.

> Also, what's the number after the mimetype association mean? My mimetype is
>
> application/outlook, 5

That's a priority. Since multiple matches can happen, we've tried to make the signatures that should be more specific and reliable be higher priority. The current numbers are a bit haphazard though.

  .Seth
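The priority rule Seth describes, as an added worked example that is my own Python model and not Zeek's code or the contents of its magic/*.sig files: a small signature table in the shape of Zeek's file-mime / file-magic entries is run against constructed sample files, every matching entry is collected, and the highest priority wins. The table assumes a hypothetical vague rule `application/x-bang-header` (priority 1) and a zip rule (priority 10) alongside the poster's `application/outlook, 5`; the sample bytes are constructed. The block also shows that `\x21\x42\x44\x4E` and `!BDN` are the same four bytes to a regex engine, and why the `^` anchor matters: without it the magic would fire on `!BDN` anywhere inside a file.

```python
import re
from typing import List, Optional, Tuple

# Constructed signature table in the shape of Zeek's file-magic entries:
# (mime type, priority, file-magic regex as bytes). Example data only,
# not the contents of Zeek's base/frameworks/files/magic/*.sig files.
SIGNATURES: List[Tuple[str, int, bytes]] = [
    # Hypothetical, deliberately vague rule: any file starting with '!'.
    # Low priority so that more specific rules beat it.
    ("application/x-bang-header", 1, rb"^!"),
    # The poster's rule: four magic bytes, anchored to the file start.
    # \x21\x42\x44\x4E is the same byte sequence as the literal "!BDN".
    ("application/outlook", 5, rb"^\x21\x42\x44\x4E"),
    # Zip container (also the outer layer of OOXML documents).
    ("application/zip", 10, rb"^PK\x03\x04"),
]


def matching_signatures(data: bytes) -> List[Tuple[str, int]]:
    """Return every (mime, priority) whose magic regex matches the file bytes."""
    hits = []
    for mime, priority, pattern in SIGNATURES:
        if re.search(pattern, data):
            hits.append((mime, priority))
    return hits


def best_mime(data: bytes) -> Optional[str]:
    """Resolve overlapping matches as the thread describes: highest priority wins."""
    hits = matching_signatures(data)
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[1])[0]


def same_match(pattern_hex: bytes, pattern_literal: bytes, sample: bytes) -> bool:
    """True when a hex-escaped and a literal spelling of a pattern agree on a sample."""
    return bool(re.search(pattern_hex, sample)) == bool(re.search(pattern_literal, sample))


def anchored_vs_unanchored(sample: bytes) -> Tuple[bool, bool]:
    """(anchored hit, unanchored hit) for the poster's magic on one sample."""
    return (bool(re.search(rb"^!BDN", sample)), bool(re.search(rb"!BDN", sample)))


# Constructed sample files; only the leading bytes matter for magic matching.
PST_LIKE = b"!BDN" + b"\x00" * 12
ZIP_LIKE = b"PK\x03\x04" + b"\x00" * 12
TEXT_WITH_MAGIC_INSIDE = b"hello !BDN world"

if __name__ == "__main__":
    for name, blob in [("pst-like", PST_LIKE), ("zip-like", ZIP_LIKE),
                       ("text", TEXT_WITH_MAGIC_INSIDE)]:
        print(name, matching_signatures(blob), "->", best_mime(blob))
    print("hex == literal:", same_match(rb"^\x21\x42\x44\x4E", rb"^!BDN", PST_LIKE))
    print("anchored, unanchored on text:", anchored_vs_unanchored(TEXT_WITH_MAGIC_INSIDE))
```

On the pst-like sample both the vague rule and the poster's rule match, and the priority 5 entry is reported; on the text sample only the unanchored spelling fires, which is the false positive the `^` prevents.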