File log

Is it normal for the ‘filename’ field to always be empty? The mime_type is almost always identified but the filename field is always ‘-’

application/vnd.ms-cab-compressed -
application/x-dosexec -
text/plain -
application/x-dosexec -
text/plain -
application/vnd.ms-fontobject -
application/vnd.ms-fontobject -
application/vnd.ms-fontobject -
application/octet-stream -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
image/jpeg -
image/jpeg -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
text/plain -
text/html -
text/html -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/x-dosexec -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/x-dosexec -
text/plain -
image/jpeg -
application/vnd.ms-cab-compressed -
application/octet-stream -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
image/jpeg -
image/jpeg -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
image/jpeg -
application/x-dosexec -
application/x-dosexec -
application/vnd.ms-cab-compressed -
application/vnd.ms-cab-compressed -
text/html -
text/html -

Thanks.

This is normal. Filename is used for protocols that identify the file name when it is in transit on the network (like HTTP). Generally though… you don’t actually want the filename, so this doesn’t have much impact on Bro’s ability to do cool stuff with files (how would you deal with a trillion copies of index.html, for example?).

Good to know. Out of curiosity though, if the field is of little value then why even have it? (I have to deal with a trillion copies of ‘-’)

:wink:

For a little more explanation, I'll point to a mailing list post I did a while ago:
  http://marc.info/?l=bro&m=139882790812212&w=2

I'm not sure that I'd say that the field is of little value though. It's actually pretty valuable; the only problem is that for the most frequently seen protocol in your files log (HTTP), filenames are rarely made available. If you look at SMTP traffic, you will much more frequently see that attachments have filenames.

Also, for the upcoming SMB analyzer, filenames are always (or should always be) available.

  .Seth
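As an added illustration (not code from the thread or from Bro itself), here is a small Python script that parses a constructed files.log excerpt and reports, per source protocol, how many records actually carry a filename. It reads the unset marker from the log's own #unset_field header, so a "-" is counted as missing rather than treated as a filename; the column subset and the record values are made up for the example.

```python
from collections import defaultdict

# Constructed sample in Bro/Zeek ASCII log layout (tab-separated, "-" = unset).
# Only a subset of the real files.log columns is used; the parser reads the
# column order from the #fields line, so real logs with more columns work too.
SAMPLE_FILES_LOG = "\n".join([
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\tts\tfuid\tsource\tmime_type\tfilename",
    "#types\ttime\tstring\tstring\tstring\tstring",
    "1398827908.1\tFa1\tHTTP\tapplication/vnd.ms-cab-compressed\t-",
    "1398827909.2\tFa2\tHTTP\ttext/html\t-",
    "1398827910.3\tFa3\tHTTP\tapplication/x-dosexec\t-",
    "1398827911.4\tFa4\tSMTP\tapplication/pdf\tinvoice.pdf",
    "1398827912.5\tFa5\tSMTP\tapplication/x-dosexec\tsetup.exe",
])

def parse_files_log(text):
    """Yield one dict per record. #fields and #unset_field are taken from
    the log header, so the column order is not hard-coded."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        # Unset columns become None so callers cannot mistake "-" for a name.
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}

def filename_coverage(text):
    """Return {source: (records_seen, records_with_filename)}."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_files_log(text):
        counts = stats[rec["source"]]
        counts[0] += 1
        counts[1] += int(rec["filename"] is not None)
    return {src: tuple(c) for src, c in stats.items()}

if __name__ == "__main__":
    for src, (seen, named) in sorted(filename_coverage(SAMPLE_FILES_LOG).items()):
        print("%-5s %d files, %d with filename" % (src, seen, named))
```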