In that case, what's gained from Bro having its own file magic
signatures instead of just using libmagic by itself?
I was thinking better control over the matching, but I guess there's
not really that much to gain in addition.
If Bro did completely switch to its own magic sigs, I think we have to
do a best effort approach to porting all the current MIME magics.
Can this be (semi-)automated, i.e., converting the magic mime db into
Bro regular expressions?
Also, we should investigate performance: Bro's signature engine
doesn't have a reputation for being the fastest in the world. Hard
to predict how it performs compared to libmagic; but then I also don't
know if it mattered much if the file type detection got slower.
One more caveat, something I actually didn't think about so far: the
signature engine has some dependencies on connection state, not sure
if using files as the analysis units goes without pain.
Tests for everything would be nice, but I don't think a test per MIME
is a requirement for now.
Agreed.
So if we can basically keep detecting all the MIME types we currently
find, without hurting performance in a significant way, I'm fine fully
switching.
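Added example, not part of the thread and not code from the Bro project: a best-effort converter of the kind asked about above, turning a small constructed excerpt written in libmagic's text format into Bro `signature` blocks with `file-mime` and `file-magic` lines. It only handles top-level `string` tests at a fixed offset, skips `>`-nested continuation tests, and emits every byte outside a conservative whitelist as `\xHH` so that regex metacharacters in the magic value cannot leak into the pattern. The sample entries, the `file-` naming scheme and the fixed strength value 80 are assumptions made for the example.

```python
import re
import string
from typing import List, Optional, Tuple

# Constructed excerpt in libmagic's text format (not copied from the real
# magic database; the JFIF offset is made up to exercise non-zero offsets).
SAMPLE_MAGIC = r"""
# PDF
0 string %PDF- PDF document
!:mime application/pdf
# PNG
0 string \x89PNG\r\n\x1a\n PNG image data
!:mime image/png
# Zip, with a nested continuation test that the converter ignores
0 string PK\003\004 Zip archive data
>4 byte 0x09 some nested detail
!:mime application/zip
# JPEG marker at a non-zero offset
6 string JFIF JPEG image data
!:mime image/jpeg
"""

MagicEntry = Tuple[int, bytes, str]  # (offset, literal bytes, MIME type)

_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "a": b"\a", "b": b"\b",
                   "f": b"\f", "v": b"\v", "\\": b"\\", " ": b" "}


def unescape_magic_string(s: str) -> bytes:
    """Decode libmagic string escapes (\\xHH, \\NNN octal, \\n, \\r, ...) into bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        i += 1
        if i >= len(s):
            raise ValueError("dangling backslash in magic string")
        c = s[i]
        if c == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", s[i + 1:])
            if not m:
                raise ValueError("bad \\x escape in magic string")
            out.append(int(m.group(0), 16))
            i += 1 + len(m.group(0))
        elif c in "01234567":
            m = re.match(r"[0-7]{1,3}", s[i:])
            out.append(int(m.group(0), 8))
            i += len(m.group(0))
        elif c in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[c]
            i += 1
        else:
            out += c.encode("latin-1")
            i += 1
    return bytes(out)


def parse_magic(text: str) -> List[MagicEntry]:
    """Collect top-level 'string' tests that are followed by a !:mime annotation."""
    entries: List[MagicEntry] = []
    pending: Optional[Tuple[int, bytes]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!:"):
            key, _, val = line[2:].partition(" ")
            if key == "mime" and pending is not None:
                entries.append((pending[0], pending[1], val.strip()))
                pending = None
            continue
        if line.startswith(">"):
            continue  # nested continuation test: not expressible as one regex here
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[1].split("/")[0] != "string":
            pending = None  # numeric/other test types are out of scope
            continue
        pending = (int(parts[0], 0), unescape_magic_string(parts[2]))
    return entries


_SAFE = set(string.ascii_letters + string.digits + "%-_:;,=!@#~")


def to_bro_regex(offset: int, pattern: bytes) -> str:
    """Anchored Bro regex for literal bytes at a fixed offset from file start.
    '.' does not match newline in flex-style regexes, so the offset skip uses
    an explicit byte class instead."""
    body = "".join(chr(b) if chr(b) in _SAFE else "\\x%02x" % b for b in pattern)
    prefix = "^" if offset == 0 else "^[\\x00-\\xff]{%d}" % offset
    return "/%s%s/" % (prefix, body)


def to_bro_signature(entry: MagicEntry, idx: int, strength: int = 80) -> str:
    offset, pattern, mime = entry
    name = "file-%s-%d" % (re.sub(r"[^a-z0-9]+", "-", mime.lower()).strip("-"), idx)
    return ('signature %s {\n    file-mime "%s", %d\n    file-magic %s\n}\n'
            % (name, mime, strength, to_bro_regex(offset, pattern)))


def convert(text: str) -> str:
    return "\n".join(to_bro_signature(e, i) for i, e in enumerate(parse_magic(text)))


if __name__ == "__main__":
    print(convert(SAMPLE_MAGIC))
```

Every dropped test type and every skipped `>` line is a detection the ported set loses, so a real port should log those and hand them to a person, which is the best-effort approach the thread describes.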