libmagic for HTTP

Eric_Thomas · May 30, 2008, 5:41pm

I like FileAnalyzer and its use of libmagic. But I'd like to explore ways it can be used for protocols other than FTP, SMTP, etc. Would it be possible to expose some BIFs so that the magic number analyzer could be used elsewhere, such as http_entity_data? Or is this already there and I'm just missing it? Thanks!

Eric
edthoma@sandia.gov

Seth_Hall4 · May 30, 2008, 6:09pm

Here is a patch for Bro's trunk to add two libmagic BiFs. (identify_magic_descr, identify_magic_mime). I have a corresponding Bro script for identifying files transferred over HTTP if you're interested in it too.

.Seth

libmagic_bifs.patch (1.83 KB)

Seth_Hall4 · May 31, 2008, 1:10am

(I'm sending this to the list again since I sent it to the wrong list last time)

http-identified-files.bro (2.93 KB)

Topic		Replies	Views
[JIRA] (BIT-1143) Investigate replacing libmagic w/ signatures for file identificaiton Development development	1	88	May 6, 2022
CIFS/SMB protocol analyzer Development development	3	123	May 6, 2022
extract jar files from HTTP stream Zeek	9	85	May 6, 2022
Extract files based on magic number using Bro 2.2 Zeek	3	56	May 6, 2022
File extraction after checking hash. Zeek	7	120	May 6, 2022

libmagic for HTTP

Related Topics