[ https://bro-tracker.atlassian.net/browse/BIT-1143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15568#comment-15568 ]

Robin Sommer commented on BIT-1143:
-----------------------------------
Agree with Seth on the verbose descriptions. While they are nice to have (it's
kind of cool to look at the logs and see what level of detail Bro has figured
out), they don't seem worth the trouble.

However, I remain torn on completely replacing the MIME type detection with our
own signatures. I'm concerned that we lose valuable information that way:
right now, we can detect a variety of MIME types. While we don't use many of
them further, even the more obscure ones get logged at least, and that seems
useful. If we switch to signatures, we either have to limit the set
significantly to the main cases, or we'd need to write tons of rarely used
signatures that will be hard to test and maintain.

Could we do a middle way: try our own signatures first and if they yield
something, that's what we take. If not, use whatever libmagic reports
(potentially also filtering out those cases for which we do have signatures so
that libmagic won't overrule them)?

> Investigate replacing libmagic w/ signatures for file identification
> --------------------------------------------------------------------
>
> Key: BIT-1143
> URL: https://bro-tracker.atlassian.net/browse/BIT-1143
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Fix For: 2.3
>
>
> I think it makes sense to try to make the switch from libmagic to using Bro's
> own signature engine for file identification before the next release. Don't
> want people getting used to magic file format for their own custom file
> identification rules.
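
An added sketch of the "middle way" lookup order proposed in the comment above; it is not Bro's code and not part of the original message. The signature table, the `identify` and `match_signatures` names, and `toy_fallback` (a hypothetical stand-in for libmagic) are all assumptions, and dropping fallback results for covered types is one reading of the "filtering out" remark.

```python
from typing import Callable, Optional, Tuple

# Constructed signature table (not Bro's real signatures):
# (byte offset, magic bytes, MIME type).
SIGNATURES = [
    (0, b"%PDF-", "application/pdf"),
    (0, b"MZ", "application/x-dosexec"),
    (0, b"PK\x03\x04", "application/zip"),
    (257, b"ustar", "application/x-tar"),
]
# MIME types the signature set claims authority over.
COVERED = {mime for _, _, mime in SIGNATURES}


def match_signatures(data: bytes) -> Optional[str]:
    """Return the MIME type of the first signature matching at its offset."""
    for offset, magic, mime in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return mime
    return None


def identify(data: bytes,
             fallback: Callable[[bytes], Optional[str]]) -> Tuple[Optional[str], str]:
    """Signatures first; otherwise the fallback's answer unless it names a covered type.

    Returns (mime_type_or_None, source) so a log line can record who decided.
    """
    mime = match_signatures(data)
    if mime is not None:
        return mime, "signature"
    guess = fallback(data)
    if guess is None:
        return None, "none"
    if guess in COVERED:
        # Our own signature for this type did not match, so the fallback
        # is not allowed to overrule that result.
        return None, "filtered"
    return guess, "fallback"


def toy_fallback(data: bytes) -> Optional[str]:
    """Hypothetical stand-in for libmagic: looser checks, wider coverage."""
    if b"%PDF-" in data[:1024]:        # tolerates leading junk, unlike the signature
        return "application/pdf"
    if data.startswith(b"\x1f\x8b"):   # a type with no signature in the table above
        return "application/x-gzip"
    return None
```

Returning the source alongside the type keeps the obscure, fallback-only detections visible in the logs while making it clear which engine produced each answer.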