[
https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19927#comment-19927
]
Jon Siwek commented on BIT-1338:
--------------------------------
The earliest point that new mime type information is available is in the
file_mime_type event which now comes after file_new/file_over_new_connection.
Can you extract what you need at that time? E.g.:
{code}
event file_mime_type(f: fa_file, mime_type: string)
    {
    # f$http is only present for files transferred over HTTP.
    if ( f?$http )
        print "file_mime_type", f$http;
    }
{code}
> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
> Key: BIT-1338
> URL: https://bro-tracker.atlassian.net/browse/BIT-1338
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Paul Pearce
> Labels: mime
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no
> longer initialized during the file_over_new_connection event. This is new
> behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test
> traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get
> set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}