[ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19932#comment-19932 ]

Jon Siwek commented on BIT-1338:
--------------------------------

{quote}
The connection object is not available directly from fa_file.
{quote}

The "conns" field of fa_file should hold all the connection records over which 
the file was transferred, if any.  Does that help simplify your analysis?  E.g.:

{code}
event file_mime_type(f: fa_file, mime_type: string)
    {
    if ( ! f?$conns ) return;

    for ( cid in f$conns )
        {
        local c: connection = f$conns[cid];
        # Do stuff with 'c' ...
        }
    }
{code}

{quote}
One suggestion I'd make is that the 2.4 release notes do not adequately convey 
this event change 
(https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality),
at least to me. A note about changes in when information is available in the 
event progression would have helped me.
{quote}

Definitely, I'll add that note.  Thanks.

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>             Fix For: 2.4
>
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no 
> longer initialized during the file_over_new_connection event. This is new 
> behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test 
> traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) { print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) { print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get 
> set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { if ( ! is_orig ) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { if ( ! is_orig ) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
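The practical consequence of this thread is an event-ordering rule: in 2.4, connection$http$resp_mime_types is not yet populated when file_over_new_connection fires, but by file_mime_type the fa_file's "conns" table holds every connection that carried the file, so that is where per-connection HTTP state can be correlated with the detected type. The script below is an added example, not code from the ticket or from the Bro project. It assumes the 2.4-era script API (fa_file$conns, connection$http$resp_mime_types, join_string_vec); the module name MimeWatch and the flagged_mime_types policy table are constructed for illustration and are not part of Bro.

```zeek
# Added example (not from the ticket or from Bro): where HTTP response MIME
# types are reliably available in Bro 2.4, and how to use fa_file$conns.
# Assumes the 2.4-era script API; MimeWatch and flagged_mime_types are
# constructed for this illustration.

module MimeWatch;

export {
    ## Constructed example policy: MIME types worth a second look when they
    ## arrive over HTTP.
    const flagged_mime_types: set[string] = {
        "application/x-dosexec",
        "application/x-executable"
    } &redef;
}

# In 2.4 this event fires before the HTTP analyzer has filled in
# c$http$resp_mime_types, so only note that the file and connection met here;
# do not make policy decisions on resp_mime_types at this point.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
    {
    local have_types = c?$http && c$http?$resp_mime_types;
    print fmt("file %s over %s: resp_mime_types set=%s", f$id, c$uid, have_types);
    }

# By the time the MIME type is known, f$conns holds every connection that
# carried the file, so this is the place to correlate the file's detected
# type with per-connection HTTP state.
event file_mime_type(f: fa_file, mime_type: string)
    {
    if ( ! f?$conns )
        return;

    if ( mime_type !in flagged_mime_types )
        return;

    for ( cid in f$conns )
        {
        local c: connection = f$conns[cid];

        # Files can arrive over non-HTTP protocols; those have no c$http.
        if ( ! c?$http )
            next;

        # resp_mime_types is a vector of string; show "<unset>" if the
        # HTTP analyzer has not provided it for this connection.
        local http_types = c$http?$resp_mime_types ?
            join_string_vec(c$http$resp_mime_types, ",") : "<unset>";

        # The server (responder) is the sender of an HTTP response body.
        print fmt("flagged %s (%s) from %s:%s to %s:%s, http resp_mime_types=%s",
                  f$id, mime_type,
                  cid$resp_h, cid$resp_p, cid$orig_h, cid$orig_p,
                  http_types);
        }
    }
```

Run it against the trace used in the ticket with, for example, `bro -r bro/testing/btest/Traces/http/get.trace mime_watch.bro` (the script filename is an assumption). Because the very thing that changed between 2.3 and 2.4 is when this information becomes available, the first handler's output is the quick check that tells you which behaviour your Bro build has before you rely on the second.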