btlyric
Level 12

MediaType Detection

Need some input on media type detection.

I want to identify instances where the client User-Agent matches "java" and the request results in the download of a certain type of file.

I have a rule set with criteria Cycle.TopName equals "Response" which applies to Responses and Embedded Objects. I'm pretty sure that for the final rule I can eliminate Responses, but I think that having that criteria included may have given me some insight into how things work/are working. On the other hand, it may be completely skewing my testing.

My first rule ignores java downloads for specific destinations. This works.

Under the first rule I have a rule set for Java downloads w/user-agent criteria.

My second rule looks for MediaType.EnsuredTypes at least one in list Java Downloads.

Java Downloads contains:

application/rar
application/zip
application/executable
application/screen-saver

If I match on the second rule, I write a log line.

One of the current problems is that .jar files are getting logged as matching the criteria.

What am I missing?

eelsasser
Level 15

Re: MediaType Detection

.jar files are going to have multiple ensured types.

I have a routine where I send a file through ICAP and get back all the data from the response and the embedded cycles, including ensured media types. When I send a jar file, I receive:

X-File-Name: ICAPSScanner.jar
X-Media-Type: application/java-archive, application/zip
X-File-Info: META-INF/MANIFEST.MF|55|text/plain
X-File-Info: scan/ICAPSResponse.class|3557|application/java-vm
X-File-Info: scan/ICAPSResponse.java|3068|text/plain
X-File-Info: scan/ICAPSTester$1.class|739|application/java-vm
X-File-Info: scan/ICAPSTester$2.class|734|application/java-vm
X-File-Info: scan/ICAPSTester$3.class|734|application/java-vm
X-File-Info: scan/ICAPSTester$4.class|734|application/java-vm
X-File-Info: scan/ICAPSTester$5.class|734|application/java-vm
X-File-Info: scan/ICAPSTester.class|12767|application/java-vm
X-File-Info: scan/ICAPSTester.java|21306|text/plain
X-File-Info: scan/ICAPSClient$1.class|930|application/java-vm
X-File-Info: scan/ICAPSClient.class|9714|application/java-vm
X-File-Info: scan/ICAPSClient.java|9773|text/plain

X-File-Name and X-Media-Type are the jar file itself and the other entries are the filename|size|ensured type inside the jar.

So you are probably matching on at least one in list for application/zip because the ensured type includes that.

And you will probably need some exclusion for EnsureTypes contains application/jar to skip over the jar+zip combination.

Message was edited by: eelsasser (typos and additional thoughts) on 4/26/13 12:48:28 PM EDT
btlyric
Level 12

Re: MediaType Detection

What I'm trying to accomplish is to catch java exploits @ the point at which the Java executable tries to download a payload.

Any specific suggestions?

alexott
Level 11

Re: MediaType Detection

Media type detector can return several mime types for one file - this is by design. Jar file is a subtype of zip archive, so we return mime types for jar & zip.

You need to add subcondition like "MediaType.EnsuredTypes" doesn't contain "application/java-archive"

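As an added illustration (not from this thread or the product itself), the following Python model evaluates the original rule and the corrected rule from this thread over constructed sample responses; the record fields, the user-agent regex and the sample values are assumptions made for the example.

```python
import re

# Constructed sample responses, shaped after the ICAP scanner output quoted
# above (X-File-Name / X-Media-Type). These are not real captures.
SAMPLE_RESPONSES = [
    {"user_agent": "Java/1.7.0_17", "x_file_name": "ICAPSScanner.jar",
     "x_media_type": "application/java-archive, application/zip"},
    {"user_agent": "Java/1.7.0_17", "x_file_name": "payload.exe",
     "x_media_type": "application/executable"},
    {"user_agent": "Mozilla/5.0", "x_file_name": "archive.zip",
     "x_media_type": "application/zip"},
    {"user_agent": "Java/1.6.0_45", "x_file_name": "setup.scr",
     "x_media_type": "application/screen-saver"},
]

# The "Java Downloads" media type list from the question.
JAVA_DOWNLOADS = {"application/rar", "application/zip",
                  "application/executable", "application/screen-saver"}


def ensured_types(x_media_type):
    """Split a comma-separated X-Media-Type value into a set of media types."""
    return {t.strip() for t in x_media_type.split(",") if t.strip()}


def original_rule(resp):
    """Original rule: User-Agent matches 'java' AND
    MediaType.EnsuredTypes has at least one entry in Java Downloads."""
    ua_is_java = re.search(r"java", resp["user_agent"], re.IGNORECASE) is not None
    return ua_is_java and bool(ensured_types(resp["x_media_type"]) & JAVA_DOWNLOADS)


def corrected_rule(resp):
    """Corrected rule: the original condition plus the subcondition that
    MediaType.EnsuredTypes does not contain application/java-archive,
    so a jar (java-archive + zip) no longer matches via application/zip."""
    types = ensured_types(resp["x_media_type"])
    return original_rule(resp) and "application/java-archive" not in types


def matched_files(rule, responses=SAMPLE_RESPONSES):
    """Return the file names that a rule would log for the given responses."""
    return [r["x_file_name"] for r in responses if rule(r)]


if __name__ == "__main__":
    print("original :", matched_files(original_rule))
    print("corrected:", matched_files(corrected_rule))
```

The jar shows up under the original rule because its second ensured type, application/zip, is in the list; the added subcondition drops it while the executable and screen-saver downloads are still logged.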