628 Views 3 Replies Latest reply: Apr 29, 2013 1:55 AM by alexott RSS
btlyric Apprentice 184 posts since
Aug 1, 2012

Apr 26, 2013 10:58 AM

MediaType Detection

Need some input on media type detection.

 

I want to identify instances where the client User-Agent matches "java" and the request results in the download of a certain type of file.

 

I have a rule set with criteria Cycle.TopName equals "Response" which applies to Responses and Embedded Objects. I'm pretty sure that for the final rule I can eliminate Responses, but I think that having that criteria included may have given me some insight into how things work/are working. On the other hand, it may be completely skewing my testing.

 

My first rule ignores java downloads for specific destinations. This works.

 

Under the first rule I have a rule set for Java downloads w/user-agent criteria.

 

My second rule looks for MediaType.EnsuredTypes at least one in list Java Downloads.

 

Java Downloads contains:

 

application/rar

application/zip

application/executable

application/screen-saver

 

If I match on the second rule, I write a log line.

 

One of the current problems is that .jar files are getting logged as matching the criteria.

 

What am I missing?

  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    1. Apr 26, 2013 11:48 AM (in response to btlyric)
    Re: MediaType Detection

    .jar files are going to have multiple ensured types.

     

    I have a routine where I send a file through ICAP and get back all the data from the response and the embedded cycles, including ensured media types. When I send a jar file, I receive:

     

     

    X-File-Name: ICAPSScanner.jar
    X-Media-Type: application/java-archive, application/zip
    X-File-Info: META-INF/MANIFEST.MF|55|text/plain
    X-File-Info: scan/ICAPSResponse.class|3557|application/java-vm
    X-File-Info: scan/ICAPSResponse.java|3068|text/plain
    X-File-Info: scan/ICAPSTester$1.class|739|application/java-vm
    X-File-Info: scan/ICAPSTester$2.class|734|application/java-vm
    X-File-Info: scan/ICAPSTester$3.class|734|application/java-vm
    X-File-Info: scan/ICAPSTester$4.class|734|application/java-vm
    X-File-Info: scan/ICAPSTester$5.class|734|application/java-vm
    X-File-Info: scan/ICAPSTester.class|12767|application/java-vm
    X-File-Info: scan/ICAPSTester.java|21306|text/plain
    X-File-Info: scan/ICAPSClient$1.class|930|application/java-vm
    X-File-Info: scan/ICAPSClient.class|9714|application/java-vm
    X-File-Info: scan/ICAPSClient.java|9773|text/plain

     

      X-File-Name and X-Media-Type are the jar file itself and the other entries are the filename|size|ensured type inside the jar.

     

    So you are probably matching on at least one in list for application/zip because the ensured type includes that.

     

    And you will probably need some exclusion for EnsuredTypes contains application/jar to skip over the jar+zip combination.

     

    Message was edited by: eelsasser typos and additional thoughts. on 4/26/13 12:48:28 PM EDT
  • alexott McAfee Employee 125 posts since
    Jan 19, 2011
    3. Apr 29, 2013 1:55 AM (in response to btlyric)
    Re: MediaType Detection

    The media type detector can return several MIME types for one file - this is by design. A jar file is a subtype of a zip archive, so we return MIME types for jar & zip.

    You need to add a subcondition like "MediaType.EnsuredTypes" doesn't contain "application/java-archive"
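
Added example, not part of any reply above and not Web Gateway rule syntax: a Python model of the rule logic discussed in the thread, showing why "at least one in list" fires on a jar and how the "doesn't contain" sub-condition changes the result. The function names, the substring User-Agent match and the sample User-Agent are assumptions; the header lines are taken from the ICAP output quoted above.

```python
# Added example: a model of the rule logic, not Web Gateway rule syntax.
# Header block abridged from the ICAP output quoted in the thread.
SAMPLE_HEADERS = """\
X-File-Name: ICAPSScanner.jar
X-Media-Type: application/java-archive, application/zip
X-File-Info: META-INF/MANIFEST.MF|55|text/plain
X-File-Info: scan/ICAPSResponse.class|3557|application/java-vm
"""

# The "Java Downloads" list from the original post.
JAVA_DOWNLOADS = {"application/rar", "application/zip",
                  "application/executable", "application/screen-saver"}
# The type named in the suggested sub-condition.
EXCLUDED_TYPES = {"application/java-archive"}


def parse_scan_headers(text):
    """Return (ensured types of the file itself, [(name, size, type), ...])."""
    ensured, members = [], []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "x-media-type":
            ensured += [t.strip().lower() for t in value.split(",") if t.strip()]
        elif key == "x-file-info":
            # filename|size|ensured type; split from the right so a "|"
            # inside a file name does not shift the fields
            name, size, mtype = value.rsplit("|", 2)
            members.append((name, int(size), mtype.strip().lower()))
    return ensured, members


def original_rule(user_agent, ensured):
    """User-Agent matches "java" (assumed: case-insensitive substring)
    AND ensured types 'at least one in list' Java Downloads."""
    return "java" in user_agent.lower() and bool(JAVA_DOWNLOADS & set(ensured))


def corrected_rule(user_agent, ensured):
    """Original rule plus: ensured types must not contain an excluded type."""
    return original_rule(user_agent, ensured) and not (EXCLUDED_TYPES & set(ensured))


if __name__ == "__main__":
    types, members = parse_scan_headers(SAMPLE_HEADERS)
    ua = "Java/1.7.0_21"  # constructed sample User-Agent
    print(types, original_rule(ua, types), corrected_rule(ua, types))
    print(corrected_rule(ua, ["application/zip"]))  # a plain zip still matches
```

The exclusion is evaluated against the full set of ensured types for the object, so a plain zip download by a Java client is still logged while the jar+zip combination is skipped.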
