3 Replies. Latest reply: Apr 29, 2013 1:55 AM by alexott

    MediaType Detection


      Need some input on media type detection.


      I want to identify instances where the client User-Agent matches "java" and the request results in the download of a certain type of file.


      I have a rule set with criteria Cycle.TopName equals "Response" which applies to Responses and Embedded Objects. I'm pretty sure that for the final rule I can eliminate Responses, but I think that having that criteria included may have given me some insight into how things work/are working. On the other hand, it may be completely skewing my testing.


      My first rule ignores java downloads for specific destinations. This works.


      Under the first rule I have a rule set for Java downloads w/user-agent criteria.


      My second rule looks for MediaType.EnsuredTypes at least one in list Java Downloads.


      Java Downloads contains:







      If I match on the second rule, I write a log line.


      One of the current problems is that .jar files are getting logged as matching the criteria.


      What am I missing?

        • 1. Re: MediaType Detection

          .jar files are going to have multiple ensured types.


          I have a routine where I send a file through ICAP and get back all the data from the response and the embedded cycles, including ensured media types. When I send a jar file, I receive:



          X-File-Name: ICAPSScanner.jar

          X-Media-Type: application/java-archive, application/zip

          X-File-Info: META-INF/MANIFEST.MF|55|text/plain

          X-File-Info: scan/ICAPSResponse.class|3557|application/java-vm

          X-File-Info: scan/ICAPSResponse.java|3068|text/plain

          X-File-Info: scan/ICAPSTester$1.class|739|application/java-vm

          X-File-Info: scan/ICAPSTester$2.class|734|application/java-vm

          X-File-Info: scan/ICAPSTester$3.class|734|application/java-vm

          X-File-Info: scan/ICAPSTester$4.class|734|application/java-vm

          X-File-Info: scan/ICAPSTester$5.class|734|application/java-vm

          X-File-Info: scan/ICAPSTester.class|12767|application/java-vm

          X-File-Info: scan/ICAPSTester.java|21306|text/plain

          X-File-Info: scan/ICAPSClient$1.class|930|application/java-vm

          X-File-Info: scan/ICAPSClient.class|9714|application/java-vm

          X-File-Info: scan/ICAPSClient.java|9773|text/plain


            X-File-Name and X-Media-Type are the jar file itself and the other entries are the filename|size|ensured type inside the jar.


          So you are probably matching on at least one in list for application/zip because the ensured type includes that.


          And you will probably need some exclusion for EnsureTypes contains application/jar to skip over the jar+zip combination.


          Message was edited by: eelsasser typos and additional thoughts. on 4/26/13 12:48:28 PM EDT
          • 2. Re: MediaType Detection

            What I'm trying to accomplish is to catch java exploits @ the point at which the Java executable tries to download a payload.


            Any specific suggestions?

            • 3. Re: MediaType Detection

              The media type detector can return several MIME types for one file - this is by design. A jar file is a subtype of zip archive, so we return MIME types for both jar and zip.

              You need to add a subcondition like "MediaType.EnsuredTypes" doesn't contain "application/java-archive"
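The following is an added example, not code from the thread or from the gateway product, that models the rule logic discussed in reply 1 and reply 3: it parses the X-Media-Type / X-File-Info headers shown above, evaluates the original "User-Agent matches java AND EnsuredTypes at least one in list Java Downloads" rule, and then the same rule with the "doesn't contain application/java-archive" subcondition. The .jar header block is copied from reply 1 (the X-File-Info list is abbreviated); the .zip header block, the User-Agent strings, the regular expression used for the "matches java" test and the contents of the Java Downloads list (the thread only reveals that it includes application/zip) are assumptions for this illustration.

```python
import re

# Constructed inputs for this example. The .jar header block is copied from
# reply 1 in the thread above (X-File-Info list abbreviated); the .zip block
# and the User-Agent strings below are made up for illustration.
JAR_HEADERS = """\
X-File-Name: ICAPSScanner.jar
X-Media-Type: application/java-archive, application/zip
X-File-Info: META-INF/MANIFEST.MF|55|text/plain
X-File-Info: scan/ICAPSResponse.class|3557|application/java-vm
X-File-Info: scan/ICAPSTester$1.class|739|application/java-vm
X-File-Info: scan/ICAPSClient.java|9773|text/plain
"""

ZIP_HEADERS = """\
X-File-Name: data.zip
X-Media-Type: application/zip
X-File-Info: readme.txt|12|text/plain
"""

# Assumed contents of the poster's "Java Downloads" list; the thread only
# reveals that it contains application/zip.
JAVA_DOWNLOADS = ["application/zip", "application/octet-stream"]

# Assumed reading of 'User-Agent matches "java"': case-insensitive substring.
JAVA_UA = re.compile(r"java", re.IGNORECASE)


def parse_icap_headers(raw):
    """Split the ICAP-style headers into (file name, ensured types, embedded objects).

    X-Media-Type carries every ensured type of the outer file, comma separated;
    each X-File-Info line is path|size|ensured type for one embedded object.
    """
    file_name = None
    ensured_types = []
    embedded = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "X-File-Name":
            file_name = value
        elif name == "X-Media-Type":
            ensured_types = [t.strip() for t in value.split(",") if t.strip()]
        elif name == "X-File-Info":
            path, size, mtype = value.split("|", 2)
            embedded.append((path, int(size), mtype))
    return file_name, ensured_types, embedded


def at_least_one_in_list(ensured_types, wanted):
    """'MediaType.EnsuredTypes at least one in list': any ensured type is in the list."""
    return any(t in wanted for t in ensured_types)


def original_rule(user_agent, ensured_types):
    """The poster's rule: java User-Agent and at least one ensured type in Java Downloads."""
    return bool(JAVA_UA.search(user_agent)) and at_least_one_in_list(ensured_types, JAVA_DOWNLOADS)


def corrected_rule(user_agent, ensured_types):
    """Same rule plus the subcondition from reply 3: skip the jar+zip combination."""
    return original_rule(user_agent, ensured_types) and "application/java-archive" not in ensured_types


def evaluate(user_agent, raw_headers):
    """Return the file name, its ensured types and both verdicts for one response."""
    file_name, ensured_types, _ = parse_icap_headers(raw_headers)
    return {
        "file": file_name,
        "ensured_types": ensured_types,
        "original_rule": original_rule(user_agent, ensured_types),
        "corrected_rule": corrected_rule(user_agent, ensured_types),
    }


if __name__ == "__main__":
    cases = [("Java/1.7.0_17", JAR_HEADERS),
             ("Java/1.7.0_17", ZIP_HEADERS),
             ("Mozilla/5.0", ZIP_HEADERS)]
    for ua, headers in cases:
        print(ua, evaluate(ua, headers))
```

Run stand-alone, the .jar fetched by the Java client matches the original rule (because application/zip is among its ensured types) but not the corrected one, while a plain .zip fetched by the Java client still matches both; a browser User-Agent matches neither. The example only models the boolean logic of the conditions; the gateway's own wildcard semantics for "matches" and the ordering of the rule sets are not reproduced. It uses application/java-archive for the exclusion, which is the type the ICAP output in reply 1 actually reports.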