Fix up the MIME analyzer

Description

The mime analyzer has a lot of inconsistency issues and is broken in a few places.

  • mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well. Delete it?

  • mime_all_data is probably also a bad idea. Especially for large files. Delete it?

  • mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply. The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data.

  • mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted.

  • mime_one_header should probably be renamed to mime_header for consistency.

  • I have no clue what mime_event is for. Is it necessary?

  • mime_content_hash gives a non-printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer.

  • The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG

  • mime_end_entity is generated multiple times in some cases when it shouldn't be. It's something to keep an eye out for; I never dug into it enough to find out what caused it.

  • It seems like the MIME analyzer should be doing this decoding for us directly.
    http://en.wikipedia.org/wiki/MIME#Encoded-Word
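
The encoded-word decoding that the last item asks for, sketched in Python as an added example; it is not Bro's code or the reporter's, and the function names are hypothetical. Malformed words and unknown charsets are returned unchanged instead of raising, so a hostile header cannot abort header processing.

```python
import base64
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Whitespace separating two adjacent encoded-words is not part of the text.
BETWEEN_WORDS = re.compile(r"(\?=)[ \t\r\n]+(?==\?)")


def decode_q(text):
    """Decode the "Q" encoding: "_" is a space, "=XX" is one hex-escaped byte."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":
            pair = text[i + 1:i + 3]
            if len(pair) != 2:
                raise ValueError("truncated =XX escape")
            out += bytes.fromhex(pair)  # ValueError on non-hex digits
            i += 3
        else:
            out.append(0x20 if text[i] == "_" else ord(text[i]))
            i += 1
    return bytes(out)


def decode_word(match):
    """Decode one encoded-word; return it unchanged if it is malformed."""
    charset, encoding, text = match.group(1), match.group(2).upper(), match.group(3)
    charset = charset.split("*", 1)[0]  # drop an RFC 2231 language suffix
    try:
        raw = base64.b64decode(text, validate=True) if encoding == "B" else decode_q(text)
        return raw.decode(charset)
    except (ValueError, LookupError):
        # bad base64 or hex, undecodable bytes, or an unknown charset
        return match.group(0)


def decode_header_value(value):
    """Replace every well-formed encoded-word in a header value with its text."""
    return ENCODED_WORD.sub(decode_word, BETWEEN_WORDS.sub(r"\1", value))
```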

Environment

None

Assignee

Unassigned

Reporter

Seth Hall

Labels

External issue ID

465

Components

Affects versions

Priority

Normal