@regit regit commented Aug 5, 2025

Update of #13647 addressing comments

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7816

Describe changes:

  • rebase on latest master
  • build mimetype if --enable-mimetype is passed
  • don't embed GPL data if --disable-bundled-gpl-mimetype is passed
  • conditional build of the tree_magic_mini crate

SV_BRANCH=OISF/suricata-verify#2606

regit added 10 commits August 4, 2025 21:13
The following commit will add a new value that will overflow the actual
size.

Ticket: 7816

File magic is known to have performance issues. When looking for
an alternative, I was pointed to the tree_magic_mini crate,
which outputs the MIME type of a binary stream. This is different
from magic, but it has multiple advantages, as it is a standard
and so can be correlated with other tools.

So instead of replacing magic, this patch adds a new MIME type
output to fileinfo events.

This patch also adds the `file.mimetype` sticky buffer.

MIME type has 2 advantages over file magic. First, it is really
faster, and second, the results are easier to use as MIME types
are well defined. But it provides less information than magic, for
example with regards to the size of images.

Ticket: 7816

This patch adds a flag `--enable-gpl-mimetype` to force the
usage of `tree_magic_db`, which is GPL licensed and will not allow
double licensing.

This will allow the built Suricata to have MIME type identification
not dependent on the operating system database.

Ticket: 7816

This can be used with the requires keyword to avoid signature
load failures.

Ticket: 7816

As file data may not have been inspected yet, this is going to be missing
from the event even if it could be available. Let's compute it before
logging the file.

Ticket: 7816

Only build the tree_magic_mini crate if needed.
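The commit messages above argue that a well-defined MIME type is easier to correlate than a free-form magic string. As an added illustration, not code from this PR or from Suricata, the following Python reads constructed eve.json lines and flags fileinfo events whose content-derived MIME type disagrees with the extension of the transferred file name, a common sign of a disguised payload. It assumes the new field is logged as `fileinfo.mimetype`; `fileinfo.filename` and `fileinfo.magic` are existing Suricata fields, and the sample events and the extension table are constructed for the example.

```python
import json
import os

# Constructed eve.json lines (not real Suricata output). "fileinfo.filename"
# and "fileinfo.magic" are existing Suricata fields; "fileinfo.mimetype" is
# assumed to be the name of the field this PR adds.
SAMPLE_EVE = """\
{"timestamp":"2025-08-05T07:41:00.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/invoice.pdf"},"fileinfo":{"filename":"/invoice.pdf","magic":"PDF document, version 1.7","mimetype":"application/pdf","size":18342,"state":"CLOSED"}}
{"timestamp":"2025-08-05T07:41:02.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/photo.jpg"},"fileinfo":{"filename":"/photo.jpg","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","mimetype":"application/x-ms-dos-executable","size":71680,"state":"CLOSED"}}
{"timestamp":"2025-08-05T07:41:03.000000+0000","event_type":"fileinfo","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/notes.txt"},"fileinfo":{"filename":"/notes.txt","mimetype":"text/plain","size":120,"state":"CLOSED"}}
{"timestamp":"2025-08-05T07:41:04.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1}}
"""

# Which MIME types are acceptable for a given extension (constructed, partial
# table). A table like this is practical precisely because MIME types are a
# fixed vocabulary; the equivalent against free-form magic strings is not.
EXPECTED_BY_EXT = {
    ".pdf": {"application/pdf"},
    ".jpg": {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".png": {"image/png"},
    ".txt": {"text/plain"},
    ".zip": {"application/zip"},
}


def iter_fileinfo(lines):
    """Yield parsed fileinfo events, skipping blank, malformed and other event types."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "fileinfo":
            yield ev


def classify(ev):
    """Compare the logged MIME type with what the file extension promises."""
    fi = ev.get("fileinfo", {})
    ext = os.path.splitext(fi.get("filename", ""))[1].lower()
    mimetype = fi.get("mimetype")
    if mimetype is None:
        # Older builds, or a file whose data was never inspected, carry no field.
        return "no-mimetype"
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None:
        return "unknown-extension"
    return "match" if mimetype in expected else "mismatch"


def find_mismatches(text):
    """Return one finding per fileinfo event whose MIME type contradicts its extension."""
    findings = []
    for ev in iter_fileinfo(text.splitlines()):
        if classify(ev) != "mismatch":
            continue
        fi = ev["fileinfo"]
        findings.append({
            "timestamp": ev.get("timestamp"),
            "src_ip": ev.get("src_ip"),
            "dest_ip": ev.get("dest_ip"),
            "filename": fi.get("filename"),
            "mimetype": fi.get("mimetype"),
            # Keep the magic string too: it is the richer description for an analyst.
            "magic": fi.get("magic"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_EVE):
        print(json.dumps(finding))
```

Run against a real eve.json by replacing `SAMPLE_EVE` with the file contents; events without the new field are reported as `no-mimetype` rather than treated as matches, so a mixed fleet of old and new builds does not silently hide gaps.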
@regit regit requested review from jasonish, jufajardini, victorjulien and a team as code owners August 5, 2025 07:41
@victorjulien
Member

I'm missing a clear explanation here and in the docs of what the practical effect of with and w/o the gpl data means for the matching capabilities and the output.

@regit
Contributor Author

regit commented Aug 5, 2025

> I'm missing a clear explanation here and in the docs of what the practical effect of with and w/o the gpl data means for the matching capabilities and the output.

It makes sense. I will document in the user doc how to use it without embedded data.

- run: tar xf prep/suricata-verify.tar.gz
- run: ./autogen.sh
- run: ./configure --enable-unittests --enable-coccinelle
- run: ./configure --enable-unittests --enable-coccinelle --enable-mimetype --enable-bundled-gpl-mimetype
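Review bot: the new configure line at the end of this hunk passes `--enable-bundled-gpl-mimetype`, which does not match the flag the commit message in this PR introduces (`--enable-gpl-mimetype`), so this job would fail at configure before reaching the unit tests; use the option name configure.ac actually defines.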
Member


--enable-bundled-gpl-mimetype doesn't exist in this PR.

Contributor Author


ouch, sorry

- run: ./scripts/bundle.sh
- run: ./autogen.sh
- run: ./configure --enable-warnings
- run: ./configure --enable-warnings --enable-mimetype --enable-bundled-gpl-mimetype
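Review bot: same flag mismatch as in the unittests job, `--enable-bundled-gpl-mimetype` versus the `--enable-gpl-mimetype` flag named in the commit message. Beyond fixing the name, consider keeping one job that configures with `--enable-mimetype` alone, without the bundled GPL database, so CI also exercises the system-database code path whose behaviour the review asks to have documented.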
Member


--enable-bundled-gpl-mimetype doesn't exist in this PR.


static int DetectFileMimetypeSetupNoSupport(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
SCLogError("no libmagic support built in, needed for filemagic keyword");
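Review bot: the error message in DetectFileMimetypeSetupNoSupport still reads "no libmagic support built in, needed for filemagic keyword", which looks copied from the filemagic fallback; it should state that mimetype support is not built in and name the `file.mimetype` keyword, otherwise a user whose ruleset fails to load is sent looking for libmagic instead of the `--enable-mimetype` build option.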
Member


libmagic -> mimetype? Or something like that.

@regit regit mentioned this pull request Aug 6, 2025
5 tasks
@regit regit closed this Aug 6, 2025