Mime type reload v2.4 #13727
Open
Mime type reload v2.4 #13727
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Following commit will add a new value that will overflow the actual size. Ticket: 7816
File magic is known to have performance issue. When looking for an alternative, I've been pointed to the tree_magic_mini crate that output the mime type of a binary stream. This is different from magic but it has multiple advantages as it is a standard so it can be correlated with other tools. So instead of replacing magic, this patch adds a new mime type output to fileinfo events. This patch also adds the `file.mimetype` sticky buffer. Mime type has 2 advantages over file magic. First it is really faster and second, the result are easier to use as the MIME type are well defined. But it provides less information than magic for example with regards to the size of images. This patch is using version 3.2.0 of tree_magic_mini that provides capabilities to load mime files from a give directory. This patch is embedding the GPL database if an explicit flag is passed to configure (--enable-bundled-gpl-mimetype). In this case the mime type files comes from `tree_magic_mini` dependencies. The patch adds the mime definition in Suricata source code. This means that if the user uses this data, then we have no dependency in term of results on the operating system and on the evolution of the crate. Updating the mime type definition on the target system will be done by installing the files present in Suricata code. Installation of the mime type files is done via `make install-conf` to the mimetype/ directory below data directory. This directory is used by default even if the suricata.yaml is not updated with the new `mimetype-dir` config variable. The new Makefile target `upgrade-data` takes care of upgrading the file. Users will be able to use it when there is a new version available. The `mimetype-dir` YAML variable can be used to set up a different directory with data under control by the user. Ticket: 7816
Add some builds with mimetype activated and suricata-verify so we can test feature. Test with and without embedded GPL data are done.
regit
requested review from
jasonish,
jufajardini,
victorjulien and
a team
as code owners
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #13727 +/- ##
==========================================
+ Coverage 82.99% 83.72% +0.72%
==========================================
Files 1001 1014 +13
Lines 272978 275266 +2288
==========================================
+ Hits 226556 230461 +3905
+ Misses 46422 44805 -1617
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
catenacyber
reviewed
Aug 26, 2025
.github/workflows/rust.yml
Outdated
| - run: ./scripts/bundle.sh | ||
| - run: ./autogen.sh | ||
| - run: ./configure --enable-warnings | ||
| - run: ./configure --enable-warnings --enable-mimetype |
There was a problem hiding this comment.
I wonder : could this be a plugin ?
There was a problem hiding this comment.
To rephrase, what are we missing in Suricata so that it could be a plugin ?..
catenacyber
reviewed
Aug 26, 2025
| } | ||
|
|
||
| if ((s->file_flags & FILE_SIG_NEED_MIMETYPE) && file_size == 0) { | ||
| SCLogDebug("sig needs file content, but we don't have any"); |
There was a problem hiding this comment.
debug log message is bad copy/paste
catenacyber
reviewed
Aug 26, 2025
| int list_id; | ||
| const MpmCtx *mpm_ctx; | ||
| const DetectEngineTransforms *transforms; | ||
| } PrefilterMpmFileMimetype; |
There was a problem hiding this comment.
Why not reuse PrefilterMpmListId ?
catenacyber
reviewed
Aug 26, 2025
|
|
||
| file.mimetype; content:"application/vnd.microsoft.portable-executable"; | ||
|
|
||
| ``file.mimetype`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. |
There was a problem hiding this comment.
needs to be added as well in doc//userguide/rules/multi-buffer-matching.rst see #13752
catenacyber
reviewed
Aug 27, 2025
| }, | ||
| "mimetype": { | ||
| "type": "string", | ||
| "description": "The MIME type of the file (e.g., application/pdf, image/png, etc.)" |
There was a problem hiding this comment.
maybe say how it is found (not from headers, but from content) ?
catenacyber
reviewed
Aug 27, 2025
| hashes. | ||
|
|
||
| The type of the file can also be determined by doing an analysis of the beginning of the content | ||
| of the file. This is done by using libmagic and/or libmimetype. Magic is slower than mimetype, but |
There was a problem hiding this comment.
nit: space at end of line
catenacyber
reviewed
Aug 27, 2025
There was a problem hiding this comment.
CI : ✅
Code : need to check
Commits segmentation : ok (I would squash the doc commits)
Commit messages : good
Git ID set : looks fine for me
CLA : you already contributed
Doc update : good (some comments)
Redmine ticket : ok
Rustfmt : 🟠 rustfmt rust/src/filemimetype.rs has a diff
Tests : cool
Dependencies added:
catenacyber
requested changes
Sep 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update of #13715 addressing comments from @jufajardini. As it seems it was not an in depth review. I'm reproducing here the details of changes from previous PR.
Contribution style:
https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html
Our Contribution agreements:
https://suricata.io/about/contribution-agreement/ (note: this is only required once)
Changes (if applicable):
(including schema descriptions)
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Link to ticket: https://redmine.openinfosecfoundation.org/issues/7816
Describe changes:
make install-confinstall mime type filesmake upgrade-dataupdate mime type filesSV_BRANCH=OISF/suricata-verify#2606