From 00a1de3593eb308ce617c6faa85378132b3a7858 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 22 Mar 2013 17:27:16 -0500 Subject: [PATCH] FileAnalysis: refactor unit tests to use a common script. --- .../out | 4 +- .../file-analysis/actions/data_event.bro | 56 +-------- .../file-analysis/bifs/postpone_timeout.bro | 97 +++------------- .../file-analysis/bifs/remove_action.bro | 92 +++------------ .../frameworks/file-analysis/bifs/stop.bro | 73 +----------- .../base/frameworks/file-analysis/ftp.bro | 69 +---------- .../frameworks/file-analysis/http/get.bro | 76 +----------- .../file-analysis/http/partial-content.bro | 85 ++------------ .../file-analysis/http/pipeline.bro | 74 +----------- .../frameworks/file-analysis/http/post.bro | 74 +----------- .../frameworks/file-analysis/input/basic.bro | 82 ++----------- .../base/frameworks/file-analysis/irc.bro | 69 +---------- .../base/frameworks/file-analysis/logging.bro | 103 +---------------- .../base/frameworks/file-analysis/smtp.bro | 77 ++----------- testing/scripts/file-analysis-test.bro | 109 ++++++++++++++++++ 15 files changed, 209 insertions(+), 931 deletions(-) create mode 100644 testing/scripts/file-analysis-test.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out index 6311f768f2..2f26373b88 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out @@ -1,6 +1,5 @@ FileAnalysis::TRIGGER_NEW Cx92a0ym5R8, 0, 0 -T FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER ^J0.26 | 201 @@ -20,6 +19,9 @@ Cx92a0ym5R8, 4705, 0 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] total bytes: 4705 source: HTTP +SHA1: 1dd7ac0398df6cbc0696445a91ec681facf4dc47 +MD5: 397168fd09991a0e712254df7bc639ac +SHA256: 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J file_chunk, Cx92a0ym5R8, 476, 4024, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J file_stream, Cx92a0ym5R8, 205, ^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J diff --git a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro index cc74f5f5c2..bcecbd8aa3 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro @@ -1,56 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out -event file_chunk(info: FileAnalysis::Info, data: string, off: count) - { - print "file_chunk", info$file_id, |data|, off, data; - } - -event file_stream(info: FileAnalysis::Info, data: string) - { - print "file_stream", info$file_id, |data|, data; - } - -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) - { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - print FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_DATA_EVENT, - $chunk_event=file_chunk, - $stream_event=file_stream]); - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - break; - } - } +redef test_print_file_data_events = T; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro index 0082f9ee11..a19fd621a4 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro @@ -1,91 +1,30 @@ -# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap %INPUT +# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT # @TEST-EXEC: btest-bg-wait 8 # @TEST-EXEC: btest-diff bro/.stdout -global actions: set[FileAnalysis::ActionArgs]; global cnt: count = 0; global timeout_cnt: count = 0; +redef FileAnalysis::default_timeout_interval=2sec; + +redef test_file_analysis_source = "HTTP"; + +redef test_get_file_name = function(info: FileAnalysis::Info): string + { + local rval: string = fmt("%s-file%d", info$file_id, cnt); + ++cnt; + return rval; + }; + redef exit_only_after_terminate = T; hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) { - print trig; + if ( trig != FileAnalysis::TRIGGER_TIMEOUT ) return; - switch ( trig ) { - case FileAnalysis::TRIGGER_TIMEOUT: - if ( timeout_cnt < 1 ) - FileAnalysis::postpone_timeout(info$file_id); - else - terminate(); - ++timeout_cnt; - break; - case FileAnalysis::TRIGGER_NEW: - info$timeout_interval=2sec; - - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file%d", info$file_id, cnt); - ++cnt; - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - if ( info$actions[act]?$md5 ) - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - if ( info$actions[act]?$sha1 ) - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - if ( info$actions[act]?$sha256 ) - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; + if ( timeout_cnt < 1 ) + FileAnalysis::postpone_timeout(info$file_id); + else + terminate(); + ++timeout_cnt; } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro index 24e9e4ca66..a2e97a31a4 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro @@ -1,84 +1,20 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out # @TEST-EXEC: btest-diff get.out -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "HTTP"; + +redef test_get_file_name = function(info: FileAnalysis::Info): string + { + return fmt("%s-file", info$file_id); + }; hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) { - local filename: string; - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - filename = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - for ( act in actions ) - FileAnalysis::remove_action(info$file_id, act); - filename = fmt("%s-file", info$file_id); - FileAnalysis::remove_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - if ( info$actions[act]?$md5 ) - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - if ( info$actions[act]?$sha1 ) - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - if ( info$actions[act]?$sha256 ) - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; + if ( trig != FileAnalysis::TRIGGER_TYPE ) return; + for ( act in test_file_actions ) + FileAnalysis::remove_action(info$file_id, act); + local filename = test_get_file_name(info); + FileAnalysis::remove_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro index 53dc52455b..c12ff08590 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro @@ -1,76 +1,9 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: test ! -s Cx92a0ym5R8-file -global actions: set[FileAnalysis::ActionArgs]; - hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - FileAnalysis::stop(info$file_id); - - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; + if ( trig != FileAnalysis::TRIGGER_NEW ) return; + FileAnalysis::stop(info$file_id); } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro b/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro index 38665c66a2..9c2134bfa8 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/ftp.bro @@ -1,69 +1,10 @@ -# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "FTP_DATA"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "FTP_DATA" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename="thefile"]]; - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + return "thefile"; + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro index 38d4c444da..e9439bd3b8 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/get.bro @@ -1,77 +1,13 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out -# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out +# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out # @TEST-EXEC: btest-diff get.out # @TEST-EXEC: btest-diff get-gzip.out # @TEST-EXEC: btest-diff Cx92a0ym5R8-file # @TEST-EXEC: btest-diff kg59rqyYxN-file -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "HTTP"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + return fmt("%s-file", info$file_id); + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro index f5a8ac11d0..9361184881 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro @@ -1,90 +1,25 @@ -# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out # @TEST-EXEC: btest-diff a.out # @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size # @TEST-EXEC: btest-diff a.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out # @TEST-EXEC: btest-diff b.out # @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size # @TEST-EXEC: btest-diff b.size -# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out +# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out # @TEST-EXEC: btest-diff c.out # @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size # @TEST-EXEC: btest-diff c.size -global actions: set[FileAnalysis::ActionArgs]; global cnt: count = 0; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_file_analysis_source = "HTTP"; + +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file%d", info$file_id, cnt); - ++cnt; - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - if ( info$actions[act]?$md5 ) - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - if ( info$actions[act]?$sha1 ) - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - if ( info$actions[act]?$sha256 ) - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + local rval: string = fmt("%s-file%d", info$file_id, cnt); + ++cnt; + return rval; + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro index 010d99c33d..1bbfdb6b13 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff aFQKI8SPOL2-file # @TEST-EXEC: btest-diff CCU3vUEr06l-file @@ -6,73 +6,9 @@ # @TEST-EXEC: btest-diff a1Zu1fteVEf-file # @TEST-EXEC: btest-diff xXlF7wFdsR-file -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "HTTP"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + return fmt("%s-file", info$file_id); + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro index a31f7129b8..55fd1ed9c0 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/http/post.bro @@ -1,75 +1,11 @@ -# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff v5HLI7MxPQh-file # @TEST-EXEC: btest-diff PZS1XGHkIf1-file -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "HTTP"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + return fmt("%s-file", info$file_id); + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro index 568a2a47da..3a9b529ab0 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro @@ -1,10 +1,15 @@ -# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.bro %INPUT # @TEST-EXEC: btest-bg-wait 8 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log redef exit_only_after_terminate = T; +redef test_get_file_name = function(info: FileAnalysis::Info): string + { + return fmt("%s-file", info$file_id); + }; + @TEST-START-FILE input.log #separator \x09 #path ssh @@ -37,79 +42,10 @@ event bro_init() Input::remove("input"); } -global actions: set[FileAnalysis::ActionArgs]; - hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + &priority=-10 { - local filename: string; - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - - print info$file_id, info$seen_bytes, info$missing_bytes; - - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - filename = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - for ( act in actions ) - FileAnalysis::remove_action(info$file_id, act); - filename = fmt("%s-file", info$file_id); - FileAnalysis::remove_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - if ( info$actions[act]?$md5 ) - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - if ( info$actions[act]?$sha1 ) - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - if ( info$actions[act]?$sha256 ) - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - terminate(); - break; - } + if ( trig != FileAnalysis::TRIGGER_EOF ) return; + terminate(); } -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro b/testing/btest/scripts/base/frameworks/file-analysis/irc.bro index e6d2fc29ac..69fd2a93c9 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/irc.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/irc.bro @@ -1,69 +1,10 @@ -# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "IRC_DATA"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "IRC_DATA" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename="thefile"]]; - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + return "thefile"; + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro b/testing/btest/scripts/base/frameworks/file-analysis/logging.bro index 8f48ccb38a..275fc20ea5 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/logging.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/logging.bro @@ -1,100 +1,9 @@ -# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT # @TEST-EXEC: btest-diff file_analysis.log -global actions: set[FileAnalysis::ActionArgs]; +redef test_file_analysis_source = "HTTP"; -event file_chunk(info: FileAnalysis::Info, data: string, off: count) - { - print "file_chunk", info$file_id, |data|, off, data; - } - -event file_stream(info: FileAnalysis::Info, data: string) - { - print "file_stream", info$file_id, |data|, data; - } - -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) - { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "HTTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("%s-file", info$file_id); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_DATA_EVENT, - $chunk_event=file_chunk, - $stream_event=file_stream]); - - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - fallthrough; - case FileAnalysis::TRIGGER_DONE: - - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) - &priority=-5 - { - if ( trig != FileAnalysis::TRIGGER_TYPE ) return; - - # avoids libmagic variances across systems - if ( info?$mime_type ) - info$mime_type = "set"; - if ( info?$file_type ) - info$file_type = "set"; - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } +redef test_get_file_name = function(info: FileAnalysis::Info): string + { + return fmt("%s-file", info$file_id); + }; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro b/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro index 57a17a5339..64c5e9f0d7 100644 --- a/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro +++ b/testing/btest/scripts/base/frameworks/file-analysis/smtp.bro @@ -1,75 +1,16 @@ -# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT >out +# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.bro %INPUT >out # @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff thefile0 # @TEST-EXEC: btest-diff thefile1 # @TEST-EXEC: btest-diff thefile2 -global actions: set[FileAnalysis::ActionArgs]; -global cnt: count = 0; +redef test_file_analysis_source = "SMTP"; -hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) +global mycnt: count = 0; + +redef test_get_file_name = function(info: FileAnalysis::Info): string { - print trig; - - switch ( trig ) { - case FileAnalysis::TRIGGER_NEW: - print info$file_id, info$seen_bytes, info$missing_bytes; - - if ( info$source == "SMTP" ) - { - for ( act in actions ) - FileAnalysis::add_action(info$file_id, act); - local filename: string = fmt("thefile%d", cnt); - ++cnt; - FileAnalysis::add_action(info$file_id, - [$act=FileAnalysis::ACTION_EXTRACT, - $extract_filename=filename]); - } - break; - - case FileAnalysis::TRIGGER_BOF_BUFFER: - if ( info?$bof_buffer ) - print info$bof_buffer[0:10]; - break; - - case FileAnalysis::TRIGGER_TYPE: - # not actually printing the values due to libmagic variances - if ( info?$file_type ) - print "file type is set"; - if ( info?$mime_type ) - print "mime type is set"; - break; - - case FileAnalysis::TRIGGER_EOF: - print info$file_id, info$seen_bytes, info$missing_bytes; - if ( info?$conns ) - for ( cid in info$conns ) - print cid; - - if ( info?$total_bytes ) - print "total bytes: " + fmt("%s", info$total_bytes); - if ( info?$source ) - print "source: " + info$source; - - for ( act in info$actions ) - switch ( act$act ) { - case FileAnalysis::ACTION_MD5: - print fmt("MD5: %s", info$actions[act]$md5); - break; - case FileAnalysis::ACTION_SHA1: - print fmt("SHA1: %s", info$actions[act]$sha1); - break; - case FileAnalysis::ACTION_SHA256: - print fmt("SHA256: %s", info$actions[act]$sha256); - break; - } - break; - } - } - -event bro_init() - { - add actions[[$act=FileAnalysis::ACTION_MD5]]; - add actions[[$act=FileAnalysis::ACTION_SHA1]]; - add actions[[$act=FileAnalysis::ACTION_SHA256]]; - } + local rval: string = fmt("thefile%d", mycnt); + ++mycnt; + return rval; + }; diff --git a/testing/scripts/file-analysis-test.bro b/testing/scripts/file-analysis-test.bro new file mode 100644 index 0000000000..2e1d107ffb --- /dev/null +++ b/testing/scripts/file-analysis-test.bro @@ -0,0 +1,109 @@ + +global test_file_analysis_source: string = "" &redef; + +global test_file_actions: set[FileAnalysis::ActionArgs]; + +global test_get_file_name: function(info: FileAnalysis::Info): string = + function(info: FileAnalysis::Info): string { return ""; } &redef; + +global test_print_file_data_events: bool = F &redef; + +event file_chunk(info: FileAnalysis::Info, data: string, off: count) + { + if ( test_print_file_data_events ) + print "file_chunk", info$file_id, |data|, off, data; + } + +event file_stream(info: FileAnalysis::Info, data: string) + { + if ( test_print_file_data_events ) + print "file_stream", info$file_id, |data|, data; + } + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + { + print trig; + + switch ( trig ) { + case FileAnalysis::TRIGGER_NEW: + print info$file_id, info$seen_bytes, info$missing_bytes; + + if ( test_file_analysis_source == "" || + info$source == test_file_analysis_source ) + { + for ( act in test_file_actions ) + FileAnalysis::add_action(info$file_id, act); + + local filename: string = test_get_file_name(info); + if ( filename != "" ) + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_DATA_EVENT, + $chunk_event=file_chunk, + $stream_event=file_stream]); + + } + break; + + case FileAnalysis::TRIGGER_BOF_BUFFER: + if ( info?$bof_buffer ) + print info$bof_buffer[0:10]; + break; + + case FileAnalysis::TRIGGER_TYPE: + # not actually printing the values due to libmagic variances + if ( info?$file_type ) + print "file type is set"; + if ( info?$mime_type ) + print "mime type is set"; + break; + + case FileAnalysis::TRIGGER_EOF: + fallthrough; + case FileAnalysis::TRIGGER_DONE: + print info$file_id, info$seen_bytes, info$missing_bytes; + if ( info?$conns ) + for ( cid in info$conns ) + print cid; + + if ( info?$total_bytes ) + print "total bytes: " + fmt("%s", info$total_bytes); + if ( info?$source ) + print "source: " + info$source; + + for ( act in info$actions ) + switch ( act$act ) { + case FileAnalysis::ACTION_MD5: + print fmt("MD5: %s", info$actions[act]$md5); + break; + case FileAnalysis::ACTION_SHA1: + print fmt("SHA1: %s", info$actions[act]$sha1); + break; + case FileAnalysis::ACTION_SHA256: + print fmt("SHA256: %s", info$actions[act]$sha256); + break; + } + break; + } + } + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + &priority=-5 + { + if ( trig != FileAnalysis::TRIGGER_TYPE ) return; + + # avoids libmagic variances across systems + if ( info?$mime_type ) + info$mime_type = "set"; + if ( info?$file_type ) + info$file_type = "set"; + } + +event bro_init() + { + add test_file_actions[[$act=FileAnalysis::ACTION_MD5]]; + add test_file_actions[[$act=FileAnalysis::ACTION_SHA1]]; + add test_file_actions[[$act=FileAnalysis::ACTION_SHA256]]; + }