Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 20:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

FileAnalysis: refactor unit tests to use a common script.

Browse source
This commit is contained in:
Jon Siwek 2013-03-22 17:27:16 -05:00
parent 71f0e2d276
commit 00a1de3593
15 changed files with 209 additions and 931 deletions
Download patch file Download diff file Expand all files Collapse all files

56
testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro
View file

@ -1,56 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
event file_chunk(info: FileAnalysis::Info, data: string, off: count)
{
print "file_chunk", info$file_id, |data|, off, data;
}
event file_stream(info: FileAnalysis::Info, data: string)
{
print "file_stream", info$file_id, |data|, data;
}
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
print FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_DATA_EVENT,
$chunk_event=file_chunk,
$stream_event=file_stream]);
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
break;
}
}
redef test_print_file_data_events = T;

97
testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro
View file

@ -1,91 +1,30 @@
# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap %INPUT
# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT
# @TEST-EXEC: btest-bg-wait 8
# @TEST-EXEC: btest-diff bro/.stdout
global actions: set[FileAnalysis::ActionArgs];
global cnt: count = 0;
global timeout_cnt: count = 0;
redef FileAnalysis::default_timeout_interval=2sec;
redef test_file_analysis_source = "HTTP";
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
local rval: string = fmt("%s-file%d", info$file_id, cnt);
++cnt;
return rval;
};
redef exit_only_after_terminate = T;
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
if ( trig != FileAnalysis::TRIGGER_TIMEOUT ) return;
switch ( trig ) {
case FileAnalysis::TRIGGER_TIMEOUT:
if ( timeout_cnt < 1 )
FileAnalysis::postpone_timeout(info$file_id);
else
terminate();
++timeout_cnt;
break;
case FileAnalysis::TRIGGER_NEW:
info$timeout_interval=2sec;
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file%d", info$file_id, cnt);
++cnt;
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
if ( info$actions[act]?$md5 )
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
if ( info$actions[act]?$sha1 )
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
if ( info$actions[act]?$sha256 )
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
if ( timeout_cnt < 1 )
FileAnalysis::postpone_timeout(info$file_id);
else
terminate();
++timeout_cnt;
}

92
testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro
View file

@ -1,84 +1,20 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
# @TEST-EXEC: btest-diff get.out
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "HTTP";
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
return fmt("%s-file", info$file_id);
};
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
local filename: string;
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
filename = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
for ( act in actions )
FileAnalysis::remove_action(info$file_id, act);
filename = fmt("%s-file", info$file_id);
FileAnalysis::remove_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
if ( info$actions[act]?$md5 )
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
if ( info$actions[act]?$sha1 )
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
if ( info$actions[act]?$sha256 )
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
for ( act in test_file_actions )
FileAnalysis::remove_action(info$file_id, act);
local filename = test_get_file_name(info);
FileAnalysis::remove_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}

73
testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro
View file

@ -1,76 +1,9 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
# @TEST-EXEC: btest-diff get.out
# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
FileAnalysis::stop(info$file_id);
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
if ( trig != FileAnalysis::TRIGGER_NEW ) return;
FileAnalysis::stop(info$file_id);
}

69
testing/btest/scripts/base/frameworks/file-analysis/ftp.bro
View file

@ -1,69 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "FTP_DATA";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "FTP_DATA" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename="thefile"]];
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
return "thefile";
};

76
testing/btest/scripts/base/frameworks/file-analysis/http/get.bro
View file

@ -1,77 +1,13 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out
# @TEST-EXEC: btest-diff get.out
# @TEST-EXEC: btest-diff get-gzip.out
# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
# @TEST-EXEC: btest-diff kg59rqyYxN-file
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "HTTP";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
return fmt("%s-file", info$file_id);
};

85
testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro
View file

@ -1,90 +1,25 @@
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out
# @TEST-EXEC: btest-diff a.out
# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size
# @TEST-EXEC: btest-diff a.size
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out
# @TEST-EXEC: btest-diff b.out
# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size
# @TEST-EXEC: btest-diff b.size
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out
# @TEST-EXEC: btest-diff c.out
# @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size
# @TEST-EXEC: btest-diff c.size
global actions: set[FileAnalysis::ActionArgs];
global cnt: count = 0;
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_file_analysis_source = "HTTP";
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file%d", info$file_id, cnt);
++cnt;
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
if ( info$actions[act]?$md5 )
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
if ( info$actions[act]?$sha1 )
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
if ( info$actions[act]?$sha256 )
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
local rval: string = fmt("%s-file%d", info$file_id, cnt);
++cnt;
return rval;
};

74
testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro
View file

@ -1,4 +1,4 @@
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
# @TEST-EXEC: btest-diff CCU3vUEr06l-file
@ -6,73 +6,9 @@
# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
# @TEST-EXEC: btest-diff xXlF7wFdsR-file
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "HTTP";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
return fmt("%s-file", info$file_id);
};

74
testing/btest/scripts/base/frameworks/file-analysis/http/post.bro
View file

@ -1,75 +1,11 @@
# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "HTTP";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
return fmt("%s-file", info$file_id);
};

82
testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro
View file

@ -1,10 +1,15 @@
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.bro %INPUT
# @TEST-EXEC: btest-bg-wait 8
# @TEST-EXEC: btest-diff bro/.stdout
# @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log
redef exit_only_after_terminate = T;
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
return fmt("%s-file", info$file_id);
};
@TEST-START-FILE input.log
#separator \x09
#path ssh
@ -37,79 +42,10 @@ event bro_init()
Input::remove("input");
}
global actions: set[FileAnalysis::ActionArgs];
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
&priority=-10
{
local filename: string;
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
filename = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
for ( act in actions )
FileAnalysis::remove_action(info$file_id, act);
filename = fmt("%s-file", info$file_id);
FileAnalysis::remove_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
if ( info$actions[act]?$md5 )
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
if ( info$actions[act]?$sha1 )
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
if ( info$actions[act]?$sha256 )
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
terminate();
break;
}
if ( trig != FileAnalysis::TRIGGER_EOF ) return;
terminate();
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}

69
testing/btest/scripts/base/frameworks/file-analysis/irc.bro
View file

@ -1,69 +1,10 @@
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "IRC_DATA";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "IRC_DATA" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename="thefile"]];
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
return "thefile";
};

103
testing/btest/scripts/base/frameworks/file-analysis/logging.bro
View file

@ -1,100 +1,9 @@
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT
# @TEST-EXEC: btest-diff file_analysis.log
global actions: set[FileAnalysis::ActionArgs];
redef test_file_analysis_source = "HTTP";
event file_chunk(info: FileAnalysis::Info, data: string, off: count)
{
print "file_chunk", info$file_id, |data|, off, data;
}
event file_stream(info: FileAnalysis::Info, data: string)
{
print "file_stream", info$file_id, |data|, data;
}
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "HTTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("%s-file", info$file_id);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_DATA_EVENT,
$chunk_event=file_chunk,
$stream_event=file_stream]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
fallthrough;
case FileAnalysis::TRIGGER_DONE:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
&priority=-5
{
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
# avoids libmagic variances across systems
if ( info?$mime_type )
info$mime_type = "set";
if ( info?$file_type )
info$file_type = "set";
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
return fmt("%s-file", info$file_id);
};

77
testing/btest/scripts/base/frameworks/file-analysis/smtp.bro
View file

@ -1,75 +1,16 @@
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT >out
# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
# @TEST-EXEC: btest-diff out
# @TEST-EXEC: btest-diff thefile0
# @TEST-EXEC: btest-diff thefile1
# @TEST-EXEC: btest-diff thefile2
global actions: set[FileAnalysis::ActionArgs];
global cnt: count = 0;
redef test_file_analysis_source = "SMTP";
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
global mycnt: count = 0;
redef test_get_file_name = function(info: FileAnalysis::Info): string
{
print trig;
switch ( trig ) {
case FileAnalysis::TRIGGER_NEW:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info$source == "SMTP" )
{
for ( act in actions )
FileAnalysis::add_action(info$file_id, act);
local filename: string = fmt("thefile%d", cnt);
++cnt;
FileAnalysis::add_action(info$file_id,
[$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=filename]);
}
break;
case FileAnalysis::TRIGGER_BOF_BUFFER:
if ( info?$bof_buffer )
print info$bof_buffer[0:10];
break;
case FileAnalysis::TRIGGER_TYPE:
# not actually printing the values due to libmagic variances
if ( info?$file_type )
print "file type is set";
if ( info?$mime_type )
print "mime type is set";
break;
case FileAnalysis::TRIGGER_EOF:
print info$file_id, info$seen_bytes, info$missing_bytes;
if ( info?$conns )
for ( cid in info$conns )
print cid;
if ( info?$total_bytes )
print "total bytes: " + fmt("%s", info$total_bytes);
if ( info?$source )
print "source: " + info$source;
for ( act in info$actions )
switch ( act$act ) {
case FileAnalysis::ACTION_MD5:
print fmt("MD5: %s", info$actions[act]$md5);
break;
case FileAnalysis::ACTION_SHA1:
print fmt("SHA1: %s", info$actions[act]$sha1);
break;
case FileAnalysis::ACTION_SHA256:
print fmt("SHA256: %s", info$actions[act]$sha256);
break;
}
break;
}
}
event bro_init()
{
add actions[[$act=FileAnalysis::ACTION_MD5]];
add actions[[$act=FileAnalysis::ACTION_SHA1]];
add actions[[$act=FileAnalysis::ACTION_SHA256]];
}
local rval: string = fmt("thefile%d", mycnt);
++mycnt;
return rval;
};