mirror of
https://github.com/zeek/zeek.git
synced 2025-10-12 11:38:20 +00:00
FileAnalysis: refactor unit tests to use a common script.
This commit is contained in:
Jon Siwek
parent
71f0e2d276
commit
00a1de3593
15 changed files with 209 additions and 931 deletions
|
|
@ -1,6 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
Cx92a0ym5R8, 0, 0
|
Cx92a0ym5R8, 0, 0
|
||||||
T
|
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
^J0.26 | 201
|
^J0.26 | 201
|
||||||
|
|
@ -20,6 +19,9 @@ Cx92a0ym5R8, 4705, 0
|
||||||
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
||||||
total bytes: 4705
|
total bytes: 4705
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
SHA1: 1dd7ac0398df6cbc0696445a91ec681facf4dc47
|
||||||
|
MD5: 397168fd09991a0e712254df7bc639ac
|
||||||
|
SHA256: 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
|
||||||
file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
||||||
file_chunk, Cx92a0ym5R8, 476, 4024, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
file_chunk, Cx92a0ym5R8, 476, 4024, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
||||||
file_stream, Cx92a0ym5R8, 205, ^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
|
file_stream, Cx92a0ym5R8, 205, ^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
|
||||||
|
|
|
||||||
|
|
@ -1,56 +1,4 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
|
|
||||||
event file_chunk(info: FileAnalysis::Info, data: string, off: count)
|
redef test_print_file_data_events = T;
|
||||||
{
|
|
||||||
print "file_chunk", info$file_id, |data|, off, data;
|
|
||||||
}
|
|
||||||
|
|
||||||
event file_stream(info: FileAnalysis::Info, data: string)
|
|
||||||
{
|
|
||||||
print "file_stream", info$file_id, |data|, data;
|
|
||||||
}
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
|
||||||
{
|
|
||||||
print trig;
|
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
print FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_DATA_EVENT,
|
|
||||||
$chunk_event=file_chunk,
|
|
||||||
$stream_event=file_stream]);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,91 +1,30 @@
|
||||||
# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap %INPUT
|
# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT
|
||||||
# @TEST-EXEC: btest-bg-wait 8
|
# @TEST-EXEC: btest-bg-wait 8
|
||||||
# @TEST-EXEC: btest-diff bro/.stdout
|
# @TEST-EXEC: btest-diff bro/.stdout
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
|
||||||
global cnt: count = 0;
|
global cnt: count = 0;
|
||||||
global timeout_cnt: count = 0;
|
global timeout_cnt: count = 0;
|
||||||
|
|
||||||
|
redef FileAnalysis::default_timeout_interval=2sec;
|
||||||
|
|
||||||
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
|
{
|
||||||
|
local rval: string = fmt("%s-file%d", info$file_id, cnt);
|
||||||
|
++cnt;
|
||||||
|
return rval;
|
||||||
|
};
|
||||||
|
|
||||||
redef exit_only_after_terminate = T;
|
redef exit_only_after_terminate = T;
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
{
|
{
|
||||||
print trig;
|
if ( trig != FileAnalysis::TRIGGER_TIMEOUT ) return;
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_TIMEOUT:
|
|
||||||
if ( timeout_cnt < 1 )
|
if ( timeout_cnt < 1 )
|
||||||
FileAnalysis::postpone_timeout(info$file_id);
|
FileAnalysis::postpone_timeout(info$file_id);
|
||||||
else
|
else
|
||||||
terminate();
|
terminate();
|
||||||
++timeout_cnt;
|
++timeout_cnt;
|
||||||
break;
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
info$timeout_interval=2sec;
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file%d", info$file_id, cnt);
|
|
||||||
++cnt;
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
if ( info$actions[act]?$md5 )
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
if ( info$actions[act]?$sha1 )
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
if ( info$actions[act]?$sha256 )
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,84 +1,20 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
|
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
|
||||||
# @TEST-EXEC: btest-diff get.out
|
# @TEST-EXEC: btest-diff get.out
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
|
{
|
||||||
|
return fmt("%s-file", info$file_id);
|
||||||
|
};
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
{
|
{
|
||||||
local filename: string;
|
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
||||||
print trig;
|
for ( act in test_file_actions )
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
filename = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::remove_action(info$file_id, act);
|
FileAnalysis::remove_action(info$file_id, act);
|
||||||
filename = fmt("%s-file", info$file_id);
|
local filename = test_get_file_name(info);
|
||||||
FileAnalysis::remove_action(info$file_id,
|
FileAnalysis::remove_action(info$file_id,
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
[$act=FileAnalysis::ACTION_EXTRACT,
|
||||||
$extract_filename=filename]);
|
$extract_filename=filename]);
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
if ( info$actions[act]?$md5 )
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
if ( info$actions[act]?$sha1 )
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
if ( info$actions[act]?$sha256 )
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,76 +1,9 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
|
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
|
||||||
# @TEST-EXEC: btest-diff get.out
|
# @TEST-EXEC: btest-diff get.out
|
||||||
# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
|
# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
{
|
{
|
||||||
print trig;
|
if ( trig != FileAnalysis::TRIGGER_NEW ) return;
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
FileAnalysis::stop(info$file_id);
|
FileAnalysis::stop(info$file_id);
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,69 +1,10 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/ftp/retr.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff thefile
|
# @TEST-EXEC: btest-diff thefile
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "FTP_DATA";
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
return "thefile";
|
||||||
|
};
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "FTP_DATA" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename="thefile"]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,77 +1,13 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
|
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out
|
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out
|
||||||
# @TEST-EXEC: btest-diff get.out
|
# @TEST-EXEC: btest-diff get.out
|
||||||
# @TEST-EXEC: btest-diff get-gzip.out
|
# @TEST-EXEC: btest-diff get-gzip.out
|
||||||
# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
|
# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
|
||||||
# @TEST-EXEC: btest-diff kg59rqyYxN-file
|
# @TEST-EXEC: btest-diff kg59rqyYxN-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
return fmt("%s-file", info$file_id);
|
||||||
|
};
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,90 +1,25 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out
|
||||||
# @TEST-EXEC: btest-diff a.out
|
# @TEST-EXEC: btest-diff a.out
|
||||||
# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size
|
# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size
|
||||||
# @TEST-EXEC: btest-diff a.size
|
# @TEST-EXEC: btest-diff a.size
|
||||||
|
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out
|
||||||
# @TEST-EXEC: btest-diff b.out
|
# @TEST-EXEC: btest-diff b.out
|
||||||
# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size
|
# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size
|
||||||
# @TEST-EXEC: btest-diff b.size
|
# @TEST-EXEC: btest-diff b.size
|
||||||
|
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out
|
||||||
# @TEST-EXEC: btest-diff c.out
|
# @TEST-EXEC: btest-diff c.out
|
||||||
# @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size
|
# @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size
|
||||||
# @TEST-EXEC: btest-diff c.size
|
# @TEST-EXEC: btest-diff c.size
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
|
||||||
global cnt: count = 0;
|
global cnt: count = 0;
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_file_analysis_source = "HTTP";
|
||||||
{
|
|
||||||
print trig;
|
|
||||||
|
|
||||||
switch ( trig ) {
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
{
|
||||||
for ( act in actions )
|
local rval: string = fmt("%s-file%d", info$file_id, cnt);
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file%d", info$file_id, cnt);
|
|
||||||
++cnt;
|
++cnt;
|
||||||
FileAnalysis::add_action(info$file_id,
|
return rval;
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
};
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
if ( info$actions[act]?$md5 )
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
if ( info$actions[act]?$sha1 )
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
if ( info$actions[act]?$sha256 )
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
|
# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
|
||||||
# @TEST-EXEC: btest-diff CCU3vUEr06l-file
|
# @TEST-EXEC: btest-diff CCU3vUEr06l-file
|
||||||
|
|
@ -6,73 +6,9 @@
|
||||||
# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
|
# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
|
||||||
# @TEST-EXEC: btest-diff xXlF7wFdsR-file
|
# @TEST-EXEC: btest-diff xXlF7wFdsR-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
return fmt("%s-file", info$file_id);
|
||||||
|
};
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,75 +1,11 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
|
# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
|
||||||
# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
|
# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
return fmt("%s-file", info$file_id);
|
||||||
|
};
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,15 @@
|
||||||
# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
|
# @TEST-EXEC: btest-bg-run bro bro -b $SCRIPTS/file-analysis-test.bro %INPUT
|
||||||
# @TEST-EXEC: btest-bg-wait 8
|
# @TEST-EXEC: btest-bg-wait 8
|
||||||
# @TEST-EXEC: btest-diff bro/.stdout
|
# @TEST-EXEC: btest-diff bro/.stdout
|
||||||
# @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log
|
# @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log
|
||||||
|
|
||||||
redef exit_only_after_terminate = T;
|
redef exit_only_after_terminate = T;
|
||||||
|
|
||||||
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
|
{
|
||||||
|
return fmt("%s-file", info$file_id);
|
||||||
|
};
|
||||||
|
|
||||||
@TEST-START-FILE input.log
|
@TEST-START-FILE input.log
|
||||||
#separator \x09
|
#separator \x09
|
||||||
#path ssh
|
#path ssh
|
||||||
|
|
@ -37,79 +42,10 @@ event bro_init()
|
||||||
Input::remove("input");
|
Input::remove("input");
|
||||||
}
|
}
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=-10
|
||||||
{
|
{
|
||||||
local filename: string;
|
if ( trig != FileAnalysis::TRIGGER_EOF ) return;
|
||||||
print trig;
|
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
filename = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::remove_action(info$file_id, act);
|
|
||||||
filename = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::remove_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
if ( info$actions[act]?$md5 )
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
if ( info$actions[act]?$sha1 )
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
if ( info$actions[act]?$sha256 )
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
terminate();
|
terminate();
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,69 +1,10 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff thefile
|
# @TEST-EXEC: btest-diff thefile
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "IRC_DATA";
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
return "thefile";
|
||||||
|
};
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "IRC_DATA" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename="thefile"]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,100 +1,9 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT
|
# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT
|
||||||
# @TEST-EXEC: btest-diff file_analysis.log
|
# @TEST-EXEC: btest-diff file_analysis.log
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "HTTP";
|
||||||
|
|
||||||
event file_chunk(info: FileAnalysis::Info, data: string, off: count)
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print "file_chunk", info$file_id, |data|, off, data;
|
return fmt("%s-file", info$file_id);
|
||||||
}
|
};
|
||||||
|
|
||||||
event file_stream(info: FileAnalysis::Info, data: string)
|
|
||||||
{
|
|
||||||
print "file_stream", info$file_id, |data|, data;
|
|
||||||
}
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
|
||||||
{
|
|
||||||
print trig;
|
|
||||||
|
|
||||||
switch ( trig ) {
|
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "HTTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("%s-file", info$file_id);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_DATA_EVENT,
|
|
||||||
$chunk_event=file_chunk,
|
|
||||||
$stream_event=file_stream]);
|
|
||||||
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
fallthrough;
|
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
|
||||||
&priority=-5
|
|
||||||
{
|
|
||||||
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
|
||||||
|
|
||||||
# avoids libmagic variances across systems
|
|
||||||
if ( info?$mime_type )
|
|
||||||
info$mime_type = "set";
|
|
||||||
if ( info?$file_type )
|
|
||||||
info$file_type = "set";
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,75 +1,16 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/smtp.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff thefile0
|
# @TEST-EXEC: btest-diff thefile0
|
||||||
# @TEST-EXEC: btest-diff thefile1
|
# @TEST-EXEC: btest-diff thefile1
|
||||||
# @TEST-EXEC: btest-diff thefile2
|
# @TEST-EXEC: btest-diff thefile2
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
redef test_file_analysis_source = "SMTP";
|
||||||
global cnt: count = 0;
|
|
||||||
|
|
||||||
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
global mycnt: count = 0;
|
||||||
|
|
||||||
|
redef test_get_file_name = function(info: FileAnalysis::Info): string
|
||||||
{
|
{
|
||||||
print trig;
|
local rval: string = fmt("thefile%d", mycnt);
|
||||||
|
++mycnt;
|
||||||
switch ( trig ) {
|
return rval;
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
};
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
|
|
||||||
if ( info$source == "SMTP" )
|
|
||||||
{
|
|
||||||
for ( act in actions )
|
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
|
||||||
local filename: string = fmt("thefile%d", cnt);
|
|
||||||
++cnt;
|
|
||||||
FileAnalysis::add_action(info$file_id,
|
|
||||||
[$act=FileAnalysis::ACTION_EXTRACT,
|
|
||||||
$extract_filename=filename]);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
|
||||||
if ( info?$bof_buffer )
|
|
||||||
print info$bof_buffer[0:10];
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_TYPE:
|
|
||||||
# not actually printing the values due to libmagic variances
|
|
||||||
if ( info?$file_type )
|
|
||||||
print "file type is set";
|
|
||||||
if ( info?$mime_type )
|
|
||||||
print "mime type is set";
|
|
||||||
break;
|
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
|
||||||
if ( info?$conns )
|
|
||||||
for ( cid in info$conns )
|
|
||||||
print cid;
|
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
|
||||||
if ( info?$source )
|
|
||||||
print "source: " + info$source;
|
|
||||||
|
|
||||||
for ( act in info$actions )
|
|
||||||
switch ( act$act ) {
|
|
||||||
case FileAnalysis::ACTION_MD5:
|
|
||||||
print fmt("MD5: %s", info$actions[act]$md5);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA1:
|
|
||||||
print fmt("SHA1: %s", info$actions[act]$sha1);
|
|
||||||
break;
|
|
||||||
case FileAnalysis::ACTION_SHA256:
|
|
||||||
print fmt("SHA256: %s", info$actions[act]$sha256);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_MD5]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA1]];
|
|
||||||
add actions[[$act=FileAnalysis::ACTION_SHA256]];
|
|
||||||
}
|
|
||||||
|
|
|
||||||
109
testing/scripts/file-analysis-test.bro
Normal file
109
testing/scripts/file-analysis-test.bro
Normal file
|
|
@ -0,0 +1,109 @@
|
||||||
|
|
||||||
|
global test_file_analysis_source: string = "" &redef;
|
||||||
|
|
||||||
|
global test_file_actions: set[FileAnalysis::ActionArgs];
|
||||||
|
|
||||||
|
global test_get_file_name: function(info: FileAnalysis::Info): string =
|
||||||
|
function(info: FileAnalysis::Info): string { return ""; } &redef;
|
||||||
|
|
||||||
|
global test_print_file_data_events: bool = F &redef;
|
||||||
|
|
||||||
|
event file_chunk(info: FileAnalysis::Info, data: string, off: count)
|
||||||
|
{
|
||||||
|
if ( test_print_file_data_events )
|
||||||
|
print "file_chunk", info$file_id, |data|, off, data;
|
||||||
|
}
|
||||||
|
|
||||||
|
event file_stream(info: FileAnalysis::Info, data: string)
|
||||||
|
{
|
||||||
|
if ( test_print_file_data_events )
|
||||||
|
print "file_stream", info$file_id, |data|, data;
|
||||||
|
}
|
||||||
|
|
||||||
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
{
|
||||||
|
print trig;
|
||||||
|
|
||||||
|
switch ( trig ) {
|
||||||
|
case FileAnalysis::TRIGGER_NEW:
|
||||||
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
|
|
||||||
|
if ( test_file_analysis_source == "" ||
|
||||||
|
info$source == test_file_analysis_source )
|
||||||
|
{
|
||||||
|
for ( act in test_file_actions )
|
||||||
|
FileAnalysis::add_action(info$file_id, act);
|
||||||
|
|
||||||
|
local filename: string = test_get_file_name(info);
|
||||||
|
if ( filename != "" )
|
||||||
|
FileAnalysis::add_action(info$file_id,
|
||||||
|
[$act=FileAnalysis::ACTION_EXTRACT,
|
||||||
|
$extract_filename=filename]);
|
||||||
|
FileAnalysis::add_action(info$file_id,
|
||||||
|
[$act=FileAnalysis::ACTION_DATA_EVENT,
|
||||||
|
$chunk_event=file_chunk,
|
||||||
|
$stream_event=file_stream]);
|
||||||
|
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case FileAnalysis::TRIGGER_BOF_BUFFER:
|
||||||
|
if ( info?$bof_buffer )
|
||||||
|
print info$bof_buffer[0:10];
|
||||||
|
break;
|
||||||
|
|
||||||
|
case FileAnalysis::TRIGGER_TYPE:
|
||||||
|
# not actually printing the values due to libmagic variances
|
||||||
|
if ( info?$file_type )
|
||||||
|
print "file type is set";
|
||||||
|
if ( info?$mime_type )
|
||||||
|
print "mime type is set";
|
||||||
|
break;
|
||||||
|
|
||||||
|
case FileAnalysis::TRIGGER_EOF:
|
||||||
|
fallthrough;
|
||||||
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
|
if ( info?$conns )
|
||||||
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
|
if ( info?$total_bytes )
|
||||||
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
if ( info?$source )
|
||||||
|
print "source: " + info$source;
|
||||||
|
|
||||||
|
for ( act in info$actions )
|
||||||
|
switch ( act$act ) {
|
||||||
|
case FileAnalysis::ACTION_MD5:
|
||||||
|
print fmt("MD5: %s", info$actions[act]$md5);
|
||||||
|
break;
|
||||||
|
case FileAnalysis::ACTION_SHA1:
|
||||||
|
print fmt("SHA1: %s", info$actions[act]$sha1);
|
||||||
|
break;
|
||||||
|
case FileAnalysis::ACTION_SHA256:
|
||||||
|
print fmt("SHA256: %s", info$actions[act]$sha256);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=-5
|
||||||
|
{
|
||||||
|
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
||||||
|
|
||||||
|
# avoids libmagic variances across systems
|
||||||
|
if ( info?$mime_type )
|
||||||
|
info$mime_type = "set";
|
||||||
|
if ( info?$file_type )
|
||||||
|
info$file_type = "set";
|
||||||
|
}
|
||||||
|
|
||||||
|
event bro_init()
|
||||||
|
{
|
||||||
|
add test_file_actions[[$act=FileAnalysis::ACTION_MD5]];
|
||||||
|
add test_file_actions[[$act=FileAnalysis::ACTION_SHA1]];
|
||||||
|
add test_file_actions[[$act=FileAnalysis::ACTION_SHA256]];
|
||||||
|
}
|
||||||
Loading…
Add table
Add a link
Reference in a new issue