From 04de4ce24b1d58ad1a11d61153cc38e2eaf6b7d7 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sat, 10 Aug 2013 22:26:32 -0400
Subject: [PATCH] Unified2 file analyzer updated to new plugin style.

---
 scripts/base/files/unified2/__load__.bro | 1 +
 scripts/base/files/unified2/main.bro | 16 ++++++++
 scripts/base/init-default.bro | 2 +
 src/binpac_bro.h | 2 +
 src/file_analysis/analyzer/CMakeLists.txt | 1 +
 .../analyzer/unified2/CMakeLists.txt | 10 +++++
 src/file_analysis/analyzer/unified2/Plugin.cc | 29 ++++++++++++++
 .../analyzer/unified2/Unified2.cc | 29 ++++++++++++++
 .../analyzer/unified2/Unified2.h | 40 +++++++++++++++++++
 .../analyzer/unified2/events.bif | 2 +
 src/file_analysis/analyzer/unified2/types.bif | 1 +
 .../analyzer/unified2/unified2-analyzer.pac | 35 ++++++++++++++++
 .../analyzer/unified2}/unified2-file.pac | 1 -
 .../analyzer/unified2}/unified2.pac | 2 +-
 src/unified2-analyzer.pac | 26 ------------
 15 files changed, 169 insertions(+), 28 deletions(-)
 create mode 100644 scripts/base/files/unified2/__load__.bro
 create mode 100644 scripts/base/files/unified2/main.bro
 create mode 100644 src/file_analysis/analyzer/unified2/CMakeLists.txt
 create mode 100644 src/file_analysis/analyzer/unified2/Plugin.cc
 create mode 100644 src/file_analysis/analyzer/unified2/Unified2.cc
 create mode 100644 src/file_analysis/analyzer/unified2/Unified2.h
 create mode 100644 src/file_analysis/analyzer/unified2/events.bif
 create mode 100644 src/file_analysis/analyzer/unified2/types.bif
 create mode 100644 src/file_analysis/analyzer/unified2/unified2-analyzer.pac
 rename src/{ => file_analysis/analyzer/unified2}/unified2-file.pac (99%)
 rename src/{ => file_analysis/analyzer/unified2}/unified2.pac (82%)
 delete mode 100644 src/unified2-analyzer.pac

diff --git a/scripts/base/files/unified2/__load__.bro b/scripts/base/files/unified2/__load__.bro
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/files/unified2/__load__.bro
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro
new file mode 100644
index 0000000000..5e5ff17e6f
--- /dev/null
+++ b/scripts/base/files/unified2/main.bro
@@ -0,0 +1,16 @@
+
+
+
+event file_new(f: fa_file)
+ {
+ print "found a file";
+ print f$mime_type;
+ print Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);
+ }
+
+event unified2_alert(f: fa_file, alert: count)
+ {
+ print "yaayyaya!!!";
+
+ print alert;
+ }
\ No newline at end of file
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 61376c7de4..c95c03899e 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -55,5 +55,7 @@
 @load base/files/hash
 @load base/files/extract
+@load base/files/unified2
+
 @load base/misc/find-checksum-offloading
diff --git a/src/binpac_bro.h b/src/binpac_bro.h
index 5902c52113..8dc3df9e6f 100644
--- a/src/binpac_bro.h
+++ b/src/binpac_bro.h
@@ -12,6 +12,7 @@ namespace analyzer { class Analyzer; }
 #include "event.bif.func_h"
 #include "TunnelEncapsulation.h"
 #include "analyzer/Analyzer.h"
+#include "file_analysis/Analyzer.h"
 #include "Conn.h"
 #include "binpac.h"
@@ -19,6 +20,7 @@ namespace analyzer { class Analyzer; }
 namespace binpac {
 typedef analyzer::Analyzer* BroAnalyzer;
+typedef file_analysis::Analyzer BroFileAnalyzer;
 typedef Val* BroVal;
 typedef PortVal* BroPortVal;
 typedef StringVal* BroStringVal;
diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt
index bfafcd2894..1e19b7bd11 100644
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@@ -1,3 +1,4 @@
 add_subdirectory(data_event)
 add_subdirectory(extract)
 add_subdirectory(hash)
+add_subdirectory(unified2)
diff --git a/src/file_analysis/analyzer/unified2/CMakeLists.txt b/src/file_analysis/analyzer/unified2/CMakeLists.txt
new file mode 100644
index 0000000000..26a3d88ba7
--- /dev/null
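Review bot: `file_new` in main.bro calls `Files::add_analyzer(f, Files::ANALYZER_UNIFIED2)` for every file Bro sees, with no look at `f$mime_type`, and because `init-default.bro` now loads `base/files/unified2` unconditionally, the binpac Unified2 parser is run over arbitrary untrusted file content carried by any protocol. The three `print` statements (`"found a file"`, `f$mime_type`, `"yaayyaya!!!"`) are debug output that should not ship in a base/ script, and `f$mime_type` is read without a `f?$mime_type` guard, which is a runtime error for files with no identified type if that field is `&optional` on `fa_file` (it appears to be in Bro's record definition; confirm). Attach the analyzer only when the detected type is the Unified2 one, e.g. `if ( f?$mime_type && f$mime_type == <type the Unified2 magic signature assigns> ) Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);` (the signature itself is not in this patch), and replace the `print` in `unified2_alert` with whatever the script is meant to do with the alert, or drop the handler until there is one.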
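Review bot: `typedef file_analysis::Analyzer BroFileAnalyzer;` in binpac_bro.h declares a value type, whereas the sibling `BroAnalyzer` is `analyzer::Analyzer*` and everything this typedef feeds expects a pointer: `unified2.pac` declares `Unified2_Analyzer(bro_analyzer: BroFileAnalyzer)`, `Unified2.cc` constructs it with `this`, and `unified2-analyzer.pac` dereferences it as `connection()->bro_analyzer()->GetFile()`. Passing a `Unified2*` where a by-value abstract `file_analysis::Analyzer` is expected will not compile (and would slice if it did). Make it `typedef file_analysis::Analyzer* BroFileAnalyzer;` so the generated analyzer holds a non-owning pointer, matching `BroAnalyzer`.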
+++ b/src/file_analysis/analyzer/unified2/CMakeLists.txt
@@ -0,0 +1,10 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+ ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro Unified2)
+bro_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
+bro_plugin_end()
diff --git a/src/file_analysis/analyzer/unified2/Plugin.cc b/src/file_analysis/analyzer/unified2/Plugin.cc
new file mode 100644
index 0000000000..ae47ad270b
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/Plugin.cc
@@ -0,0 +1,29 @@
+#include "plugin/Plugin.h"
+#include "file_analysis/Component.h"
+
+#include "Unified2.h"
+
+namespace plugin { namespace Bro_Unified2 {
+
+class Plugin : public plugin::Plugin {
+protected:
+ void InitPreScript()
+ {
+ SetName("Bro::Unified2");
+ SetVersion(-1);
+ SetAPIVersion(BRO_PLUGIN_API_VERSION);
+ SetDynamicPlugin(false);
+
+ SetDescription("Analyze Unified2 alert files.");
+
+ AddComponent(new ::file_analysis::Component("UNIFIED2",
+ ::file_analysis::Unified2::Instantiate));
+
+ extern std::list > __bif_events_init();
+ AddBifInitFunction(&__bif_events_init);
+ }
+};
+
+Plugin __plugin;
+
+} }
diff --git a/src/file_analysis/analyzer/unified2/Unified2.cc b/src/file_analysis/analyzer/unified2/Unified2.cc
new file mode 100644
index 0000000000..6b0579e2d3
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/Unified2.cc
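Review bot: `bro_plugin_bif(events.bif)` leaves out the `types.bif` this commit also creates, and Plugin.cc registers only `__bif_events_init`, so the `Unified2Alert` record declared there is never compiled into the plugin. Either list it, `bro_plugin_bif(events.bif types.bif)`, and register its init function alongside the events one, or drop types.bif until the record is used. Separately, `bro_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)` compiles the shared `file_analysis/Analyzer.cc` into this plugin's object list; the sibling analyzer directories and the base file-analysis CMake are not visible here, so confirm that file is not already built into the core library, otherwise its symbols are defined twice.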
@@ -0,0 +1,29 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include
+
+#include "Unified2.h"
+#include "file_analysis/Manager.h"
+
+using namespace file_analysis;
+
+Unified2::Unified2(RecordVal* args, File* file)
+ : file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), args, file)
+ {
+ interp = new binpac::Unified2::Unified2_Analyzer(this);
+ }
+
+Unified2::~Unified2()
+ {
+ }
+
+file_analysis::Analyzer* Unified2::Instantiate(RecordVal* args, File* file)
+ {
+ return new Unified2(args, file);
+ }
+
+bool Unified2::DeliverStream(const u_char* data, uint64 len)
+ {
+ interp->NewData(true, data, data+len);
+ return true;
+ }
diff --git a/src/file_analysis/analyzer/unified2/Unified2.h b/src/file_analysis/analyzer/unified2/Unified2.h
new file mode 100644
index 0000000000..d87bfb2009
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/Unified2.h
@@ -0,0 +1,40 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef FILE_ANALYSIS_UNIFIED2_H
+#define FILE_ANALYSIS_UNIFIED2_H
+
+#include
+
+#include "Val.h"
+#include "File.h"
+#include "Analyzer.h"
+#include "unified2_pac.h"
+
+namespace file_analysis {
+
+/**
+ * An analyzer to extract content of files to local disk.
+ */
+class Unified2 : public file_analysis::Analyzer {
+public:
+
+ virtual ~Unified2();
+
+ virtual bool DeliverStream(const u_char* data, uint64 len);
+
+ static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
+
+protected:
+
+ Unified2(RecordVal* args, File* file);
+
+private:
+ binpac::Unified2::Unified2_Analyzer* interp;
+
+ string filename;
+ int fd;
+};
+
+} // namespace file_analysis
+
+#endif
diff --git a/src/file_analysis/analyzer/unified2/events.bif b/src/file_analysis/analyzer/unified2/events.bif
new file mode 100644
index 0000000000..f1c3035606
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/events.bif
@@ -0,0 +1,2 @@
+
+event unified2_alert%(f: fa_file, alert: count%);
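Review bot: `interp` is allocated with `new` in the `Unified2` constructor but `~Unified2()` is empty, so every analyzer instance leaks its binpac interpreter, and `DeliverStream` passes file bytes straight to `interp->NewData()` with no handler for `binpac::Exception`, so a malformed or truncated Unified2 record — attacker-controlled once the analyzer is attached to files transferred over the network — propagates out of the analyzer instead of being reported as a parse failure. Delete the interpreter in the destructor and catch the binpac exception in `DeliverStream`, returning `false`, which I understand the file-analysis manager treats as a request to detach the analyzer (confirm against `File::DataIn` in the core).
```cpp
Unified2::~Unified2()
	{
	delete interp;
	}

// … unchanged: Instantiate …

bool Unified2::DeliverStream(const u_char* data, uint64 len)
	{
	try
		{
		interp->NewData(true, data, data + len);
		}
	catch ( const binpac::Exception& e )
		{
		// Malformed input: stop feeding this file to the parser.
		return false;
		}

	return true;
	}
```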
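Review bot: The class comment in Unified2.h, `An analyzer to extract content of files to local disk.`, describes the Extract analyzer, not this one, and the private members `string filename;` and `int fd;` are never set or read by Unified2.cc and look copied from the same place. Replace the comment with `/** A file analyzer that parses Unified2 alert records and raises unified2_alert events. */` and drop the two unused members, leaving only `interp`. The dangling `#include` with no header name is presumably a stripped `<string>`/`<vector>` include; once `filename` goes it may be unnecessary, so check what the generated `unified2_pac.h` actually needs.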
diff --git a/src/file_analysis/analyzer/unified2/types.bif b/src/file_analysis/analyzer/unified2/types.bif
new file mode 100644
index 0000000000..fb385bf962
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/types.bif
@@ -0,0 +1 @@
+type Unified2Alert: record;
diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
new file mode 100644
index 0000000000..4743ebb5da
--- /dev/null
+++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
@@ -0,0 +1,35 @@
+%extern{
+#include "Event.h"
+#include "file_analysis/File.h"
+#include "events.bif.h"
+%}
+
+refine flow Flow += {
+
+ %member{
+ %}
+
+ %init{
+ %}
+
+ %eof{
+ %}
+
+ %cleanup{
+ %}
+
+ function proc_ids_event(ev: IDSEvent) : bool
+ %{
+ val_list* vl = new val_list();
+ vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref());
+ vl->append(new Val(${ev.signature_id}, TYPE_COUNT));
+ mgr.QueueEvent(::unified2_alert, vl, SOURCE_LOCAL);
+
+ return true;
+ %}
+};
+
+
+refine typeattr IDSEvent += &let {
+ proc : bool = $context.flow.proc_ids_event(this);
+};
diff --git a/src/unified2-file.pac b/src/file_analysis/analyzer/unified2/unified2-file.pac
similarity index 99%
rename from src/unified2-file.pac
rename to src/file_analysis/analyzer/unified2/unified2-file.pac
index 26b72b14dd..01497aaec3 100644
--- a/src/unified2-file.pac
+++ b/src/file_analysis/analyzer/unified2/unified2-file.pac
@@ -11,7 +11,6 @@ enum Types {
 EXTRA_DATA = 110,
 };
-
 type Time = record {
 seconds: uint32;
 microseconds: uint32;
diff --git a/src/unified2.pac b/src/file_analysis/analyzer/unified2/unified2.pac
similarity index 82%
rename from src/unified2.pac
rename to src/file_analysis/analyzer/unified2/unified2.pac
index 86820eb9f3..c0947d3fb5 100644
--- a/src/unified2.pac
+++ b/src/file_analysis/analyzer/unified2/unified2.pac
@@ -7,7 +7,7 @@ analyzer Unified2 withcontext { flow: Flow; }; -analyzer Unified2_Analyzer { +analyzer Unified2_Analyzer(bro_analyzer: BroFileAnalyzer) { downflow = Flow; upflow = Flow; }; diff --git a/src/unified2-analyzer.pac b/src/unified2-analyzer.pac deleted file mode 100644 index 9f4f206562..0000000000 --- a/src/unified2-analyzer.pac +++ /dev/null @@ -1,26 +0,0 @@ - -refine flow Flow += { - - %member{ - %} - - %init{ - %} - - %eof{ - %} - - %cleanup{ - %} - - function proc_ids_event(ev: IDSEvent) : bool - %{ - printf("woo!\n"); - return true; - %} -}; - - -refine typeattr IDSEvent += &let { - proc : bool = $context.flow.proc_ids_event(this); -};