Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Unified2 file analyzer updated to new plugin style.

Browse source
This commit is contained in:
Seth Hall 2013-08-10 22:26:32 -04:00
parent a6eb7bb9df
commit 04de4ce24b
15 changed files with 169 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/files/unified2/__load__.bro Normal file
View file

@ -0,0 +1 @@
@load ./main

16
scripts/base/files/unified2/main.bro Normal file
View file

@ -0,0 +1,16 @@
event file_new(f: fa_file)
{
print "found a file";
print f$mime_type;
print Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);
}
event unified2_alert(f: fa_file, alert: count)
{
print "yaayyaya!!!";
print alert;
}

2
scripts/base/init-default.bro
View file

@ -55,5 +55,7 @@
@load base/files/hash
@load base/files/extract
@load base/files/unified2
@load base/misc/find-checksum-offloading

2
src/binpac_bro.h
View file

@ -12,6 +12,7 @@ namespace analyzer { class Analyzer; }
#include "event.bif.func_h"
#include "TunnelEncapsulation.h"
#include "analyzer/Analyzer.h"
#include "file_analysis/Analyzer.h"
#include "Conn.h"
#include "binpac.h"
@ -19,6 +20,7 @@ namespace analyzer { class Analyzer; }
namespace binpac {
typedef analyzer::Analyzer* BroAnalyzer;
typedef file_analysis::Analyzer BroFileAnalyzer;
typedef Val* BroVal;
typedef PortVal* BroPortVal;
typedef StringVal* BroStringVal;

1
src/file_analysis/analyzer/CMakeLists.txt
View file

@ -1,3 +1,4 @@
add_subdirectory(data_event)
add_subdirectory(extract)
add_subdirectory(hash)
add_subdirectory(unified2)

10
src/file_analysis/analyzer/unified2/CMakeLists.txt Normal file
View file

@ -0,0 +1,10 @@
include(BroPlugin)
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
${CMAKE_CURRENT_BINARY_DIR})
bro_plugin_begin(Bro Unified2)
bro_plugin_cc(Unified2.cc Plugin.cc ../../Analyzer.cc)
bro_plugin_bif(events.bif)
bro_plugin_pac(unified2.pac unified2-file.pac unified2-analyzer.pac)
bro_plugin_end()

29
src/file_analysis/analyzer/unified2/Plugin.cc Normal file
View file

@ -0,0 +1,29 @@
#include "plugin/Plugin.h"
#include "file_analysis/Component.h"
#include "Unified2.h"
namespace plugin { namespace Bro_Unified2 {
class Plugin : public plugin::Plugin {
protected:
void InitPreScript()
{
SetName("Bro::Unified2");
SetVersion(-1);
SetAPIVersion(BRO_PLUGIN_API_VERSION);
SetDynamicPlugin(false);
SetDescription("Analyze Unified2 alert files.");
AddComponent(new ::file_analysis::Component("UNIFIED2",
::file_analysis::Unified2::Instantiate));
extern std::list<std::pair<const char*, int> > __bif_events_init();
AddBifInitFunction(&__bif_events_init);
}
};
Plugin __plugin;
} }

29
src/file_analysis/analyzer/unified2/Unified2.cc Normal file
View file

@ -0,0 +1,29 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <string>
#include "Unified2.h"
#include "file_analysis/Manager.h"
using namespace file_analysis;
Unified2::Unified2(RecordVal* args, File* file)
: file_analysis::Analyzer(file_mgr->GetComponentTag("UNIFIED2"), args, file)
{
interp = new binpac::Unified2::Unified2_Analyzer(this);
}
Unified2::~Unified2()
{
}
file_analysis::Analyzer* Unified2::Instantiate(RecordVal* args, File* file)
{
return new Unified2(args, file);
}
bool Unified2::DeliverStream(const u_char* data, uint64 len)
{
interp->NewData(true, data, data+len);
return true;
}

40
src/file_analysis/analyzer/unified2/Unified2.h Normal file
View file

@ -0,0 +1,40 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_UNIFIED2_H
#define FILE_ANALYSIS_UNIFIED2_H
#include <string>
#include "Val.h"
#include "File.h"
#include "Analyzer.h"
#include "unified2_pac.h"
namespace file_analysis {
/**
* An analyzer to extract content of files to local disk.
*/
class Unified2 : public file_analysis::Analyzer {
public:
virtual ~Unified2();
virtual bool DeliverStream(const u_char* data, uint64 len);
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
protected:
Unified2(RecordVal* args, File* file);
private:
binpac::Unified2::Unified2_Analyzer* interp;
string filename;
int fd;
};
} // namespace file_analysis
#endif

2
src/file_analysis/analyzer/unified2/events.bif Normal file
View file

@ -0,0 +1,2 @@
event unified2_alert%(f: fa_file, alert: count%);

1
src/file_analysis/analyzer/unified2/types.bif Normal file
View file

@ -0,0 +1 @@
type Unified2Alert: record;

35
src/file_analysis/analyzer/unified2/unified2-analyzer.pac Normal file
View file

@ -0,0 +1,35 @@
%extern{
#include "Event.h"
#include "file_analysis/File.h"
#include "events.bif.h"
%}
refine flow Flow += {
%member{
%}
%init{
%}
%eof{
%}
%cleanup{
%}
function proc_ids_event(ev: IDSEvent) : bool
%{
val_list* vl = new val_list();
vl->append(connection()->bro_analyzer()->GetFile()->GetVal()->Ref());
vl->append(new Val(${ev.signature_id}, TYPE_COUNT));
mgr.QueueEvent(::unified2_alert, vl, SOURCE_LOCAL);
return true;
%}
};
refine typeattr IDSEvent += &let {
proc : bool = $context.flow.proc_ids_event(this);
};

1
src/unified2-file.pac → src/file_analysis/analyzer/unified2/unified2-file.pac
View file

@ -11,7 +11,6 @@ enum Types {
EXTRA_DATA = 110,
};
type Time = record {
seconds: uint32;
microseconds: uint32;

2
src/unified2.pac → src/file_analysis/analyzer/unified2/unified2.pac
View file

@ -7,7 +7,7 @@ analyzer Unified2 withcontext {
flow: Flow;
};
analyzer Unified2_Analyzer {
analyzer Unified2_Analyzer(bro_analyzer: BroFileAnalyzer) {
downflow = Flow;
upflow = Flow;
};

26
src/unified2-analyzer.pac
View file

@ -1,26 +0,0 @@
refine flow Flow += {
%member{
%}
%init{
%}
%eof{
%}
%cleanup{
%}
function proc_ids_event(ev: IDSEvent) : bool
%{
printf("woo!\n");
return true;
%}
};
refine typeattr IDSEvent += &let {
proc : bool = $context.flow.proc_ids_event(this);
};