Refactor common MIME magic matching code.

Put some methods in file_analysis::Manager that can perform the matching process and return MIME type results. Also helps to centralize the management/re-use of a signature matcher object.
2025-10-02 14:48:21 +00:00 · 2014-03-05 10:49:57 -06:00 · 2014-03-05 10:49:57 -06:00 · 0865b152bb
commit 0865b152bb
parent 9ac8110416
5 changed files with 71 additions and 17 deletions
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -20,13 +20,15 @@ string Manager::salt;

 Manager::Manager()
 	: plugin::ComponentManager<file_analysis::Tag,
-	                           file_analysis::Component>("Files")
+	                           file_analysis::Component>("Files"),
+	id_map(), ignored(), current_file_id(), magic_state()
 	{
 	}

 Manager::~Manager()
 	{
 	Terminate();
+	delete magic_state;
 	}

 void Manager::InitPreScript()
@ -42,6 +44,12 @@ void Manager::InitPostScript()
 	{
 	}

+void Manager::InitMagic()
+	{
+	delete magic_state;
+	magic_state = rule_matcher->InitFileMagic();
+	}
+
 void Manager::Terminate()
 	{
 	vector<string> keys;
@ -395,3 +403,25 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const

 	return c->Factory()(args, f);
 	}
+
+RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64 len,
+        RuleMatcher::MIME_Matches* rval) const
+	{
+	if ( ! magic_state )
+		reporter->InternalError("file magic signature state not initialized");
+
+	rval = rule_matcher->Match(magic_state, data, len, rval);
+	rule_matcher->ClearFileMagicState(magic_state);
+	return rval;
+	}
+
+string Manager::DetectMIME(const u_char* data, uint64 len) const
+	{
+	RuleMatcher::MIME_Matches matches;
+	DetectMIME(data, len, &matches);
+
+	if ( matches.empty() )
+		return "";
+
+	return *(matches.begin()->second.begin());
+	}