Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 03:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Added protocol description functions that provide a super compressed log representation.

Browse source
This commit is contained in:
Seth Hall 2013-07-16 12:01:50 -04:00
parent 4dd4c5344e
commit 0bfdcc1fbc
13 changed files with 190 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

19
scripts/base/frameworks/notice/main.bro
View file

@ -79,7 +79,13 @@ export {
## A mime type if the notice is related to a file. If the $f field
## is provided, this will be automatically filled out.
mime_type: string &log &optional;
file_mime_type: string &log &optional;
## Frequently files can be "described" to give a bit more context.
## This field will typically be automatically filled out from an
## fa_file record. For example, if a notice was related to a
## file over HTTP, the URL of the request would be shown.
file_desc: string &log &optional;
## The transport protocol. Filled automatically when either conn, iconn
## or p is specified.
@ -477,9 +483,13 @@ function apply_policy(n: Notice::Info)
{
if ( ! n?$fuid )
n$fuid = n$f$id;
if ( ! n?$mime_type && n$f?$mime_type )
n$mime_type = n$f$mime_type;
if ( |n$f$conns| == 1 )
if ( ! n?$file_mime_type && n$f?$mime_type )
n$file_mime_type = n$f$mime_type;
n$file_desc = Files::describe(n$f);
if ( n$f?$conns && |n$f$conns| == 1 )
{
for ( id in n$f$conns )
n$conn = n$f$conns[id];
@ -490,6 +500,7 @@ function apply_policy(n: Notice::Info)
{
if ( ! n?$id )
n$id = n$conn$id;
if ( ! n?$uid )
n$uid = n$conn$uid;
}