Added protocol description functions that provide a super compressed log representation.

2025-10-03 15:18:20 +00:00 · 2013-07-16 12:01:50 -04:00 · 2013-07-16 12:01:50 -04:00 · 0bfdcc1fbc
commit 0bfdcc1fbc
parent 4dd4c5344e
13 changed files with 190 additions and 75 deletions
--- a/scripts/base/protocols/ftp/load.bro
+++ b/scripts/base/protocols/ftp/load.bro
@ -1,5 +1,6 @@
@load ./utils-commands
@load ./main
+@load ./utils
@load ./files
@load ./gridftp

--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@ -12,6 +12,9 @@ export {

 	## Default file handle provider for FTP.
 	global get_file_handle: function(c: connection, is_orig: bool): string;
+
+	## Describe the file being transferred.
+	global describe_file: function(f: fa_file): string;
 }

 function get_file_handle(c: connection, is_orig: bool): string
@ -22,9 +25,25 @@ function get_file_handle(c: connection, is_orig: bool): string
 	return cat(Analyzer::ANALYZER_FTP_DATA, c$start_time, c$id, is_orig);
 	}

+function describe_file(f: fa_file): string
+	{
+	# This shouldn't be needed, but just in case...
+	if ( f$source != "FTP" )
+		return "";
+
+	for ( cid in f$conns )
+		{
+		if ( f$conns[cid]?$ftp )
+			return FTP::describe(f$conns[cid]$ftp);
+		}
+	return "";
+	}
+
 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, FTP::get_file_handle);
+	Files::register_protocol(Analyzer::ANALYZER_FTP_DATA,
+	                         [$get_file_handle = FTP::get_file_handle,
+	                          $describe        = FTP::describe_file]);
 	}


--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@ -63,8 +63,6 @@ export {
 		reply_code:       count       &log &optional;
 		## Reply message from the server in response to the command.
 		reply_msg:        string      &log &optional;
-		## Arbitrary tags that may indicate a particular attribute of this command.
-		tags:             set[string] &log;

 		## Expected FTP data channel.
 		data_channel:     ExpectedDataChannel &log &optional;
@ -171,37 +169,22 @@ function set_ftp_session(c: connection)

 function ftp_message(s: Info)
 	{
-	# If it either has a tag associated with it (something detected)
-	# or it's a deliberately logged command.
-	if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
+	s$ts=s$cmdarg$ts;
+	s$command=s$cmdarg$cmd;
+	s$arg=s$cmdarg$arg;
+	if ( s$arg == "" )
+		delete s$arg;
+
+	if ( s?$password &&
+	     ! s$capture_password &&
+	     to_lower(s$user) !in guest_ids )
 		{
-		if ( s?$password &&
-		     ! s$capture_password &&
-		     to_lower(s$user) !in guest_ids )
-			{
-			s$password = "<hidden>";
-			}
-
-		local arg = s$cmdarg$arg;
-		if ( s$cmdarg$cmd in file_cmds )
-			{
-			local comp_path = build_path_compressed(s$cwd, arg);
-			if ( comp_path[0] != "/" )
-				comp_path = cat("/", comp_path);
-
-			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
-			}
-
-		s$ts=s$cmdarg$ts;
-		s$command=s$cmdarg$cmd;
-		if ( arg == "" )
-			delete s$arg;
-		else
-			s$arg=arg;
-
-		Log::write(FTP::LOG, s);
+		s$password = "<hidden>";
 		}

+	if ( s?$cmdarg && s$command in logged_commands)
+		Log::write(FTP::LOG, s);
+
 	# The MIME and file_size fields are specific to file transfer commands
 	# and may not be used in all commands so they need reset to "blank"
 	# values after logging.
@ -209,8 +192,6 @@ function ftp_message(s: Info)
 	delete s$file_size;
 	# Same with data channel.
 	delete s$data_channel;
-	# Tags are cleared everytime too.
-	s$tags = set();
 	}

 function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
@ -218,8 +199,9 @@ function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
 	s$passive = chan$passive;
 	s$data_channel = chan;
 	ftp_data_expected[chan$resp_h, chan$resp_p] = s;
-	Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p, Analyzer::ANALYZER_FTP_DATA,
-				    5mins);
+	Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p, 
+	                            Analyzer::ANALYZER_FTP_DATA,
+	                            5mins);
 	}

 event ftp_request(c: connection, command: string, arg: string) &priority=5
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@ -8,6 +8,9 @@ module HTTP;
 export {
 	## Default file handle provider for HTTP.
 	global get_file_handle: function(c: connection, is_orig: bool): string;
+
+	## Default file describer for HTTP.
+	global describe_file: function(f: fa_file): string;
 }

 function get_file_handle(c: connection, is_orig: bool): string
@ -27,7 +30,23 @@ function get_file_handle(c: connection, is_orig: bool): string
 		}
 	}

+function describe_file(f: fa_file): string
+	{
+	# This shouldn't be needed, but just in case...
+	if ( f$source != "HTTP" )
+		return "";
+
+	for ( cid in f$conns )
+		{
+		if ( f$conns[cid]?$http )
+			return build_url_http(f$conns[cid]$http);
+		}
+	return "";
+	}
+
 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
+	Files::register_protocol(Analyzer::ANALYZER_HTTP,
+	                         [$get_file_handle = HTTP::get_file_handle,
+	                          $describe        = HTTP::describe_file]);
 	}
--- a/scripts/base/protocols/http/utils.bro
+++ b/scripts/base/protocols/http/utils.bro
@ -32,6 +32,9 @@ export {
 	##
 	## Returns: A URL prefixed with "http://".
 	global build_url_http: function(rec: Info): string;
+
+	## Create an extremely shortened representation of a log line.
+	global describe: function(rec: Info): string;
 }


@ -62,3 +65,8 @@ function build_url_http(rec: Info): string
 	{
 	return fmt("http://%s", build_url(rec));
 	}
+
+function describe(rec: Info): string
+	{
+	return build_url_http(rec);
+	}
--- a/scripts/base/protocols/irc/file-analysis.bro
+++ b/scripts/base/protocols/irc/file-analysis.bro
@ -1,23 +0,0 @@
-@load ./dcc-send
-@load base/utils/conn-ids
-@load base/frameworks/files
-
-module IRC;
-
-export {
-	## Default file handle provider for IRC.
-	global get_file_handle: function(c: connection, is_orig: bool): string;
-}
-
-function get_file_handle(c: connection, is_orig: bool): string
-	{
-	if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers ) 
-		return "";
-
-	return cat(ANALYZER_IRC_DATA, c$start_time, c$id, is_orig);
-	}
-
-event bro_init() &priority=5
-	{
-	Files::register_protocol(ANALYZER_IRC_DATA, IRC::get_file_handle);
-	}
--- a/scripts/base/protocols/irc/files.bro
+++ b/scripts/base/protocols/irc/files.bro
@ -24,7 +24,8 @@ function get_file_handle(c: connection, is_orig: bool): string

 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
+	Files::register_protocol(Analyzer::ANALYZER_IRC_DATA,
+	                         [$get_file_handle = IRC::get_file_handle]);
 	}

 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
@ -14,6 +14,9 @@ export {

 	## Default file handle provider for SMTP.
 	global get_file_handle: function(c: connection, is_orig: bool): string;
+
+	## Default file describer for SMTP.
+	global describe_file: function(f: fa_file): string;
 }

 function get_file_handle(c: connection, is_orig: bool): string
@ -22,9 +25,25 @@ function get_file_handle(c: connection, is_orig: bool): string
 	           c$smtp_state$mime_depth);
 	}

+function describe_file(f: fa_file): string
+	{
+	# This shouldn't be needed, but just in case...
+	if ( f$source != "SMTP" )
+		return "";
+
+	for ( cid in f$conns )
+		{
+		local c = f$conns[cid];
+		return SMTP::describe(c$smtp);
+		}
+	return "";
+	}
+
 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
+	Files::register_protocol(Analyzer::ANALYZER_SMTP, 
+	                         [$get_file_handle = SMTP::get_file_handle,
+	                          $describe        = SMTP::describe_file]);
 	}

 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -72,7 +72,10 @@ export {
 	##    ALL_HOSTS - always capture the entire path.
 	##    NO_HOSTS - never capture the path.
 	const mail_path_capture = ALL_HOSTS &redef;
-		
+	
+	## Create an extremely shortened representation of a log line.
+	global describe: function(rec: Info): string;
+
 	global log_smtp: event(rec: Info);
 }

@ -268,3 +271,29 @@ event connection_state_remove(c: connection) &priority=-5
 	if ( c?$smtp )
 		smtp_message(c);
 	}
+
+function describe(rec: Info): string
+	{
+	if ( rec?$mailfrom && rec?$rcptto )
+		{
+		local one_to = "";
+		for ( to in rec$rcptto )
+			{
+			one_to = to;
+			break;
+			}
+		local abbrev_subject = "";
+		if ( rec?$subject )
+			{
+			if ( |rec$subject| > 20 )
+				{
+				abbrev_subject = rec$subject[0:20] + "...";
+				}
+			}
+
+		return fmt("%s -> %s%s%s", rec$mailfrom, one_to,
+			(|rec$rcptto|>1 ? fmt(" (plus %d others)", |rec$rcptto|-1) : ""),
+			(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
+		}
+		return "";
+	}