Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Improved file name extraction for SMTP when file name is included in Content-Type header.

Browse source
This commit is contained in:
Seth Hall 2012-12-13 10:27:08 -05:00
parent 43ed437daa
commit 0cf98ac325
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/smtp/entities.bro
View file

@ -177,6 +177,10 @@ event mime_one_header(c: connection, h: mime_header_rec)
if ( h$name == "CONTENT-DISPOSITION" && if ( h$name == "CONTENT-DISPOSITION" &&
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value ) /[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value )
c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value); c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
if ( h$name == "CONTENT-TYPE" &&
/[nN][aA][mM][eE][:blank:]*=/ in h$value )
c$smtp$current_entity$filename = extract_filename_from_content_disposition(h$value);
} }
event mime_end_entity(c: connection) &priority=-5 event mime_end_entity(c: connection) &priority=-5

2
scripts/base/utils/files.bro
View file

@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str
## the filename. ## the filename.
function extract_filename_from_content_disposition(data: string): string function extract_filename_from_content_disposition(data: string): string
{ {
local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, ""); local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
# Remove quotes around the filename if they are there. # Remove quotes around the filename if they are there.
if ( /^\"/ in filename ) if ( /^\"/ in filename )
filename = split_n(filename, /\"/, F, 2)[2]; filename = split_n(filename, /\"/, F, 2)[2];