Add input interface to forward data for file analysis.

The new Input::add_analysis function is used to automatically forward
input data on to the file analysis framework.
This commit is contained in:
Jon Siwek 2013-05-21 10:29:22 -05:00
parent 90fa331279
commit 0ef074594d
9 changed files with 219 additions and 45 deletions


@ -85,14 +85,10 @@ File::File(const string& file_id, Connection* conn, AnalyzerTag::Tag tag,
if ( conn )
{
// add source, connection, is_orig fields
val->Assign(source_idx, new StringVal(::Analyzer::GetTagName(tag)));
SetSource(::Analyzer::GetTagName(tag));
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
UpdateConnectionFields(conn);
}
else
{
// TODO: what to use as source field? (input framework interface)
}
UpdateLastActivityTime();
}
@ -172,6 +168,18 @@ int File::Idx(const string& field)
return rval;
}
string File::GetSource() const
{
Val* v = val->Lookup(source_idx);
return v ? v->AsString()->CheckString() : string();
}
void File::SetSource(const string& source)
{
val->Assign(source_idx, new StringVal(source.c_str()));
}
double File::GetTimeoutInterval() const
{
return LookupFieldDefaultInterval(timeout_interval_idx);
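Review bot: `File::SetSource` at the `val->Assign(source_idx, new StringVal(source.c_str()))` line hands the source over as a C string, so a `std::string` containing an embedded NUL would be silently truncated; now that the source can arrive from a non-connection input path rather than a fixed analyzer tag name, pass the length explicitly, e.g. `new StringVal(source.size(), source.data())`, assuming StringVal offers a length-taking constructor as elsewhere in this codebase. The empty `else` branch in the constructor still carries `// TODO: what to use as source field? (input framework interface)`, which this commit resolves by letting the manager call `SetSource()` after construction; replace it with `// No connection: the source is filled in later via SetSource() by the caller feeding the data.` so the next reader is not sent looking for unfinished work. `File::File`'s opening lines lie outside the hunk.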


@ -26,6 +26,17 @@ public:
*/
RecordVal* GetVal() const { return val; }
/**
* @return the value of the "source" field from #val record or an empty
* string if it's not initialized.
*/
string GetSource() const;
/**
* Set the "source" field from #val record to \a source.
*/
void SetSource(const string& source);
/**
* @return value (seconds) of the "timeout_interval" field from #val record.
*/


@ -62,7 +62,8 @@ void Manager::SetHandle(const string& handle)
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{
File* file = GetFile(conn, tag, is_orig);
GetFileHandle(tag, conn, is_orig);
File* file = GetFile(current_file_id, conn, tag, is_orig);
if ( ! file )
return;
@ -76,9 +77,10 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig)
{
GetFileHandle(tag, conn, is_orig);
// Sequential data input shouldn't be going over multiple conns, so don't
// do the check to update connection set.
File* file = GetFile(conn, tag, is_orig, false);
File* file = GetFile(current_file_id, conn, tag, is_orig, false);
if ( ! file )
return;
@ -89,6 +91,23 @@ void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
RemoveFile(file->GetID());
}
void Manager::DataIn(const u_char* data, uint64 len, const string& file_id,
const string& source)
{
File* file = GetFile(file_id);
if ( ! file )
return;
if ( file->GetSource().empty() )
file->SetSource(source);
file->DataIn(data, len);
if ( file->IsComplete() )
RemoveFile(file->GetID());
}
void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn)
{
EndOfFile(tag, conn, true);
@ -102,10 +121,16 @@ void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
RemoveFile(current_file_id);
}
void Manager::EndOfFile(const string& file_id)
{
RemoveFile(file_id);
}
void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig)
{
File* file = GetFile(conn, tag, is_orig);
GetFileHandle(tag, conn, is_orig);
File* file = GetFile(current_file_id, conn, tag, is_orig);
if ( ! file )
return;
@ -116,7 +141,8 @@ void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
bool is_orig)
{
File* file = GetFile(conn, tag, is_orig);
GetFileHandle(tag, conn, is_orig);
File* file = GetFile(current_file_id, conn, tag, is_orig);
if ( ! file )
return;
@ -169,27 +195,23 @@ bool Manager::RemoveAnalyzer(const string& file_id, const RecordVal* args) const
return file->RemoveAnalyzer(args);
}
File* Manager::GetFile(Connection* conn, AnalyzerTag::Tag tag, bool is_orig,
bool update_conn)
File* Manager::GetFile(const string& file_id, Connection* conn,
AnalyzerTag::Tag tag, bool is_orig, bool update_conn)
{
// sets current_file_id for us
GetFileHandle(tag, conn, is_orig);
if ( current_file_id.empty() )
if ( file_id.empty() )
return 0;
if ( IsIgnored(current_file_id) )
if ( IsIgnored(file_id) )
return 0;
File* rval = id_map[current_file_id];
File* rval = id_map[file_id];
if ( ! rval )
{
rval = id_map[current_file_id] = new File(current_file_id, conn, tag,
is_orig);
rval = id_map[file_id] = new File(file_id, conn, tag, is_orig);
rval->ScheduleInactivityTimer();
if ( IsIgnored(current_file_id) )
if ( IsIgnored(file_id) )
return 0;
}
else
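Review bot: The new `Manager::DataIn(data, len, file_id, source)` overload calls `GetFile(file_id)` with the defaults, so `update_conn` is true while `conn` is a null pointer; the `else` branch that honours `update_conn` begins at the last line of the `GetFile` hunk and continues outside it, so if it refreshes connection fields without a null check this path would dereference `conn`. Mirror the sequential connection overload and pass the flag explicitly: `File* file = GetFile(file_id, 0, AnalyzerTag::Error, false, false);`. The overload also records `source` only when `GetSource()` is empty, so a `file_id` fed from two different sources silently keeps the first — a comment such as `// First writer wins: the source is recorded once and never replaced.` would make that deliberate. Note too that externally supplied ids share `id_map` with analyzer-derived ids, so a colliding id merges the two streams into one File; that is presumably the caller's responsibility, but it is worth stating in the header.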


@ -56,11 +56,18 @@ public:
void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig);
/**
* Pass in sequential file data from external source (e.g. input framework).
*/
void DataIn(const u_char* data, uint64 len, const string& file_id,
const string& source);
/**
* Signal the end of file data.
*/
void EndOfFile(AnalyzerTag::Tag tag, Connection* conn);
void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
void EndOfFile(const string& file_id);
/**
* Signal a gap in the file data stream.
@ -118,13 +125,13 @@ protected:
typedef map<string, File*> IDMap;
/**
* @return the File object mapped to #current_file_id or a null pointer if
* @return the File object mapped to \a file_id or a null pointer if
* analysis is being ignored for the associated file. An File
* object may be created if a mapping doesn't exist, and if it did
* exist, the activity time is refreshed along with any
* connection-related fields.
*/
File* GetFile(Connection* conn = 0,
File* GetFile(const string& file_id, Connection* conn = 0,
AnalyzerTag::Tag tag = AnalyzerTag::Error,
bool is_orig = false, bool update_conn = true);
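Review bot: The doc comment for the new `DataIn(const u_char* data, uint64 len, const string& file_id, const string& source)` overload says only "Pass in sequential file data from external source (e.g. input framework)." and leaves `file_id` and `source` undescribed, while the new `EndOfFile(const string& file_id)` gets no comment of its own. Spell out the parameters: `* @param file_id the identifier the caller uses for this file; a new File is created on first use.` and `* @param source a label recorded in the file's "source" field only if none is set yet.`, and give the id-keyed `EndOfFile` a line noting it removes the File for \a file_id regardless of connection state. The `GetFile` comment now correctly names \a file_id, but it should also mention that an empty id or an ignored file yields a null pointer, which the implementation in this commit checks before anything else.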