Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 03:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

frameworks/notice: Handle fa_file with no or more than a single connection better

Browse source 
* When a file is transferred over multiple connection, have
  create_file_info() just pick the first one instead of none.

* Do not unconditionally assume cid and cuid as set on a
  Notice::FileInfo object.
This commit is contained in:
Arne Welzel 2022-12-02 14:21:53 +01:00
parent dbbb6cd6f0
commit 1e06c8bfda
7 changed files with 65 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
scripts/base/frameworks/notice/main.zeek
View file

@ -601,11 +601,13 @@ function create_file_info(f: fa_file): Notice::FileInfo
if ( f?$info && f$info?$mime_type )
fi$mime = f$info$mime_type;
if ( f?$conns && |f$conns| == 1 )
# If a file is transferred over multiple connections, just pick one.
if ( f?$conns && |f$conns| > 0 )
for ( id, c in f$conns )
{
fi$cid = id;
fi$cuid = c$uid;
break;
}
return fi;
@ -625,8 +627,12 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
n$file_mime_type = fi$mime;
n$file_desc = fi$desc;
n$id = fi$cid;
n$uid = fi$cuid;
if ( fi?$cid )
n$id = fi$cid;
if ( fi?$cuid )
n$uid = fi$cuid;
}
# This is run synchronously as a function before all of the other