frameworks/notice: Handle fa_file with no or more than a single connection better

* When a file is transferred over multiple connections, have
  create_file_info() just pick the first one instead of none.

* Do not unconditionally assume cid and cuid as set on a
  Notice::FileInfo object.
Arne Welzel 2022-12-02 14:21:53 +01:00
parent dbbb6cd6f0
commit 1e06c8bfda
7 changed files with 65 additions and 3 deletions

NEWS

@ -158,6 +158,9 @@ Changed Functionality
- The MQTT scripts registering the analyzer and DPD signatures have - The MQTT scripts registering the analyzer and DPD signatures have
been moved from the policy folder to base and are loaded by default. been moved from the policy folder to base and are loaded by default.
- Notices created for files transferred over multiple connections will now be
associated with one of the connections rather than none.
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------


@ -601,11 +601,13 @@ function create_file_info(f: fa_file): Notice::FileInfo
if ( f?$info && f$info?$mime_type ) if ( f?$info && f$info?$mime_type )
fi$mime = f$info$mime_type; fi$mime = f$info$mime_type;
if ( f?$conns && |f$conns| == 1 ) # If a file is transferred over multiple connections, just pick one.
if ( f?$conns && |f$conns| > 0 )
for ( id, c in f$conns ) for ( id, c in f$conns )
{ {
fi$cid = id; fi$cid = id;
fi$cuid = c$uid; fi$cuid = c$uid;
break;
} }
return fi; return fi;
@ -625,8 +627,12 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
n$file_mime_type = fi$mime; n$file_mime_type = fi$mime;
n$file_desc = fi$desc; n$file_desc = fi$desc;
n$id = fi$cid;
n$uid = fi$cuid; if ( fi?$cid )
n$id = fi$cid;
if ( fi?$cuid )
n$uid = fi$cuid;
} }
# This is run synchronously as a function before all of the other # This is run synchronously as a function before all of the other
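Review bot: The connection chosen in create_file_info() is now whichever entry the `for ( id, c in f$conns )` loop yields first, and as far as I can tell table iteration order in Zeek is not guaranteed to be stable across runs or nodes, so the same multi-connection file may be attributed to a different uid in notice.log from one run to the next. If analysts correlate notices by uid, a deterministic choice (for example the connection with the smallest start_time, or the lexically smallest uid) would be preferable to breaking out of the first iteration. At minimum the new comment should state the caveat: `# If a file is transferred over multiple connections, just pick one; table iteration order is not guaranteed, so the chosen connection may vary between runs.` The create_file_info() function begins before this hunk.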


@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string
XXXXXXXXXX.XXXXXX FDXrtA2UOyNDs2wzk8 CHhAvVGS1DHFjwGM9 127.0.0.1 48768 127.0.0.1 8080 HTTP 0 SHA1 text/plain - 0.002150 - F 34 34 0 0 F -
XXXXXXXXXX.XXXXXX FDXrtA2UOyNDs2wzk8 ClEkJM2Vm5giqnMf4h 127.0.0.1 48770 127.0.0.1 8080 HTTP 0 SHA1 text/plain - 0.002150 - F 34 34 0 0 F -
XXXXXXXXXX.XXXXXX FDXrtA2UOyNDs2wzk8 C4J4Th3PJpwUYZZ6gc 127.0.0.1 48776 127.0.0.1 8080 HTTP 0 SHA1 text/plain - 0.002150 - F 34 34 0 0 F -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 48768 127.0.0.1 8080 FDXrtA2UOyNDs2wzk8 text/plain http://localhost:8080:8080/zeek.txt tcp NoticeTestType test - 127.0.0.1 127.0.0.1 8080 - - Notice::ACTION_LOG (empty) 3600.000000
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
file_hash, sha1, 3
[fuid=FDXrtA2UOyNDs2wzk8, desc=http://localhost:8080:8080/zeek.txt, mime=text/plain, cid=[orig_h=127.0.0.1, orig_p=48768/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], cuid=CHhAvVGS1DHFjwGM9]


@ -0,0 +1,26 @@
# @TEST-DOC: Call create_file_info() and populate_file_info2() when a file is transferred over multiple connections.
# @TEST-EXEC: zeek -b %INPUT -r $TRACES/http/concurrent-range-requests-complete.pcap > output
# @TEST-EXEC: btest-diff output
# @TEST-EXEC: btest-diff files.log
# @TEST-EXEC: btest-diff notice.log
@load base/protocols/http
@load base/frameworks/files
redef enum Notice::Type += { NoticeTestType };
event file_new(f: fa_file)
{
Files::add_analyzer(f, Files::ANALYZER_SHA1);
}
event file_hash(f: fa_file, kind: string, hash: string)
{
print "file_hash", kind, f?$conns ? |f$conns| : 0;
local fi = Notice::create_file_info(f);
print fi;
local n: Notice::Info = Notice::Info($note=NoticeTestType, $msg="test");
Notice::populate_file_info2(fi, n);
NOTICE(n);
}
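Review bot: This test only exercises the multi-connection path of create_file_info(); the new `if ( fi?$cid )` / `if ( fi?$cuid )` guards in populate_file_info2() are never reached with an unset cid, so a regression back to unconditional field access would pass here unnoticed. Inside the file_hash handler, also build a Notice::FileInfo carrying only the fuid (no cid/cuid), pass it to populate_file_info2() and print whether n$id and n$uid ended up set, so the baseline pins the no-connection behaviour as well. The @TEST-DOC line should then mention that second case.

```zeek
event file_hash(f: fa_file, kind: string, hash: string)
	{
	# … unchanged: existing create_file_info()/populate_file_info2()/NOTICE() calls …

	# A FileInfo without any connection attached: populate_file_info2()
	# must leave n$id / n$uid unset instead of failing on a missing field.
	local fi_noconn = Notice::FileInfo($fuid=f$id);
	local n_noconn: Notice::Info = Notice::Info($note=NoticeTestType, $msg="no conns");
	Notice::populate_file_info2(fi_noconn, n_noconn);
	print "no conns", n_noconn?$id, n_noconn?$uid;
	}
```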