frameworks/notice: Handle fa_file with no or more than a single connection better

* When a file is transferred over multiple connection, have create_file_info() just pick the first one instead of none. * Do not unconditionally assume cid and cuid as set on a Notice::FileInfo object.
2025-10-02 06:38:20 +00:00 · 2022-12-02 14:21:53 +01:00 · 2022-12-02 14:21:53 +01:00 · 1e06c8bfda
commit 1e06c8bfda
parent dbbb6cd6f0
7 changed files with 65 additions and 3 deletions
--- a/3
+++ b/3
@ -158,6 +158,9 @@ Changed Functionality
 - The MQTT scripts registering the analyzer and DPD signatures have
  been moved from the policy folder to base and are loaded by default.

+- Notices created for files transferred over multiple connections will now be
+  associated with one of the connections rather than none.
+
 Deprecated Functionality
 ------------------------

--- a/scripts/base/frameworks/notice/main.zeek
+++ b/scripts/base/frameworks/notice/main.zeek
@ -601,11 +601,13 @@ function create_file_info(f: fa_file): Notice::FileInfo
 	if ( f?$info && f$info?$mime_type )
 		fi$mime = f$info$mime_type;

-	if ( f?$conns && |f$conns| == 1 )
+	# If a file is transferred over multiple connections, just pick one.
+	if ( f?$conns && |f$conns| > 0 )
 		for ( id, c in f$conns )
 			{
 			fi$cid = id;
 			fi$cuid = c$uid;
+			break;
 			}

 	return fi;
@ -625,8 +627,12 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
 		n$file_mime_type = fi$mime;

 	n$file_desc = fi$desc;
-	n$id = fi$cid;
-	n$uid = fi$cuid;
+
+	if ( fi?$cid )
+		n$id = fi$cid;
+
+	if ( fi?$cuid )
+		n$uid = fi$cuid;
 	}

 # This is run synchronously as a function before all of the other
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/files.log
@ -0,0 +1,13 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	files
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid
+#types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string
+XXXXXXXXXX.XXXXXX	FDXrtA2UOyNDs2wzk8	CHhAvVGS1DHFjwGM9	127.0.0.1	48768	127.0.0.1	8080	HTTP	0	SHA1	text/plain	-	0.002150	-	F	34	34	0	0	F	-
+XXXXXXXXXX.XXXXXX	FDXrtA2UOyNDs2wzk8	ClEkJM2Vm5giqnMf4h	127.0.0.1	48770	127.0.0.1	8080	HTTP	0	SHA1	text/plain	-	0.002150	-	F	34	34	0	0	F	-
+XXXXXXXXXX.XXXXXX	FDXrtA2UOyNDs2wzk8	C4J4Th3PJpwUYZZ6gc	127.0.0.1	48776	127.0.0.1	8080	HTTP	0	SHA1	text/plain	-	0.002150	-	F	34	34	0	0	F	-
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/notice.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/notice.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	127.0.0.1	48768	127.0.0.1	8080	FDXrtA2UOyNDs2wzk8	text/plain	http://localhost:8080:8080/zeek.txt	tcp	NoticeTestType	test	-	127.0.0.1	127.0.0.1	8080	-	-	Notice::ACTION_LOG	(empty)	3600.000000
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.file-info-multiple-conns/output
@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+file_hash, sha1, 3
+[fuid=FDXrtA2UOyNDs2wzk8, desc=http://localhost:8080:8080/zeek.txt, mime=text/plain, cid=[orig_h=127.0.0.1, orig_p=48768/tcp, resp_h=127.0.0.1, resp_p=8080/tcp], cuid=CHhAvVGS1DHFjwGM9]
--- a/testing/btest/Traces/http/concurrent-range-requests-complete.pcap
+++ b/testing/btest/Traces/http/concurrent-range-requests-complete.pcap
--- a/testing/btest/scripts/base/frameworks/notice/file-info-multiple-conns.zeek
+++ b/testing/btest/scripts/base/frameworks/notice/file-info-multiple-conns.zeek
@ -0,0 +1,26 @@
+# @TEST-DOC: Call create_file_info() and populate_file_info2() when a file is transferred over multiple connections.
+
+# @TEST-EXEC: zeek -b %INPUT -r $TRACES/http/concurrent-range-requests-complete.pcap > output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff files.log
+# @TEST-EXEC: btest-diff notice.log
+
+@load base/protocols/http
+@load base/frameworks/files
+
+redef enum Notice::Type += { NoticeTestType };
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_SHA1);
+	}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	print "file_hash", kind, f?$conns ? |f$conns| : 0;
+	local fi = Notice::create_file_info(f);
+	print fi;
+	local n: Notice::Info = Notice::Info($note=NoticeTestType, $msg="test");
+	Notice::populate_file_info2(fi, n);
+	NOTICE(n);
+	}