diff --git a/src/file_analysis.bif b/src/file_analysis.bif
index 9bea289444..934122f819 100644
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@@ -94,13 +94,13 @@ function FileAnalysis::stop%(file_id: string%): bool
 	return new Val(result, TYPE_BOOL);
 	%}
 
-function FileAnalysis::input_data%(source: string, data: string%): any
+function FileAnalysis::data_stream%(source: string, data: string%): any
 	%{
 	file_mgr->DataIn(data->Bytes(), data->Len(), source->CheckString());
 	return 0;
 	%}
 
-function FileAnalysis::input_data_chunk%(source: string, data: string,
+function FileAnalysis::data_chunk%(source: string, data: string,
                                          offset: count%): any
 	%{
 	file_mgr->DataIn(data->Bytes(), data->Len(), offset, source->CheckString());
@@ -119,7 +119,7 @@ function FileAnalysis::set_size%(source: string, size: count%): any
 	return 0;
 	%}
 
-function FileAnalysis::input_eof%(source: string%): any
+function FileAnalysis::eof%(source: string%): any
 	%{
 	file_mgr->EndOfFile(source->CheckString());
 	return 0;
diff --git a/src/file_analysis/InfoTimer.cc b/src/file_analysis/InfoTimer.cc
index c855d0a54d..9859839c5a 100644
--- a/src/file_analysis/InfoTimer.cc
+++ b/src/file_analysis/InfoTimer.cc
@@ -3,6 +3,14 @@
 
 using namespace file_analysis;
 
+
+InfoTimer::InfoTimer(double t, const FileID& id, double interval)
+	: Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id)
+	{
+	DBG_LOG(DBG_FILE_ANALYSIS, "New %f second timeout timer for %s",
+	        file_id.c_str(), interval);
+	}
+
 void InfoTimer::Dispatch(double t, int is_expire)
 	{
 	Info* info = file_mgr->Lookup(file_id);
diff --git a/src/file_analysis/InfoTimer.h b/src/file_analysis/InfoTimer.h
index 250dbedddf..08aefb5d6a 100644
--- a/src/file_analysis/InfoTimer.h
+++ b/src/file_analysis/InfoTimer.h
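Review bot: The DBG_LOG call in the new InfoTimer constructor passes its arguments in the wrong order for the format string: `%f` is fed `file_id.c_str()` and `%s` is fed `interval`. If DBG_LOG forwards to a printf-style formatter, as the format string suggests, that is undefined behaviour in debug builds (a double read as a C string pointer can crash the logger) and at best prints garbage. Swap the two arguments: `DBG_LOG(DBG_FILE_ANALYSIS, "New %f second timeout timer for %s", interval, file_id.c_str());`. The body of Dispatch at the end of the hunk continues outside it.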
@@ -13,8 +13,7 @@ namespace file_analysis {
 class InfoTimer : public Timer {
 public:
 
-	InfoTimer(double t, const FileID& id, double interval)
-		: Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id) {}
+	InfoTimer(double t, const FileID& id, double interval);
 
 	/**
 	 * Check inactivity of file_analysis::Info corresponding to #file_id,
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
new file mode 100644
index 0000000000..934c22f049
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
@@ -0,0 +1,31 @@ +FileAnalysis::TRIGGER_NEW +Cx92a0ym5R8, 0, 0 +T +FileAnalysis::TRIGGER_BOF +FileAnalysis::TRIGGER_BOF_BUFFER +^J0.26 | 201 +FileAnalysis::TRIGGER_TYPE +file type is set +mime type is set +file_stream, Cx92a0ym5R8, 1500, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-relea +file_chunk, Cx92a0ym5R8, 1500, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J * Fixing GPG signing script. 
(Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J * Tweaks to release scripts, plus a new one for signing files.^J (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J * Tweaks for OpenBSD support. (Jon Siwek)^J^J * bro-cut extensions and fixes. (Robin Sommer)^J ^J - If no field names are given on the command line, we now pass through^J all fields. Adresses #657.^J^J - Removing some GNUism from awk script. Addresses #653.^J^J - Added option for time output in UTC. Addresses #668.^J^J - Added output field separator option -F. Addresses #649.^J^J - Fixing option -c: only some header lines were passed through^J rather than all. (Robin Sommer)^J^J * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J * Little fix for make-relea +file_stream, Cx92a0ym5R8, 1024, se script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. 
The new option "-D "^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices f +file_chunk, Cx92a0ym5R8, 1024, 1500, se script, which could pick out the wrong^J tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J * Bugfix in update-changes script. (Robin Sommer)^J^J * update-changes now ignores commits it did itself. (Robin Sommer)^J^J * Fix a bug in the update-changes script. (Robin Sommer)^J^J * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J * Options to adjust time format for bro-cut. (Robin Sommer)^J^J The default with -d is now ISO format. The new option "-D "^J specifies a custom strftime()-style format string. Alternatively,^J the environment variable BRO_CUT_TIMEFMT can set the format as^J well.^J^J * bro-cut now understands the field separator header. (Robin Sommer)^J^J * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J * Adding support for replacing version string in a setup.py. (Robin^J Sommer)^J^J * Change generated root cert DN indices f +file_stream, Cx92a0ym5R8, 476, ormat for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tools/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. 
(Jon Siwek)^J^J * Make dist now cleans the +file_chunk, Cx92a0ym5R8, 476, 2524, ormat for RFC2253^J compliance. (Jon Siwek)^J^J * New tool devel-tools/check-release to run before making releases.^J (Robin Sommer)^J^J * devel-tools/update-changes gets a new option -a to amend to^J previous commit if possible. Default is now not to (used to be the^J opposite). (Robin Sommer)^J^J * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J * Change distclean to only remove build dir. (Jon Siwek)^J^J * Make dist now cleans the +file_stream, Cx92a0ym5R8, 1024, copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP +file_chunk, Cx92a0ym5R8, 1024, 3000, copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. 
(Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP +FileAnalysis::TRIGGER_DONE +Cx92a0ym5R8, 4705, 0 +{ +UWkUyAuUGXf +} +{ +[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] +} +total bytes: 4705 +source: HTTP +file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J +file_chunk, Cx92a0ym5R8, 476, 4024, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. 
(Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J +file_stream, Cx92a0ym5R8, 205, ^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J +file_chunk, Cx92a0ym5R8, 205, 4500, ^J * Removing cf/hf/ca-* from distribution. The README has a note where^J to find them now. (Robin Sommer)^J^J * General cleanup. (Robin Sommer)^J^J * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout new file mode 100644 index 0000000000..2ac9682b76 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout @@ -0,0 +1,26 @@ +FileAnalysis::TRIGGER_NEW +oDwT1BbzjM1, 0, 0 +FileAnalysis::TRIGGER_DONE +oDwT1BbzjM1, 1022920, 0 +{ +UWkUyAuUGXf +} +{ +[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp] +} +total bytes: 1022920 +source: HTTP +FileAnalysis::TRIGGER_NEW +oDwT1BbzjM1, 0, 0 +FileAnalysis::TRIGGER_TIMEOUT +FileAnalysis::TRIGGER_TIMEOUT +FileAnalysis::TRIGGER_EOF +oDwT1BbzjM1, 206024, 0 +{ +arKYeMETxOg +} +{ +[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp] +} +total bytes: 1022920 +source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out new file mode 100644 index 0000000000..56ce58a1f8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out 
@@ -0,0 +1,18 @@ +FileAnalysis::TRIGGER_NEW +Cx92a0ym5R8, 0, 0 +FileAnalysis::TRIGGER_BOF +FileAnalysis::TRIGGER_BOF_BUFFER +^J0.26 | 201 +FileAnalysis::TRIGGER_TYPE +file type is set +mime type is set +FileAnalysis::TRIGGER_DONE +Cx92a0ym5R8, 4705, 0 +{ +UWkUyAuUGXf +} +{ +[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp] +} +total bytes: 4705 +source: HTTP diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out new file mode 100644 index 0000000000..c9a704444d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out @@ -0,0 +1,2 @@ +FileAnalysis::TRIGGER_NEW +Cx92a0ym5R8, 0, 0 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout new file mode 100644 index 0000000000..cc19da8e34 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout @@ -0,0 +1,14 @@ +FileAnalysis::TRIGGER_NEW +nYgPNGLrZf9, 0, 0 +FileAnalysis::TRIGGER_BOF +FileAnalysis::TRIGGER_BOF_BUFFER +#separator +FileAnalysis::TRIGGER_TYPE +file type is set +mime type is set +FileAnalysis::TRIGGER_EOF +nYgPNGLrZf9, 311, 0 +source: ../input.log +SHA1: 0a0f20de89c86d7bce1301af6548d6e9ae87b0f1 +MD5: bf4dfa6169b74146da5236e918743599 +SHA256: 4e573192c5ea75da72494812fe24dae53a577837b2079df012fd464903d68a6f diff --git a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro new file mode 100644 index 0000000000..d072a05c17 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro 
@@ -0,0 +1,55 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event file_chunk(info: FileAnalysis::Info, data: string, off: count)
+	{
+	print "file_chunk", info$file_id, |data|, off, data;
+	}
+
+event file_stream(info: FileAnalysis::Info, data: string)
+	{
+	print "file_stream", info$file_id, |data|, data;
+	}
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		print FileAnalysis::add_action(info$file_id,
+		                               [$act=FileAnalysis::ACTION_DATA_EVENT,
+		                                $chunk_event=file_chunk,
+		                                $stream_event=file_stream]);
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+		break;
+	}
+	}
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro
new file mode 100644
index 0000000000..f8f727f28b
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro
@@ -0,0 +1,90 @@ +# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap %INPUT +# @TEST-EXEC: btest-bg-wait 8 +# @TEST-EXEC: btest-diff bro/.stdout + +global actions: set[FileAnalysis::ActionArgs]; +global cnt: count = 0; +global timeout_cnt: count = 0; + +redef exit_only_after_terminate = T; + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + { + print trig; + + switch ( trig ) { + case FileAnalysis::TRIGGER_TIMEOUT: + if ( timeout_cnt < 1 ) + FileAnalysis::postpone_timeout(info$file_id); + else + terminate(); + ++timeout_cnt; + break; + case FileAnalysis::TRIGGER_NEW: + info$timeout_interval=2sec; + + print info$file_id, info$seen_bytes, info$missing_bytes; + + if ( info$source == "HTTP" ) + { + for ( act in actions ) + FileAnalysis::add_action(info$file_id, act); + local filename: string = fmt("%s-file%d", info$file_id, cnt); + ++cnt; + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + } + break; + + case FileAnalysis::TRIGGER_BOF_BUFFER: + if ( info?$bof_buffer ) + print info$bof_buffer[0:10]; + break; + + case FileAnalysis::TRIGGER_TYPE: + # not actually printing the values due to libmagic variances + if ( info?$file_type ) + print "file type is set"; + if ( info?$mime_type ) + print "mime type is set"; + break; + + case FileAnalysis::TRIGGER_EOF: + fallthrough; + case FileAnalysis::TRIGGER_DONE: + + print info$file_id, info$seen_bytes, info$missing_bytes; + print info$conn_uids; + print info$conn_ids; + + if ( info?$total_bytes ) + print "total bytes: " + fmt("%s", info$total_bytes); + if ( info?$source ) + print "source: " + info$source; + + for ( act in info$actions ) + switch ( act$act ) { + case FileAnalysis::ACTION_MD5: + if ( info$actions[act]?$md5 ) + print fmt("MD5: %s", info$actions[act]$md5); + break; + case FileAnalysis::ACTION_SHA1: + if ( info$actions[act]?$sha1 ) + print fmt("SHA1: %s", info$actions[act]$sha1); + break; + case 
FileAnalysis::ACTION_SHA256: + if ( info$actions[act]?$sha256 ) + print fmt("SHA256: %s", info$actions[act]$sha256); + break; + } + break; + } + } + +event bro_init() + { + add actions[[$act=FileAnalysis::ACTION_MD5]]; + add actions[[$act=FileAnalysis::ACTION_SHA1]]; + add actions[[$act=FileAnalysis::ACTION_SHA256]]; + } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro new file mode 100644 index 0000000000..90285701ca --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro 
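Review bot: The TRIGGER_TIMEOUT branch of the policy hook leaves the reader to work out that the first timeout is postponed and the second one ends the run, which is what the two TRIGGER_TIMEOUT lines in the new baseline encode; a one-line comment above the `if ( timeout_cnt < 1 )` would make the expected output easier to check against the script: `# postpone the first inactivity timeout once; the second one ends the test`. The `++timeout_cnt` placed after `terminate()` still executes and is harmless, but that is worth a word too, since a reader may take it for dead code.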
@@ -0,0 +1,83 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out +# @TEST-EXEC: btest-diff get.out + +global actions: set[FileAnalysis::ActionArgs]; + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + { + local filename: string; + print trig; + + switch ( trig ) { + case FileAnalysis::TRIGGER_NEW: + + print info$file_id, info$seen_bytes, info$missing_bytes; + + if ( info$source == "HTTP" ) + { + for ( act in actions ) + FileAnalysis::add_action(info$file_id, act); + filename = fmt("%s-file", info$file_id); + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + } + break; + + case FileAnalysis::TRIGGER_BOF_BUFFER: + if ( info?$bof_buffer ) + print info$bof_buffer[0:10]; + break; + + case FileAnalysis::TRIGGER_TYPE: + for ( act in actions ) + FileAnalysis::remove_action(info$file_id, act); + filename = fmt("%s-file", info$file_id); + FileAnalysis::remove_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + # not actually printing the values due to libmagic variances + if ( info?$file_type ) + print "file type is set"; + if ( info?$mime_type ) + print "mime type is set"; + break; + + case FileAnalysis::TRIGGER_EOF: + fallthrough; + case FileAnalysis::TRIGGER_DONE: + + print info$file_id, info$seen_bytes, info$missing_bytes; + print info$conn_uids; + print info$conn_ids; + + if ( info?$total_bytes ) + print "total bytes: " + fmt("%s", info$total_bytes); + if ( info?$source ) + print "source: " + info$source; + + for ( act in info$actions ) + switch ( act$act ) { + case FileAnalysis::ACTION_MD5: + if ( info$actions[act]?$md5 ) + print fmt("MD5: %s", info$actions[act]$md5); + break; + case FileAnalysis::ACTION_SHA1: + if ( info$actions[act]?$sha1 ) + print fmt("SHA1: %s", info$actions[act]$sha1); + break; + case FileAnalysis::ACTION_SHA256: + if ( info$actions[act]?$sha256 ) + print fmt("SHA256: %s", info$actions[act]$sha256); + 
break; + } + break; + } + } + +event bro_init() + { + add actions[[$act=FileAnalysis::ACTION_MD5]]; + add actions[[$act=FileAnalysis::ACTION_SHA1]]; + add actions[[$act=FileAnalysis::ACTION_SHA256]]; + } diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro new file mode 100644 index 0000000000..d8ff623c60 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro 
@@ -0,0 +1,75 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
+# @TEST-EXEC: btest-diff get.out
+# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
+
+global actions: set[FileAnalysis::ActionArgs];
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+		FileAnalysis::stop(info$file_id);
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		if ( info$source == "HTTP" )
+			{
+			for ( act in actions )
+				FileAnalysis::add_action(info$file_id, act);
+			local filename: string = fmt("%s-file", info$file_id);
+			FileAnalysis::add_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+			}
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+
+		for ( act in info$actions )
+			switch ( act$act ) {
+			case FileAnalysis::ACTION_MD5:
+				print fmt("MD5: %s", info$actions[act]$md5);
+				break;
+			case FileAnalysis::ACTION_SHA1:
+				print fmt("SHA1: %s", info$actions[act]$sha1);
+				break;
+			case FileAnalysis::ACTION_SHA256:
+				print fmt("SHA256: %s", info$actions[act]$sha256);
+				break;
+			}
+		break;
+	}
+	}
+
+event bro_init()
+	{
+	add actions[[$act=FileAnalysis::ACTION_MD5]];
+	add actions[[$act=FileAnalysis::ACTION_SHA1]];
+	add actions[[$act=FileAnalysis::ACTION_SHA256]];
+	}
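Review bot: The TRIGGER_DONE branch of stop.bro reads `info$actions[act]$md5`, `$sha1` and `$sha256` without the `?$` presence checks that the sibling tests remove_action.bro and postpone_timeout.bro use. The new baseline shows only TRIGGER_NEW for this test, so the branch is not expected to run after `FileAnalysis::stop()`, but if a later change lets DONE or EOF through for a stopped file the script would abort on a missing optional field instead of producing a baseline diff that explains the regression. Guard each access the way the other tests do, e.g. `if ( info$actions[act]?$md5 )` before `print fmt("MD5: %s", info$actions[act]$md5);`, and likewise for SHA1 and SHA256.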
diff --git a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro
new file mode 100644
index 0000000000..568a2a47da
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro
@@ -0,0 +1,115 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 8 +# @TEST-EXEC: btest-diff bro/.stdout +# @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log + +redef exit_only_after_terminate = T; + +@TEST-START-FILE input.log +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +@TEST-END-FILE + +module A; + +type Val: record { + s: string; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, s: string) + { + FileAnalysis::data_stream(description$source, s); + } + +event Input::end_of_data(name: string, source: string) + { + FileAnalysis::eof(source); + } + +event bro_init() + { + Input::add_event([$source="../input.log", $reader=Input::READER_BINARY, + $mode=Input::MANUAL, $name="input", $fields=Val, + $ev=line, $want_record=F]); + Input::remove("input"); + } + +global actions: set[FileAnalysis::ActionArgs]; + +hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info) + { + local filename: string; + print trig; + + switch ( trig ) { + case FileAnalysis::TRIGGER_NEW: + + print info$file_id, info$seen_bytes, info$missing_bytes; + + for ( act in actions ) + FileAnalysis::add_action(info$file_id, act); + filename = fmt("%s-file", info$file_id); + FileAnalysis::add_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + break; + + case FileAnalysis::TRIGGER_BOF_BUFFER: + if ( info?$bof_buffer ) + print info$bof_buffer[0:10]; + break; + + case FileAnalysis::TRIGGER_TYPE: + for ( act in actions ) + FileAnalysis::remove_action(info$file_id, act); + filename = fmt("%s-file", info$file_id); + FileAnalysis::remove_action(info$file_id, + [$act=FileAnalysis::ACTION_EXTRACT, + $extract_filename=filename]); + 
# not actually printing the values due to libmagic variances + if ( info?$file_type ) + print "file type is set"; + if ( info?$mime_type ) + print "mime type is set"; + break; + + case FileAnalysis::TRIGGER_EOF: + fallthrough; + case FileAnalysis::TRIGGER_DONE: + + print info$file_id, info$seen_bytes, info$missing_bytes; + + if ( info?$total_bytes ) + print "total bytes: " + fmt("%s", info$total_bytes); + if ( info?$source ) + print "source: " + info$source; + + for ( act in info$actions ) + switch ( act$act ) { + case FileAnalysis::ACTION_MD5: + if ( info$actions[act]?$md5 ) + print fmt("MD5: %s", info$actions[act]$md5); + break; + case FileAnalysis::ACTION_SHA1: + if ( info$actions[act]?$sha1 ) + print fmt("SHA1: %s", info$actions[act]$sha1); + break; + case FileAnalysis::ACTION_SHA256: + if ( info$actions[act]?$sha256 ) + print fmt("SHA256: %s", info$actions[act]$sha256); + break; + } + terminate(); + break; + } + } + +event bro_init() + { + add actions[[$act=FileAnalysis::ACTION_MD5]]; + add actions[[$act=FileAnalysis::ACTION_SHA1]]; + add actions[[$act=FileAnalysis::ACTION_SHA256]]; + }