Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

FileAnalysis: replace script-layer IRC file analysis.

Browse source
This commit is contained in:
Jon Siwek 2013-03-27 14:02:20 -05:00
parent 7e895a3a2f
commit 27e47f0a57
7 changed files with 138 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

6
testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log
View file

@ -3,11 +3,11 @@
#empty_field (empty)
#unset_field -
#path irc
#open 2011-07-20-19-12-44
#open 2013-03-27-18-51-40
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user command value addl dcc_file_name dcc_file_size extraction_file
#types time string addr port addr port string string string string string string count file
#types time string addr port addr port string string string string string string count string
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - -
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - -
1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - -
1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 -
#close 2011-07-20-19-15-42
#close 2013-03-27-18-51-40

0
testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat → testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat
View file

8
testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
View file

@ -3,11 +3,11 @@
#empty_field (empty)
#unset_field -
#path irc
#open 2011-07-20-19-12-44
#open 2013-03-27-18-49-16
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user command value addl dcc_file_name dcc_file_size dcc_mime_type extraction_file
#types time string addr port addr port string string string string string string count string file
#types time string addr port addr port string string string string string string count string string
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - -
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - -
1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - -
1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
#close 2011-07-20-19-15-42
1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat
#close 2013-03-27-18-49-16

4
testing/btest/scripts/base/protocols/irc/dcc-extract.test
View file

@ -4,9 +4,9 @@
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
# @TEST-EXEC: btest-diff irc.log
# @TEST-EXEC: btest-diff irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test"
# @TEST-EXEC: test -e test_192.168.1.77:57655-209.197.168.151:1024_1.dat
# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat
redef IRC::extract_file_types=/.*/;