mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 16:18:19 +00:00
Remove extraction counter in default file extraction scripts.
This commit is contained in:
Jon Siwek
parent
16f924c2c0
commit
28f51a9a22
20 changed files with 24 additions and 53 deletions
|
|
@ -13,8 +13,6 @@ export {
|
|||
const extraction_prefix = "ftp-item" &redef;
|
||||
}
|
||||
|
||||
global extract_count: count = 0;
|
||||
|
||||
redef record Info += {
|
||||
## On disk file where it was extracted to.
|
||||
extraction_file: string &log &optional;
|
||||
|
|
@ -26,8 +24,7 @@ redef record Info += {
|
|||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -23,12 +23,9 @@ export {
|
|||
};
|
||||
}
|
||||
|
||||
global extract_count: count = 0;
|
||||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,8 +39,6 @@ export {
|
|||
|
||||
global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins;
|
||||
|
||||
global extract_count: count = 0;
|
||||
|
||||
function set_dcc_mime(f: fa_file)
|
||||
{
|
||||
if ( ! f?$conns ) return;
|
||||
|
|
@ -75,8 +73,7 @@ function set_dcc_extraction_file(f: fa_file, filename: string)
|
|||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -66,8 +66,6 @@ export {
|
|||
global log_mime: event(rec: EntityInfo);
|
||||
}
|
||||
|
||||
global extract_count: count = 0;
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Log::create_stream(SMTP::ENTITIES_LOG, [$columns=EntityInfo, $ev=log_mime]);
|
||||
|
|
@ -90,8 +88,7 @@ function set_session(c: connection, new_entity: bool)
|
|||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
|
@ -127,7 +124,6 @@ event file_new(f: fa_file) &priority=5
|
|||
[$tag=FileAnalysis::ANALYZER_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
++extract_count;
|
||||
}
|
||||
|
||||
c$smtp$current_entity$extraction_file = fname;
|
||||
|
|
|
|||
|
|
@ -9,13 +9,13 @@
|
|||
1329843175.680248 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,90) (empty) T 141.142.220.235 199.233.217.249 56666 -
|
||||
1329843175.791528 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - -
|
||||
1329843179.815947 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PASV - - - 227 Entering Passive Mode (199,233,217,249,221,91) (empty) T 141.142.220.235 199.233.217.249 56667 -
|
||||
1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 <ftp-data> - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4-0.dat
|
||||
1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 <ftp-data> - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7-1.dat
|
||||
1329843193.984222 arKYeMETxOg 141.142.220.235 37604 199.233.217.249 56666 <ftp-data> - - - - - - - (empty) - - - - ftp-item-Rqjkzoroau4.dat
|
||||
1329843193.984222 k6kgXLOoSKl 141.142.220.235 59378 199.233.217.249 56667 <ftp-data> - - - - - - - (empty) - - - - ftp-item-BTsa70Ua9x7.dat
|
||||
1329843179.926563 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - -
|
||||
1329843194.040188 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,131,46 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 33582 -
|
||||
1329843194.095782 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test LIST - - - 226 Transfer complete. (empty) - - - - -
|
||||
1329843197.672179 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test PORT 141,142,220,235,147,203 - - 200 PORT command successful. (empty) F 199.233.217.249 141.142.220.235 37835 -
|
||||
1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 <ftp-data> - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38-2.dat
|
||||
1329843199.968212 nQcgTWjvg4c 199.233.217.249 61920 141.142.220.235 33582 <ftp-data> - - - - - - - (empty) - - - - ftp-item-VLQvJybrm38.dat
|
||||
1329843197.727769 UWkUyAuUGXf 141.142.220.235 50003 199.233.217.249 21 anonymous test RETR ftp://199.233.217.249/./robots.txt text/plain 77 226 Transfer complete. (empty) - - - - -
|
||||
1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 <ftp-data> - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk-3.dat
|
||||
1329843200.079930 j4u32Pc5bif 199.233.217.249 61918 141.142.220.235 37835 <ftp-data> - - - - - - - (empty) - - - - ftp-item-zrfwSs9K1yk.dat
|
||||
#close 2013-04-12-16-32-25
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@
|
|||
#open 2013-03-22-14-38-28
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3-0.dat
|
||||
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item-BFymS6bFgT3.dat
|
||||
#close 2013-03-22-14-38-28
|
||||
|
|
|
|||
|
|
@ -9,5 +9,5 @@
|
|||
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - NICK bloed - - - - -
|
||||
1311189164.119437 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - -
|
||||
1311189174.474127 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje JOIN #easymovies (empty) - - - -
|
||||
1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 FAKE_MIME irc-dcc-item-wqKMAamJVSb-0.dat
|
||||
1311189316.326025 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje DCC #easymovies (empty) ladyvampress-default(2011-07-07)-OS.zip 42208 application/zip irc-dcc-item-wqKMAamJVSb.dat
|
||||
#close 2013-03-27-18-49-16
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
#open 2013-03-26-20-43-14
|
||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth filename content_len mime_type md5 extraction_file excerpt
|
||||
#types time string addr port addr port count string count string string string string
|
||||
1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb-0.dat (empty)
|
||||
1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 79 text/plain - smtp-entity-cwR7l6Zctxb.dat (empty)
|
||||
1254722770.692743 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 - 1918 text/html - - (empty)
|
||||
1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3-1.dat (empty)
|
||||
1254722770.692804 arKYeMETxOg 10.10.1.4 1470 74.53.140.153 25 1 NEWS.txt 10823 text/plain - smtp-entity-Ltd7QO7jEv3.dat (empty)
|
||||
#close 2013-03-26-20-43-14
|
||||
|
|
|
|||
|
|
@ -3,10 +3,10 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff conn.log
|
||||
# @TEST-EXEC: btest-diff ftp.log
|
||||
# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4-0.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7-1.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38-2.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk-3.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-Rqjkzoroau4.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-BTsa70Ua9x7.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-VLQvJybrm38.dat
|
||||
# @TEST-EXEC: btest-diff ftp-item-zrfwSs9K1yk.dat
|
||||
|
||||
redef FTP::logged_commands += {"LIST"};
|
||||
redef FTP::extract_file_types=/.*/;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff http.log
|
||||
# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat
|
||||
# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3.dat
|
||||
|
||||
redef HTTP::extract_file_types += /text\/html/;
|
||||
|
|
|
|||
|
|
@ -1,26 +1,10 @@
|
|||
# This tests that the contents of a DCC transfer negotiated with IRC can be
|
||||
# correctly extracted. The mime type of the file transferred is normalized
|
||||
# to prevent sensitivity to libmagic version being used.
|
||||
# correctly extracted.
|
||||
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff irc.log
|
||||
# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb-0.dat
|
||||
# @TEST-EXEC: btest-diff irc-dcc-item-wqKMAamJVSb.dat
|
||||
# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT IRC::extraction_prefix="test"
|
||||
# @TEST-EXEC: test -e test-wqKMAamJVSb-0.dat
|
||||
# @TEST-EXEC: test -e test-wqKMAamJVSb.dat
|
||||
|
||||
redef IRC::extract_file_types=/.*/;
|
||||
|
||||
event bro_init()
|
||||
{
|
||||
Log::remove_default_filter(IRC::LOG);
|
||||
Log::add_filter(IRC::LOG, [$name="normalized-mime-types",
|
||||
$pred=function(rec: IRC::Info): bool
|
||||
{
|
||||
if ( rec?$dcc_mime_type )
|
||||
{
|
||||
rec$dcc_mime_type = "FAKE_MIME";
|
||||
}
|
||||
return T;
|
||||
}
|
||||
]);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff smtp_entities.log
|
||||
# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb-0.dat
|
||||
# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3-1.dat
|
||||
# @TEST-EXEC: btest-diff smtp-entity-cwR7l6Zctxb.dat
|
||||
# @TEST-EXEC: btest-diff smtp-entity-Ltd7QO7jEv3.dat
|
||||
# @TEST-EXEC: bro -r $TRACES/smtp.trace %INPUT SMTP::extraction_prefix="test"
|
||||
# @TEST-EXEC: test -e test-cwR7l6Zctxb-0.dat
|
||||
# @TEST-EXEC: test -e test-Ltd7QO7jEv3-1.dat
|
||||
# @TEST-EXEC: test -e test-cwR7l6Zctxb.dat
|
||||
# @TEST-EXEC: test -e test-Ltd7QO7jEv3.dat
|
||||
|
||||
@load base/protocols/smtp
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue