Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 09:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Extend file extraction log.

Browse source 
- New fields: extracted_cutoff and extracted_size.
   These fields will be null if the file isn't extracted.

 - Extended the extraction test to test the files log too.
This commit is contained in:
Seth Hall 2017-01-25 01:16:46 -05:00
parent fdb19872b4
commit 2d1f007186
3 changed files with 25 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/files/extract/main.bro
View file

@ -14,6 +14,13 @@ export {
redef record Files::Info += {
## Local filename of extracted file.
extracted: string &optional &log;
## Set to true if the file being extracted was cut off
## so the whole file was not logged.
extracted_cutoff: bool &optional &log;
## The number of bytes extracted to disk.
extracted_size: count &optional &log;
};
redef record Files::AnalyzerArgs += {
@ -58,9 +65,16 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)
f$info$extracted = args$extract_filename;
args$extract_filename = build_path_compressed(prefix, args$extract_filename);
f$info$extracted_cutoff = F;
mkdir(prefix);
}
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count) &priority=10
{
f$info$extracted_cutoff = T;
f$info$extracted_size = limit;
}
event bro_init() &priority=10
{
Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);