Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-08 17:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Extend file extraction log.

Browse source 
- New fields: extracted_cutoff and extracted_size.
   These fields will be null if the file isn't extracted.

 - Extended the extraction test to test the files log too.
This commit is contained in:
Seth Hall 2017-01-25 01:16:46 -05:00
parent fdb19872b4
commit 2d1f007186
3 changed files with 25 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/files/extract/main.bro
View file

@ -14,6 +14,13 @@ export {
redef record Files::Info += { redef record Files::Info += {
## Local filename of extracted file. ## Local filename of extracted file.
extracted: string &optional &log; extracted: string &optional &log;
## Set to true if the file being extracted was cut off
## so the whole file was not logged.
extracted_cutoff: bool &optional &log;
## The number of bytes extracted to disk.
extracted_size: count &optional &log;
}; };
redef record Files::AnalyzerArgs += { redef record Files::AnalyzerArgs += {
@ -58,9 +65,16 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)
f$info$extracted = args$extract_filename; f$info$extracted = args$extract_filename;
args$extract_filename = build_path_compressed(prefix, args$extract_filename); args$extract_filename = build_path_compressed(prefix, args$extract_filename);
f$info$extracted_cutoff = F;
mkdir(prefix); mkdir(prefix);
} }
event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count) &priority=10
{
f$info$extracted_cutoff = T;
f$info$extracted_size = limit;
}
event bro_init() &priority=10 event bro_init() &priority=10
{ {
Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add); Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);

10
testing/btest/Baseline/scripts.base.files.extract.limit/files.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open 2017-01-25-06-12-45
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid extracted extracted_cutoff extracted_size md5 sha1 sha256
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string bool count string string string
1363628702.262149 FGy9Oo9JLY8SFxMJ2 141.142.192.162 141.142.228.5 ClEkJM2Vm5giqnMf4h FTP_DATA 0 EXTRACT text/plain - 0.001059 - F 16557 - 0 0 F - 2 T 6000 - - -
#close 2017-01-25-06-12-45

1
testing/btest/scripts/base/files/extract/limit.bro
View file

@ -4,6 +4,7 @@
# @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=3000 efname=2 double_it=T # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=3000 efname=2 double_it=T
# @TEST-EXEC: btest-diff extract_files/2 # @TEST-EXEC: btest-diff extract_files/2
# @TEST-EXEC: btest-diff 2.out # @TEST-EXEC: btest-diff 2.out
# @TEST-EXEC: btest-diff files.log
# @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=7000 efname=3 unlimit_it=T # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=7000 efname=3 unlimit_it=T
# @TEST-EXEC: btest-diff extract_files/3 # @TEST-EXEC: btest-diff extract_files/3
# @TEST-EXEC: btest-diff 3.out # @TEST-EXEC: btest-diff 3.out