Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 18:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Update base scripts and unit tests.

Browse source
This commit is contained in:
Matthias Vallentin 2012-12-11 16:26:17 -08:00
parent 833a559cac
commit 30bab14dbf
5 changed files with 67 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

30
scripts/base/protocols/http/file-hash.bro
View file

@ -13,16 +13,16 @@ export {
redef record Info += { redef record Info += {
## MD5 sum for a file transferred over HTTP calculated from the ## MD5 sum for a file transferred over HTTP calculated from the
## response body. ## response body.
md5: string &log &optional; md5: string &log &optional;
## This value can be set per-transfer to determine per request ## This value can be set per-transfer to determine per request
## if a file should have an MD5 sum generated. It must be ## if a file should have an MD5 sum generated. It must be
## set to T at the time of or before the first chunk of body data. ## set to T at the time of or before the first chunk of body data.
calc_md5: bool &default=F; calc_md5: bool &default=F;
## Indicates if an MD5 sum is being calculated for the current ## Indicates if an MD5 sum is being calculated for the current
## request/response pair. ## request/response pair.
calculating_md5: bool &default=F; md5_handle: opaque of md5 &optional;
}; };
## Generate MD5 sums for these filetypes. ## Generate MD5 sums for these filetypes.
@ -41,13 +41,12 @@ event http_entity_data(c: connection, is_orig: bool, length: count, data: string
if ( c$http$calc_md5 || if ( c$http$calc_md5 ||
(c$http?$mime_type && generate_md5 in c$http$mime_type) ) (c$http?$mime_type && generate_md5 in c$http$mime_type) )
{ {
c$http$calculating_md5 = T; c$http$md5_handle = md5_hash_init();
md5_hash_init(c$id);
} }
} }
if ( c$http$calculating_md5 ) if ( c$http?$md5_handle )
md5_hash_update(c$id, data); md5_hash_update(c$http$md5_handle, data);
} }
## In the event of a content gap during a file transfer, detect the state for ## In the event of a content gap during a file transfer, detect the state for
@ -55,11 +54,11 @@ event http_entity_data(c: connection, is_orig: bool, length: count, data: string
## incorrect anyway. ## incorrect anyway.
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
{ {
if ( is_orig || ! c?$http || ! c$http$calculating_md5 ) return; if ( is_orig || ! c?$http || ! c$http?$md5_handle ) return;
set_state(c, F, is_orig); set_state(c, F, is_orig);
c$http$calculating_md5 = F; md5_hash_finish(c$http$md5_handle); # Ignore return value.
md5_hash_finish(c$id); delete c$http$md5_handle;
} }
## When the file finishes downloading, finish the hash and generate a notice. ## When the file finishes downloading, finish the hash and generate a notice.
@ -67,11 +66,11 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
{ {
if ( is_orig || ! c?$http ) return; if ( is_orig || ! c?$http ) return;
if ( c$http$calculating_md5 ) if ( c$http?$md5_handle )
{ {
local url = build_url_http(c$http); local url = build_url_http(c$http);
c$http$calculating_md5 = F; c$http$md5 = md5_hash_finish(c$http$md5_handle);
c$http$md5 = md5_hash_finish(c$id); delete c$http$md5_handle;
NOTICE([$note=MD5, $msg=fmt("%s %s %s", c$id$orig_h, c$http$md5, url), NOTICE([$note=MD5, $msg=fmt("%s %s %s", c$id$orig_h, c$http$md5, url),
$sub=c$http$md5, $conn=c, $URL=url]); $sub=c$http$md5, $conn=c, $URL=url]);
@ -82,11 +81,12 @@ event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$http_state && if ( c?$http_state &&
c$http_state$current_response in c$http_state$pending && c$http_state$current_response in c$http_state$pending &&
c$http_state$pending[c$http_state$current_response]$calculating_md5 ) c$http_state$pending[c$http_state$current_response]?$md5_handle )
{ {
# The MD5 sum isn't going to be saved anywhere since the entire # The MD5 sum isn't going to be saved anywhere since the entire
# body wouldn't have been seen anyway and we'd just be giving an # body wouldn't have been seen anyway and we'd just be giving an
# incorrect MD5 sum. # incorrect MD5 sum.
md5_hash_finish(c$id); md5_hash_finish(c$http$md5_handle);
delete c$http$md5_handle;
} }
} }

55
scripts/base/protocols/smtp/entities.bro
View file

@ -16,33 +16,33 @@ export {
type EntityInfo: record { type EntityInfo: record {
## This is the timestamp of when the MIME content transfer began. ## This is the timestamp of when the MIME content transfer began.
ts: time &log; ts: time &log;
uid: string &log; uid: string &log;
id: conn_id &log; id: conn_id &log;
## A count to represent the depth of this message transaction in a ## A count to represent the depth of this message transaction in a
## single connection where multiple messages were transferred. ## single connection where multiple messages were transferred.
trans_depth: count &log; trans_depth: count &log;
## The filename seen in the Content-Disposition header. ## The filename seen in the Content-Disposition header.
filename: string &log &optional; filename: string &log &optional;
## Track how many bytes of the MIME encoded file have been seen. ## Track how many bytes of the MIME encoded file have been seen.
content_len: count &log &default=0; content_len: count &log &default=0;
## The mime type of the entity discovered through magic bytes identification. ## The mime type of the entity discovered through magic bytes identification.
mime_type: string &log &optional; mime_type: string &log &optional;
## The calculated MD5 sum for the MIME entity. ## The calculated MD5 sum for the MIME entity.
md5: string &log &optional; md5: string &log &optional;
## Optionally calculate the file's MD5 sum. Must be set prior to the ## Optionally calculate the file's MD5 sum. Must be set prior to the
## first data chunk being see in an event. ## first data chunk being see in an event.
calc_md5: bool &default=F; calc_md5: bool &default=F;
## This boolean value indicates if an MD5 sum is being calculated ## This boolean value indicates if an MD5 sum is being calculated
## for the current file transfer. ## for the current file transfer.
calculating_md5: bool &default=F; md5_handle: opaque of md5 &optional;
## Optionally write the file to disk. Must be set prior to first ## Optionally write the file to disk. Must be set prior to first
## data chunk being seen in an event. ## data chunk being seen in an event.
extract_file: bool &default=F; extract_file: bool &default=F;
## Store the file handle here for the file currently being extracted. ## Store the file handle here for the file currently being extracted.
extraction_file: file &log &optional; extraction_file: file &log &optional;
}; };
redef record Info += { redef record Info += {
@ -126,18 +126,16 @@ event mime_segment_data(c: connection, length: count, data: string) &priority=-5
if ( c$smtp$current_entity$content_len == 0 ) if ( c$smtp$current_entity$content_len == 0 )
{ {
if ( generate_md5 in c$smtp$current_entity$mime_type && ! never_calc_md5 ) local entity = c$smtp$current_entity;
c$smtp$current_entity$calc_md5 = T; if ( generate_md5 in entity$mime_type && ! never_calc_md5 )
entity$calc_md5 = T;
if ( c$smtp$current_entity$calc_md5 ) if ( entity$calc_md5 )
{ entity$md5_handle = md5_hash_init();
c$smtp$current_entity$calculating_md5 = T;
md5_hash_init(c$id);
}
} }
if ( c$smtp$current_entity$calculating_md5 ) if ( c$smtp$current_entity?$md5_handle )
md5_hash_update(c$id, data); md5_hash_update(entity$md5_handle, data);
} }
## In the event of a content gap during the MIME transfer, detect the state for ## In the event of a content gap during the MIME transfer, detect the state for
@ -147,10 +145,11 @@ event content_gap(c: connection, is_orig: bool, seq: count, length: count) &prio
{ {
if ( is_orig || ! c?$smtp || ! c$smtp?$current_entity ) return; if ( is_orig || ! c?$smtp || ! c$smtp?$current_entity ) return;
if ( c$smtp$current_entity$calculating_md5 ) local entity = c$smtp$current_entity;
if ( entity?$md5_handle )
{ {
c$smtp$current_entity$calculating_md5 = F; md5_hash_finish(entity$md5_handle);
md5_hash_finish(c$id); delete entity$md5_handle;
} }
} }
@ -161,12 +160,14 @@ event mime_end_entity(c: connection) &priority=-3
if ( ! c?$smtp || ! c$smtp?$current_entity ) if ( ! c?$smtp || ! c$smtp?$current_entity )
return; return;
if ( c$smtp$current_entity$calculating_md5 ) local entity = c$smtp$current_entity;
if ( entity?$md5_handle )
{ {
c$smtp$current_entity$md5 = md5_hash_finish(c$id); entity$md5 = md5_hash_finish(entity$md5_handle);
delete entity$md5_handle;
NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h), NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h),
$sub=c$smtp$current_entity$md5, $conn=c]); $sub=entity$md5, $conn=c]);
} }
} }

16
testing/btest/bifs/md5.test
View file

@ -4,16 +4,16 @@
print md5_hash("one"); print md5_hash("one");
print md5_hash("one", "two", "three"); print md5_hash("one", "two", "three");
md5_hash_init("a"); local a = md5_hash_init();
md5_hash_init("b"); local b = md5_hash_init();
md5_hash_update("a", "one"); md5_hash_update(a, "one");
md5_hash_update("b", "one"); md5_hash_update(b, "one");
md5_hash_update("b", "two"); md5_hash_update(b, "two");
md5_hash_update("b", "three"); md5_hash_update(b, "three");
print md5_hash_finish("a"); print md5_hash_finish(a);
print md5_hash_finish("b"); print md5_hash_finish(b);
print md5_hmac("one"); print md5_hmac("one");
print md5_hmac("one", "two", "three"); print md5_hmac("one", "two", "three");

16
testing/btest/bifs/sha1.test
View file

@ -4,13 +4,13 @@
print sha1_hash("one"); print sha1_hash("one");
print sha1_hash("one", "two", "three"); print sha1_hash("one", "two", "three");
sha1_hash_init("a"); local a = sha1_hash_init();
sha1_hash_init("b"); local b = sha1_hash_init();
sha1_hash_update("a", "one"); sha1_hash_update(a, "one");
sha1_hash_update("b", "one"); sha1_hash_update(b, "one");
sha1_hash_update("b", "two"); sha1_hash_update(b, "two");
sha1_hash_update("b", "three"); sha1_hash_update(b, "three");
print sha1_hash_finish("a"); print sha1_hash_finish(a);
print sha1_hash_finish("b"); print sha1_hash_finish(b);

16
testing/btest/bifs/sha256.test
View file

@ -4,13 +4,13 @@
print sha256_hash("one"); print sha256_hash("one");
print sha256_hash("one", "two", "three"); print sha256_hash("one", "two", "three");
sha256_hash_init("a"); local a = sha256_hash_init();
sha256_hash_init("b"); local b = sha256_hash_init();
sha256_hash_update("a", "one"); sha256_hash_update(a, "one");
sha256_hash_update("b", "one"); sha256_hash_update(b, "one");
sha256_hash_update("b", "two"); sha256_hash_update(b, "two");
sha256_hash_update("b", "three"); sha256_hash_update(b, "three");
print sha256_hash_finish("a"); print sha256_hash_finish(a);
print sha256_hash_finish("b"); print sha256_hash_finish(b);