More file reassembly work.

- The reassembly behavior can be modified per-file by enabling or disabling the reassembler and/or modifying the size of the reassembly buffer. - Changed the file extraction analyzer to use the stream to avoid issues with the chunk based approach not immediately triggering the file_new event due to mime-type detection delay. Early chunks frequently ended up lost before. - Generally things are working now and I'd consider this in testing.
2025-10-13 12:08:20 +00:00 · 2014-01-05 04:58:01 -05:00 · 2014-01-05 04:58:01 -05:00 · 38dbba7622
commit 38dbba7622
parent 0b78f444a1
23 changed files with 375 additions and 159 deletions
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/a.out
@ -1,5 +1,7 @@
 FILE_NEW
 file #0, 0, 0
+FILE_BOF_BUFFER
+%PDF-1.4^J%\xd0
 MIME_TYPE
 application/pdf
 FILE_OVER_NEW_CONNECTION
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/b.out
@ -1,5 +1,7 @@
 FILE_NEW
 file #0, 0, 0
+FILE_BOF_BUFFER
+MZ\x90\0^C\0\0\0^D\0\0
 MIME_TYPE
 application/x-dosexec
 FILE_OVER_NEW_CONNECTION
@ -8,14 +10,12 @@ file #0, 1022920, 0
 [orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
 total bytes: 1022920
 source: HTTP
-FILE_NEW
-file #1, 0, 0
-MIME_TYPE
-application/octet-stream
-FILE_OVER_NEW_CONNECTION
+MD5: fc13fee1d44ef737a3133f1298b21d28
+SHA1: 7d99803eaf3b6e8dfa3581348bc694089579d25a
+SHA256: dcb87a62a2b5d449abc138776000fd1b14edc690e9da6ea325b8f352ab033202
 FILE_TIMEOUT
 FILE_STATE_REMOVE
-file #1, 206024, 0
+file #0, 0, 0
 [orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
 total bytes: 1022920
 source: HTTP
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.http.partial-content/c.out
@ -1,12 +1,17 @@
 FILE_NEW
 file #0, 0, 0
+FILE_BOF_BUFFER
+%PDF-1.4^M%\xe2
 MIME_TYPE
-application/octet-stream
+application/pdf
 FILE_OVER_NEW_CONNECTION
 FILE_OVER_NEW_CONNECTION
 FILE_STATE_REMOVE
-file #0, 498702, 0
+file #0, 498668, 0
 [orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
 [orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
 total bytes: 498668
 source: HTTP
+MD5: 94046a5fb1c5802d0f1e6d704cf3e10e
+SHA1: 250aa71dd1594363bc7083d25cfd0240e441b119
+SHA256: 5c3bc213c9eff85f98feceac8810b955f8415564e50e3889b447e847c50c5ba7