Fix HTTP multipart body file analysis.

Each part now gets assigned a different file handle/id.
This commit is contained in:
Jon Siwek 2013-05-21 15:35:22 -05:00
parent 38ac03d558
commit 3cbef60f57
8 changed files with 112 additions and 1 deletions


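--- a/PLACEHOLDER_PATH_NOT_SHOWN_1
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_1
@@ -6,20 +6,41 @@
 module HTTP;
 export {
+redef record HTTP::Info += {
+## Number of MIME entities in the HTTP request message body so far.
+request_mime_level: count &default=0;
+## Number of MIME entities in the HTTP response message body so far.
+response_mime_level: count &default=0;
+};
 ## Default file handle provider for HTTP.
 global get_file_handle: function(c: connection, is_orig: bool): string;
 }
+event http_begin_entity(c: connection, is_orig: bool) &priority=5
+{
+if ( ! c?$http ) return;
+if ( is_orig )
+++c$http$request_mime_level;
+else
+++c$http$response_mime_level;
+}
 function get_file_handle(c: connection, is_orig: bool): string
 {
 if ( ! c?$http ) return "";
+local mime_level: count =
+is_orig ? c$http$request_mime_level : c$http$response_mime_level;
+local mime_level_str: string = mime_level > 1 ? cat(mime_level) : "";
 if ( c$http$range_request )
 return cat(ANALYZER_HTTP, " ", is_orig, " ", c$id$orig_h, " ",
 build_url(c$http));
 return cat(ANALYZER_HTTP, " ", c$start_time, " ", is_orig, " ",
-c$http$trans_depth, " ", id_string(c$id));
+c$http$trans_depth, mime_level_str, " ", id_string(c$id));
 }
 module GLOBAL;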
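Review bot: The non-range handle in get_file_handle concatenates c$http$trans_depth and mime_level_str with no separator, so the second entity of transaction 1 produces "…12 …", the same handle as the first entity of transaction 12 (whose mime_level_str is ""); two distinct bodies on one connection would then be folded into a single file record and a single set of hashes. Making the field unambiguous fixes this, e.g. `c$http$trans_depth, " ", mime_level_str, " ", id_string(c$id)` or always emitting the level with `local mime_level_str: string = cat(mime_level);`, at the cost of regenerating the baselines added in this commit. The range_request branch does not include the MIME level at all, so every part of a multipart body in a range request still shares one handle; if that is intentional because range handles key on the URL, a one-line comment saying so would help the next reader. Whether the two counters are reset between pipelined transactions depends on how c$http is replaced, which is outside this hunk, so I have not assumed either way.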


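--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_2
@@ -0,0 +1,21 @@
+{
+"data": "",
+"form": {
+"example": "test",
+"example2": "test2",
+"example3": "test3"
+},
+"origin": "141.142.228.5",
+"json": null,
+"url": "http://httpbin.org/post",
+"args": {},
+"headers": {
+"Content-Type": "multipart/form-data; boundary=----------------------------4ebf00fbcf09",
+"User-Agent": "curl/7.30.0",
+"Connection": "close",
+"Accept": "*/*",
+"Content-Length": "350",
+"Host": "httpbin.org"
+},
+"files": {}
+}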


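--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_3
@@ -0,0 +1,53 @@
+FILE_NEW
+TJdltRTxco1, 0, 0
+FILE_BOF_BUFFER
+test^M^J
+MIME_TYPE
+text/plain
+FILE_STATE_REMOVE
+TJdltRTxco1, 6, 0
+[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+source: HTTP
+MD5: 9f06243abcb89c70e0c331c61d871fa7
+SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4
+SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b
+FILE_NEW
+QJO04kPdawk, 0, 0
+FILE_BOF_BUFFER
+test2^M^J
+MIME_TYPE
+text/plain
+FILE_STATE_REMOVE
+QJO04kPdawk, 7, 0
+[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+source: HTTP
+MD5: d68af81ef370b3873d50f09140068810
+SHA1: 51a7b6f2d91f6a87822dc04560f2972bc14fc97e
+SHA256: de0edd0ac4a705aff70f34734e90a1d0a1d8b76abe4bb53f3ea934bc105b3b17
+FILE_NEW
+dDH5dHdsRH4, 0, 0
+FILE_BOF_BUFFER
+test3^M^J
+MIME_TYPE
+text/plain
+FILE_STATE_REMOVE
+dDH5dHdsRH4, 7, 0
+[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+source: HTTP
+MD5: 1a3d75d44753ad246f0bd333cdaf08b0
+SHA1: 4f98809ab09272dfcc58266e3f23ae2393f70e76
+SHA256: 018c67a2c30ed9977e1dddfe98cac542165dac355cf9764c91a362613e752933
+FILE_NEW
+TaUJcEIboHh, 0, 0
+FILE_BOF_BUFFER
+{^J "data":
+MIME_TYPE
+text/plain
+FILE_STATE_REMOVE
+TaUJcEIboHh, 465, 0
+[orig_h=141.142.228.5, orig_p=57262/tcp, resp_h=54.243.88.146, resp_p=80/tcp]
+total bytes: 465
+source: HTTP
+MD5: 226244811006caf4ac904344841168dd
+SHA1: 7222902b8b8e68e25c0422e7f8bdf344efeda54d
+SHA256: dd485ecf240e12807516b0a27718fc3ab9a17c1158a452967343c98cefba07a0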



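--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_4
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
+# @TEST-EXEC: btest-diff out
+# @TEST-EXEC: btest-diff TJdltRTxco1-file
+# @TEST-EXEC: btest-diff QJO04kPdawk-file
+# @TEST-EXEC: btest-diff dDH5dHdsRH4-file
+# @TEST-EXEC: btest-diff TaUJcEIboHh-file
+redef test_file_analysis_source = "HTTP";
+redef test_get_file_name = function(f: fa_file): string
+{
+return fmt("%s-file", f$id);
+};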