FileAnalysis: move unique file handle string generation to script-layer

And add minimal integration with HTTP analyzer.
2025-10-08 01:28:20 +00:00 · 2013-03-12 13:40:18 -05:00 · 2013-03-12 13:40:18 -05:00 · 3dd513e26e
commit 3dd513e26e
parent 1f6cac9b6d
18 changed files with 365 additions and 81 deletions
--- a/scripts/base/frameworks/file-analysis/main.bro
+++ b/scripts/base/frameworks/file-analysis/main.bro
@ -5,6 +5,11 @@
 # TODO: do logging here?
@load base/frameworks/logging

+# dependendies for file handle determination
+@load base/protocols/http/main
+@load base/protocols/http/utils
+@load base/protocols/ftp/main
+
 module FileAnalysis;

 export {
@ -105,5 +110,35 @@ export {
 	## TODO: document
 	global policy: hook(trig: Trigger, info: Info);

+	global get_handle: function(c: connection, is_orig: bool): string &redef;
+
 	# TODO: wrapper functions for BiFs ?
 }
+
+function conn_str(c: connection): string
+	{
+	return fmt("%s:%s -> %s:%s", c$id$orig_h, c$id$orig_p,
+	           c$id$resp_h, c$id$resp_p);
+	}
+
+function get_handle(c: connection, is_orig: bool): string
+	{
+	local rval: string = "";
+	local cid: conn_id = c$id;
+
+	if ( "ftp-data" in c$service )
+		rval = fmt("%s: %s", "ftp-data", conn_str(c));
+
+	else if ( c?$http )
+		{
+		if ( c$http$range_request )
+			rval = fmt("http(%s): %s: %s", is_orig, c$id$orig_h,
+			           HTTP::build_url(c$http));
+		else
+			rval = fmt("http(%s, %s): %s", is_orig, c$http$trans_depth,
+			           conn_str(c));
+		}
+
+	#print fmt("file handle: %s", rval);
+	return rval;
+	}
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -300,7 +300,7 @@ type connection: record {
 	## one protocol analyzer is able to parse the same data. If so, all will
 	## be recorded. Also note that the recorced services are independent of any
 	## transport-level protocols.
-        service: set[string];
+	service: set[string];
 	addl: string;	##< Deprecated.
 	hot: count;	##< Deprecated.
 	history: string;	##< State history of connections. See *history* in :bro:see:`Conn::Info`.
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -71,6 +71,10 @@ export {
 		
 		## All of the headers that may indicate if the request was proxied.
 		proxied:                 set[string] &log &optional;
+
+		## Indicates if this request can assume 206 partial content in
+		## response.
+		range_request:           bool      &default=F;
 	};
 	
 	## Structure to maintain state for an HTTP connection with multiple 
@ -235,6 +239,9 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 		else if ( name == "HOST" )
 			# The split is done to remove the occasional port value that shows up here.
 			c$http$host = split1(value, /:/)[1];
+
+		else if ( name == "RANGE" )
+			c$http$range_request = T;
 		
 		else if ( name == "USER-AGENT" )
 			c$http$user_agent = value;