Merge remote-tracking branch 'origin/master' into topic/seth/files-tracking

Conflicts: scripts/base/frameworks/files/main.bro src/file_analysis/File.cc testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
2025-10-02 22:58:20 +00:00 · 2014-09-23 13:05:39 -04:00 · 2014-09-23 13:05:39 -04:00 · 42b2d56279
commit 42b2d56279
parent 8d72cd20a8 dae80fc119
486 changed files with 106378 additions and 85985 deletions
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -12,21 +12,26 @@
 #include "UID.h"

 #include "plugin/Manager.h"
+#include "analyzer/Manager.h"

 using namespace file_analysis;

 TableVal* Manager::disabled = 0;
+TableType* Manager::tag_set_type = 0;
 string Manager::salt;

 Manager::Manager()
 	: plugin::ComponentManager<file_analysis::Tag,
-	                           file_analysis::Component>("Files"),
+	                           file_analysis::Component>("Files", "Tag"),
 	id_map(), ignored(), current_file_id(), magic_state()
 	{
 	}

 Manager::~Manager()
 	{
+	for ( MIMEMap::iterator i = mime_types.begin(); i != mime_types.end(); i++ )
+		delete i->second;
+
 	// Have to assume that too much of Bro has been shutdown by this point
 	// to do anything more than reclaim memory.

@ -48,11 +53,6 @@ Manager::~Manager()

 void Manager::InitPreScript()
 	{
-	std::list<Component*> analyzers = plugin_mgr->Components<Component>();
-
-	for ( std::list<Component*>::const_iterator i = analyzers.begin();
-	      i != analyzers.end(); ++i )
-	      RegisterComponent(*i, "ANALYZER_");
 	}

 void Manager::InitPostScript()
@ -104,6 +104,7 @@ void Manager::SetHandle(const string& handle)
 	if ( handle.empty() )
 		return;

+	DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", handle.c_str());
 	current_file_id = HashHandle(handle);
 	}

@ -286,6 +287,28 @@ bool Manager::AddAnalyzer(const string& file_id, file_analysis::Tag tag,
 	return file->AddAnalyzer(tag, args);
 	}

+TableVal* Manager::AddAnalyzersForMIMEType(const string& file_id, const string& mtype,
+					   RecordVal* args)
+	{
+	if ( ! tag_set_type )
+		tag_set_type = internal_type("files_tag_set")->AsTableType();
+
+	TableVal* sval = new TableVal(tag_set_type);
+	TagSet* l = LookupMIMEType(mtype, false);
+
+	if ( ! l )
+		return sval;
+
+	for ( TagSet::const_iterator i = l->begin(); i != l->end(); i++ )
+		{
+		file_analysis::Tag tag = *i;
+		if ( AddAnalyzer(file_id, tag, args) )
+			sval->Assign(tag.AsEnumVal(), 0);
+		}
+
+	return sval;
+	}
+
 bool Manager::RemoveAnalyzer(const string& file_id, file_analysis::Tag tag,
                             RecordVal* args) const
 	{
@ -405,6 +428,9 @@ string Manager::GetFileID(analyzer::Tag tag, Connection* c, bool is_orig)
 	if ( ! get_file_handle )
 		return "";

+	DBG_LOG(DBG_FILE_ANALYSIS, "Raise get_file_handle() for protocol analyzer %s",
+		analyzer_mgr->GetComponentName(tag).c_str());
+
 	EnumVal* tagval = tag.AsEnumVal();
 	Ref(tagval);

@ -451,11 +477,78 @@ Analyzer* Manager::InstantiateAnalyzer(Tag tag, RecordVal* args, File* f) const
 	if ( ! c->Factory() )
 		{
 		reporter->InternalWarning("file analyzer %s cannot be instantiated "
-								"dynamically", c->CanonicalName());
+					  "dynamically", c->CanonicalName().c_str());
 		return 0;
 		}

-	return c->Factory()(args, f);
+	DBG_LOG(DBG_FILE_ANALYSIS, "Instantiate analyzer %s for file %s",
+		GetComponentName(tag).c_str(), f->id.c_str());
+
+	Analyzer* a = c->Factory()(args, f);
+
+	if ( ! a )
+		reporter->InternalError("file analyzer instantiation failed");
+
+	a->SetAnalyzerTag(tag);
+
+	return a;
+	}
+
+Manager::TagSet* Manager::LookupMIMEType(const string& mtype, bool add_if_not_found)
+	{
+	MIMEMap::const_iterator i = mime_types.find(to_upper(mtype));
+
+	if ( i != mime_types.end() )
+		return i->second;
+
+	if ( ! add_if_not_found )
+		return 0;
+
+	TagSet* l = new TagSet;
+	mime_types.insert(std::make_pair(to_upper(mtype), l));
+	return l;
+	}
+
+bool Manager::RegisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype)
+	{
+	Component* p = Lookup(tag);
+
+	if ( ! p  )
+		return false;
+
+	return RegisterAnalyzerForMIMEType(p->Tag(), mtype->CheckString());
+	}
+
+bool Manager::RegisterAnalyzerForMIMEType(Tag tag, const string& mtype)
+	{
+	TagSet* l = LookupMIMEType(mtype, true);
+
+	DBG_LOG(DBG_FILE_ANALYSIS, "Register analyzer %s for MIME type %s",
+		GetComponentName(tag).c_str(), mtype.c_str());
+
+	l->insert(tag);
+	return true;
+	}
+
+bool Manager::UnregisterAnalyzerForMIMEType(EnumVal* tag, StringVal* mtype)
+	{
+	Component* p = Lookup(tag);
+
+	if ( ! p  )
+		return false;
+
+	return UnregisterAnalyzerForMIMEType(p->Tag(), mtype->CheckString());
+	}
+
+bool Manager::UnregisterAnalyzerForMIMEType(Tag tag, const string& mtype)
+	{
+	TagSet* l = LookupMIMEType(mtype, true);
+
+	DBG_LOG(DBG_FILE_ANALYSIS, "Unregister analyzer %s for MIME type %s",
+		GetComponentName(tag).c_str(), mtype.c_str());
+
+	l->erase(tag);
+	return true;
 	}

 RuleMatcher::MIME_Matches* Manager::DetectMIME(const u_char* data, uint64 len,