Adding extra fields to smtp and http to track transaction depth.

- This will for help linking in analysis scripts and databases later. - Test baseline updates coming in a few minutes.
2025-10-02 06:38:20 +00:00 · 2011-10-25 11:34:48 -04:00 · 2011-10-25 11:34:48 -04:00 · 4753f2aeca
commit 4753f2aeca
parent 2131468b08
3 changed files with 18 additions and 11 deletions
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -18,6 +18,9 @@ export {
 		ts:                      time     &log;
 		uid:                     string   &log;
 		id:                      conn_id  &log;
+		## This represents the pipelined depth into the connection of this 
+		## request/response transaction.
+		trans_depth:             count    &log;
 		## The verb used in the HTTP request (GET, POST, HEAD, etc.).
 		method:                  string   &log &optional;
 		## The value of the HOST header.
@ -123,6 +126,9 @@ function new_http_session(c: connection): Info
 	tmp$ts=network_time();
 	tmp$uid=c$uid;
 	tmp$id=c$id;
+	# $current_request is set prior to the Info record creation so we 
+	# can use the value directly here.
+	tmp$trans_depth = c$http_state$current_request;
 	return tmp;
 	}
 	
--- a/scripts/base/protocols/smtp/entities.bro
+++ b/scripts/base/protocols/smtp/entities.bro
@ -19,9 +19,9 @@ export {
 		ts:               time    &log;
 		uid:              string  &log;
 		id:               conn_id &log;
-		## Internally generated "message id" that ties back to the particular
-		## message in the SMTP log where this entity was seen.
-		mid:              string  &log;
+		## A count to represent the depth of this message transaction in a 
+		## single connection where multiple messages were transferred.
+		trans_depth:      count  &log;
 		## The filename seen in the Content-Disposition header.
 		filename:         string  &log &optional;
 		## Track how many bytes of the MIME encoded file have been seen.
@ -90,7 +90,7 @@ function set_session(c: connection, new_entity: bool)
 		info$ts=network_time();
 		info$uid=c$uid;
 		info$id=c$id;
-		info$mid=c$smtp$mid;
+		info$trans_depth=c$smtp$trans_depth;
 		
 		c$smtp$current_entity = info;
 		++c$smtp_state$mime_level;
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -11,10 +11,9 @@ export {
 		ts:                time            &log;
 		uid:               string          &log;
 		id:                conn_id         &log;
-		## This is an internally generated "message id" that can be used to
-		## map between SMTP messages and MIME entities in the SMTP entities
-		## log.
-		mid:               string          &log;
+		## This is a number that indicates the number of messages deep into
+		## this connection where this particular message was transferred.
+		trans_depth:       count           &log;
 		helo:              string          &log &optional;
 		mailfrom:          string          &log &optional;
 		rcptto:            set[string]     &log &optional;
@ -98,8 +97,11 @@ function new_smtp_log(c: connection): Info
 	l$ts=network_time();
 	l$uid=c$uid;
 	l$id=c$id;
-	l$mid=unique_id("@");
-	if ( c?$smtp_state && c$smtp_state?$helo )
+	# The messages_transferred count isn't incremented until the message is 
+	# finished so we need to increment the count by 1 here.
+	l$trans_depth = c$smtp_state$messages_transferred+1;
+	
+	if ( c$smtp_state?$helo )
 		l$helo = c$smtp_state$helo;
 	
 	# The path will always end with the hosts involved in this connection.
@ -165,7 +167,6 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                 msg: string, cont_resp: bool) &priority=-5
 	{
-	set_smtp_session(c);
 	if ( cmd == "." )
 		{
 		# Track the number of messages seen in this session.