Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 23:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Adapt SSL analyzer to generate file analysis handles itself.

Browse source
This commit is contained in:
Jon Siwek 2014-04-23 16:57:19 -05:00
parent de8f8f87b6
commit 58efa09426
4 changed files with 29 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

18
scripts/base/protocols/ssl/files.bro
View file

@ -52,22 +52,8 @@ export {
function get_file_handle(c: connection, is_orig: bool): string function get_file_handle(c: connection, is_orig: bool): string
{ {
set_session(c); # Unused. File handles are generated in the analyzer.
return "";
local depth: count;
if ( is_orig )
{
depth = c$ssl$client_depth;
++c$ssl$client_depth;
}
else
{
depth = c$ssl$server_depth;
++c$ssl$server_depth;
}
return cat(Analyzer::ANALYZER_SSL, c$start_time, is_orig, id_string(c$id), depth);
} }
function describe_file(f: fa_file): string function describe_file(f: fa_file): string

11
src/Conn.cc
View file

@ -811,6 +811,17 @@ void Connection::Describe(ODesc* d) const
d->NL(); d->NL();
} }
void Connection::IDString(ODesc* d) const
{
d->Add(orig_addr);
d->AddRaw(":", 1);
d->Add(ntohs(orig_port));
d->AddRaw(" > ", 3);
d->Add(resp_addr);
d->AddRaw(":", 1);
d->Add(ntohs(resp_port));
}
bool Connection::Serialize(SerialInfo* info) const bool Connection::Serialize(SerialInfo* info) const
{ {
return SerialObj::Serialize(info); return SerialObj::Serialize(info);

1
src/Conn.h
View file

@ -204,6 +204,7 @@ public:
bool IsPersistent() { return persistent; } bool IsPersistent() { return persistent; }
void Describe(ODesc* d) const; void Describe(ODesc* d) const;
void IDString(ODesc* d) const;
TimerMgr* GetTimerMgr() const; TimerMgr* GetTimerMgr() const;

19
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -231,15 +231,26 @@ refine connection SSL_Conn += {
if ( certificates->size() == 0 ) if ( certificates->size() == 0 )
return true; return true;
ODesc common;
common.AddRaw("Analyzer::ANALYZER_SSL");
common.Add(bro_analyzer()->Conn()->StartTime());
common.AddRaw(${rec.is_orig} ? "T" : "F", 1);
bro_analyzer()->Conn()->IDString(&common);
for ( unsigned int i = 0; i < certificates->size(); ++i ) for ( unsigned int i = 0; i < certificates->size(); ++i )
{ {
const bytestring& cert = (*certificates)[i]; const bytestring& cert = (*certificates)[i];
string fid = file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()), cert.length(), ODesc file_handle;
bro_analyzer()->GetAnalyzerTag(), bro_analyzer()->Conn(), file_handle.Add(common.Description());
${rec.is_orig}); file_handle.Add(i);
file_mgr->EndOfFile(fid); string file_id = file_mgr->HashHandle(file_handle.Description());
file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
cert.length(), bro_analyzer()->GetAnalyzerTag(),
bro_analyzer()->Conn(), ${rec.is_orig}, file_id);
file_mgr->EndOfFile(file_id);
} }
return true; return true;
%} %}