FileAnalysis: separating IRC/FTP data analyzers.
It simplifies the file handle string callbacks.
This commit is contained in:
parent
59ed5c75f1
commit
661677d452
37 changed files with 156 additions and 95 deletions
|
@ -107,28 +107,7 @@ export {
|
||||||
|
|
||||||
const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
|
const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
|
||||||
|
|
||||||
const service_handle_callbacks: table[string] of HandleCallback = {} &redef;
|
|
||||||
|
|
||||||
global get_handle: function(c: connection, is_orig: bool): string &redef;
|
global get_handle: function(c: connection, is_orig: bool): string &redef;
|
||||||
|
|
||||||
# TODO: wrapper functions for BiFs ?
|
# TODO: wrapper functions for BiFs ?
|
||||||
}
|
}
|
||||||
|
|
||||||
function get_file_handle_by_service(c: connection, is_orig: bool): string
|
|
||||||
{
|
|
||||||
local handle: string = "";
|
|
||||||
|
|
||||||
for ( serv in c$service )
|
|
||||||
{
|
|
||||||
if ( serv in service_handle_callbacks )
|
|
||||||
{
|
|
||||||
handle = service_handle_callbacks[serv](c, is_orig);
|
|
||||||
if ( handle != "" ) return handle;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return handle;
|
|
||||||
}
|
|
||||||
|
|
||||||
redef FileAnalysis::handle_callbacks += {
|
|
||||||
[ANALYZER_FILE] = get_file_handle_by_service,
|
|
||||||
};
|
|
||||||
|
|
|
@ -2,10 +2,11 @@
|
||||||
@load base/utils/conn-ids
|
@load base/utils/conn-ids
|
||||||
@load base/frameworks/file-analysis/main
|
@load base/frameworks/file-analysis/main
|
||||||
|
|
||||||
redef FileAnalysis::service_handle_callbacks += {
|
redef FileAnalysis::handle_callbacks += {
|
||||||
["ftp-data"] = function(c: connection, is_orig: bool): string
|
[ANALYZER_FTP_DATA] = function(c: connection, is_orig: bool): string
|
||||||
{
|
{
|
||||||
if ( is_orig ) return "";
|
if ( is_orig ) return "";
|
||||||
return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
|
return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
|
||||||
|
id_string(c$id));
|
||||||
},
|
},
|
||||||
};
|
};
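Review bot: The callback still answers `""` whenever `is_orig` is true, so only responder-side bytes on the data connection ever receive a file handle; which endpoint is the originator depends on how the data connection was set up (the ftp_request hunk registers `expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA, ...)`, i.e. the server connecting out), so if downloads-only in both modes is the intent it should be stated, and otherwise the guard deserves a second look. A comment such as `# Only responder-side data is keyed; an empty handle means "no file" — confirm this covers active-mode transfers.` above the guard would capture that. The IRC hunk further down (`[ANALYZER_IRC_DATA] = function(...)`) is the same closure with a different tag; a small framework helper taking the tag would keep the two from drifting.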
|
||||||
|
|
|
@ -228,7 +228,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
|
||||||
{
|
{
|
||||||
c$ftp$passive=F;
|
c$ftp$passive=F;
|
||||||
ftp_data_expected[data$h, data$p] = c$ftp;
|
ftp_data_expected[data$h, data$p] = c$ftp;
|
||||||
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
|
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA,
|
||||||
|
5mins);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -281,7 +282,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
|
||||||
data$h = id$resp_h;
|
data$h = id$resp_h;
|
||||||
|
|
||||||
ftp_data_expected[data$h, data$p] = c$ftp;
|
ftp_data_expected[data$h, data$p] = c$ftp;
|
||||||
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
|
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA,
|
||||||
|
5mins);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|
|
@ -10,10 +10,10 @@ function get_file_handle(c: connection, is_orig: bool): string
|
||||||
if ( ! c?$http ) return "";
|
if ( ! c?$http ) return "";
|
||||||
|
|
||||||
if ( c$http$range_request )
|
if ( c$http$range_request )
|
||||||
return fmt("http(%s): %s: %s", is_orig, c$id$orig_h,
|
return fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h,
|
||||||
build_url(c$http));
|
build_url(c$http));
|
||||||
|
|
||||||
return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
|
return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig,
|
||||||
c$http$trans_depth, id_string(c$id));
|
c$http$trans_depth, id_string(c$id));
|
||||||
}
|
}
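Review bot: The range-request branch keys the handle on `is_orig`, `c$id$orig_h` and `build_url(c$http)` alone, presumably so that partial-content pieces arriving over separate connections fold into one file, which is why `c$start_time` and `trans_depth` are left out; that reasoning is not written anywhere and deserves a comment, e.g. `# Range requests: key on client + URL rather than the connection so 206 pieces from separate connections join the same file.` Because the key is request-derived, distinct responses that share the same client and URL would be joined as well; if that is acceptable, saying so in the same comment prevents a later surprise. The function's opening brace lies outside the hunk.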
|
||||||
|
|
||||||
|
|
|
@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
|
||||||
c$irc$dcc_file_name = argument;
|
c$irc$dcc_file_name = argument;
|
||||||
c$irc$dcc_file_size = size;
|
c$irc$dcc_file_size = size;
|
||||||
local p = count_to_port(dest_port, tcp);
|
local p = count_to_port(dest_port, tcp);
|
||||||
expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
|
expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_IRC_DATA, 5 min);
|
||||||
dcc_expected_transfers[address, p] = c$irc;
|
dcc_expected_transfers[address, p] = c$irc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -2,10 +2,11 @@
|
||||||
@load base/utils/conn-ids
|
@load base/utils/conn-ids
|
||||||
@load base/frameworks/file-analysis/main
|
@load base/frameworks/file-analysis/main
|
||||||
|
|
||||||
redef FileAnalysis::service_handle_callbacks += {
|
redef FileAnalysis::handle_callbacks += {
|
||||||
["irc-dcc-data"] = function(c: connection, is_orig: bool): string
|
[ANALYZER_IRC_DATA] = function(c: connection, is_orig: bool): string
|
||||||
{
|
{
|
||||||
if ( is_orig ) return "";
|
if ( is_orig ) return "";
|
||||||
return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
|
return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time,
|
||||||
|
id_string(c$id));
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
|
@ -9,7 +9,7 @@ function get_file_handle(c: connection, is_orig: bool): string
|
||||||
{
|
{
|
||||||
if ( ! c?$smtp ) return "";
|
if ( ! c?$smtp ) return "";
|
||||||
|
|
||||||
return fmt("%s smtp(%s, %s)", c$start_time, c$smtp$trans_depth,
|
return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, c$smtp$trans_depth,
|
||||||
c$smtp_state$mime_level);
|
c$smtp_state$mime_level);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -150,6 +150,10 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
|
||||||
|
|
||||||
{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
|
{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
|
||||||
File_Analyzer::Available, 0, false },
|
File_Analyzer::Available, 0, false },
|
||||||
|
{ AnalyzerTag::FTP_Data, "FTP_DATA", FTP_Data::InstantiateAnalyzer,
|
||||||
|
FTP_Data::Available, 0, false },
|
||||||
|
{ AnalyzerTag::IRC_Data, "IRC_DATA", IRC_Data::InstantiateAnalyzer,
|
||||||
|
IRC_Data::Available, 0, false },
|
||||||
{ AnalyzerTag::Backdoor, "BACKDOOR",
|
{ AnalyzerTag::Backdoor, "BACKDOOR",
|
||||||
BackDoor_Analyzer::InstantiateAnalyzer,
|
BackDoor_Analyzer::InstantiateAnalyzer,
|
||||||
BackDoor_Analyzer::Available, 0, false },
|
BackDoor_Analyzer::Available, 0, false },
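Review bot: The two new rows are inserted as `FTP_Data` then `IRC_Data`, whereas the AnalyzerTags.h hunk declares the enumerators as `File, IRC_Data, FTP_Data`; if `analyzer_configs` is expected to line up with the tag values rather than being scanned for a matching tag, the two orders must agree, and swapping the rows to put `IRC_Data` first (or reordering the enum) resolves it. Inserting the new tags in the middle of the enum also renumbers every tag after `File`, which only matters if numeric tag values are persisted or exchanged externally — worth confirming.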
|
||||||
|
|
|
@ -41,7 +41,7 @@ namespace AnalyzerTag {
|
||||||
GTPv1,
|
GTPv1,
|
||||||
|
|
||||||
// Other
|
// Other
|
||||||
File, Backdoor, InterConn, SteppingStone, TCPStats,
|
File, IRC_Data, FTP_Data, Backdoor, InterConn, SteppingStone, TCPStats,
|
||||||
ConnSize,
|
ConnSize,
|
||||||
|
|
||||||
// Support-analyzers
|
// Support-analyzers
|
||||||
|
|
|
@ -8,8 +8,8 @@
|
||||||
magic_t File_Analyzer::magic = 0;
|
magic_t File_Analyzer::magic = 0;
|
||||||
magic_t File_Analyzer::magic_mime = 0;
|
magic_t File_Analyzer::magic_mime = 0;
|
||||||
|
|
||||||
File_Analyzer::File_Analyzer(Connection* conn)
|
File_Analyzer::File_Analyzer(AnalyzerTag::Tag tag, Connection* conn)
|
||||||
: TCP_ApplicationAnalyzer(AnalyzerTag::File, conn)
|
: TCP_ApplicationAnalyzer(tag, conn)
|
||||||
{
|
{
|
||||||
buffer_len = 0;
|
buffer_len = 0;
|
||||||
|
|
||||||
|
@ -21,8 +21,6 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
{
|
{
|
||||||
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
|
TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
|
||||||
|
|
||||||
file_mgr->DataIn(data, len, Conn(), orig);
|
|
||||||
|
|
||||||
int n = min(len, BUFFER_SIZE - buffer_len);
|
int n = min(len, BUFFER_SIZE - buffer_len);
|
||||||
|
|
||||||
if ( n )
|
if ( n )
|
||||||
|
@ -39,16 +37,12 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
void File_Analyzer::Undelivered(int seq, int len, bool orig)
|
void File_Analyzer::Undelivered(int seq, int len, bool orig)
|
||||||
{
|
{
|
||||||
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
|
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
|
||||||
|
|
||||||
file_mgr->Gap(seq, len, Conn(), orig);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void File_Analyzer::Done()
|
void File_Analyzer::Done()
|
||||||
{
|
{
|
||||||
TCP_ApplicationAnalyzer::Done();
|
TCP_ApplicationAnalyzer::Done();
|
||||||
|
|
||||||
file_mgr->EndOfFile(Conn());
|
|
||||||
|
|
||||||
if ( buffer_len && buffer_len != BUFFER_SIZE )
|
if ( buffer_len && buffer_len != BUFFER_SIZE )
|
||||||
Identify();
|
Identify();
|
||||||
}
|
}
|
||||||
|
@ -71,3 +65,49 @@ void File_Analyzer::Identify()
|
||||||
vl->append(new StringVal(mime ? mime : "<unknown>"));
|
vl->append(new StringVal(mime ? mime : "<unknown>"));
|
||||||
ConnectionEvent(file_transferred, vl);
|
ConnectionEvent(file_transferred, vl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
IRC_Data::IRC_Data(Connection* conn)
|
||||||
|
: File_Analyzer(AnalyzerTag::IRC_Data, conn)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
void IRC_Data::Done()
|
||||||
|
{
|
||||||
|
File_Analyzer::Done();
|
||||||
|
file_mgr->EndOfFile(Conn());
|
||||||
|
}
|
||||||
|
|
||||||
|
void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
|
{
|
||||||
|
File_Analyzer::DeliverStream(len, data, orig);
|
||||||
|
file_mgr->DataIn(data, len, Conn(), orig);
|
||||||
|
}
|
||||||
|
|
||||||
|
void IRC_Data::Undelivered(int seq, int len, bool orig)
|
||||||
|
{
|
||||||
|
File_Analyzer::Undelivered(seq, len, orig);
|
||||||
|
file_mgr->Gap(seq, len, Conn(), orig);
|
||||||
|
}
|
||||||
|
|
||||||
|
FTP_Data::FTP_Data(Connection* conn)
|
||||||
|
: File_Analyzer(AnalyzerTag::FTP_Data, conn)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
void FTP_Data::Done()
|
||||||
|
{
|
||||||
|
File_Analyzer::Done();
|
||||||
|
file_mgr->EndOfFile(Conn());
|
||||||
|
}
|
||||||
|
|
||||||
|
void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
|
{
|
||||||
|
File_Analyzer::DeliverStream(len, data, orig);
|
||||||
|
file_mgr->DataIn(data, len, Conn(), orig);
|
||||||
|
}
|
||||||
|
|
||||||
|
void FTP_Data::Undelivered(int seq, int len, bool orig)
|
||||||
|
{
|
||||||
|
File_Analyzer::Undelivered(seq, len, orig);
|
||||||
|
file_mgr->Gap(seq, len, Conn(), orig);
|
||||||
|
}
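Review bot: Both new `Done()` overrides call `File_Analyzer::Done()` first and `file_mgr->EndOfFile(Conn())` afterwards, while the removed base-class code issued `EndOfFile` before the `Identify()`/`file_transferred` step; if anything downstream relies on end-of-file reaching the file manager before that event, the two lines should be swapped to `file_mgr->EndOfFile(Conn()); File_Analyzer::Done();`. The same inversion applies to `DeliverStream`, where `DataIn` now runs after the base-class buffering instead of before it. Apart from the tag, `IRC_Data` and `FTP_Data` are line-for-line identical here and in the File.h hunk; an intermediate class, or a constructor flag on `File_Analyzer` selecting file-manager forwarding, would keep the two from drifting. A one-line header comment on each subclass saying it forwards the stream to `file_mgr` while the plain `File_Analyzer` no longer does would help readers.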
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
class File_Analyzer : public TCP_ApplicationAnalyzer {
|
class File_Analyzer : public TCP_ApplicationAnalyzer {
|
||||||
public:
|
public:
|
||||||
File_Analyzer(Connection* conn);
|
File_Analyzer(AnalyzerTag::Tag tag, Connection* conn);
|
||||||
|
|
||||||
virtual void Done();
|
virtual void Done();
|
||||||
|
|
||||||
|
@ -19,7 +19,7 @@ public:
|
||||||
void Undelivered(int seq, int len, bool orig);
|
void Undelivered(int seq, int len, bool orig);
|
||||||
|
|
||||||
static Analyzer* InstantiateAnalyzer(Connection* conn)
|
static Analyzer* InstantiateAnalyzer(Connection* conn)
|
||||||
{ return new File_Analyzer(conn); }
|
{ return new File_Analyzer(AnalyzerTag::File, conn); }
|
||||||
|
|
||||||
static bool Available() { return file_transferred; }
|
static bool Available() { return file_transferred; }
|
||||||
|
|
||||||
|
@ -36,4 +36,38 @@ protected:
|
||||||
static magic_t magic_mime;
|
static magic_t magic_mime;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
class IRC_Data : public File_Analyzer {
|
||||||
|
public:
|
||||||
|
|
||||||
|
IRC_Data(Connection* conn);
|
||||||
|
|
||||||
|
virtual void Done();
|
||||||
|
|
||||||
|
virtual void DeliverStream(int len, const u_char* data, bool orig);
|
||||||
|
|
||||||
|
void Undelivered(int seq, int len, bool orig);
|
||||||
|
|
||||||
|
static Analyzer* InstantiateAnalyzer(Connection* conn)
|
||||||
|
{ return new IRC_Data(conn); }
|
||||||
|
|
||||||
|
static bool Available() { return true; }
|
||||||
|
};
|
||||||
|
|
||||||
|
class FTP_Data : public File_Analyzer {
|
||||||
|
public:
|
||||||
|
|
||||||
|
FTP_Data(Connection* conn);
|
||||||
|
|
||||||
|
virtual void Done();
|
||||||
|
|
||||||
|
virtual void DeliverStream(int len, const u_char* data, bool orig);
|
||||||
|
|
||||||
|
void Undelivered(int seq, int len, bool orig);
|
||||||
|
|
||||||
|
static Analyzer* InstantiateAnalyzer(Connection* conn)
|
||||||
|
{ return new FTP_Data(conn); }
|
||||||
|
|
||||||
|
static bool Available() { return true; }
|
||||||
|
};
|
||||||
|
|
||||||
#endif
|
#endif
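Review bot: `IRC_Data::Available()` and `FTP_Data::Available()` return `true` unconditionally while `File_Analyzer::Available()` still gates on `file_transferred`, so the new analyzers are instantiated even when nothing handles that event and the inherited buffering still runs; a comment stating that this is intended, e.g. `// Always available: the stream is forwarded to file_mgr regardless of script-level handlers.`, would make the asymmetry deliberate rather than accidental. `Undelivered` is declared without `virtual` in all three classes; if the declaration in `TCP_ApplicationAnalyzer` is virtual this is fine, but writing `virtual` explicitly would match `Done()` and `DeliverStream()` above.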
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
XRXY932iwza, 0, 0
|
sidhzrR4IT8, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
The Nationa
|
The Nationa
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
XRXY932iwza, 16557, 0
|
sidhzrR4IT8, 16557, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
LMA6EHLacYc, 0, 0
|
kg59rqyYxN, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
{^J "origin
|
{^J "origin
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
LMA6EHLacYc, 197, 0
|
kg59rqyYxN, 197, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
KPVibShQgUc, 0, 0
|
Cx92a0ym5R8, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
^J0.26 | 201
|
^J0.26 | 201
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
KPVibShQgUc, 4705, 0
|
Cx92a0ym5R8, 4705, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
uj9AtyGOiZ8, 0, 0
|
7gZBKVUgy4l, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
uj9AtyGOiZ8, 555523, 0
|
7gZBKVUgy4l, 555523, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf,
|
UWkUyAuUGXf,
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
555523 uj9AtyGOiZ8-file0
|
555523 7gZBKVUgy4l-file0
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
ns7As4DOZcj, 0, 0
|
oDwT1BbzjM1, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
ns7As4DOZcj, 1022920, 0
|
oDwT1BbzjM1, 1022920, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -11,10 +11,10 @@ UWkUyAuUGXf
|
||||||
total bytes: 1022920
|
total bytes: 1022920
|
||||||
source: HTTP
|
source: HTTP
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
ns7As4DOZcj, 0, 0
|
oDwT1BbzjM1, 0, 0
|
||||||
FileAnalysis::TRIGGER_TIMEOUT
|
FileAnalysis::TRIGGER_TIMEOUT
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
ns7As4DOZcj, 206024, 0
|
oDwT1BbzjM1, 206024, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
1022920 ns7As4DOZcj-file0
|
1022920 oDwT1BbzjM1-file0
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
MHMkq2nFxej, 0, 0
|
uHS14uhRKGe, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
MHMkq2nFxej, 498702, 0
|
uHS14uhRKGe, 498702, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf,
|
UWkUyAuUGXf,
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
498668 MHMkq2nFxej-file0
|
498668 uHS14uhRKGe-file0
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
Z3kT1FyLnfk, 0, 0
|
aFQKI8SPOL2, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
/*^J********
|
/*^J********
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
Z3kT1FyLnfk, 2675, 0
|
aFQKI8SPOL2, 2675, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706
|
||||||
MD5: b932c3310ce47e158d1a5a42e0b01279
|
MD5: b932c3310ce47e158d1a5a42e0b01279
|
||||||
SHA256: 5b037a2c5e36f56e63a3012c73e46a04b27741d8ff8f8b62c832fb681fc60f42
|
SHA256: 5b037a2c5e36f56e63a3012c73e46a04b27741d8ff8f8b62c832fb681fc60f42
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
WLJWC1FMBq9, 0, 0
|
CCU3vUEr06l, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
//-- Google
|
//-- Google
|
||||||
|
@ -27,7 +27,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
WLJWC1FMBq9, 21421, 0
|
CCU3vUEr06l, 21421, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -39,7 +39,7 @@ SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983
|
||||||
MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
|
MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
|
||||||
SHA256: 6a509fd05aa7c8fa05080198894bb19e638554ffcee0e0b3d7bc8ff54afee1da
|
SHA256: 6a509fd05aa7c8fa05080198894bb19e638554ffcee0e0b3d7bc8ff54afee1da
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
Ac8PLL9KL49, 0, 0
|
HCzA0dVwDPj, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
GIF89a^D\0^D\0\xb3
|
GIF89a^D\0^D\0\xb3
|
||||||
|
@ -47,7 +47,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
Ac8PLL9KL49, 94, 0
|
HCzA0dVwDPj, 94, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -60,7 +60,7 @@ SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e
|
||||||
MD5: d903de7e30db1691d3130ba5eae6b9a7
|
MD5: d903de7e30db1691d3130ba5eae6b9a7
|
||||||
SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315
|
SHA256: 6fb22aa9d780ea63bd7a2e12b92b16fcbf1c4874f1d3e11309a5ba984433c315
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
NV2MvAX0Is4, 0, 0
|
a1Zu1fteVEf, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
\x89PNG^M^J^Z^J\0\0\0
|
\x89PNG^M^J^Z^J\0\0\0
|
||||||
|
@ -68,7 +68,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
NV2MvAX0Is4, 2349, 0
|
a1Zu1fteVEf, 2349, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -81,7 +81,7 @@ SHA1: 560eab5a0177246827a94042dd103916d8765ac7
|
||||||
MD5: e0029eea80812e9a8e57b8d05d52938a
|
MD5: e0029eea80812e9a8e57b8d05d52938a
|
||||||
SHA256: e0b4500c1fd1d675da4137461cbe64d3c8489f4180d194e47683b20e7fb876f4
|
SHA256: e0b4500c1fd1d675da4137461cbe64d3c8489f4180d194e47683b20e7fb876f4
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
YLndcRpw5Ge, 0, 0
|
xXlF7wFdsR, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
\x89PNG^M^J^Z^J\0\0\0
|
\x89PNG^M^J^Z^J\0\0\0
|
||||||
|
@ -89,7 +89,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
YLndcRpw5Ge, 27579, 0
|
xXlF7wFdsR, 27579, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
WDJLxTGN0m8, 0, 0
|
v5HLI7MxPQh, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
hello world
|
hello world
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
WDJLxTGN0m8, 11, 0
|
v5HLI7MxPQh, 11, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
@ -20,7 +20,7 @@ SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
|
||||||
MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3
|
MD5: 5eb63bbbe01eeed093cb22bb8f5acdc3
|
||||||
SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
|
SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
LkolCF6OeHh, 0, 0
|
PZS1XGHkIf1, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
{^J "origin
|
{^J "origin
|
||||||
|
@ -28,7 +28,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
LkolCF6OeHh, 366, 0
|
PZS1XGHkIf1, 366, 0
|
||||||
{
|
{
|
||||||
UWkUyAuUGXf
|
UWkUyAuUGXf
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
6w2n1vAlfzk, 0, 0
|
wqKMAamJVSb, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
PK^C^D^T\0\0\0^H\0\xae
|
PK^C^D^T\0\0\0^H\0\xae
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
6w2n1vAlfzk, 42208, 0
|
wqKMAamJVSb, 42208, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
wBZuaIADU0b, 0, 0
|
9VCisPgrqVj, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
Hello^M^J^M^J ^M
|
Hello^M^J^M^J ^M
|
||||||
|
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
wBZuaIADU0b, 79, 0
|
9VCisPgrqVj, 79, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,7 @@ SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13
|
||||||
MD5: 92bca2e6cdcde73647125da7dccbdd07
|
MD5: 92bca2e6cdcde73647125da7dccbdd07
|
||||||
SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5
|
SHA256: 785a8a044d1454ec88837108f443bbb30cc4f529393ffd57118261036bfe59f5
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
i3lOtWMsCWb, 0, 0
|
ZAOEQmRyxv1, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
<html xmlns
|
<html xmlns
|
||||||
|
@ -27,7 +27,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
i3lOtWMsCWb, 1918, 0
|
ZAOEQmRyxv1, 1918, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
@ -39,7 +39,7 @@ SHA1: e54af6c6616525611364b80bd6557a7ea21dae94
|
||||||
MD5: d194c6359c85bb88b54caee18b1e9b44
|
MD5: d194c6359c85bb88b54caee18b1e9b44
|
||||||
SHA256: b9556e92ddbe52379b64804136f830d111cafe7fcd78e54817fe40f3bc24268d
|
SHA256: b9556e92ddbe52379b64804136f830d111cafe7fcd78e54817fe40f3bc24268d
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
LgCRm1TGd09, 0, 0
|
Ltd7QO7jEv3, 0, 0
|
||||||
FileAnalysis::TRIGGER_BOF
|
FileAnalysis::TRIGGER_BOF
|
||||||
FileAnalysis::TRIGGER_BOF_BUFFER
|
FileAnalysis::TRIGGER_BOF_BUFFER
|
||||||
Version 4.9
|
Version 4.9
|
||||||
|
@ -47,7 +47,7 @@ FileAnalysis::TRIGGER_TYPE
|
||||||
file type is set
|
file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
LgCRm1TGd09, 10823, 0
|
Ltd7QO7jEv3, 10823, 0
|
||||||
{
|
{
|
||||||
arKYeMETxOg
|
arKYeMETxOg
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out
|
# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace %INPUT >get-gzip.out
|
||||||
# @TEST-EXEC: btest-diff get.out
|
# @TEST-EXEC: btest-diff get.out
|
||||||
# @TEST-EXEC: btest-diff get-gzip.out
|
# @TEST-EXEC: btest-diff get-gzip.out
|
||||||
# @TEST-EXEC: btest-diff KPVibShQgUc-file
|
# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
|
||||||
# @TEST-EXEC: btest-diff LMA6EHLacYc-file
|
# @TEST-EXEC: btest-diff kg59rqyYxN-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
global actions: set[FileAnalysis::ActionArgs];
|
||||||
|
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap %INPUT >a.out
|
||||||
# @TEST-EXEC: btest-diff a.out
|
# @TEST-EXEC: btest-diff a.out
|
||||||
# @TEST-EXEC: wc -c uj9AtyGOiZ8-file0 >a.size
|
# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 >a.size
|
||||||
# @TEST-EXEC: btest-diff a.size
|
# @TEST-EXEC: btest-diff a.size
|
||||||
|
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap %INPUT >b.out
|
||||||
# @TEST-EXEC: btest-diff b.out
|
# @TEST-EXEC: btest-diff b.out
|
||||||
# @TEST-EXEC: wc -c ns7As4DOZcj-file0 >b.size
|
# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 >b.size
|
||||||
# @TEST-EXEC: btest-diff b.size
|
# @TEST-EXEC: btest-diff b.size
|
||||||
|
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out
|
# @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap %INPUT >c.out
|
||||||
# @TEST-EXEC: btest-diff c.out
|
# @TEST-EXEC: btest-diff c.out
|
||||||
# @TEST-EXEC: wc -c MHMkq2nFxej-file0 >c.size
|
# @TEST-EXEC: wc -c uHS14uhRKGe-file0 >c.size
|
||||||
# @TEST-EXEC: btest-diff c.size
|
# @TEST-EXEC: btest-diff c.size
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
global actions: set[FileAnalysis::ActionArgs];
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff Z3kT1FyLnfk-file
|
# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
|
||||||
# @TEST-EXEC: btest-diff WLJWC1FMBq9-file
|
# @TEST-EXEC: btest-diff CCU3vUEr06l-file
|
||||||
# @TEST-EXEC: btest-diff Ac8PLL9KL49-file
|
# @TEST-EXEC: btest-diff HCzA0dVwDPj-file
|
||||||
# @TEST-EXEC: btest-diff NV2MvAX0Is4-file
|
# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
|
||||||
# @TEST-EXEC: btest-diff YLndcRpw5Ge-file
|
# @TEST-EXEC: btest-diff xXlF7wFdsR-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
global actions: set[FileAnalysis::ActionArgs];
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out
|
# @TEST-EXEC: bro -r $TRACES/http/post.trace %INPUT >out
|
||||||
# @TEST-EXEC: btest-diff out
|
# @TEST-EXEC: btest-diff out
|
||||||
# @TEST-EXEC: btest-diff WDJLxTGN0m8-file
|
# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
|
||||||
# @TEST-EXEC: btest-diff LkolCF6OeHh-file
|
# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
|
||||||
|
|
||||||
global actions: set[FileAnalysis::ActionArgs];
|
global actions: set[FileAnalysis::ActionArgs];
|
||||||
|
|
||||||
|
|