mirror of
https://github.com/zeek/zeek.git
Internal simplification for FTP analysis scripts.
parent
8600b676e6
commit
686946d0dd
2 changed files with 8 additions and 19 deletions
|
@ -28,8 +28,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
|
|||
if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
|
||||
return;
|
||||
|
||||
local expected = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
local s = expected$state;
|
||||
local s = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
|
||||
if ( extract_file_types in s$mime_type )
|
||||
{
|
||||
|
@ -46,8 +45,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
|
|||
if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
|
||||
return;
|
||||
|
||||
local expected = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
local s = expected$state;
|
||||
local s = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
|
||||
if ( s$extract_file )
|
||||
{
|
||||
|
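Review bot: In both `file_transferred` handlers `s` is looked up by the data connection's responder address and port alone (`ftp_data_expected[id$resp_h, id$resp_p]`), and nothing in the visible lines compares the connection's originator with the host the control session announced. An unrelated connection to the same endpoint while the entry is still live would therefore be attributed to that FTP session and would drive the `s$mime_type` / `s$extract_file` decisions. This commit removes the stored `host` field, so that comparison can no longer be added here; if keying on the responder alone is deliberate, record it in a comment such as `# matched on responder addr/port only; originator is not verified`. Both handler bodies continue outside the hunks.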
|
|
@ -48,12 +48,7 @@ export {
|
|||
## This determines if the password will be captured for this request.
|
||||
capture_password: bool &default=default_capture_password;
|
||||
};
|
||||
|
||||
type ExpectedConn: record {
|
||||
host: addr;
|
||||
state: Info;
|
||||
};
|
||||
|
||||
|
||||
## This record is to hold a parsed FTP reply code. For example, for the
|
||||
## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
|
||||
type ReplyCode: record {
|
||||
|
@ -91,7 +86,7 @@ redef capture_filters += { ["ftp"] = "port 21" };
|
|||
redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
|
||||
|
||||
# Establish the variable for tracking expected connections.
|
||||
global ftp_data_expected: table[addr, port] of ExpectedConn &create_expire=5mins;
|
||||
global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
|
@ -211,9 +206,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
|
|||
if ( data$valid )
|
||||
{
|
||||
c$ftp$passive=F;
|
||||
|
||||
local expected = [$host=id$resp_h, $state=copy(c$ftp)];
|
||||
ftp_data_expected[data$h, data$p] = expected;
|
||||
ftp_data_expected[data$h, data$p] = c$ftp;
|
||||
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
|
||||
}
|
||||
else
|
||||
|
@ -266,8 +259,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
|
|||
if ( code == 229 && data$h == 0.0.0.0 )
|
||||
data$h = id$resp_h;
|
||||
|
||||
local expected = [$host=id$orig_h, $state=copy(c$ftp)];
|
||||
ftp_data_expected[data$h, data$p] = expected;
|
||||
ftp_data_expected[data$h, data$p] = c$ftp;
|
||||
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
|
||||
}
|
||||
else
|
||||
|
@ -312,9 +304,8 @@ event file_transferred(c: connection, prefix: string, descr: string,
|
|||
local id = c$id;
|
||||
if ( [id$resp_h, id$resp_p] in ftp_data_expected )
|
||||
{
|
||||
local expected = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
local s = expected$state;
|
||||
s$mime_type = mime_type;
|
||||
local s = ftp_data_expected[id$resp_h, id$resp_p];
|
||||
s$mime_type = split1(mime_type, /;/)[1];
|
||||
s$mime_desc = descr;
|
||||
}
|
||||
}
|
||||
|
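Review bot: The two new assignments `ftp_data_expected[data$h, data$p] = c$ftp;` (in `ftp_request` and `ftp_reply`) drop the `copy()` the removed lines used, and since Zeek records are assigned by reference the table entry now aliases the control connection's live `c$ftp` instead of holding a snapshot. Any later change to `c$ftp` before the data connection is seen changes what the `file_transferred` handlers read, and `s$mime_type = split1(mime_type, /;/)[1];` now writes into the control session's record. If that write-back is the intent, state it next to the table declaration, e.g. `# entries alias c$ftp on purpose so file metadata reaches the FTP log`; otherwise keep `= copy(c$ftp);`. The handler bodies start and end outside these hunks.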
|