Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 00:58:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Internal simplication for FTP analysis scripts.

Browse source
This commit is contained in:
Seth Hall 2011-10-07 13:36:02 -04:00
parent 8600b676e6
commit 686946d0dd
2 changed files with 8 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

6
scripts/base/protocols/ftp/file-extract.bro
View file

@ -28,8 +28,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
return; return;
local expected = ftp_data_expected[id$resp_h, id$resp_p]; local s = ftp_data_expected[id$resp_h, id$resp_p];
local s = expected$state;
if ( extract_file_types in s$mime_type ) if ( extract_file_types in s$mime_type )
{ {
@ -46,8 +45,7 @@ event file_transferred(c: connection, prefix: string, descr: string,
if ( [id$resp_h, id$resp_p] !in ftp_data_expected ) if ( [id$resp_h, id$resp_p] !in ftp_data_expected )
return; return;
local expected = ftp_data_expected[id$resp_h, id$resp_p]; local s = ftp_data_expected[id$resp_h, id$resp_p];
local s = expected$state;
if ( s$extract_file ) if ( s$extract_file )
{ {

19
scripts/base/protocols/ftp/main.bro
View file

@ -49,11 +49,6 @@ export {
capture_password: bool &default=default_capture_password; capture_password: bool &default=default_capture_password;
}; };
type ExpectedConn: record {
host: addr;
state: Info;
};
## This record is to hold a parsed FTP reply code. For example, for the ## This record is to hold a parsed FTP reply code. For example, for the
## 201 status code, the digits would be parsed as: x->2, y->0, z=>1. ## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
type ReplyCode: record { type ReplyCode: record {
@ -91,7 +86,7 @@ redef capture_filters += { ["ftp"] = "port 21" };
redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] }; redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
# Establish the variable for tracking expected connections. # Establish the variable for tracking expected connections.
global ftp_data_expected: table[addr, port] of ExpectedConn &create_expire=5mins; global ftp_data_expected: table[addr, port] of Info &create_expire=5mins;
event bro_init() &priority=5 event bro_init() &priority=5
{ {
@ -211,9 +206,7 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
if ( data$valid ) if ( data$valid )
{ {
c$ftp$passive=F; c$ftp$passive=F;
ftp_data_expected[data$h, data$p] = c$ftp;
local expected = [$host=id$resp_h, $state=copy(c$ftp)];
ftp_data_expected[data$h, data$p] = expected;
expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins); expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
} }
else else
@ -266,8 +259,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
if ( code == 229 && data$h == 0.0.0.0 ) if ( code == 229 && data$h == 0.0.0.0 )
data$h = id$resp_h; data$h = id$resp_h;
local expected = [$host=id$orig_h, $state=copy(c$ftp)]; ftp_data_expected[data$h, data$p] = c$ftp;
ftp_data_expected[data$h, data$p] = expected;
expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins); expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
} }
else else
@ -312,9 +304,8 @@ event file_transferred(c: connection, prefix: string, descr: string,
local id = c$id; local id = c$id;
if ( [id$resp_h, id$resp_p] in ftp_data_expected ) if ( [id$resp_h, id$resp_p] in ftp_data_expected )
{ {
local expected = ftp_data_expected[id$resp_h, id$resp_p]; local s = ftp_data_expected[id$resp_h, id$resp_p];
local s = expected$state; s$mime_type = split1(mime_type, /;/)[1];
s$mime_type = mime_type;
s$mime_desc = descr; s$mime_desc = descr;
} }
} }