diff --git a/scripts/policy/frameworks/intel/seen/file-names.zeek b/scripts/policy/frameworks/intel/seen/file-names.zeek
index ade0d0f18a..10c563f05e 100644
--- a/scripts/policy/frameworks/intel/seen/file-names.zeek
+++ b/scripts/policy/frameworks/intel/seen/file-names.zeek
@@ -3,9 +3,28 @@
 
 event file_new(f: fa_file)
 {
+ # If there are connections attached, we'll be using
+ # file_over_new_connection() for reporting the
+ # filename instead as it's more likely to be populated.
+ if ( f?$conns && |f$conns| > 0 )
+ return;
+
 if ( f?$info && f$info?$filename )
 Intel::seen([$indicator=f$info$filename,
 $indicator_type=Intel::FILE_NAME,
 $f=f,
 $where=Files::IN_NAME]);
- }
\ No newline at end of file
+ }
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
+ {
+ # Skip SMB, there's a custom implementation in smb-filenames.zeek
+ if ( f$source == "SMB" )
+ return;
+
+ if ( f?$info && f$info?$filename )
+ Intel::seen([$indicator=f$info$filename,
+ $indicator_type=Intel::FILE_NAME,
+ $f=f,
+ $where=Files::IN_NAME]);
+ }
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-get-response/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-get-response/intel.log
new file mode 100644
index 0000000000..edb8b0c243
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-get-response/intel.log
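Review bot: The `&priority=-5` on the new file_over_new_connection handler is what makes this work — it only sees a populated `f$info$filename` because, presumably, the protocol scripts fill that field in their own handlers for the same event at default or higher priority — yet nothing in the hunk says so, so the next person tuning priorities can silently break the reporting; I'd add `# Run late so protocol analyzers (e.g. HTTP's Content-Disposition handling) have already populated f$info$filename.` above the handler. Note also that this event is raised once per connection a file is seen over, so a file carried across several connections will now produce one Intel::seen hit per connection rather than one per file; if that is intended the comment should say so, and if not a per-fuid guard is needed. The `f$source == "SMB"` check hard-codes a coupling to smb-filenames.zeek; a sentence in that comment stating that the SMB script reports its own filenames and why they differ would make the split easier to maintain. Finally, the early return in file_new assumes the connection is already attached when file_new fires; if the core can attach a connection after file_new, both handlers would report the same file, so that assumption deserves a note.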
@@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.1.9.63 63526 54.175.222.246 80 test.json Intel::FILE_NAME Files::IN_NAME zeek Intel::FILE_NAME source1 FiokML36uuy5agr5x3 - http://httpbin.org/response-headers?Content-Type=application/octet-stream; charset=UTF-8&Content-Disposition=attachment; filename="test.json" +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-post/intel.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-post/intel.log new file mode 100644 index 0000000000..72e1fc345e --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.filename-in-http-post/intel.log @@ -0,0 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 56880 127.0.0.1 8080 putty.exe Intel::FILE_NAME Files::IN_NAME zeek Intel::FILE_NAME source1 FxbYSsEfeslxAei7 - http://localhost:8080:8080/upload +#close XXXX-XX-XX-XX-XX-XX 
diff --git a/testing/btest/Traces/http/putty-upload.pcap b/testing/btest/Traces/http/putty-upload.pcap
new file mode 100644
index 0000000000..c91721f0dd
Binary files /dev/null and b/testing/btest/Traces/http/putty-upload.pcap differ
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-get-response.zeek b/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-get-response.zeek
new file mode 100644
index 0000000000..f951776f4a
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-get-response.zeek
@@ -0,0 +1,24 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+@load base/protocols/http
+
+redef Intel::read_files = { "./intel.dat" };
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+test.json Intel::FILE_NAME source1 A JSON file https://www.json.org/json-en.html
+@TEST-END-FILE
+
+event zeek_init()
+ {
+ suspend_processing();
+ }
+
+event Input::end_of_data(name: string, source: string)
+ {
+ if ( /intel.dat/ in source )
+ continue_processing();
+ }
diff --git a/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-post.zeek b/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-post.zeek
new file mode 100644
index 0000000000..dc0db99e09
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-post.zeek
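Review bot: The intel.dat fixture in the GET-response test carries only the one indicator the trace is expected to hit, so the test cannot tell "matched test.json" apart from "matched every filename seen"; the sibling filename-in-http-post test ships an unmatched `zeek.exe` entry as a negative control and this one should do the same, e.g. a second tab-separated line `other.json Intel::FILE_NAME source1 Not in trace https://example.org` whose absence from intel.log is then part of the baseline. The `/intel.dat/ in source` pattern in Input::end_of_data also uses an unescaped dot; harmless here, but `/intel\.dat/` states the intent and is what the post test should use as well.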
@@ -0,0 +1,25 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/putty-upload.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+@load base/protocols/http
+
+redef Intel::read_files = { "./intel.dat" };
+
+@TEST-START-FILE intel.dat
+#fields indicator indicator_type meta.source meta.desc meta.url
+putty.exe Intel::FILE_NAME source1 SSH utility https://www.putty.org
+zeek.exe Intel::FILE_NAME source1 A network monitor https://zeek.org
+@TEST-END-FILE
+
+event zeek_init()
+ {
+ suspend_processing();
+ }
+
+event Input::end_of_data(name: string, source: string)
+ {
+ if ( /intel.dat/ in source )
+ continue_processing();
+ }
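Review bot: The baseline this test pins records `file_desc` as `http://localhost:8080:8080/upload`, i.e. the port appears twice, which presumably comes from the request's Host header already carrying `:8080` while the HTTP file-description helper appends the responder port again; that defect is outside this change, but committing the baseline freezes the doubled port as expected output, so either fix the description builder first or flag the oddity with a comment in the test such as `# NOTE: file_desc in the baseline shows a doubled port; see the HTTP describe_file helper.` Otherwise the fixture is sound: the unmatched `zeek.exe` entry gives the negative control that the GET-response test lacks, and the suspend/continue_processing pairing ensures the indicators are loaded before the trace is read.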