mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
FileAnalysis: replace script-layer http file analysis.
Other misc: - Remove HTTP::MD5 notice. - Add "last_active" field to FileAnalysis::Info record. - Replace "conn_uids", "conn_ids" fields in FileAnalysis::Info record with just a "conns" fields containing full connection records. - The http-methods unit test is failing now, but I think it will be fixed once I change the file handle callback mechanism to use events instead.
This commit is contained in:
Jon Siwek
parent
7034785810
commit
71f0e2d276
61 changed files with 411 additions and 625 deletions
|
|
@ -54,12 +54,11 @@ export {
|
||||||
## path which was read, or some other input source.
|
## path which was read, or some other input source.
|
||||||
source: string &log &optional;
|
source: string &log &optional;
|
||||||
|
|
||||||
## The set of connections over which the file was transferred,
|
## The set of connections over which the file was transferred.
|
||||||
## indicated by UID strings.
|
conns: table[conn_id] of connection &optional;
|
||||||
conn_uids: set[string] &log &optional;
|
|
||||||
## The set of connections over which the file was transferred,
|
## The time at which the last activity for the file was seen.
|
||||||
## indicated by 5-tuples.
|
last_active: time &log;
|
||||||
conn_ids: set[conn_id] &optional;
|
|
||||||
|
|
||||||
## Number of bytes provided to the file analysis engine for the file.
|
## Number of bytes provided to the file analysis engine for the file.
|
||||||
seen_bytes: count &log &default=0;
|
seen_bytes: count &log &default=0;
|
||||||
|
|
@ -123,6 +122,7 @@ event bro_init() &priority=5
|
||||||
}
|
}
|
||||||
|
|
||||||
redef record FileAnalysis::Info += {
|
redef record FileAnalysis::Info += {
|
||||||
|
conn_uids: set[string] &log &optional;
|
||||||
actions_taken: set[Action] &log &optional;
|
actions_taken: set[Action] &log &optional;
|
||||||
extracted_files: set[string] &log &optional;
|
extracted_files: set[string] &log &optional;
|
||||||
md5: string &log &optional;
|
md5: string &log &optional;
|
||||||
|
|
@ -136,6 +136,11 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
if ( trig != FileAnalysis::TRIGGER_EOF &&
|
if ( trig != FileAnalysis::TRIGGER_EOF &&
|
||||||
trig != FileAnalysis::TRIGGER_DONE ) return;
|
trig != FileAnalysis::TRIGGER_DONE ) return;
|
||||||
|
|
||||||
|
info$conn_uids = set();
|
||||||
|
if ( info?$conns )
|
||||||
|
for ( cid in info$conns )
|
||||||
|
add info$conn_uids[info$conns[cid]$uid];
|
||||||
|
|
||||||
info$actions_taken = set();
|
info$actions_taken = set();
|
||||||
info$extracted_files = set();
|
info$extracted_files = set();
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2,8 +2,7 @@
|
||||||
##! the message body from the server can be extracted with this script.
|
##! the message body from the server can be extracted with this script.
|
||||||
|
|
||||||
@load ./main
|
@load ./main
|
||||||
@load ./file-ident
|
@load ./file-analysis
|
||||||
@load base/utils/files
|
|
||||||
|
|
||||||
module HTTP;
|
module HTTP;
|
||||||
|
|
||||||
|
|
@ -16,45 +15,77 @@ export {
|
||||||
|
|
||||||
redef record Info += {
|
redef record Info += {
|
||||||
## On-disk file where the response body was extracted to.
|
## On-disk file where the response body was extracted to.
|
||||||
extraction_file: file &log &optional;
|
extraction_file: string &log &optional;
|
||||||
|
|
||||||
## Indicates if the response body is to be extracted or not. Must be
|
## Indicates if the response body is to be extracted or not. Must be
|
||||||
## set before or by the first :bro:id:`http_entity_data` event for the
|
## set before or by the first :bro:enum:`FileAnalysis::TRIGGER_NEW`
|
||||||
## content.
|
## for the file content.
|
||||||
extract_file: bool &default=F;
|
extract_file: bool &default=F;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=-5
|
global extract_count: count = 0;
|
||||||
{
|
|
||||||
# Client body extraction is not currently supported in this script.
|
|
||||||
if ( is_orig )
|
|
||||||
return;
|
|
||||||
|
|
||||||
if ( c$http$first_chunk )
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=5
|
||||||
{
|
{
|
||||||
if ( c$http?$mime_type &&
|
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
||||||
extract_file_types in c$http$mime_type )
|
if ( ! info?$mime_type ) return;
|
||||||
|
if ( ! info?$source ) return;
|
||||||
|
if ( info$source != "HTTP" ) return;
|
||||||
|
if ( extract_file_types !in info$mime_type ) return;
|
||||||
|
|
||||||
|
for ( act in info$actions )
|
||||||
|
if ( act$act == FileAnalysis::ACTION_EXTRACT ) return;
|
||||||
|
|
||||||
|
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
|
||||||
|
extract_count);
|
||||||
|
++extract_count;
|
||||||
|
FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||||
|
$extract_filename=fname]);
|
||||||
|
|
||||||
|
if ( ! info?$conns ) return;
|
||||||
|
|
||||||
|
for ( cid in info$conns )
|
||||||
{
|
{
|
||||||
c$http$extract_file = T;
|
local c: connection = info$conns[cid];
|
||||||
|
|
||||||
|
if ( ! c?$http ) next;
|
||||||
|
|
||||||
|
c$http$extraction_file = fname;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=5
|
||||||
|
{
|
||||||
|
if ( trig != FileAnalysis::TRIGGER_NEW ) return;
|
||||||
|
if ( ! info?$source ) return;
|
||||||
|
if ( info$source != "HTTP" ) return;
|
||||||
|
if ( ! info?$conns ) return;
|
||||||
|
|
||||||
|
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, info$file_id,
|
||||||
|
extract_count);
|
||||||
|
local extracting: bool = F;
|
||||||
|
|
||||||
|
for ( cid in info$conns )
|
||||||
|
{
|
||||||
|
local c: connection = info$conns[cid];
|
||||||
|
|
||||||
|
if ( ! c?$http ) next;
|
||||||
|
|
||||||
if ( c$http$extract_file )
|
if ( c$http$extract_file )
|
||||||
{
|
{
|
||||||
local suffix = fmt("%s_%d.dat", is_orig ? "orig" : "resp", c$http_state$current_response);
|
if ( ! extracting )
|
||||||
local fname = generate_extraction_filename(extraction_prefix, c, suffix);
|
|
||||||
|
|
||||||
c$http$extraction_file = open(fname);
|
|
||||||
enable_raw_output(c$http$extraction_file);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( c$http?$extraction_file )
|
|
||||||
print c$http$extraction_file, data;
|
|
||||||
}
|
|
||||||
|
|
||||||
event http_end_entity(c: connection, is_orig: bool)
|
|
||||||
{
|
{
|
||||||
if ( c$http?$extraction_file )
|
FileAnalysis::add_action(info$file_id,
|
||||||
close(c$http$extraction_file);
|
[$act=FileAnalysis::ACTION_EXTRACT,
|
||||||
|
$extract_filename=fname]);
|
||||||
|
extracting = T;
|
||||||
|
++extract_count;
|
||||||
|
}
|
||||||
|
|
||||||
|
c$http$extraction_file = fname;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,15 +1,11 @@
|
||||||
##! Calculate hashes for HTTP body transfers.
|
##! Calculate hashes for HTTP body transfers.
|
||||||
|
|
||||||
@load ./file-ident
|
@load ./main
|
||||||
|
@load ./file-analysis
|
||||||
|
|
||||||
module HTTP;
|
module HTTP;
|
||||||
|
|
||||||
export {
|
export {
|
||||||
redef enum Notice::Type += {
|
|
||||||
## Indicates that an MD5 sum was calculated for an HTTP response body.
|
|
||||||
MD5,
|
|
||||||
};
|
|
||||||
|
|
||||||
redef record Info += {
|
redef record Info += {
|
||||||
## MD5 sum for a file transferred over HTTP calculated from the
|
## MD5 sum for a file transferred over HTTP calculated from the
|
||||||
## response body.
|
## response body.
|
||||||
|
|
@ -19,10 +15,6 @@ export {
|
||||||
## if a file should have an MD5 sum generated. It must be
|
## if a file should have an MD5 sum generated. It must be
|
||||||
## set to T at the time of or before the first chunk of body data.
|
## set to T at the time of or before the first chunk of body data.
|
||||||
calc_md5: bool &default=F;
|
calc_md5: bool &default=F;
|
||||||
|
|
||||||
## Indicates if an MD5 sum is being calculated for the current
|
|
||||||
## request/response pair.
|
|
||||||
md5_handle: opaque of md5 &optional;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
## Generate MD5 sums for these filetypes.
|
## Generate MD5 sums for these filetypes.
|
||||||
|
|
@ -31,62 +23,67 @@ export {
|
||||||
&redef;
|
&redef;
|
||||||
}
|
}
|
||||||
|
|
||||||
## Initialize and calculate the hash.
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
|
&priority=5
|
||||||
{
|
{
|
||||||
if ( is_orig || ! c?$http ) return;
|
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
||||||
|
if ( ! info?$mime_type ) return;
|
||||||
|
if ( ! info?$source ) return;
|
||||||
|
if ( info$source != "HTTP" ) return;
|
||||||
|
|
||||||
if ( c$http$first_chunk )
|
if ( generate_md5 in info$mime_type )
|
||||||
|
FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_MD5]);
|
||||||
|
else if ( info?$conns )
|
||||||
{
|
{
|
||||||
if ( c$http$calc_md5 ||
|
for ( cid in info$conns )
|
||||||
(c$http?$mime_type && generate_md5 in c$http$mime_type) )
|
|
||||||
{
|
{
|
||||||
c$http$md5_handle = md5_hash_init();
|
local c: connection = info$conns[cid];
|
||||||
|
|
||||||
|
if ( ! c?$http ) next;
|
||||||
|
|
||||||
|
if ( c$http$calc_md5 )
|
||||||
|
{
|
||||||
|
FileAnalysis::add_action(info$file_id,
|
||||||
|
[$act=FileAnalysis::ACTION_MD5]);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( c$http?$md5_handle )
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
md5_hash_update(c$http$md5_handle, data);
|
&priority=5
|
||||||
}
|
|
||||||
|
|
||||||
## In the event of a content gap during a file transfer, detect the state for
|
|
||||||
## the MD5 sum calculation and stop calculating the MD5 since it would be
|
|
||||||
## incorrect anyway.
|
|
||||||
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
|
|
||||||
{
|
{
|
||||||
if ( is_orig || ! c?$http || ! c$http?$md5_handle ) return;
|
if ( trig != FileAnalysis::TRIGGER_DONE &&
|
||||||
|
trig != FileAnalysis::TRIGGER_EOF ) return;
|
||||||
|
if ( ! info?$source ) return;
|
||||||
|
if ( info$source != "HTTP" ) return;
|
||||||
|
if ( ! info?$conns ) return;
|
||||||
|
|
||||||
set_state(c, F, is_orig);
|
local act: FileAnalysis::ActionArgs = [$act=FileAnalysis::ACTION_MD5];
|
||||||
md5_hash_finish(c$http$md5_handle); # Ignore return value.
|
|
||||||
delete c$http$md5_handle;
|
|
||||||
}
|
|
||||||
|
|
||||||
## When the file finishes downloading, finish the hash and generate a notice.
|
if ( act !in info$actions ) return;
|
||||||
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=-3
|
|
||||||
|
local result = info$actions[act];
|
||||||
|
|
||||||
|
if ( ! result?$md5 ) return;
|
||||||
|
|
||||||
|
for ( cid in info$conns )
|
||||||
{
|
{
|
||||||
if ( is_orig || ! c?$http ) return;
|
local c: connection = info$conns[cid];
|
||||||
|
|
||||||
if ( c$http?$md5_handle )
|
if ( ! c?$http ) next;
|
||||||
{
|
|
||||||
local url = build_url_http(c$http);
|
|
||||||
c$http$md5 = md5_hash_finish(c$http$md5_handle);
|
|
||||||
delete c$http$md5_handle;
|
|
||||||
|
|
||||||
NOTICE([$note=MD5, $msg=fmt("%s %s %s", c$id$orig_h, c$http$md5, url),
|
c$http$md5 = result$md5;
|
||||||
$sub=c$http$md5, $conn=c]);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event connection_state_remove(c: connection) &priority=-5
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=5
|
||||||
{
|
{
|
||||||
if ( c?$http_state &&
|
if ( trig != FileAnalysis::TRIGGER_GAP ) return;
|
||||||
c$http_state$current_response in c$http_state$pending &&
|
if ( ! info?$source ) return;
|
||||||
c$http_state$pending[c$http_state$current_response]?$md5_handle )
|
if ( info$source != "HTTP" ) return;
|
||||||
{
|
|
||||||
# The MD5 sum isn't going to be saved anywhere since the entire
|
FileAnalysis::add_action(info$file_id, [$act=FileAnalysis::ACTION_MD5]);
|
||||||
# body wouldn't have been seen anyway and we'd just be giving an
|
|
||||||
# incorrect MD5 sum.
|
|
||||||
md5_hash_finish(c$http$md5_handle);
|
|
||||||
delete c$http$md5_handle;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,15 +1,9 @@
|
||||||
##! Identification of file types in HTTP response bodies with file content sniffing.
|
##! Identification of file types in HTTP response bodies with file content sniffing.
|
||||||
|
|
||||||
@load base/frameworks/signatures
|
|
||||||
@load base/frameworks/notice
|
@load base/frameworks/notice
|
||||||
@load ./main
|
@load ./main
|
||||||
@load ./utils
|
@load ./utils
|
||||||
|
@load ./file-analysis
|
||||||
# Add the magic number signatures to the core signature set.
|
|
||||||
@load-sigs ./file-ident.sig
|
|
||||||
|
|
||||||
# Ignore the signatures used to match files
|
|
||||||
redef Signatures::ignored_ids += /^matchfile-/;
|
|
||||||
|
|
||||||
module HTTP;
|
module HTTP;
|
||||||
|
|
||||||
|
|
@ -22,11 +16,6 @@ export {
|
||||||
redef record Info += {
|
redef record Info += {
|
||||||
## Mime type of response body identified by content sniffing.
|
## Mime type of response body identified by content sniffing.
|
||||||
mime_type: string &log &optional;
|
mime_type: string &log &optional;
|
||||||
|
|
||||||
## Indicates that no data of the current file transfer has been
|
|
||||||
## seen yet. After the first :bro:id:`http_entity_data` event, it
|
|
||||||
## will be set to F.
|
|
||||||
first_chunk: bool &default=T;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
## Mapping between mime types and regular expressions for URLs
|
## Mapping between mime types and regular expressions for URLs
|
||||||
|
|
@ -43,43 +32,34 @@ export {
|
||||||
const ignored_incorrect_file_type_urls = /^$/ &redef;
|
const ignored_incorrect_file_type_urls = /^$/ &redef;
|
||||||
}
|
}
|
||||||
|
|
||||||
event signature_match(state: signature_state, msg: string, data: string) &priority=5
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=5
|
||||||
{
|
{
|
||||||
# Only signatures matching file types are dealt with here.
|
if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
|
||||||
if ( /^matchfile-/ !in state$sig_id ) return;
|
if ( ! info?$mime_type ) return;
|
||||||
|
if ( ! info?$source ) return;
|
||||||
|
if ( info$source != "HTTP" ) return;
|
||||||
|
if ( ! info?$conns ) return;
|
||||||
|
|
||||||
local c = state$conn;
|
for ( cid in info$conns )
|
||||||
set_state(c, F, F);
|
|
||||||
|
|
||||||
# Not much point in any of this if we don't know about the HTTP session.
|
|
||||||
if ( ! c?$http ) return;
|
|
||||||
|
|
||||||
# Set the mime type that was detected.
|
|
||||||
c$http$mime_type = msg;
|
|
||||||
|
|
||||||
if ( msg in mime_types_extensions &&
|
|
||||||
c$http?$uri && mime_types_extensions[msg] !in c$http$uri )
|
|
||||||
{
|
{
|
||||||
|
local c: connection = info$conns[cid];
|
||||||
|
|
||||||
|
if ( ! c?$http ) next;
|
||||||
|
|
||||||
|
c$http$mime_type = info$mime_type;
|
||||||
|
|
||||||
|
if ( info$mime_type !in mime_types_extensions ) next;
|
||||||
|
if ( ! c$http?$uri ) next;
|
||||||
|
if ( mime_types_extensions[info$mime_type] in c$http$uri ) next;
|
||||||
|
|
||||||
local url = build_url_http(c$http);
|
local url = build_url_http(c$http);
|
||||||
|
|
||||||
if ( url == ignored_incorrect_file_type_urls )
|
if ( url == ignored_incorrect_file_type_urls ) next;
|
||||||
return;
|
|
||||||
|
|
||||||
local message = fmt("%s %s %s", msg, c$http$method, url);
|
local message = fmt("%s %s %s", info$mime_type, c$http$method, url);
|
||||||
NOTICE([$note=Incorrect_File_Type,
|
NOTICE([$note=Incorrect_File_Type,
|
||||||
$msg=message,
|
$msg=message,
|
||||||
$conn=c]);
|
$conn=c]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
|
|
||||||
{
|
|
||||||
if ( c$http$first_chunk && ! c$http?$mime_type )
|
|
||||||
c$http$mime_type = split1(identify_data(data, T), /;/)[1];
|
|
||||||
}
|
|
||||||
|
|
||||||
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=-10
|
|
||||||
{
|
|
||||||
if ( c$http$first_chunk )
|
|
||||||
c$http$first_chunk=F;
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -1,144 +0,0 @@
|
||||||
# These signatures are used as a replacement for libmagic. The signature
|
|
||||||
# name needs to start with "matchfile" and the "event" directive takes
|
|
||||||
# the mime type of the file matched by the http-reply-body pattern.
|
|
||||||
#
|
|
||||||
# Signatures from: http://www.garykessler.net/library/file_sigs.html
|
|
||||||
|
|
||||||
signature matchfile-exe {
|
|
||||||
http-reply-body /\x4D\x5A/
|
|
||||||
event "application/x-dosexec"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-elf {
|
|
||||||
http-reply-body /\x7F\x45\x4C\x46/
|
|
||||||
event "application/x-executable"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-script {
|
|
||||||
# This is meant to match the interpreter declaration at the top of many
|
|
||||||
# interpreted scripts.
|
|
||||||
http-reply-body /\#\![[:blank:]]?\//
|
|
||||||
event "application/x-script"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-wmv {
|
|
||||||
http-reply-body /\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C/
|
|
||||||
event "video/x-ms-wmv"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-flv {
|
|
||||||
http-reply-body /\x46\x4C\x56\x01/
|
|
||||||
event "video/x-flv"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-swf {
|
|
||||||
http-reply-body /[\x46\x43]\x57\x53/
|
|
||||||
event "application/x-shockwave-flash"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-jar {
|
|
||||||
http-reply-body /\x5F\x27\xA8\x89/
|
|
||||||
event "application/java-archive"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-class {
|
|
||||||
http-reply-body /\xCA\xFE\xBA\xBE/
|
|
||||||
event "application/java-byte-code"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-msoffice-2007 {
|
|
||||||
# MS Office 2007 XML documents
|
|
||||||
http-reply-body /\x50\x4B\x03\x04\x14\x00\x06\x00/
|
|
||||||
event "application/msoffice"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-msoffice {
|
|
||||||
# Older MS Office files
|
|
||||||
http-reply-body /\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1/
|
|
||||||
event "application/msoffice"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-rtf {
|
|
||||||
http-reply-body /\x7B\x5C\x72\x74\x66\x31/
|
|
||||||
event "application/rtf"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-lnk {
|
|
||||||
http-reply-body /\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46/
|
|
||||||
event "application/x-ms-shortcut"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-torrent {
|
|
||||||
http-reply-body /\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65/
|
|
||||||
event "application/x-bittorrent"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-pdf {
|
|
||||||
http-reply-body /\x25\x50\x44\x46/
|
|
||||||
event "application/pdf"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-html {
|
|
||||||
http-reply-body /<[hH][tT][mM][lL]/
|
|
||||||
event "text/html"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-html2 {
|
|
||||||
http-reply-body /<![dD][oO][cC][tT][yY][pP][eE][[:blank:]][hH][tT][mM][lL]/
|
|
||||||
event "text/html"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-xml {
|
|
||||||
http-reply-body /<\??[xX][mM][lL]/
|
|
||||||
event "text/xml"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-gif {
|
|
||||||
http-reply-body /\x47\x49\x46\x38[\x37\x39]\x61/
|
|
||||||
event "image/gif"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-jpg {
|
|
||||||
http-reply-body /\xFF\xD8\xFF[\xDB\xE0\xE1\xE2\xE3\xE8]..[\x4A\x45\x53][\x46\x78\x50][\x49\x69][\x46\x66]/
|
|
||||||
event "image/jpeg"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-tiff {
|
|
||||||
http-reply-body /\x4D\x4D\x00[\x2A\x2B]/
|
|
||||||
event "image/tiff"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-png {
|
|
||||||
http-reply-body /\x89\x50\x4e\x47/
|
|
||||||
event "image/png"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-zip {
|
|
||||||
http-reply-body /\x50\x4B\x03\x04/
|
|
||||||
event "application/zip"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-bzip {
|
|
||||||
http-reply-body /\x42\x5A\x68/
|
|
||||||
event "application/bzip2"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-gzip {
|
|
||||||
http-reply-body /\x1F\x8B\x08/
|
|
||||||
event "application/x-gzip"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-cab {
|
|
||||||
http-reply-body /\x4D\x53\x43\x46/
|
|
||||||
event "application/vnd.ms-cab-compressed"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-rar {
|
|
||||||
http-reply-body /\x52\x61\x72\x21\x1A\x07\x00/
|
|
||||||
event "application/x-rar-compressed"
|
|
||||||
}
|
|
||||||
|
|
||||||
signature matchfile-7z {
|
|
||||||
http-reply-body /\x37\x7A\xBC\xAF\x27\x1C/
|
|
||||||
event "application/x-7z-compressed"
|
|
||||||
}
|
|
||||||
|
|
@ -150,10 +150,10 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
|
||||||
|
|
||||||
{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
|
{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
|
||||||
File_Analyzer::Available, 0, false },
|
File_Analyzer::Available, 0, false },
|
||||||
{ AnalyzerTag::FTP_Data, "FTP_DATA", FTP_Data::InstantiateAnalyzer,
|
|
||||||
FTP_Data::Available, 0, false },
|
|
||||||
{ AnalyzerTag::IRC_Data, "IRC_DATA", IRC_Data::InstantiateAnalyzer,
|
{ AnalyzerTag::IRC_Data, "IRC_DATA", IRC_Data::InstantiateAnalyzer,
|
||||||
IRC_Data::Available, 0, false },
|
IRC_Data::Available, 0, false },
|
||||||
|
{ AnalyzerTag::FTP_Data, "FTP_DATA", FTP_Data::InstantiateAnalyzer,
|
||||||
|
FTP_Data::Available, 0, false },
|
||||||
{ AnalyzerTag::Backdoor, "BACKDOOR",
|
{ AnalyzerTag::Backdoor, "BACKDOOR",
|
||||||
BackDoor_Analyzer::InstantiateAnalyzer,
|
BackDoor_Analyzer::InstantiateAnalyzer,
|
||||||
BackDoor_Analyzer::Available, 0, false },
|
BackDoor_Analyzer::Available, 0, false },
|
||||||
|
|
|
||||||
|
|
@ -80,13 +80,13 @@ void IRC_Data::Done()
|
||||||
void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
|
void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
{
|
{
|
||||||
File_Analyzer::DeliverStream(len, data, orig);
|
File_Analyzer::DeliverStream(len, data, orig);
|
||||||
file_mgr->DataIn(data, len, Conn(), orig);
|
file_mgr->DataIn(data, len, GetTag(), Conn(), orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
void IRC_Data::Undelivered(int seq, int len, bool orig)
|
void IRC_Data::Undelivered(int seq, int len, bool orig)
|
||||||
{
|
{
|
||||||
File_Analyzer::Undelivered(seq, len, orig);
|
File_Analyzer::Undelivered(seq, len, orig);
|
||||||
file_mgr->Gap(seq, len, Conn(), orig);
|
file_mgr->Gap(seq, len, GetTag(), Conn(), orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
FTP_Data::FTP_Data(Connection* conn)
|
FTP_Data::FTP_Data(Connection* conn)
|
||||||
|
|
@ -103,11 +103,11 @@ void FTP_Data::Done()
|
||||||
void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
|
void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)
|
||||||
{
|
{
|
||||||
File_Analyzer::DeliverStream(len, data, orig);
|
File_Analyzer::DeliverStream(len, data, orig);
|
||||||
file_mgr->DataIn(data, len, Conn(), orig);
|
file_mgr->DataIn(data, len, GetTag(), Conn(), orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
void FTP_Data::Undelivered(int seq, int len, bool orig)
|
void FTP_Data::Undelivered(int seq, int len, bool orig)
|
||||||
{
|
{
|
||||||
File_Analyzer::Undelivered(seq, len, orig);
|
File_Analyzer::Undelivered(seq, len, orig);
|
||||||
file_mgr->Gap(seq, len, Conn(), orig);
|
file_mgr->Gap(seq, len, GetTag(), Conn(), orig);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
22
src/HTTP.cc
22
src/HTTP.cc
|
|
@ -42,7 +42,7 @@ HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity,
|
||||||
expect_data_length = 0;
|
expect_data_length = 0;
|
||||||
body_length = 0;
|
body_length = 0;
|
||||||
header_length = 0;
|
header_length = 0;
|
||||||
deliver_body = (http_entity_data != 0);
|
deliver_body = true;
|
||||||
encoding = IDENTITY;
|
encoding = IDENTITY;
|
||||||
zip = 0;
|
zip = 0;
|
||||||
is_partial_content = false;
|
is_partial_content = false;
|
||||||
|
|
@ -238,6 +238,11 @@ int HTTP_Entity::Undelivered(int64_t len)
|
||||||
if ( end_of_data && in_header )
|
if ( end_of_data && in_header )
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
file_mgr->Gap(body_length, len,
|
||||||
|
http_message->MyHTTP_Analyzer()->GetTag(),
|
||||||
|
http_message->MyHTTP_Analyzer()->Conn(),
|
||||||
|
http_message->IsOrig());
|
||||||
|
|
||||||
if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
|
if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
|
||||||
{
|
{
|
||||||
if ( chunked_transfer_state == EXPECT_CHUNK_DATA &&
|
if ( chunked_transfer_state == EXPECT_CHUNK_DATA &&
|
||||||
|
|
@ -291,9 +296,11 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
|
||||||
{
|
{
|
||||||
if ( send_size && instance_length > 0 )
|
if ( send_size && instance_length > 0 )
|
||||||
file_mgr->SetSize(instance_length,
|
file_mgr->SetSize(instance_length,
|
||||||
|
http_message->MyHTTP_Analyzer()->GetTag(),
|
||||||
http_message->MyHTTP_Analyzer()->Conn(),
|
http_message->MyHTTP_Analyzer()->Conn(),
|
||||||
http_message->IsOrig());
|
http_message->IsOrig());
|
||||||
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
|
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len, offset,
|
||||||
|
http_message->MyHTTP_Analyzer()->GetTag(),
|
||||||
http_message->MyHTTP_Analyzer()->Conn(),
|
http_message->MyHTTP_Analyzer()->Conn(),
|
||||||
http_message->IsOrig());
|
http_message->IsOrig());
|
||||||
offset += len;
|
offset += len;
|
||||||
|
|
@ -302,9 +309,11 @@ void HTTP_Entity::SubmitData(int len, const char* buf)
|
||||||
{
|
{
|
||||||
if ( send_size && content_length > 0 )
|
if ( send_size && content_length > 0 )
|
||||||
file_mgr->SetSize(content_length,
|
file_mgr->SetSize(content_length,
|
||||||
|
http_message->MyHTTP_Analyzer()->GetTag(),
|
||||||
http_message->MyHTTP_Analyzer()->Conn(),
|
http_message->MyHTTP_Analyzer()->Conn(),
|
||||||
http_message->IsOrig());
|
http_message->IsOrig());
|
||||||
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
|
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
|
||||||
|
http_message->MyHTTP_Analyzer()->GetTag(),
|
||||||
http_message->MyHTTP_Analyzer()->Conn(),
|
http_message->MyHTTP_Analyzer()->Conn(),
|
||||||
http_message->IsOrig());
|
http_message->IsOrig());
|
||||||
}
|
}
|
||||||
|
|
@ -554,6 +563,10 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
|
||||||
// DEBUG_MSG("%.6f HTTP message done.\n", network_time);
|
// DEBUG_MSG("%.6f HTTP message done.\n", network_time);
|
||||||
top_level->EndOfData();
|
top_level->EndOfData();
|
||||||
|
|
||||||
|
if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
|
||||||
|
// multipart/byteranges may span multiple connections
|
||||||
|
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig);
|
||||||
|
|
||||||
if ( http_message_done )
|
if ( http_message_done )
|
||||||
{
|
{
|
||||||
val_list* vl = new val_list;
|
val_list* vl = new val_list;
|
||||||
|
|
@ -563,10 +576,6 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
|
||||||
GetAnalyzer()->ConnectionEvent(http_message_done, vl);
|
GetAnalyzer()->ConnectionEvent(http_message_done, vl);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
|
|
||||||
// multipart/byteranges may span multiple connections
|
|
||||||
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig);
|
|
||||||
|
|
||||||
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
|
MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
|
||||||
|
|
||||||
delete_strings(buffers);
|
delete_strings(buffers);
|
||||||
|
|
@ -689,9 +698,6 @@ void HTTP_Message::SubmitData(int len, const char* buf)
|
||||||
|
|
||||||
int HTTP_Message::RequestBuffer(int* plen, char** pbuf)
|
int HTTP_Message::RequestBuffer(int* plen, char** pbuf)
|
||||||
{
|
{
|
||||||
if ( ! http_entity_data )
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if ( ! data_buffer )
|
if ( ! data_buffer )
|
||||||
if ( ! InitBuffer(mime_segment_length) )
|
if ( ! InitBuffer(mime_segment_length) )
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
||||||
|
|
@ -1127,8 +1127,9 @@ void MIME_Mail::SubmitData(int len, const char* buf)
|
||||||
analyzer->ConnectionEvent(mime_segment_data, vl);
|
analyzer->ConnectionEvent(mime_segment_data, vl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// is_orig param not available, doesn't matter as long as it's consistent
|
||||||
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
|
file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
|
||||||
analyzer->Conn(), false); // is_orig param N/A
|
analyzer->GetTag(), analyzer->Conn(), false);
|
||||||
|
|
||||||
buffer_start = (buf + len) - (char*)data_buffer->Bytes();
|
buffer_start = (buf + len) - (char*)data_buffer->Bytes();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -8,22 +8,15 @@
|
||||||
#include "Reporter.h"
|
#include "Reporter.h"
|
||||||
#include "Val.h"
|
#include "Val.h"
|
||||||
#include "Type.h"
|
#include "Type.h"
|
||||||
|
#include "Analyzer.h"
|
||||||
|
|
||||||
using namespace file_analysis;
|
using namespace file_analysis;
|
||||||
|
|
||||||
static TableVal* empty_conn_id_set()
|
static TableVal* empty_connection_table()
|
||||||
{
|
{
|
||||||
TypeList* set_index = new TypeList(conn_id);
|
TypeList* tbl_index = new TypeList(conn_id);
|
||||||
set_index->Append(conn_id->Ref());
|
tbl_index->Append(conn_id->Ref());
|
||||||
return new TableVal(new SetType(set_index, 0));
|
return new TableVal(new TableType(tbl_index, connection_type->Ref()));
|
||||||
}
|
|
||||||
|
|
||||||
static StringVal* get_conn_uid_val(Connection* conn)
|
|
||||||
{
|
|
||||||
char tmp[20];
|
|
||||||
if ( ! conn->GetUID() )
|
|
||||||
conn->SetUID(calculate_unique_id());
|
|
||||||
return new StringVal(uitoa_n(conn->GetUID(), tmp, sizeof(tmp), 62));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static RecordVal* get_conn_id_val(const Connection* conn)
|
static RecordVal* get_conn_id_val(const Connection* conn)
|
||||||
|
|
@ -39,8 +32,8 @@ static RecordVal* get_conn_id_val(const Connection* conn)
|
||||||
int Info::file_id_idx = -1;
|
int Info::file_id_idx = -1;
|
||||||
int Info::parent_file_id_idx = -1;
|
int Info::parent_file_id_idx = -1;
|
||||||
int Info::source_idx = -1;
|
int Info::source_idx = -1;
|
||||||
int Info::conn_uids_idx = -1;
|
int Info::conns_idx = -1;
|
||||||
int Info::conn_ids_idx = -1;
|
int Info::last_active_idx = -1;
|
||||||
int Info::seen_bytes_idx = -1;
|
int Info::seen_bytes_idx = -1;
|
||||||
int Info::total_bytes_idx = -1;
|
int Info::total_bytes_idx = -1;
|
||||||
int Info::missing_bytes_idx = -1;
|
int Info::missing_bytes_idx = -1;
|
||||||
|
|
@ -64,8 +57,8 @@ void Info::StaticInit()
|
||||||
file_id_idx = Idx("file_id");
|
file_id_idx = Idx("file_id");
|
||||||
parent_file_id_idx = Idx("parent_file_id");
|
parent_file_id_idx = Idx("parent_file_id");
|
||||||
source_idx = Idx("source");
|
source_idx = Idx("source");
|
||||||
conn_uids_idx = Idx("conn_uids");
|
conns_idx = Idx("conns");
|
||||||
conn_ids_idx = Idx("conn_ids");
|
last_active_idx = Idx("last_active");
|
||||||
seen_bytes_idx = Idx("seen_bytes");
|
seen_bytes_idx = Idx("seen_bytes");
|
||||||
total_bytes_idx = Idx("total_bytes");
|
total_bytes_idx = Idx("total_bytes");
|
||||||
missing_bytes_idx = Idx("missing_bytes");
|
missing_bytes_idx = Idx("missing_bytes");
|
||||||
|
|
@ -83,10 +76,9 @@ void Info::StaticInit()
|
||||||
salt = BifConst::FileAnalysis::salt->CheckString();
|
salt = BifConst::FileAnalysis::salt->CheckString();
|
||||||
}
|
}
|
||||||
|
|
||||||
Info::Info(const string& unique, Connection* conn)
|
Info::Info(const string& unique, Connection* conn, AnalyzerTag::Tag tag)
|
||||||
: file_id(unique), unique(unique), val(0), last_activity_time(network_time),
|
: file_id(unique), unique(unique), val(0), postpone_timeout(false),
|
||||||
postpone_timeout(false), need_reassembly(false), done(false),
|
need_reassembly(false), done(false), actions(this)
|
||||||
actions(this)
|
|
||||||
{
|
{
|
||||||
StaticInit();
|
StaticInit();
|
||||||
|
|
||||||
|
|
@ -106,29 +98,15 @@ Info::Info(const string& unique, Connection* conn)
|
||||||
|
|
||||||
if ( conn )
|
if ( conn )
|
||||||
{
|
{
|
||||||
// update source and connection fields
|
// add source and connection fields
|
||||||
RecordVal* cval = conn->BuildConnVal();
|
val->Assign(source_idx, new StringVal(Analyzer::GetTagName(tag)));
|
||||||
ListVal* services = cval->Lookup(5)->AsTableVal()->ConvertToPureList();
|
|
||||||
Unref(cval);
|
|
||||||
string source;
|
|
||||||
|
|
||||||
for ( int i = 0; i < services->Length(); ++i )
|
|
||||||
{
|
|
||||||
if ( i > 0 )
|
|
||||||
source += ", ";
|
|
||||||
source += services->Index(i)->AsStringVal()->CheckString();
|
|
||||||
}
|
|
||||||
|
|
||||||
Unref(services);
|
|
||||||
|
|
||||||
if ( ! source.empty() )
|
|
||||||
val->Assign(source_idx, new StringVal(source.c_str()));
|
|
||||||
|
|
||||||
UpdateConnectionFields(conn);
|
UpdateConnectionFields(conn);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
// use the unique file handle as source
|
// use the unique file handle as source
|
||||||
val->Assign(source_idx, new StringVal(unique.c_str()));
|
val->Assign(source_idx, new StringVal(unique.c_str()));
|
||||||
|
|
||||||
|
UpdateLastActivityTime();
|
||||||
}
|
}
|
||||||
|
|
||||||
Info::~Info()
|
Info::~Info()
|
||||||
|
|
@ -137,19 +115,28 @@ Info::~Info()
|
||||||
Unref(val);
|
Unref(val);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void Info::UpdateLastActivityTime()
|
||||||
|
{
|
||||||
|
val->Assign(last_active_idx, new Val(network_time, TYPE_TIME));
|
||||||
|
}
|
||||||
|
|
||||||
|
double Info::GetLastActivityTime() const
|
||||||
|
{
|
||||||
|
return val->Lookup(last_active_idx)->AsTime();
|
||||||
|
}
|
||||||
|
|
||||||
void Info::UpdateConnectionFields(Connection* conn)
|
void Info::UpdateConnectionFields(Connection* conn)
|
||||||
{
|
{
|
||||||
if ( ! conn ) return;
|
if ( ! conn ) return;
|
||||||
|
|
||||||
Val* conn_uids = val->Lookup(conn_uids_idx);
|
Val* conns = val->Lookup(conns_idx);
|
||||||
Val* conn_ids = val->Lookup(conn_ids_idx);
|
|
||||||
if ( ! conn_uids )
|
|
||||||
val->Assign(conn_uids_idx, conn_uids = new TableVal(string_set));
|
|
||||||
if ( ! conn_ids )
|
|
||||||
val->Assign(conn_ids_idx, conn_ids = empty_conn_id_set());
|
|
||||||
|
|
||||||
conn_uids->AsTableVal()->Assign(get_conn_uid_val(conn), 0);
|
if ( ! conns )
|
||||||
conn_ids->AsTableVal()->Assign(get_conn_id_val(conn), 0);
|
val->Assign(conns_idx, conns = empty_connection_table());
|
||||||
|
|
||||||
|
Val* idx = get_conn_id_val(conn);
|
||||||
|
conns->AsTableVal()->Assign(idx, conn->BuildConnVal());
|
||||||
|
Unref(idx);
|
||||||
}
|
}
|
||||||
|
|
||||||
uint64 Info::LookupFieldDefaultCount(int idx) const
|
uint64 Info::LookupFieldDefaultCount(int idx) const
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@
|
||||||
#include <vector>
|
#include <vector>
|
||||||
#include <magic.h>
|
#include <magic.h>
|
||||||
|
|
||||||
|
#include "AnalyzerTags.h"
|
||||||
#include "Conn.h"
|
#include "Conn.h"
|
||||||
#include "Val.h"
|
#include "Val.h"
|
||||||
#include "ActionSet.h"
|
#include "ActionSet.h"
|
||||||
|
|
@ -49,14 +50,14 @@ public:
|
||||||
string GetUnique() const { return unique; }
|
string GetUnique() const { return unique; }
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return #last_activity_time
|
* @return value of "last_active" field in #val record;
|
||||||
*/
|
*/
|
||||||
double GetLastActivityTime() const { return last_activity_time; }
|
double GetLastActivityTime() const;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Refreshes #last_activity_time with current network time.
|
* Refreshes "last_active" field of #val record with current network time.
|
||||||
*/
|
*/
|
||||||
void UpdateLastActivityTime() { last_activity_time = network_time; }
|
void UpdateLastActivityTime();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set "total_bytes" field of #val record to \a size.
|
* Set "total_bytes" field of #val record to \a size.
|
||||||
|
|
@ -73,7 +74,7 @@ public:
|
||||||
/**
|
/**
|
||||||
* Create a timer to be dispatched after the amount of time indicated by
|
* Create a timer to be dispatched after the amount of time indicated by
|
||||||
* the "timeout_interval" field of the #val record in order to check if
|
* the "timeout_interval" field of the #val record in order to check if
|
||||||
* #last_activity_time is old enough to timeout analysis of the file.
|
* "last_active" field is old enough to timeout analysis of the file.
|
||||||
*/
|
*/
|
||||||
void ScheduleInactivityTimer() const;
|
void ScheduleInactivityTimer() const;
|
||||||
|
|
||||||
|
|
@ -117,7 +118,8 @@ protected:
|
||||||
/**
|
/**
|
||||||
* Constructor; only file_analysis::Manager should be creating these.
|
* Constructor; only file_analysis::Manager should be creating these.
|
||||||
*/
|
*/
|
||||||
Info(const string& unique, Connection* conn = 0);
|
Info(const string& unique, Connection* conn = 0,
|
||||||
|
AnalyzerTag::Tag tag = AnalyzerTag::Error);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
|
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
|
||||||
|
|
@ -156,7 +158,6 @@ protected:
|
||||||
FileID file_id; /**< A pretty hash that likely identifies file*/
|
FileID file_id; /**< A pretty hash that likely identifies file*/
|
||||||
string unique; /**< A string that uniquely identifies file */
|
string unique; /**< A string that uniquely identifies file */
|
||||||
RecordVal* val; /**< \c FileAnalysis::Info from script layer. */
|
RecordVal* val; /**< \c FileAnalysis::Info from script layer. */
|
||||||
double last_activity_time; /**< Time of last activity. */
|
|
||||||
bool postpone_timeout; /**< Whether postponing timeout is requested. */
|
bool postpone_timeout; /**< Whether postponing timeout is requested. */
|
||||||
bool need_reassembly; /**< Whether file stream reassembly is needed. */
|
bool need_reassembly; /**< Whether file stream reassembly is needed. */
|
||||||
bool done; /**< If this object is about to be deleted. */
|
bool done; /**< If this object is about to be deleted. */
|
||||||
|
|
@ -192,8 +193,8 @@ public:
|
||||||
static int file_id_idx;
|
static int file_id_idx;
|
||||||
static int parent_file_id_idx;
|
static int parent_file_id_idx;
|
||||||
static int source_idx;
|
static int source_idx;
|
||||||
static int conn_uids_idx;
|
static int conns_idx;
|
||||||
static int conn_ids_idx;
|
static int last_active_idx;
|
||||||
static int seen_bytes_idx;
|
static int seen_bytes_idx;
|
||||||
static int total_bytes_idx;
|
static int total_bytes_idx;
|
||||||
static int missing_bytes_idx;
|
static int missing_bytes_idx;
|
||||||
|
|
|
||||||
|
|
@ -108,7 +108,7 @@ void Manager::Terminate()
|
||||||
}
|
}
|
||||||
|
|
||||||
bool Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
|
bool Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
Connection* conn, bool is_orig)
|
AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
|
||||||
{
|
{
|
||||||
DrainPending();
|
DrainPending();
|
||||||
|
|
||||||
|
|
@ -116,12 +116,12 @@ bool Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
|
|
||||||
if ( ! unique.empty() )
|
if ( ! unique.empty() )
|
||||||
{
|
{
|
||||||
DataIn(data, len, offset, GetInfo(unique, conn));
|
DataIn(data, len, offset, GetInfo(unique, conn, tag));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! is_draining )
|
if ( ! is_draining )
|
||||||
pending.push_back(new PendingDataInChunk(data, len, offset, conn,
|
pending.push_back(new PendingDataInChunk(data, len, offset, tag, conn,
|
||||||
is_orig));
|
is_orig));
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
|
|
@ -146,8 +146,8 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
RemoveFile(info->GetUnique());
|
RemoveFile(info->GetUnique());
|
||||||
}
|
}
|
||||||
|
|
||||||
bool Manager::DataIn(const u_char* data, uint64 len, Connection* conn,
|
bool Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
|
||||||
bool is_orig)
|
Connection* conn, bool is_orig)
|
||||||
{
|
{
|
||||||
DrainPending();
|
DrainPending();
|
||||||
|
|
||||||
|
|
@ -155,12 +155,13 @@ bool Manager::DataIn(const u_char* data, uint64 len, Connection* conn,
|
||||||
|
|
||||||
if ( ! unique.empty() )
|
if ( ! unique.empty() )
|
||||||
{
|
{
|
||||||
DataIn(data, len, GetInfo(unique, conn));
|
DataIn(data, len, GetInfo(unique, conn, tag));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! is_draining )
|
if ( ! is_draining )
|
||||||
pending.push_back(new PendingDataInStream(data, len, conn, is_orig));
|
pending.push_back(new PendingDataInStream(data, len, tag, conn,
|
||||||
|
is_orig));
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -212,7 +213,8 @@ void Manager::EndOfFile(const string& unique)
|
||||||
RemoveFile(unique);
|
RemoveFile(unique);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool Manager::Gap(uint64 offset, uint64 len, Connection* conn, bool is_orig)
|
bool Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
|
||||||
|
Connection* conn, bool is_orig)
|
||||||
{
|
{
|
||||||
DrainPending();
|
DrainPending();
|
||||||
|
|
||||||
|
|
@ -220,12 +222,12 @@ bool Manager::Gap(uint64 offset, uint64 len, Connection* conn, bool is_orig)
|
||||||
|
|
||||||
if ( ! unique.empty() )
|
if ( ! unique.empty() )
|
||||||
{
|
{
|
||||||
Gap(offset, len, GetInfo(unique, conn));
|
Gap(offset, len, GetInfo(unique, conn, tag));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! is_draining )
|
if ( ! is_draining )
|
||||||
pending.push_back(new PendingGap(offset, len, conn, is_orig));
|
pending.push_back(new PendingGap(offset, len, tag, conn, is_orig));
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -244,7 +246,8 @@ void Manager::Gap(uint64 offset, uint64 len, Info* info)
|
||||||
info->Gap(offset, len);
|
info->Gap(offset, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool Manager::SetSize(uint64 size, Connection* conn, bool is_orig)
|
bool Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
|
||||||
|
bool is_orig)
|
||||||
{
|
{
|
||||||
DrainPending();
|
DrainPending();
|
||||||
|
|
||||||
|
|
@ -252,12 +255,12 @@ bool Manager::SetSize(uint64 size, Connection* conn, bool is_orig)
|
||||||
|
|
||||||
if ( ! unique.empty() )
|
if ( ! unique.empty() )
|
||||||
{
|
{
|
||||||
SetSize(size, GetInfo(unique, conn));
|
SetSize(size, GetInfo(unique, conn, tag));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( ! is_draining )
|
if ( ! is_draining )
|
||||||
pending.push_back(new PendingSize(size, conn, is_orig));
|
pending.push_back(new PendingSize(size, tag, conn, is_orig));
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
@ -326,7 +329,8 @@ bool Manager::RemoveAction(const FileID& file_id, const RecordVal* args) const
|
||||||
return info->RemoveAction(args);
|
return info->RemoveAction(args);
|
||||||
}
|
}
|
||||||
|
|
||||||
Info* Manager::GetInfo(const string& unique, Connection* conn)
|
Info* Manager::GetInfo(const string& unique, Connection* conn,
|
||||||
|
AnalyzerTag::Tag tag)
|
||||||
{
|
{
|
||||||
if ( IsIgnored(unique) ) return 0;
|
if ( IsIgnored(unique) ) return 0;
|
||||||
|
|
||||||
|
|
@ -334,7 +338,7 @@ Info* Manager::GetInfo(const string& unique, Connection* conn)
|
||||||
|
|
||||||
if ( ! rval )
|
if ( ! rval )
|
||||||
{
|
{
|
||||||
rval = str_map[unique] = new Info(unique, conn);
|
rval = str_map[unique] = new Info(unique, conn, tag);
|
||||||
FileID id = rval->GetFileID();
|
FileID id = rval->GetFileID();
|
||||||
|
|
||||||
if ( id_map[id] )
|
if ( id_map[id] )
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@
|
||||||
#include <list>
|
#include <list>
|
||||||
|
|
||||||
#include "Net.h"
|
#include "Net.h"
|
||||||
|
#include "AnalyzerTags.h"
|
||||||
#include "Conn.h"
|
#include "Conn.h"
|
||||||
#include "Val.h"
|
#include "Val.h"
|
||||||
#include "Analyzer.h"
|
#include "Analyzer.h"
|
||||||
|
|
@ -47,7 +48,7 @@ public:
|
||||||
* Pass in non-sequential file data.
|
* Pass in non-sequential file data.
|
||||||
*/
|
*/
|
||||||
bool DataIn(const u_char* data, uint64 len, uint64 offset,
|
bool DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
Connection* conn, bool is_orig);
|
AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
|
||||||
void DataIn(const u_char* data, uint64 len, uint64 offset,
|
void DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
const string& unique);
|
const string& unique);
|
||||||
void DataIn(const u_char* data, uint64 len, uint64 offset,
|
void DataIn(const u_char* data, uint64 len, uint64 offset,
|
||||||
|
|
@ -56,7 +57,8 @@ public:
|
||||||
/**
|
/**
|
||||||
* Pass in sequential file data.
|
* Pass in sequential file data.
|
||||||
*/
|
*/
|
||||||
bool DataIn(const u_char* data, uint64 len, Connection* conn, bool is_orig);
|
bool DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
|
||||||
|
Connection* conn, bool is_orig);
|
||||||
void DataIn(const u_char* data, uint64 len, const string& unique);
|
void DataIn(const u_char* data, uint64 len, const string& unique);
|
||||||
void DataIn(const u_char* data, uint64 len, Info* info);
|
void DataIn(const u_char* data, uint64 len, Info* info);
|
||||||
|
|
||||||
|
|
@ -70,14 +72,16 @@ public:
|
||||||
/**
|
/**
|
||||||
* Signal a gap in the file data stream.
|
* Signal a gap in the file data stream.
|
||||||
*/
|
*/
|
||||||
bool Gap(uint64 offset, uint64 len, Connection* conn, bool is_orig);
|
bool Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn,
|
||||||
|
bool is_orig);
|
||||||
void Gap(uint64 offset, uint64 len, const string& unique);
|
void Gap(uint64 offset, uint64 len, const string& unique);
|
||||||
void Gap(uint64 offset, uint64 len, Info* info);
|
void Gap(uint64 offset, uint64 len, Info* info);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Provide the expected number of bytes that comprise a file.
|
* Provide the expected number of bytes that comprise a file.
|
||||||
*/
|
*/
|
||||||
bool SetSize(uint64 size, Connection* conn, bool is_orig);
|
bool SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
|
||||||
|
bool is_orig);
|
||||||
void SetSize(uint64 size, const string& unique);
|
void SetSize(uint64 size, const string& unique);
|
||||||
void SetSize(uint64 size, Info* info);
|
void SetSize(uint64 size, Info* info);
|
||||||
|
|
||||||
|
|
@ -131,7 +135,8 @@ protected:
|
||||||
* activity time is refreshed along with any connection-related
|
* activity time is refreshed along with any connection-related
|
||||||
* fields.
|
* fields.
|
||||||
*/
|
*/
|
||||||
Info* GetInfo(const string& unique, Connection* conn = 0);
|
Info* GetInfo(const string& unique, Connection* conn = 0,
|
||||||
|
AnalyzerTag::Tag tag = AnalyzerTag::Error);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return a string which can uniquely identify the file being transported
|
* @return a string which can uniquely identify the file being transported
|
||||||
|
|
|
||||||
|
|
@ -20,8 +20,10 @@ static string conn_str(Connection* c)
|
||||||
return rval;
|
return rval;
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingFile::PendingFile(Connection* arg_conn, bool arg_is_orig)
|
PendingFile::PendingFile(Connection* arg_conn, bool arg_is_orig,
|
||||||
: conn(arg_conn), is_orig(arg_is_orig), creation_time(network_time)
|
AnalyzerTag::Tag arg_tag)
|
||||||
|
: conn(arg_conn), is_orig(arg_is_orig), creation_time(network_time),
|
||||||
|
tag(arg_tag)
|
||||||
{
|
{
|
||||||
Ref(conn);
|
Ref(conn);
|
||||||
DBG_LOG(DBG_FILE_ANALYSIS, "New pending file: %s", conn_str(conn).c_str());
|
DBG_LOG(DBG_FILE_ANALYSIS, "New pending file: %s", conn_str(conn).c_str());
|
||||||
|
|
@ -47,16 +49,18 @@ bool PendingFile::IsStale() const
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingDataInChunk::PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
|
PendingDataInChunk::PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
|
||||||
uint64 arg_offset, Connection* arg_conn,
|
uint64 arg_offset,
|
||||||
bool arg_is_orig)
|
AnalyzerTag::Tag arg_tag,
|
||||||
: PendingFile(arg_conn, arg_is_orig), len(arg_len), offset(arg_offset)
|
Connection* arg_conn, bool arg_is_orig)
|
||||||
|
: PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len),
|
||||||
|
offset(arg_offset)
|
||||||
{
|
{
|
||||||
copy_data(&data, arg_data, len);
|
copy_data(&data, arg_data, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool PendingDataInChunk::Retry() const
|
bool PendingDataInChunk::Retry() const
|
||||||
{
|
{
|
||||||
return file_mgr->DataIn(data, len, offset, conn, is_orig);
|
return file_mgr->DataIn(data, len, offset, tag, conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingDataInChunk::~PendingDataInChunk()
|
PendingDataInChunk::~PendingDataInChunk()
|
||||||
|
|
@ -65,15 +69,16 @@ PendingDataInChunk::~PendingDataInChunk()
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingDataInStream::PendingDataInStream(const u_char* arg_data, uint64 arg_len,
|
PendingDataInStream::PendingDataInStream(const u_char* arg_data, uint64 arg_len,
|
||||||
|
AnalyzerTag::Tag arg_tag,
|
||||||
Connection* arg_conn, bool arg_is_orig)
|
Connection* arg_conn, bool arg_is_orig)
|
||||||
: PendingFile(arg_conn, arg_is_orig), len(arg_len)
|
: PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len)
|
||||||
{
|
{
|
||||||
copy_data(&data, arg_data, len);
|
copy_data(&data, arg_data, len);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool PendingDataInStream::Retry() const
|
bool PendingDataInStream::Retry() const
|
||||||
{
|
{
|
||||||
return file_mgr->DataIn(data, len, conn, is_orig);
|
return file_mgr->DataIn(data, len, tag, conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingDataInStream::~PendingDataInStream()
|
PendingDataInStream::~PendingDataInStream()
|
||||||
|
|
@ -81,15 +86,17 @@ PendingDataInStream::~PendingDataInStream()
|
||||||
delete [] data;
|
delete [] data;
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingGap::PendingGap(uint64 arg_offset, uint64 arg_len, Connection* arg_conn,
|
PendingGap::PendingGap(uint64 arg_offset, uint64 arg_len,
|
||||||
|
AnalyzerTag::Tag arg_tag, Connection* arg_conn,
|
||||||
bool arg_is_orig)
|
bool arg_is_orig)
|
||||||
: PendingFile(arg_conn, arg_is_orig), offset(arg_offset), len(arg_len)
|
: PendingFile(arg_conn, arg_is_orig, arg_tag), offset(arg_offset),
|
||||||
|
len(arg_len)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
bool PendingGap::Retry() const
|
bool PendingGap::Retry() const
|
||||||
{
|
{
|
||||||
return file_mgr->Gap(offset, len, conn, is_orig);
|
return file_mgr->Gap(offset, len, tag, conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingEOF::PendingEOF(Connection* arg_conn, bool arg_is_orig)
|
PendingEOF::PendingEOF(Connection* arg_conn, bool arg_is_orig)
|
||||||
|
|
@ -102,13 +109,13 @@ bool PendingEOF::Retry() const
|
||||||
return file_mgr->EndOfFile(conn, is_orig);
|
return file_mgr->EndOfFile(conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
PendingSize::PendingSize(uint64 arg_size, Connection* arg_conn,
|
PendingSize::PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag,
|
||||||
bool arg_is_orig)
|
Connection* arg_conn, bool arg_is_orig)
|
||||||
: PendingFile(arg_conn, arg_is_orig), size(arg_size)
|
: PendingFile(arg_conn, arg_is_orig, arg_tag), size(arg_size)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
bool PendingSize::Retry() const
|
bool PendingSize::Retry() const
|
||||||
{
|
{
|
||||||
return file_mgr->SetSize(size, conn, is_orig);
|
return file_mgr->SetSize(size, tag, conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,7 @@
|
||||||
#ifndef FILE_ANALYSIS_PENDINGFILE_H
|
#ifndef FILE_ANALYSIS_PENDINGFILE_H
|
||||||
#define FILE_ANALYSIS_PENDINGFILE_H
|
#define FILE_ANALYSIS_PENDINGFILE_H
|
||||||
|
|
||||||
|
#include "AnalyzerTags.h"
|
||||||
#include "Conn.h"
|
#include "Conn.h"
|
||||||
|
|
||||||
namespace file_analysis {
|
namespace file_analysis {
|
||||||
|
|
@ -16,19 +17,21 @@ public:
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
|
|
||||||
PendingFile(Connection* arg_conn, bool arg_is_orig);
|
PendingFile(Connection* arg_conn, bool arg_is_orig,
|
||||||
|
AnalyzerTag::Tag arg_tag = AnalyzerTag::Error);
|
||||||
|
|
||||||
Connection* conn;
|
Connection* conn;
|
||||||
bool is_orig;
|
bool is_orig;
|
||||||
double creation_time;
|
double creation_time;
|
||||||
|
AnalyzerTag::Tag tag;
|
||||||
};
|
};
|
||||||
|
|
||||||
class PendingDataInChunk : public PendingFile {
|
class PendingDataInChunk : public PendingFile {
|
||||||
public:
|
public:
|
||||||
|
|
||||||
PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
|
PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
|
||||||
uint64 arg_offset, Connection* arg_conn,
|
uint64 arg_offset, AnalyzerTag::Tag tag,
|
||||||
bool arg_is_orig);
|
Connection* arg_conn, bool arg_is_orig);
|
||||||
|
|
||||||
virtual ~PendingDataInChunk();
|
virtual ~PendingDataInChunk();
|
||||||
|
|
||||||
|
|
@ -45,7 +48,8 @@ class PendingDataInStream : public PendingFile {
|
||||||
public:
|
public:
|
||||||
|
|
||||||
PendingDataInStream(const u_char* arg_data, uint64 arg_len,
|
PendingDataInStream(const u_char* arg_data, uint64 arg_len,
|
||||||
Connection* arg_conn, bool arg_is_orig);
|
AnalyzerTag::Tag tag, Connection* arg_conn,
|
||||||
|
bool arg_is_orig);
|
||||||
|
|
||||||
virtual ~PendingDataInStream();
|
virtual ~PendingDataInStream();
|
||||||
|
|
||||||
|
|
@ -60,8 +64,8 @@ protected:
|
||||||
class PendingGap : public PendingFile {
|
class PendingGap : public PendingFile {
|
||||||
public:
|
public:
|
||||||
|
|
||||||
PendingGap(uint64 arg_offset, uint64 arg_len, Connection* arg_conn,
|
PendingGap(uint64 arg_offset, uint64 arg_len, AnalyzerTag::Tag tag,
|
||||||
bool arg_is_orig);
|
Connection* arg_conn, bool arg_is_orig);
|
||||||
|
|
||||||
virtual bool Retry() const;
|
virtual bool Retry() const;
|
||||||
|
|
||||||
|
|
@ -82,7 +86,8 @@ public:
|
||||||
class PendingSize : public PendingFile {
|
class PendingSize : public PendingFile {
|
||||||
public:
|
public:
|
||||||
|
|
||||||
PendingSize(uint64 arg_size, Connection* arg_conn, bool arg_is_orig);
|
PendingSize(uint64 arg_size, AnalyzerTag::Tag tag, Connection* arg_conn,
|
||||||
|
bool arg_is_orig);
|
||||||
|
|
||||||
virtual bool Retry() const;
|
virtual bool Retry() const;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,10 +3,10 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2009-11-08-04-41-41
|
#open 2013-03-22-14-38-11
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html - -
|
1257655301.652206 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 10102 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
|
||||||
1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -
|
1257655302.514424 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 2 GET ipv6.google.com /csi?v=3&s=webhp&action=&tran=undefined&e=17259,19771,21517,21766,21887,22212&ei=BUz2Su7PMJTglQfz3NzCAw&rt=prt.77,xjs.565,ol.645 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -
|
||||||
1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -
|
1257655303.603569 5OKnoww6xl4 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 3 GET ipv6.google.com /gen_204?atyp=i&ct=fade&cad=1254&ei=BUz2Su7PMJTglQfz3NzCAw&zx=1257655303600 http://ipv6.google.com/ Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en; rv:1.9.0.15pre) Gecko/2009091516 Camino/2.0b4 (like Firefox/3.0.15pre) 0 0 204 No Content - - - (empty) - - - - - -
|
||||||
#close 2009-11-08-04-41-57
|
#close 2013-03-22-14-38-11
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-10-19-17-03-55
|
#open 2013-03-22-14-37-45
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - -
|
1333458850.340368 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 1 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash; charset=binary - -
|
||||||
1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash - -
|
1333458850.399501 arKYeMETxOg 10.131.17.170 51803 173.199.115.168 80 2 GET cdn.epicgameads.com /ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881 http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 0 31461 200 OK - - - (empty) - - - application/x-shockwave-flash; charset=binary - -
|
||||||
#close 2012-10-19-17-03-55
|
#close 2013-03-22-14-37-45
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-10-19-16-44-02
|
#open 2013-03-22-14-37-46
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - application/octet-stream - -
|
1333458850.375568 arKYeMETxOg 10.131.47.185 1923 79.101.110.141 80 1 GET o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com /videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1 http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11 0 56320 206 Partial Content - - - (empty) - - - - - -
|
||||||
#close 2012-10-19-16-44-02
|
#close 2013-03-22-14-37-46
|
||||||
|
|
|
||||||
|
|
@ -3,11 +3,11 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2008-05-16-15-50-58
|
#open 2013-03-22-14-37-44
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 <empty> - - - (empty) - - - text/plain - -
|
1210953057.917183 3PKsZ2Uye21 192.168.2.16 1578 75.126.203.78 80 1 POST download913.avast.com /cgi-bin/iavs4stats.cgi - Syncer/4.80 (av_pro-1169;f) 589 0 204 <empty> - - - (empty) - - - text/plain; charset=us-ascii - -
|
||||||
1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - -
|
1210953061.585996 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
|
||||||
1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - -
|
1210953073.381474 70MGiRM1Qf4 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
|
||||||
1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - text/xml - -
|
1210953074.674817 c4Zw9TmAE05 192.168.2.16 1580 67.228.110.120 80 1 GET www.wireshark.org / http://ipv6.google.com/search?hl=en&q=Wireshark+%21&btnG=Google+Search Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 11845 200 OK - - - (empty) - - - application/xml; charset=us-ascii - -
|
||||||
#close 2008-05-16-15-51-16
|
#close 2013-03-22-14-37-44
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-06-19-17-39-37
|
#open 2013-03-22-14-37-44
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html - -
|
1340127577.361683 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 1 GET ipv6.google.com / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 6640 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
|
||||||
1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html - -
|
1340127577.379360 FrJExwHcSal 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 2 GET ipv6.google.com /search?hl=en&q=Wireshark+!&btnG=Google+Search http://ipv6.google.com/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 0 25119 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
|
||||||
#close 2012-06-19-17-39-37
|
#close 2013-03-22-14-37-44
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-07-20-01-53-03
|
#open 2013-03-22-21-05-55
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
1363986354.505533 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - -
|
||||||
#close 2012-07-20-01-53-04
|
#close 2013-03-22-21-05-56
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-07-20-01-53-03
|
#open 2013-03-22-21-05-55
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1342749182.906082 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
1363986354.505533 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - -
|
||||||
#close 2012-07-20-01-53-04
|
#close 2013-03-22-21-05-56
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-07-20-01-53-12
|
#open 2013-03-22-21-03-17
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
1363986197.076696 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - -
|
||||||
#close 2012-07-20-01-53-13
|
#close 2013-03-22-21-03-18
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2012-07-20-01-53-12
|
#open 2013-03-22-21-03-17
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1342749191.765740 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - -
|
1363986197.076696 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - - - -
|
||||||
#close 2012-07-20-01-53-13
|
#close 2013-03-22-21-03-18
|
||||||
|
|
|
||||||
|
|
@ -17,12 +17,7 @@ file_stream, Cx92a0ym5R8, 1024, copied source (Jon Siwek)^J^J * Small tweak to
|
||||||
file_chunk, Cx92a0ym5R8, 1024, 3000, copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP
|
file_chunk, Cx92a0ym5R8, 1024, 3000, copied source (Jon Siwek)^J^J * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J * Fix to not let updates scripts loose their executable permissions.^J (Robin Sommer)^J^J * devel-tools/update-changes now looks for a 'release' tag to^J idenfify the stable version, and 'beta' for the beta versions.^J (Robin Sommer).^J^J * Distribution cleanup. (Robin Sommer)^J^J * New script devel-tools/make-release to create source tar balls.^J (Robin Sommer)^J^J * Removing bdcat. With the new log format, this isn't very useful^J anymore. (Robin Sommer)^J^J * Adding script that shows all pending git fastpath commits. (Robin^J Sommer)^J^J * Script to measure CPU time by loading an increasing set of^J scripts. (Robin Sommer)^J^J * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J * Tiny update to output a valid CA list file for SSL cert^J validation. (Seth Hall)^J^J * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J * FindPCAP
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
Cx92a0ym5R8, 4705, 0
|
Cx92a0ym5R8, 4705, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 4705
|
total bytes: 4705
|
||||||
source: HTTP
|
source: HTTP
|
||||||
file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
file_stream, Cx92a0ym5R8, 476, now links against thread library when necessary (e.g.^J PF_RING's libpcap) (Jon Siwek)^J^J * Install binaries with an RPATH (Jon Siwek)^J^J * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J * Add a script for generating Mozilla's CA list for the SSL analyzer.^J (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J * Converting build process to CMake. (Jon Siwek)^J
|
||||||
|
|
|
||||||
|
|
@ -2,12 +2,7 @@ FileAnalysis::TRIGGER_NEW
|
||||||
oDwT1BbzjM1, 0, 0
|
oDwT1BbzjM1, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
oDwT1BbzjM1, 1022920, 0
|
oDwT1BbzjM1, 1022920, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
|
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 1022920
|
total bytes: 1022920
|
||||||
source: HTTP
|
source: HTTP
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
|
|
@ -16,11 +11,6 @@ FileAnalysis::TRIGGER_TIMEOUT
|
||||||
FileAnalysis::TRIGGER_TIMEOUT
|
FileAnalysis::TRIGGER_TIMEOUT
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
oDwT1BbzjM1, 206024, 0
|
oDwT1BbzjM1, 206024, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
|
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 1022920
|
total bytes: 1022920
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
|
|
||||||
|
|
@ -8,11 +8,6 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
Cx92a0ym5R8, 4705, 0
|
Cx92a0ym5R8, 4705, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 4705
|
total bytes: 4705
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
|
|
||||||
|
|
@ -8,13 +8,8 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
sidhzrR4IT8, 16557, 0
|
sidhzrR4IT8, 16557, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp]
|
[orig_h=141.142.228.5, orig_p=50737/tcp, resp_h=141.142.192.162, resp_p=38141/tcp]
|
||||||
}
|
source: FTP_DATA
|
||||||
source: ftp-data
|
|
||||||
SHA1: 44586aed07cfe19cad25076af98f535585cd5797
|
SHA1: 44586aed07cfe19cad25076af98f535585cd5797
|
||||||
MD5: 7192a8075196267203adb3dfaa5c908d
|
MD5: 7192a8075196267203adb3dfaa5c908d
|
||||||
SHA256: 202674eba48e832690a4475113acf8b16a3f6c82c04c94b36bb2c7ce457ac8d2
|
SHA256: 202674eba48e832690a4475113acf8b16a3f6c82c04c94b36bb2c7ce457ac8d2
|
||||||
|
|
|
||||||
|
|
@ -8,12 +8,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
kg59rqyYxN, 197, 0
|
kg59rqyYxN, 197, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=50153/tcp, resp_h=54.243.118.187, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=50153/tcp, resp_h=54.243.118.187, resp_p=80/tcp]
|
||||||
}
|
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: e351b8c693c3353716787c02e2923f4d12ebbb31
|
SHA1: e351b8c693c3353716787c02e2923f4d12ebbb31
|
||||||
MD5: 5baba7eea57bc8a42a92c817ed566d72
|
MD5: 5baba7eea57bc8a42a92c817ed566d72
|
||||||
|
|
|
||||||
|
|
@ -8,12 +8,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
Cx92a0ym5R8, 4705, 0
|
Cx92a0ym5R8, 4705, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 4705
|
total bytes: 4705
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 1dd7ac0398df6cbc0696445a91ec681facf4dc47
|
SHA1: 1dd7ac0398df6cbc0696445a91ec681facf4dc47
|
||||||
|
|
|
||||||
|
|
@ -2,13 +2,7 @@ FileAnalysis::TRIGGER_NEW
|
||||||
7gZBKVUgy4l, 0, 0
|
7gZBKVUgy4l, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
7gZBKVUgy4l, 555523, 0
|
7gZBKVUgy4l, 555523, 0
|
||||||
{
|
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
|
||||||
UWkUyAuUGXf,
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=10.101.84.70, orig_p=10978/tcp, resp_h=129.174.93.161, resp_p=80/tcp],
|
|
||||||
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
|
[orig_h=10.101.84.70, orig_p=10977/tcp, resp_h=129.174.93.161, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 555523
|
total bytes: 555523
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
|
|
||||||
|
|
@ -2,12 +2,7 @@ FileAnalysis::TRIGGER_NEW
|
||||||
oDwT1BbzjM1, 0, 0
|
oDwT1BbzjM1, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
oDwT1BbzjM1, 1022920, 0
|
oDwT1BbzjM1, 1022920, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
|
[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 1022920
|
total bytes: 1022920
|
||||||
source: HTTP
|
source: HTTP
|
||||||
FileAnalysis::TRIGGER_NEW
|
FileAnalysis::TRIGGER_NEW
|
||||||
|
|
@ -15,11 +10,6 @@ oDwT1BbzjM1, 0, 0
|
||||||
FileAnalysis::TRIGGER_TIMEOUT
|
FileAnalysis::TRIGGER_TIMEOUT
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
oDwT1BbzjM1, 206024, 0
|
oDwT1BbzjM1, 206024, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
|
[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 1022920
|
total bytes: 1022920
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
|
|
||||||
|
|
@ -2,13 +2,7 @@ FileAnalysis::TRIGGER_NEW
|
||||||
uHS14uhRKGe, 0, 0
|
uHS14uhRKGe, 0, 0
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
uHS14uhRKGe, 498702, 0
|
uHS14uhRKGe, 498702, 0
|
||||||
{
|
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
|
||||||
UWkUyAuUGXf,
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=10.45.179.94, orig_p=19950/tcp, resp_h=129.174.93.170, resp_p=80/tcp],
|
|
||||||
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
|
[orig_h=10.45.179.94, orig_p=19953/tcp, resp_h=129.174.93.170, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 498668
|
total bytes: 498668
|
||||||
source: HTTP
|
source: HTTP
|
||||||
|
|
|
||||||
|
|
@ -8,12 +8,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
aFQKI8SPOL2, 2675, 0
|
aFQKI8SPOL2, 2675, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
||||||
}
|
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706
|
SHA1: 0e42ae17eea9b074981bd3a34535ad3a22d02706
|
||||||
MD5: b932c3310ce47e158d1a5a42e0b01279
|
MD5: b932c3310ce47e158d1a5a42e0b01279
|
||||||
|
|
@ -28,12 +23,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
CCU3vUEr06l, 21421, 0
|
CCU3vUEr06l, 21421, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
||||||
}
|
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983
|
SHA1: 8f241117afaa8ca5f41dc059e66d75c283dcc983
|
||||||
MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
|
MD5: e732f7bf1d7cb4eedcb1661697d7bc8c
|
||||||
|
|
@ -48,12 +38,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
HCzA0dVwDPj, 94, 0
|
HCzA0dVwDPj, 94, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 94
|
total bytes: 94
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e
|
SHA1: 81f5f056ce5e97d940854bb0c48017b45dd9f15e
|
||||||
|
|
@ -69,12 +54,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
a1Zu1fteVEf, 2349, 0
|
a1Zu1fteVEf, 2349, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 2349
|
total bytes: 2349
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 560eab5a0177246827a94042dd103916d8765ac7
|
SHA1: 560eab5a0177246827a94042dd103916d8765ac7
|
||||||
|
|
@ -90,12 +70,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
xXlF7wFdsR, 27579, 0
|
xXlF7wFdsR, 27579, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 27579
|
total bytes: 27579
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: ee2b41bdef85de14ef332da14fc392f110b84249
|
SHA1: ee2b41bdef85de14ef332da14fc392f110b84249
|
||||||
|
|
|
||||||
|
|
@ -8,12 +8,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
v5HLI7MxPQh, 11, 0
|
v5HLI7MxPQh, 11, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 11
|
total bytes: 11
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
|
SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
|
||||||
|
|
@ -29,12 +24,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_DONE
|
FileAnalysis::TRIGGER_DONE
|
||||||
PZS1XGHkIf1, 366, 0
|
PZS1XGHkIf1, 366, 0
|
||||||
{
|
|
||||||
UWkUyAuUGXf
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
|
[orig_h=141.142.228.5, orig_p=53595/tcp, resp_h=54.243.55.129, resp_p=80/tcp]
|
||||||
}
|
|
||||||
total bytes: 366
|
total bytes: 366
|
||||||
source: HTTP
|
source: HTTP
|
||||||
SHA1: 6a1582672c203210c6d18d700322060b676365e7
|
SHA1: 6a1582672c203210c6d18d700322060b676365e7
|
||||||
|
|
|
||||||
|
|
@ -8,13 +8,8 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
wqKMAamJVSb, 42208, 0
|
wqKMAamJVSb, 42208, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
|
[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
|
||||||
}
|
source: IRC_DATA
|
||||||
source: irc-dcc-data
|
|
||||||
SHA1: 8abe0239263fd7326eb803d4465cf494f8bea218
|
SHA1: 8abe0239263fd7326eb803d4465cf494f8bea218
|
||||||
MD5: 8c0803242f549c2780cb88b9a9215c65
|
MD5: 8c0803242f549c2780cb88b9a9215c65
|
||||||
SHA256: e4f0b0b9d7580e7a22dc1093c8db4df7d0115a4f3b03cc2875cc69705f0d0204
|
SHA256: e4f0b0b9d7580e7a22dc1093c8db4df7d0115a4f3b03cc2875cc69705f0d0204
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path file_analysis
|
#path file_analysis
|
||||||
#open 2013-03-20-18-29-14
|
#open 2013-03-22-20-24-04
|
||||||
#fields file_id parent_file_id source conn_uids seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size file_type mime_type actions_taken extracted_files md5 sha1 sha256
|
#fields file_id parent_file_id source last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size file_type mime_type conn_uids actions_taken extracted_files md5 sha1 sha256
|
||||||
#types string string string table[string] count count count count interval count string string table[enum] table[string] string string string
|
#types string string string time count count count count interval count string string table[string] table[enum] table[string] string string string
|
||||||
Cx92a0ym5R8 - HTTP UWkUyAuUGXf 4705 4705 0 0 120.000000 1024 set set FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
|
Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 set set UWkUyAuUGXf FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
|
||||||
#close 2013-03-20-18-29-14
|
#close 2013-03-22-20-24-04
|
||||||
|
|
|
||||||
|
|
@ -8,12 +8,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
9VCisPgrqVj, 79, 0
|
9VCisPgrqVj, 79, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
||||||
}
|
|
||||||
source: SMTP
|
source: SMTP
|
||||||
SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13
|
SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13
|
||||||
MD5: 92bca2e6cdcde73647125da7dccbdd07
|
MD5: 92bca2e6cdcde73647125da7dccbdd07
|
||||||
|
|
@ -28,12 +23,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
ZAOEQmRyxv1, 1918, 0
|
ZAOEQmRyxv1, 1918, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
||||||
}
|
|
||||||
source: SMTP
|
source: SMTP
|
||||||
SHA1: e54af6c6616525611364b80bd6557a7ea21dae94
|
SHA1: e54af6c6616525611364b80bd6557a7ea21dae94
|
||||||
MD5: d194c6359c85bb88b54caee18b1e9b44
|
MD5: d194c6359c85bb88b54caee18b1e9b44
|
||||||
|
|
@ -48,12 +38,7 @@ file type is set
|
||||||
mime type is set
|
mime type is set
|
||||||
FileAnalysis::TRIGGER_EOF
|
FileAnalysis::TRIGGER_EOF
|
||||||
Ltd7QO7jEv3, 10823, 0
|
Ltd7QO7jEv3, 10823, 0
|
||||||
{
|
|
||||||
arKYeMETxOg
|
|
||||||
}
|
|
||||||
{
|
|
||||||
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
|
||||||
}
|
|
||||||
source: SMTP
|
source: SMTP
|
||||||
SHA1: 43bf1cea1cd4b7d15243e15611859aa49d515665
|
SHA1: 43bf1cea1cd4b7d15243e15611859aa49d515665
|
||||||
MD5: a968bb0f9f9d95835b2e74c845877e87
|
MD5: a968bb0f9f9d95835b2e74c845877e87
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2011-09-12-03-57-36
|
#open 2013-03-22-14-38-21
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html - -
|
1315799856.264750 UWkUyAuUGXf 10.0.1.104 64216 193.40.5.162 80 1 GET lepo.it.da.ut.ee /~cect/teoreetilised seminarid_2010/arheoloogia_uurimisr\xfchma_seminar/Joyce et al - The Languages of Archaeology ~ Dialogue, Narrative and Writing.pdf - Wget/1.12 (darwin10.8.0) 0 346 404 Not Found - - - (empty) - - - text/html; charset=iso-8859-1 - -
|
||||||
#close 2011-09-12-03-57-37
|
#close 2013-03-22-14-38-21
|
||||||
|
|
|
||||||
|
|
@ -3,9 +3,9 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2011-03-18-19-06-08
|
#open 2013-03-22-14-38-24
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475168.784020 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 1 GET bits.wikimedia.org /skins-1.5/monobook/main.css http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475168.916018 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/6/63/Wikipedia-logo.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475168.916183 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 1 GET upload.wikimedia.org /wikipedia/commons/thumb/b/bb/Wikipedia_wordmark.svg/174px-Wikipedia_wordmark.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
|
|
@ -20,4 +20,4 @@
|
||||||
1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475169.014619 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/4/4a/Commons-logo.svg/35px-Commons-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475169.014593 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/9/91/Wikiversity-logo.svg/35px-Wikiversity-logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
1300475169.014927 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 2 GET upload.wikimedia.org /wikipedia/commons/thumb/7/75/Wikimedia_Community_Logo.svg/35px-Wikimedia_Community_Logo.svg.png http://www.wikipedia.org/ Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15 0 0 304 Not Modified - - - (empty) - - - - - -
|
||||||
#close 2011-03-18-19-06-13
|
#close 2013-03-22-14-38-24
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2009-03-19-05-21-36
|
#open 2013-03-22-14-38-28
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - (empty) - - - text/html - -
|
1237440095.634312 UWkUyAuUGXf 192.168.3.103 54102 128.146.216.51 80 1 POST www.osu.edu / - curl/7.17.1 (i386-apple-darwin8.11.1) libcurl/7.17.1 zlib/1.2.3 2001 60731 200 OK 100 Continue - (empty) - - - text/html; charset=us-ascii - -
|
||||||
#close 2009-03-19-05-21-36
|
#close 2013-03-22-14-38-28
|
||||||
|
|
|
||||||
|
|
@ -3,8 +3,8 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2005-10-07-23-23-56
|
#open 2013-03-22-14-38-28
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html - http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
|
1128727435.634189 arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 1 GET www.icir.org / - Wget/1.10 0 9130 200 OK - - - (empty) - - - text/html; charset=us-ascii - http-item-BFymS6bFgT3-0.dat
|
||||||
#close 2005-10-07-23-23-57
|
#close 2013-03-22-14-38-28
|
||||||
|
|
|
||||||
|
|
@ -3,12 +3,12 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2009-11-18-20-58-04
|
#open 2013-03-22-16-25-59
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
|
||||||
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - FAKE_MIME - -
|
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - text/plain; charset=us-ascii - -
|
||||||
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - FAKE_MIME - -
|
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - text/plain; charset=us-ascii - -
|
||||||
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - FAKE_MIME - -
|
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - image/gif; charset=binary - -
|
||||||
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - image/png e0029eea80812e9a8e57b8d05d52938a -
|
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - image/png; charset=binary e0029eea80812e9a8e57b8d05d52938a -
|
||||||
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - image/png 30aa926344f58019d047e85ba049ca1e -
|
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - image/png; charset=binary 30aa926344f58019d047e85ba049ca1e -
|
||||||
#close 2009-11-18-20-58-32
|
#close 2013-03-22-16-25-59
|
||||||
|
|
|
||||||
|
|
@ -3,12 +3,12 @@
|
||||||
#empty_field (empty)
|
#empty_field (empty)
|
||||||
#unset_field -
|
#unset_field -
|
||||||
#path http
|
#path http
|
||||||
#open 2009-11-18-20-58-04
|
#open 2013-03-22-14-38-28
|
||||||
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied md5 extraction_file
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied md5 extraction_file
|
||||||
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string file
|
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string
|
||||||
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - - -
|
1258577884.844956 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 1 GET www.mozilla.org /style/enhanced.css http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2675 200 OK - - - (empty) - - - - -
|
||||||
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - - -
|
1258577884.960135 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 2 GET www.mozilla.org /script/urchin.js http://www.mozilla.org/projects/calendar/ Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 21421 200 OK - - - (empty) - - - - -
|
||||||
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - - -
|
1258577885.317160 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 3 GET www.mozilla.org /images/template/screen/bullet_utility.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 94 200 OK - - - (empty) - - - - -
|
||||||
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - - -
|
1258577885.349639 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 4 GET www.mozilla.org /images/template/screen/key-point-top.png http://www.mozilla.org/style/screen.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 2349 200 OK - - - (empty) - - - - -
|
||||||
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - - -
|
1258577885.394612 UWkUyAuUGXf 192.168.1.104 1673 63.245.209.11 80 5 GET www.mozilla.org /projects/calendar/images/header-sunbird.png http://www.mozilla.org/projects/calendar/calendar.css Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 0 27579 200 OK - - - (empty) - - - - -
|
||||||
#close 2009-11-18-20-58-32
|
#close 2013-03-22-14-38-28
|
||||||
|
|
|
||||||
|
|
@ -41,6 +41,14 @@ redef ssl_ca_certificate = "../ca_cert.pem";
|
||||||
redef ssl_private_key = "../bro.pem";
|
redef ssl_private_key = "../bro.pem";
|
||||||
redef ssl_passphrase = "my-password";
|
redef ssl_passphrase = "my-password";
|
||||||
|
|
||||||
|
# File analysis that populates fields in the http.log would make the sender's
|
||||||
|
# log differ from the receiver's since hooks don't get sent to peers.
|
||||||
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=10
|
||||||
|
{
|
||||||
|
FileAnalysis::stop(info$file_id);
|
||||||
|
}
|
||||||
|
|
||||||
@TEST-END-FILE
|
@TEST-END-FILE
|
||||||
|
|
||||||
#############
|
#############
|
||||||
|
|
|
||||||
|
|
@ -36,6 +36,14 @@ redef peer_description = "events-send";
|
||||||
# it gets propagated but that's ok.)
|
# it gets propagated but that's ok.)
|
||||||
redef tcp_close_delay = 0secs;
|
redef tcp_close_delay = 0secs;
|
||||||
|
|
||||||
|
# File analysis that populates fields in the http.log would make the sender's
|
||||||
|
# log differ from the receiver's since hooks don't get sent to peers.
|
||||||
|
hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
&priority=10
|
||||||
|
{
|
||||||
|
FileAnalysis::stop(info$file_id);
|
||||||
|
}
|
||||||
|
|
||||||
@TEST-END-FILE
|
@TEST-END-FILE
|
||||||
|
|
||||||
#############
|
#############
|
||||||
|
|
|
||||||
|
|
@ -43,8 +43,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -55,8 +55,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -48,8 +48,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -43,8 +43,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
case FileAnalysis::TRIGGER_NEW:
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
|
|
||||||
if ( info$source == "ftp-data" )
|
if ( info$source == "FTP_DATA" )
|
||||||
{
|
{
|
||||||
for ( act in actions )
|
for ( act in actions )
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
FileAnalysis::add_action(info$file_id, act);
|
||||||
|
|
@ -34,8 +34,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
case FileAnalysis::TRIGGER_EOF:
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -44,8 +44,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -54,8 +54,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -45,8 +45,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -42,8 +42,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_NEW:
|
case FileAnalysis::TRIGGER_NEW:
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
|
|
||||||
if ( info$source == "irc-dcc-data" )
|
if ( info$source == "IRC_DATA" )
|
||||||
{
|
{
|
||||||
for ( act in actions )
|
for ( act in actions )
|
||||||
FileAnalysis::add_action(info$file_id, act);
|
FileAnalysis::add_action(info$file_id, act);
|
||||||
|
|
@ -34,8 +34,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
case FileAnalysis::TRIGGER_EOF:
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -55,8 +55,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
case FileAnalysis::TRIGGER_DONE:
|
case FileAnalysis::TRIGGER_DONE:
|
||||||
|
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -42,8 +42,9 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
|
||||||
|
|
||||||
case FileAnalysis::TRIGGER_EOF:
|
case FileAnalysis::TRIGGER_EOF:
|
||||||
print info$file_id, info$seen_bytes, info$missing_bytes;
|
print info$file_id, info$seen_bytes, info$missing_bytes;
|
||||||
print info$conn_uids;
|
if ( info?$conns )
|
||||||
print info$conn_ids;
|
for ( cid in info$conns )
|
||||||
|
print cid;
|
||||||
|
|
||||||
if ( info?$total_bytes )
|
if ( info?$total_bytes )
|
||||||
print "total bytes: " + fmt("%s", info$total_bytes);
|
print "total bytes: " + fmt("%s", info$total_bytes);
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
|
# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
|
||||||
# @TEST-EXEC: btest-diff http.log
|
# @TEST-EXEC: btest-diff http.log
|
||||||
# @TEST-EXEC: btest-diff http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
|
# @TEST-EXEC: btest-diff http-item-BFymS6bFgT3-0.dat
|
||||||
|
|
||||||
redef HTTP::extract_file_types += /text\/html/;
|
redef HTTP::extract_file_types += /text\/html/;
|
||||||
|
|
@ -1,21 +1,6 @@
|
||||||
# This tests md5 calculation for a specified mime type. The http.log
|
# This tests md5 calculation for a specified mime type.
|
||||||
# will normalize mime types other than the target type to prevent sensitivity
|
|
||||||
# to varying versions of libmagic.
|
|
||||||
|
|
||||||
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
|
# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
|
||||||
# @TEST-EXEC: btest-diff http.log
|
# @TEST-EXEC: btest-diff http.log
|
||||||
|
|
||||||
redef HTTP::generate_md5 += /image\/png/;
|
redef HTTP::generate_md5 += /image\/png/;
|
||||||
|
|
||||||
event bro_init()
|
|
||||||
{
|
|
||||||
Log::remove_default_filter(HTTP::LOG);
|
|
||||||
Log::add_filter(HTTP::LOG, [$name="normalized-mime-types",
|
|
||||||
$pred=function(rec: HTTP::Info): bool
|
|
||||||
{
|
|
||||||
if ( rec?$mime_type && HTTP::generate_md5 != rec$mime_type )
|
|
||||||
rec$mime_type = "FAKE_MIME";
|
|
||||||
return T;
|
|
||||||
}
|
|
||||||
]);
|
|
||||||
}
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue