mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
Add an is_orig parameter to file_over_new_connection event.
This commit is contained in:
Jon Siwek
parent
efe878f3de
commit
73155c321b
12 changed files with 21 additions and 17 deletions
|
|
@ -293,7 +293,7 @@ event file_new(f: fa_file) &priority=10
|
||||||
set_info(f);
|
set_info(f);
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=10
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10
|
||||||
{
|
{
|
||||||
set_info(f);
|
set_info(f);
|
||||||
add f$info$conn_uids[c$uid];
|
add f$info$conn_uids[c$uid];
|
||||||
|
|
|
||||||
|
|
@ -28,7 +28,7 @@ event bro_init() &priority=5
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
|
if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -53,7 +53,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( f$source == "HTTP" && c$http?$entity )
|
if ( f$source == "HTTP" && c$http?$entity )
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ event bro_init() &priority=5
|
||||||
Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
|
Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( c?$http )
|
if ( c?$http )
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ event bro_init() &priority=5
|
||||||
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
|
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
|
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ event mime_begin_entity(c: connection) &priority=10
|
||||||
++c$smtp_state$mime_depth;
|
++c$smtp_state$mime_depth;
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( f$source != "SMTP" )
|
if ( f$source != "SMTP" )
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ event bro_init() &priority=5
|
||||||
Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
|
Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||||
{
|
{
|
||||||
if ( c?$smtp )
|
if ( c?$smtp )
|
||||||
c$smtp$fuids[|c$smtp$fuids|] = f$id;
|
c$smtp$fuids[|c$smtp$fuids|] = f$id;
|
||||||
|
|
|
||||||
|
|
@ -911,8 +911,10 @@ event file_new%(f: fa_file%);
|
||||||
##
|
##
|
||||||
## c: The new connection over which the file is seen being transferred.
|
## c: The new connection over which the file is seen being transferred.
|
||||||
##
|
##
|
||||||
|
## is_orig: true if the originator of *c* is the one sending the file.
|
||||||
|
##
|
||||||
## .. bro:see:: file_new file_timeout file_gap file_state_remove
|
## .. bro:see:: file_new file_timeout file_gap file_state_remove
|
||||||
event file_over_new_connection%(f: fa_file, c: connection%);
|
event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
|
||||||
|
|
||||||
## Indicates that file analysis has timed out because no activity was seen
|
## Indicates that file analysis has timed out because no activity was seen
|
||||||
## for the file in a while.
|
## for the file in a while.
|
||||||
|
|
|
||||||
|
|
@ -90,7 +90,7 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
|
||||||
// add source, connection, is_orig fields
|
// add source, connection, is_orig fields
|
||||||
SetSource(analyzer_mgr->GetAnalyzerName(tag));
|
SetSource(analyzer_mgr->GetAnalyzerName(tag));
|
||||||
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
|
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
|
||||||
UpdateConnectionFields(conn);
|
UpdateConnectionFields(conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
UpdateLastActivityTime();
|
UpdateLastActivityTime();
|
||||||
|
|
@ -113,7 +113,7 @@ double File::GetLastActivityTime() const
|
||||||
return val->Lookup(last_active_idx)->AsTime();
|
return val->Lookup(last_active_idx)->AsTime();
|
||||||
}
|
}
|
||||||
|
|
||||||
void File::UpdateConnectionFields(Connection* conn)
|
void File::UpdateConnectionFields(Connection* conn, bool is_orig)
|
||||||
{
|
{
|
||||||
if ( ! conn )
|
if ( ! conn )
|
||||||
return;
|
return;
|
||||||
|
|
@ -137,6 +137,7 @@ void File::UpdateConnectionFields(Connection* conn)
|
||||||
val_list* vl = new val_list();
|
val_list* vl = new val_list();
|
||||||
vl->append(val->Ref());
|
vl->append(val->Ref());
|
||||||
vl->append(conn_val->Ref());
|
vl->append(conn_val->Ref());
|
||||||
|
vl->append(new Val(is_orig, TYPE_BOOL));
|
||||||
|
|
||||||
if ( did_file_new_event )
|
if ( did_file_new_event )
|
||||||
FileEvent(file_over_new_connection, vl);
|
FileEvent(file_over_new_connection, vl);
|
||||||
|
|
|
||||||
|
|
@ -173,8 +173,9 @@ protected:
|
||||||
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
|
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
|
||||||
* \c conn_id and UID taken from \a conn.
|
* \c conn_id and UID taken from \a conn.
|
||||||
* @param conn the connection over which a part of the file has been seen.
|
* @param conn the connection over which a part of the file has been seen.
|
||||||
|
* @param is_orig true if the connection originator is sending the file.
|
||||||
*/
|
*/
|
||||||
void UpdateConnectionFields(Connection* conn);
|
void UpdateConnectionFields(Connection* conn, bool is_orig);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Increment a byte count field of #val record by \a size.
|
* Increment a byte count field of #val record by \a size.
|
||||||
|
|
|
||||||
|
|
@ -250,7 +250,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
|
||||||
rval->UpdateLastActivityTime();
|
rval->UpdateLastActivityTime();
|
||||||
|
|
||||||
if ( update_conn )
|
if ( update_conn )
|
||||||
rval->UpdateConnectionFields(conn);
|
rval->UpdateConnectionFields(conn, is_orig);
|
||||||
}
|
}
|
||||||
|
|
||||||
return rval;
|
return rval;
|
||||||
|
|
|
||||||
|
|
@ -66,7 +66,7 @@ event file_new(f: fa_file)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event file_over_new_connection(f: fa_file, c: connection)
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
|
||||||
{
|
{
|
||||||
print "FILE_OVER_NEW_CONNECTION";
|
print "FILE_OVER_NEW_CONNECTION";
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue