Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add an is_orig parameter to file_over_new_connection event.

Browse source
This commit is contained in:
Jon Siwek 2013-07-09 15:58:28 -05:00
parent efe878f3de
commit 73155c321b
12 changed files with 21 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/frameworks/files/main.bro
View file

@ -293,7 +293,7 @@ event file_new(f: fa_file) &priority=10
set_info(f); set_info(f);
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=10 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10
{ {
set_info(f); set_info(f);
add f$info$conn_uids[c$uid]; add f$info$conn_uids[c$uid];

4
scripts/base/protocols/ftp/files.bro
View file

@ -28,7 +28,7 @@ event bro_init() &priority=5
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
return; return;
@ -37,4 +37,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
ftp$fuid = f$id; ftp$fuid = f$id;
if ( f?$mime_type ) if ( f?$mime_type )
ftp$mime_type = f$mime_type; ftp$mime_type = f$mime_type;
} }

2
scripts/base/protocols/http/entities.bro
View file

@ -53,7 +53,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
} }
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( f$source == "HTTP" && c$http?$entity ) if ( f$source == "HTTP" && c$http?$entity )
{ {

4
scripts/base/protocols/http/files.bro
View file

@ -40,7 +40,7 @@ event bro_init() &priority=5
Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle); Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( c?$http ) if ( c?$http )
{ {
@ -49,4 +49,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
else else
c$http$resp_fuids[|c$http$resp_fuids|] = f$id; c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
} }
} }

4
scripts/base/protocols/irc/files.bro
View file

@ -27,7 +27,7 @@ event bro_init() &priority=5
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle); Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers ) if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
return; return;
@ -38,4 +38,4 @@ event file_over_new_connection(f: fa_file, c: connection) &priority=5
f$info$filename = irc$dcc_file_name; f$info$filename = irc$dcc_file_name;
if ( f?$mime_type ) if ( f?$mime_type )
irc$dcc_mime_type = f$mime_type; irc$dcc_mime_type = f$mime_type;
} }

2
scripts/base/protocols/smtp/entities.bro
View file

@ -31,7 +31,7 @@ event mime_begin_entity(c: connection) &priority=10
++c$smtp_state$mime_depth; ++c$smtp_state$mime_depth;
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( f$source != "SMTP" ) if ( f$source != "SMTP" )
return; return;

4
scripts/base/protocols/smtp/files.bro
View file

@ -27,8 +27,8 @@ event bro_init() &priority=5
Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle); Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
} }
event file_over_new_connection(f: fa_file, c: connection) &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{ {
if ( c?$smtp ) if ( c?$smtp )
c$smtp$fuids[|c$smtp$fuids|] = f$id; c$smtp$fuids[|c$smtp$fuids|] = f$id;
} }

4
src/event.bif
View file

@ -911,8 +911,10 @@ event file_new%(f: fa_file%);
## ##
## c: The new connection over which the file is seen being transferred. ## c: The new connection over which the file is seen being transferred.
## ##
## is_orig: true if the originator of *c* is the one sending the file.
##
## .. bro:see:: file_new file_timeout file_gap file_state_remove ## .. bro:see:: file_new file_timeout file_gap file_state_remove
event file_over_new_connection%(f: fa_file, c: connection%); event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
## Indicates that file analysis has timed out because no activity was seen ## Indicates that file analysis has timed out because no activity was seen
## for the file in a while. ## for the file in a while.

5
src/file_analysis/File.cc
View file

@ -90,7 +90,7 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
// add source, connection, is_orig fields // add source, connection, is_orig fields
SetSource(analyzer_mgr->GetAnalyzerName(tag)); SetSource(analyzer_mgr->GetAnalyzerName(tag));
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL)); val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
UpdateConnectionFields(conn); UpdateConnectionFields(conn, is_orig);
} }
UpdateLastActivityTime(); UpdateLastActivityTime();
@ -113,7 +113,7 @@ double File::GetLastActivityTime() const
return val->Lookup(last_active_idx)->AsTime(); return val->Lookup(last_active_idx)->AsTime();
} }
void File::UpdateConnectionFields(Connection* conn) void File::UpdateConnectionFields(Connection* conn, bool is_orig)
{ {
if ( ! conn ) if ( ! conn )
return; return;
@ -137,6 +137,7 @@ void File::UpdateConnectionFields(Connection* conn)
val_list* vl = new val_list(); val_list* vl = new val_list();
vl->append(val->Ref()); vl->append(val->Ref());
vl->append(conn_val->Ref()); vl->append(conn_val->Ref());
vl->append(new Val(is_orig, TYPE_BOOL));
if ( did_file_new_event ) if ( did_file_new_event )
FileEvent(file_over_new_connection, vl); FileEvent(file_over_new_connection, vl);

3
src/file_analysis/File.h
View file

@ -173,8 +173,9 @@ protected:
* Updates the "conn_ids" and "conn_uids" fields in #val record with the * Updates the "conn_ids" and "conn_uids" fields in #val record with the
* \c conn_id and UID taken from \a conn. * \c conn_id and UID taken from \a conn.
* @param conn the connection over which a part of the file has been seen. * @param conn the connection over which a part of the file has been seen.
* @param is_orig true if the connection originator is sending the file.
*/ */
void UpdateConnectionFields(Connection* conn); void UpdateConnectionFields(Connection* conn, bool is_orig);
/** /**
* Increment a byte count field of #val record by \a size. * Increment a byte count field of #val record by \a size.

2
src/file_analysis/Manager.cc
View file

@ -250,7 +250,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
rval->UpdateLastActivityTime(); rval->UpdateLastActivityTime();
if ( update_conn ) if ( update_conn )
rval->UpdateConnectionFields(conn); rval->UpdateConnectionFields(conn, is_orig);
} }
return rval; return rval;

2
testing/scripts/file-analysis-test.bro
View file

@ -66,7 +66,7 @@ event file_new(f: fa_file)
} }
} }
event file_over_new_connection(f: fa_file, c: connection) event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{ {
print "FILE_OVER_NEW_CONNECTION"; print "FILE_OVER_NEW_CONNECTION";
} }