Add an is_orig parameter to file_over_new_connection event.
parent
efe878f3de
commit
73155c321b
12 changed files with 21 additions and 17 deletions
|
@ -293,7 +293,7 @@ event file_new(f: fa_file) &priority=10
|
|||
set_info(f);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=10
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10
|
||||
{
|
||||
set_info(f);
|
||||
add f$info$conn_uids[c$uid];
|
||||
|
|
|
@ -28,7 +28,7 @@ event bro_init() &priority=5
|
|||
}
|
||||
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
|
||||
return;
|
||||
|
|
|
@ -53,7 +53,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
}
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( f$source == "HTTP" && c$http?$entity )
|
||||
{
|
||||
|
|
|
@ -40,7 +40,7 @@ event bro_init() &priority=5
|
|||
Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( c?$http )
|
||||
{
|
||||
|
|
|
@ -27,7 +27,7 @@ event bro_init() &priority=5
|
|||
Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, IRC::get_file_handle);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
|
||||
return;
|
||||
|
|
|
@ -31,7 +31,7 @@ event mime_begin_entity(c: connection) &priority=10
|
|||
++c$smtp_state$mime_depth;
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( f$source != "SMTP" )
|
||||
return;
|
||||
|
|
|
@ -27,7 +27,7 @@ event bro_init() &priority=5
|
|||
Files::register_protocol(Analyzer::ANALYZER_SMTP, SMTP::get_file_handle);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( c?$smtp )
|
||||
c$smtp$fuids[|c$smtp$fuids|] = f$id;
|
||||
|
|
|
@ -911,8 +911,10 @@ event file_new%(f: fa_file%);
|
|||
##
|
||||
## c: The new connection over which the file is seen being transferred.
|
||||
##
|
||||
## is_orig: true if the originator of *c* is the one sending the file.
|
||||
##
|
||||
## .. bro:see:: file_new file_timeout file_gap file_state_remove
|
||||
event file_over_new_connection%(f: fa_file, c: connection%);
|
||||
event file_over_new_connection%(f: fa_file, c: connection, is_orig: bool%);
|
||||
|
||||
## Indicates that file analysis has timed out because no activity was seen
|
||||
## for the file in a while.
|
||||
|
|
|
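Review bot: The new `is_orig` doc line gives the direction relative to *c*, but it does not say how that relates to the `is_orig` field already stored on the `fa_file` record, which the `File::File` hunk shows being assigned once at construction. For a file that continues over a later connection the two can presumably differ, so the doc should tell handler authors which one to trust, e.g. `## is_orig: true if the originator of *c* is the one sending the file; may differ from f$is_orig when the file spans connections.` The `@param is_orig` line added to the `UpdateConnectionFields` declaration comment could carry the same caveat. Because the event prototype changes, handlers outside this tree that still declare `(f: fa_file, c: connection)` will likely stop matching, and the visible commit text does not mention that.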
@ -90,7 +90,7 @@ File::File(const string& file_id, Connection* conn, analyzer::Tag tag,
|
|||
// add source, connection, is_orig fields
|
||||
SetSource(analyzer_mgr->GetAnalyzerName(tag));
|
||||
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
|
||||
UpdateConnectionFields(conn);
|
||||
UpdateConnectionFields(conn, is_orig);
|
||||
}
|
||||
|
||||
UpdateLastActivityTime();
|
||||
|
@ -113,7 +113,7 @@ double File::GetLastActivityTime() const
|
|||
return val->Lookup(last_active_idx)->AsTime();
|
||||
}
|
||||
|
||||
void File::UpdateConnectionFields(Connection* conn)
|
||||
void File::UpdateConnectionFields(Connection* conn, bool is_orig)
|
||||
{
|
||||
if ( ! conn )
|
||||
return;
|
||||
|
@ -137,6 +137,7 @@ void File::UpdateConnectionFields(Connection* conn)
|
|||
val_list* vl = new val_list();
|
||||
vl->append(val->Ref());
|
||||
vl->append(conn_val->Ref());
|
||||
vl->append(new Val(is_orig, TYPE_BOOL));
|
||||
|
||||
if ( did_file_new_event )
|
||||
FileEvent(file_over_new_connection, vl);
|
||||
|
|
|
@ -173,8 +173,9 @@ protected:
|
|||
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
|
||||
* \c conn_id and UID taken from \a conn.
|
||||
* @param conn the connection over which a part of the file has been seen.
|
||||
* @param is_orig true if the connection originator is sending the file.
|
||||
*/
|
||||
void UpdateConnectionFields(Connection* conn);
|
||||
void UpdateConnectionFields(Connection* conn, bool is_orig);
|
||||
|
||||
/**
|
||||
* Increment a byte count field of #val record by \a size.
|
||||
|
|
|
@ -250,7 +250,7 @@ File* Manager::GetFile(const string& file_id, Connection* conn,
|
|||
rval->UpdateLastActivityTime();
|
||||
|
||||
if ( update_conn )
|
||||
rval->UpdateConnectionFields(conn);
|
||||
rval->UpdateConnectionFields(conn, is_orig);
|
||||
}
|
||||
|
||||
return rval;
|
||||
|
|
|
@ -66,7 +66,7 @@ event file_new(f: fa_file)
|
|||
}
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection)
|
||||
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
|
||||
{
|
||||
print "FILE_OVER_NEW_CONNECTION";
|
||||
}
|
||||
|
|
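Review bot: The updated test handler accepts `is_orig` but still prints only the fixed string, so nothing in this test shows that the new argument is delivered or carries the right direction. Printing it, e.g. `print "FILE_OVER_NEW_CONNECTION", is_orig;`, would pin the value in the test output. The expected-output baselines are not visible on this page and would need regenerating with that change.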