diff --git a/scripts/base/frameworks/file-analysis/main.bro b/scripts/base/frameworks/file-analysis/main.bro
index 3b21ae556f..d4ddde1d23 100644
--- a/scripts/base/frameworks/file-analysis/main.bro
+++ b/scripts/base/frameworks/file-analysis/main.bro
@@ -102,17 +102,21 @@ export {
 ## TODO: document
 global policy: hook(trig: Trigger, info: Info);
 
-type HandleCallback: function(c: connection, is_orig: bool): string;
-
-const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
-
-global get_handle: function(c: connection, is_orig: bool): string &redef;
+const disable: table[AnalyzerTag] of bool = table() &redef;
 
 # TODO: wrapper functions for BiFs ?
 
 ## Event that can be handled to access the Info record as it is sent on
 ## to the logging framework.
 global log_file_analysis: event(rec: Info);
+
+## The salt concatenated to unique file handle strings generated by
+## :bro:see:`FileAnalysis::handle_callbacks` before hashing them
+## in to a file id (the *file_id* field of :bro:see:`FileAnalysis::Info`).
+## Provided to help mitigate the possiblility of manipulating parts of
+## network connections that factor in to the file handle in order to
+## generate two handles that would hash to the same file id.
+const salt = "I recommend changing this." &redef;
 }
 
 event bro_init() &priority=5
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 49fcd94d2a..798eb387b3 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
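Review bot: The new `disable` constant is the only per-analyzer switch for the file analysis framework, yet it is the one export in this hunk without a `##` doc comment; I'd add `## Analyzer tags for which the file analysis framework should neither process nor buffer input. Redefine an entry to T to opt a protocol out.` above it. The salt comment moved in here still cross-references `:bro:see:`FileAnalysis::handle_callbacks``, which this same hunk deletes, so it should now point at `get_file_handle` handlers instead; the moved text also carries the spelling `possiblility`. Since the salt is what keeps the handle-to-file_id mapping from being predictable from connection attributes alone, the comment could also say plainly that the default value is public and is expected to be overridden in a site's local configuration.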
@@ -3025,34 +3025,6 @@ export { } module GLOBAL; -module FileAnalysis; -export { - ## When the file analysis framework receives input regarding a file - ## transferred over the network, and a unique handle string cannot - ## be determined immediately from :bro:see:`FileAnalysis::handle_callbacks`, - ## that input is buffered. This is the interval at which to automatically - ## check back on any currently buffered inputs to see if a handle is - ## available so that the input can be processed. Since any input - ## triggers the check for all buffered inputs, this option only helps - ## cases where the file analysis framework is getting little input. - const pending_file_drain_interval = 10 sec &redef; - - ## This is the interval at which to give up checking for a unique handle - ## string for files transferred over the network that were initially - ## buffered because no handle was available yet (e.g. when the necessary - ## events to construct the handle may not have been flushed yet). - const pending_file_timeout = 10 sec &redef; - - ## The salt concatenated to unique file handle strings generated by - ## :bro:see:`FileAnalysis::handle_callbacks` before hashing them - ## in to a file id (the *file_id* field of :bro:see:`FileAnalysis::Info`). - ## Provided to help mitigate the possiblility of manipulating parts of - ## network connections that factor in to the file handle in order to - ## generate two handles that would hash to the same file id. - const salt = "I recommend changing this." &redef; -} -module GLOBAL; - ## Number of bytes per packet to capture from live interfaces. const snaplen = 8192 &redef; diff --git a/scripts/base/protocols/ftp/file-analysis.bro b/scripts/base/protocols/ftp/file-analysis.bro index 016c09838c..9a435cb8ec 100644 --- a/scripts/base/protocols/ftp/file-analysis.bro +++ b/scripts/base/protocols/ftp/file-analysis.bro 
@@ -2,11 +2,29 @@ @load base/utils/conn-ids @load base/frameworks/file-analysis/main -redef FileAnalysis::handle_callbacks += { - [ANALYZER_FTP_DATA] = function(c: connection, is_orig: bool): string +module FTP; + +export { + ## Determines whether the default :bro:see:`get_file_handle` handler + ## is used to return file handles to the file analysis framework. + ## Redefine to true in order to provide a custom handler which overrides + ## the default for FTP. + const disable_default_file_handle_provider: bool = F &redef; + + ## Default file handle provider for FTP. + function get_file_handle(c: connection, is_orig: bool): string { if ( is_orig ) return ""; return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time, id_string(c$id)); - }, -}; + } +} + +module GLOBAL; + +event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + { + if ( tag != ANALYZER_FTP_DATA ) return; + if ( FTP::disable_default_file_handle_provider ) return; + return_file_handle(FTP::get_file_handle(c, is_orig)); + } diff --git a/scripts/base/protocols/http/file-analysis.bro b/scripts/base/protocols/http/file-analysis.bro index 5b0ac79444..b20e561dfc 100644 --- a/scripts/base/protocols/http/file-analysis.bro +++ b/scripts/base/protocols/http/file-analysis.bro 
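Review bot: The `disable_default_file_handle_provider` doc says redefining it to T lets a custom handler override the default, but not what the replacement must do: by the event.bif contract exactly one `get_file_handle` handler must call `return_file_handle()`, and if none does the buffered FTP input is discarded with an error at the next event drain. I'd extend the comment with `## A replacement handler must call return_file_handle() exactly once per event (an empty string discards the input); if no handler does, the buffered data is dropped.` The same wording applies to the HTTP, IRC and SMTP hunks below; the HTTP copy also reads `the default HTTP` where the others read `the default for ...`.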
@@ -5,18 +5,32 @@ module HTTP; -function get_file_handle(c: connection, is_orig: bool): string +export { + ## Determines whether the default :bro:see:`get_file_handle` handler + ## is used to return file handles to the file analysis framework. + ## Redefine to true in order to provide a custom handler which overrides + ## the default HTTP. + const disable_default_file_handle_provider: bool = F &redef; + + ## Default file handle provider for HTTP. + function get_file_handle(c: connection, is_orig: bool): string + { + if ( ! c?$http ) return ""; + + if ( c$http$range_request ) + return fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h, + build_url(c$http)); + + return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig, + c$http$trans_depth, id_string(c$id)); + } +} + +module GLOBAL; + +event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) { - if ( ! c?$http ) return ""; - - if ( c$http$range_request ) - return fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h, - build_url(c$http)); - - return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig, - c$http$trans_depth, id_string(c$id)); + if ( tag != ANALYZER_HTTP ) return; + if ( HTTP::disable_default_file_handle_provider ) return; + return_file_handle(HTTP::get_file_handle(c, is_orig)); } - -redef FileAnalysis::handle_callbacks += { - [ANALYZER_HTTP] = get_file_handle, -}; diff --git a/scripts/base/protocols/irc/file-analysis.bro b/scripts/base/protocols/irc/file-analysis.bro index 471477bbb1..f405585b32 100644 --- a/scripts/base/protocols/irc/file-analysis.bro +++ b/scripts/base/protocols/irc/file-analysis.bro 
@@ -2,11 +2,29 @@ @load base/utils/conn-ids @load base/frameworks/file-analysis/main -redef FileAnalysis::handle_callbacks += { - [ANALYZER_IRC_DATA] = function(c: connection, is_orig: bool): string +module IRC; + +export { + ## Determines whether the default :bro:see:`get_file_handle` handler + ## is used to return file handles to the file analysis framework. + ## Redefine to true in order to provide a custom handler which overrides + ## the default for IRC. + const disable_default_file_handle_provider: bool = F &redef; + + ## Default file handle provider for IRC. + function get_file_handle(c: connection, is_orig: bool): string { if ( is_orig ) return ""; return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time, id_string(c$id)); - }, -}; + } +} + +module GLOBAL; + +event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) + { + if ( tag != ANALYZER_IRC_DATA ) return; + if ( IRC::disable_default_file_handle_provider ) return; + return_file_handle(IRC::get_file_handle(c, is_orig)); + } diff --git a/scripts/base/protocols/smtp/file-analysis.bro b/scripts/base/protocols/smtp/file-analysis.bro index 1586b3086f..cbc33aa375 100644 --- a/scripts/base/protocols/smtp/file-analysis.bro +++ b/scripts/base/protocols/smtp/file-analysis.bro 
@@ -5,14 +5,28 @@ module SMTP; -function get_file_handle(c: connection, is_orig: bool): string +export { + ## Determines whether the default :bro:see:`get_file_handle` handler + ## is used to return file handles to the file analysis framework. + ## Redefine to true in order to provide a custom handler which overrides + ## the default for SMTP. + const disable_default_file_handle_provider: bool = F &redef; + + ## Default file handle provider for SMTP. + function get_file_handle(c: connection, is_orig: bool): string + { + if ( ! c?$smtp ) return ""; + + return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, + c$smtp$trans_depth, c$smtp_state$mime_level); + } +} + +module GLOBAL; + +event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool) { - if ( ! c?$smtp ) return ""; - - return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, c$smtp$trans_depth, - c$smtp_state$mime_level); + if ( tag != ANALYZER_SMTP ) return; + if ( SMTP::disable_default_file_handle_provider ) return; + return_file_handle(SMTP::get_file_handle(c, is_orig)); } - -redef FileAnalysis::handle_callbacks += { - [ANALYZER_SMTP] = get_file_handle, -}; diff --git a/src/Event.cc b/src/Event.cc index 97f29000d6..9250b61e76 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -6,6 +6,7 @@ #include "Func.h" #include "NetVar.h" #include "Trigger.h" +#include "file_analysis/Manager.h" EventMgr mgr; @@ -124,6 +125,8 @@ void EventMgr::Drain() // processing, we ensure that it's done at a regular basis by checking // them here. Trigger::EvaluatePending(); + + file_mgr->EventDrainDone(); } void EventMgr::Describe(ODesc* d) const diff --git a/src/FileAnalyzer.cc b/src/FileAnalyzer.cc index 5ea98460bb..508ae23335 100644 --- a/src/FileAnalyzer.cc +++ b/src/FileAnalyzer.cc @@ -74,7 +74,7 @@ IRC_Data::IRC_Data(Connection* conn) void IRC_Data::Done() { File_Analyzer::Done(); - file_mgr->EndOfFile(Conn()); + file_mgr->EndOfFile(GetTag(), Conn()); } void IRC_Data::DeliverStream(int len, const u_char* data, bool orig) 
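Review bot: The new `file_mgr->EventDrainDone()` call in `EventMgr::Drain` has no comment explaining why it lives at this point, and the reason is non-obvious: the file analysis manager queues one `get_file_handle` event per input and uses the drain boundary to decide that any input still pending will never receive a handle. I'd add above it `// Every get_file_handle event queued during this drain has now run; input still pending in the file manager never got a return_file_handle() call and is discarded there.` The call is unconditional, so it is worth confirming that `Drain()` cannot run before `file_mgr` is constructed; the rest of Drain's body lies outside the hunk.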
@@ -97,7 +97,7 @@ FTP_Data::FTP_Data(Connection* conn) void FTP_Data::Done() { File_Analyzer::Done(); - file_mgr->EndOfFile(Conn()); + file_mgr->EndOfFile(GetTag(), Conn()); } void FTP_Data::DeliverStream(int len, const u_char* data, bool orig) diff --git a/src/HTTP.cc b/src/HTTP.cc index 5ce2dfa114..3ae17714d6 100644 --- a/src/HTTP.cc +++ b/src/HTTP.cc @@ -565,7 +565,8 @@ void HTTP_Message::Done(const int interrupted, const char* detail) if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) // multipart/byteranges may span multiple connections - file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig); + file_mgr->EndOfFile(MyHTTP_Analyzer()->GetTag(), + MyHTTP_Analyzer()->Conn(), is_orig); if ( http_message_done ) { @@ -642,7 +643,8 @@ void HTTP_Message::EndEntity(MIME_Entity* entity) if ( entity == top_level ) Done(); else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) - file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig); + file_mgr->EndOfFile(MyHTTP_Analyzer()->GetTag(), + MyHTTP_Analyzer()->Conn(), is_orig); } void HTTP_Message::SubmitHeader(MIME_Header* h) @@ -901,11 +903,11 @@ void HTTP_Analyzer::Done() unanswered_requests.pop(); } - file_mgr->EndOfFile(Conn(), true); + file_mgr->EndOfFile(GetTag(), Conn(), true); /* TODO: this might be nice to have, but reply code is cleared by now. if ( HTTP_ReplyCode() != 206 ) // multipart/byteranges may span multiple connections - file_mgr->EndOfFile(Conn(), false); + file_mgr->EndOfFile(GetTag(), Conn(), false); */ } diff --git a/src/MIME.cc b/src/MIME.cc index b1d52a3970..b6ffdf96c2 100644 --- a/src/MIME.cc +++ b/src/MIME.cc @@ -1021,7 +1021,7 @@ void MIME_Mail::Done() MIME_Message::Done(); - file_mgr->EndOfFile(analyzer->Conn()); + file_mgr->EndOfFile(analyzer->GetTag(), analyzer->Conn()); } MIME_Mail::~MIME_Mail() 
@@ -1069,7 +1069,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */) analyzer->ConnectionEvent(mime_end_entity, vl); } - file_mgr->EndOfFile(analyzer->Conn()); + file_mgr->EndOfFile(analyzer->GetTag(), analyzer->Conn()); } void MIME_Mail::SubmitHeader(MIME_Header* h) diff --git a/src/bro.bif b/src/bro.bif index ac54da0e75..34ea9642a3 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -17,6 +17,7 @@ #include "Reporter.h" #include "IPAddr.h" #include "util.h" +#include "file_analysis/Manager.h" using namespace std; @@ -5537,6 +5538,22 @@ function match_signatures%(c: connection, pattern_type: int, s: string, return new Val(1, TYPE_BOOL); %} +## For use within a :bro:see:`get_file_handle` handler to return a unique +## identifier to associate with some buffered input to the file analysis +## framework. The buffered data will then immediately be allowed to pass +## pass through the file analysis framework and execute any policy hooks +## that are available. If an empty string is returned, that signifies that +## the buffered data will be discarded with no further action taken on it. +## +## handle: A string that uniquely identifies a file. +## +## .. bro:see:: get_file_handle FileAnalysis::policy +function return_file_handle%(handle: string%): any + %{ + file_mgr->ReceiveHandle(handle->CheckString()); + return 0; + %} + # =========================================================================== # # Deprecated Functions diff --git a/src/const.bif b/src/const.bif index 7fdb444c2c..31e6ccee1a 100644 --- a/src/const.bif +++ b/src/const.bif @@ -24,6 +24,4 @@ const Tunnel::ip_tunnel_timeout: interval; const Threading::heartbeat_interval: interval; -const FileAnalysis::pending_file_drain_interval: interval; -const FileAnalysis::pending_file_timeout: interval; const FileAnalysis::salt: string; diff --git a/src/event.bif b/src/event.bif index 393021024a..aadaf31454 100644 --- a/src/event.bif +++ b/src/event.bif 
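Review bot: The `return_file_handle` doc comment reads `will then immediately be allowed to pass pass through` (duplicated word), and it omits the constraint the implementation depends on: the handle is matched to the oldest pending input purely by queue order, so it must be called exactly once, from one handler of the `get_file_handle` event it answers. I'd add `## Must be called exactly once per get_file_handle event, from a handler of that event; a second call consumes the next buffered input instead.` The value passed on is `handle->CheckString()`; if a handler ever derives the handle from data that may contain a NUL byte, confirm how CheckString treats that before relying on it for uniqueness.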
@@ -6981,6 +6981,22 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler; ## recursively for each ``@load``. event bro_script_loaded%(path: string, level: count%); +## This event is handled to provide feedback to the file analysis framework +## about how to identify the logical "file" to which some data/input +## belongs. All incoming data to the framework is buffered, and depends +## on a handler for this event to return a string value that uniquely +## identifies a file. Among all handlers of this event, exactly one must +## call :bro:see:`return_file_handle`. +## +## tag: The analyzer which is carrying the file data. +## +## c: The connection which is carrying the file data. +## +## is_orig: The direction the file data is flowing over the connection. +## +## .. bro:see:: return_file_handle +event get_file_handle%(tag: count, c: connection, is_orig: bool%); + ## Deprecated. Will be removed. event stp_create_endp%(c: connection, e: int, is_orig: bool%); diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 3f354dd148..bad46b8fd9 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -5,22 +5,14 @@ #include "Info.h" #include "Action.h" #include "Var.h" +#include "Event.h" using namespace file_analysis; -void DrainTimer::Dispatch(double t, int is_expire) - { - using BifConst::FileAnalysis::pending_file_drain_interval; - DBG_LOG(DBG_FILE_ANALYSIS, "DrainTimer dispatched"); - file_mgr->DrainPending(); - if ( ! is_expire ) - timer_mgr->Add(new DrainTimer(pending_file_drain_interval)); - } +TableVal* Manager::disabled = 0; -Manager::Manager() : is_draining(false) +Manager::Manager() { - using BifConst::FileAnalysis::pending_file_drain_interval; - timer_mgr->Add(new DrainTimer(pending_file_drain_interval)); } Manager::~Manager() 
@@ -28,78 +20,8 @@ Manager::~Manager() Terminate(); } -string Manager::GetFileHandle(Analyzer* root, Connection* conn, - bool is_orig) const - { - static TableVal* table = 0; - - if ( ! table ) - table = internal_val("FileAnalysis::handle_callbacks")->AsTableVal(); - - if ( ! root ) return ""; - - Val* index = new Val(root->GetTag(), TYPE_COUNT); - const Val* callback = table->Lookup(index); - Unref(index); - - if ( callback ) - { - val_list vl(2); - vl.append(conn->BuildConnVal()); - vl.append(new Val(is_orig, TYPE_BOOL)); - - Val* result = callback->AsFunc()->Call(&vl); - - if ( result ) - { - string rval = result->AsString()->CheckString(); - Unref(result); - if ( ! rval.empty() ) return rval; - } - } - - for ( analyzer_list::const_iterator it = root->GetChildren().begin(); - it != root->GetChildren().end(); ++it ) - { - string rval = GetFileHandle((*it), conn, is_orig); - if ( ! rval.empty() ) return rval; - } - - return ""; - } - -string Manager::GetFileHandle(Connection* conn, bool is_orig) const - { - if ( ! conn ) return ""; - - return GetFileHandle(conn->GetRootAnalyzer(), conn, is_orig); - } - -void Manager::DrainPending() - { - if ( is_draining ) return; - - is_draining = true; - PendingList::iterator it = pending.begin(); - - while ( it != pending.end() ) - { - if ( (*it)->Retry() || (*it)->IsStale() ) - { - delete *it; - pending.erase(it++); - } - else - ++it; - } - - is_draining = false; - } - void Manager::Terminate() { - DrainPending(); - vector keys; for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it ) keys.push_back(it->first); 
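Review bot: `Manager::Terminate()` no longer touches the `pending` queue now that `DrainPending()` is gone, so anything still queued when the manager is torn down is neither finished nor freed here; unless the destructor (outside this hunk) empties it, those `PendingFile` objects and the connections they `Ref()` leak at shutdown. A `while ( ! pending.empty() ) { delete pending.front(); pending.pop(); }` at the top of `Terminate()`, or simply a call to `EventDrainDone()`, would close that. The remainder of `Terminate()` continues outside the hunk.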
@@ -107,24 +29,38 @@ void Manager::Terminate() Timeout(keys[i], true); } -bool Manager::DataIn(const u_char* data, uint64 len, uint64 offset, +void Manager::ReceiveHandle(const string& handle) + { + if ( pending.empty() ) + reporter->InternalError("File analysis underflow"); + + PendingFile* pf = pending.front(); + if ( ! handle.empty() ) + pf->Finish(handle); + delete pf; + pending.pop(); + } + +void Manager::EventDrainDone() + { + if ( pending.empty() ) return; + + reporter->Error("Too few return_file_handle() calls, discarding pending" + " file analysis input."); + + while ( ! pending.empty() ) + { + delete pending.front(); + pending.pop(); + } + } + +void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - DrainPending(); - - string unique = GetFileHandle(conn, is_orig); - - if ( ! unique.empty() ) - { - DataIn(data, len, offset, GetInfo(unique, conn, tag)); - return true; - } - - if ( ! is_draining ) - pending.push_back(new PendingDataInChunk(data, len, offset, tag, conn, - is_orig)); - - return false; + if ( IsDisabled(tag) ) return; + if ( ! QueueHandleEvent(tag, conn, is_orig) ) return; + pending.push(new PendingDataInChunk(data, len, offset, tag, conn)); } void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, @@ -136,8 +72,6 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, Info* info) { - DrainPending(); - if ( ! info ) return; info->DataIn(data, len, offset); 
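Review bot: `Manager::ReceiveHandle` aborts the process via `reporter->InternalError("File analysis underflow")` when `pending` is empty, but that state is reachable from script code alone: two `get_file_handle` handlers each calling `return_file_handle()`, or a call made outside such a handler. A script-level mistake should not take the sensor down; I'd make it `if ( pending.empty() ) { reporter->Error("return_file_handle() called with no pending file analysis input"); return; }`. The quieter failure, a second call within one event silently attaching the next connection's buffered input to the wrong handle, cannot be detected here because the queue carries no per-event identity, so the exactly-once contract needs to be spelled out in the BiF and event docs.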
@@ -146,24 +80,12 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, RemoveFile(info->GetUnique()); } -bool Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, +void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - DrainPending(); - - string unique = GetFileHandle(conn, is_orig); - - if ( ! unique.empty() ) - { - DataIn(data, len, GetInfo(unique, conn, tag)); - return true; - } - - if ( ! is_draining ) - pending.push_back(new PendingDataInStream(data, len, tag, conn, - is_orig)); - - return false; + if ( IsDisabled(tag) ) return; + if ( ! QueueHandleEvent(tag, conn, is_orig) ) return; + pending.push(new PendingDataInStream(data, len, tag, conn)); } void Manager::DataIn(const u_char* data, uint64 len, const string& unique) @@ -173,8 +95,6 @@ void Manager::DataIn(const u_char* data, uint64 len, const string& unique) void Manager::DataIn(const u_char* data, uint64 len, Info* info) { - DrainPending(); - if ( ! info ) return; info->DataIn(data, len); 
@@ -183,53 +103,30 @@ void Manager::DataIn(const u_char* data, uint64 len, Info* info) RemoveFile(info->GetUnique()); } -void Manager::EndOfFile(Connection* conn) +void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn) { - EndOfFile(conn, true); - EndOfFile(conn, false); + EndOfFile(tag, conn, true); + EndOfFile(tag, conn, false); } -bool Manager::EndOfFile(Connection* conn, bool is_orig) +void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - DrainPending(); - - string unique = GetFileHandle(conn, is_orig); - - if ( ! unique.empty() ) - { - RemoveFile(unique); - return true; - } - - if ( ! is_draining ) - pending.push_back(new PendingEOF(conn, is_orig)); - - return false; + if ( IsDisabled(tag) ) return; + if ( ! QueueHandleEvent(tag, conn, is_orig) ) return; + pending.push(new PendingEOF(tag, conn)); } void Manager::EndOfFile(const string& unique) { - DrainPending(); RemoveFile(unique); } -bool Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, +void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - DrainPending(); - - string unique = GetFileHandle(conn, is_orig); - - if ( ! unique.empty() ) - { - Gap(offset, len, GetInfo(unique, conn, tag)); - return true; - } - - if ( ! is_draining ) - pending.push_back(new PendingGap(offset, len, tag, conn, is_orig)); - - return false; + if ( IsDisabled(tag) ) return; + if ( ! QueueHandleEvent(tag, conn, is_orig) ) return; + pending.push(new PendingGap(offset, len, tag, conn)); } void Manager::Gap(uint64 offset, uint64 len, const string& unique) 
@@ -239,30 +136,17 @@ void Manager::Gap(uint64 offset, uint64 len, const string& unique) void Manager::Gap(uint64 offset, uint64 len, Info* info) { - DrainPending(); - if ( ! info ) return; info->Gap(offset, len); } -bool Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, +void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig) { - DrainPending(); - - string unique = GetFileHandle(conn, is_orig); - - if ( ! unique.empty() ) - { - SetSize(size, GetInfo(unique, conn, tag)); - return true; - } - - if ( ! is_draining ) - pending.push_back(new PendingSize(size, tag, conn, is_orig)); - - return false; + if ( IsDisabled(tag) ) return; + if ( ! QueueHandleEvent(tag, conn, is_orig) ) return; + pending.push(new PendingSize(size, tag, conn)); } void Manager::SetSize(uint64 size, const string& unique) @@ -272,8 +156,6 @@ void Manager::SetSize(uint64 size, const string& unique) void Manager::SetSize(uint64 size, Info* info) { - DrainPending(); - if ( ! info ) return; info->SetTotalBytes(size); @@ -282,7 +164,6 @@ void Manager::SetSize(uint64 size, Info* info) RemoveFile(info->GetUnique()); } - void Manager::EvaluatePolicy(BifEnum::FileAnalysis::Trigger t, Info* info) { if ( IsIgnored(info->GetUnique()) ) return; @@ -372,8 +253,6 @@ Info* Manager::Lookup(const FileID& file_id) const void Manager::Timeout(const FileID& file_id, bool is_terminating) { - DrainPending(); - Info* info = Lookup(file_id); if ( ! info ) return; 
@@ -433,3 +312,34 @@ bool Manager::IsIgnored(const string& unique) { return ignored.find(unique) != ignored.end(); } + +bool Manager::IsDisabled(AnalyzerTag::Tag tag) + { + if ( ! disabled ) + disabled = internal_const_val("FileAnalysis::disable")->AsTableVal(); + + Val* index = new Val(tag, TYPE_COUNT); + Val* yield = disabled->Lookup(index); + Unref(index); + + if ( ! yield ) return false; + + bool rval = yield->AsBool(); + Unref(yield); + + return rval; + } + +bool Manager::QueueHandleEvent(AnalyzerTag::Tag tag, Connection* conn, + bool is_orig) + { + if ( ! get_file_handle ) return false; + + val_list* vl = new val_list(); + vl->append(new Val(tag, TYPE_COUNT)); + vl->append(conn->BuildConnVal()); + vl->append(new Val(is_orig, TYPE_BOOL)); + + mgr.QueueEvent(get_file_handle, vl); + return true; + } diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index 5c4c4ce1d7..930297e3d2 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -4,7 +4,7 @@ #include #include #include -#include +#include #include "Net.h" #include "AnalyzerTags.h" @@ -20,15 +20,6 @@ namespace file_analysis { -class DrainTimer : public Timer { -public: - - DrainTimer(double interval) - : Timer(network_time + interval, TIMER_FILE_ANALYSIS_DRAIN) {} - - void Dispatch(double t, int is_expire); -}; - /** * Main entry point for interacting with file analysis. */ 
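Review bot: `QueueHandleEvent` dereferences `conn` for `conn->BuildConnVal()` without a null check, whereas the `GetFileHandle(Connection*, bool)` path it replaces began with `if ( ! conn ) return "";`; unless every caller of `DataIn`/`EndOfFile`/`Gap`/`SetSize` is known to pass a live connection, add `if ( ! conn ) return false;` before building the argument list. Separately, `IsDisabled` calls `Unref(yield)` on the result of `disabled->Lookup(index)`, while the removed `GetFileHandle` treated its `table->Lookup(index)` result as borrowed and never unref'd it; only one of the two matches `TableVal::Lookup`'s ownership contract, so confirm against Val.h, as an extra `Unref` on a borrowed yield would release a value the table still holds.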
@@ -44,10 +35,23 @@ public: */ void Terminate(); + /** + * Associates a handle with the next element in the #pending queue, which + * will immediately push that element all the way through the file analysis + * framework, possibly evaluating any policy hooks. + */ + void ReceiveHandle(const string& handle); + + /** + * Called when all events have been drained from the event queue. + * There should be no pending file input/data at this point. + */ + void EventDrainDone(); + /** * Pass in non-sequential file data. */ - bool DataIn(const u_char* data, uint64 len, uint64 offset, + void DataIn(const u_char* data, uint64 len, uint64 offset, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); void DataIn(const u_char* data, uint64 len, uint64 offset, const string& unique); @@ -57,7 +61,7 @@ public: /** * Pass in sequential file data. */ - bool DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, + void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); void DataIn(const u_char* data, uint64 len, const string& unique); void DataIn(const u_char* data, uint64 len, Info* info); @@ -65,14 +69,14 @@ public: /** * Signal the end of file data. */ - void EndOfFile(Connection* conn); - bool EndOfFile(Connection* conn, bool is_orig); + void EndOfFile(AnalyzerTag::Tag tag, Connection* conn); + void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig); void EndOfFile(const string& unique); /** * Signal a gap in the file data stream. */ - bool Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, + void Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); void Gap(uint64 offset, uint64 len, const string& unique); void Gap(uint64 offset, uint64 len, Info* info); 
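Review bot: The `ReceiveHandle` doc comment describes only the success path; from Manager.cc, an empty handle deletes the queued element without processing it, and a call with nothing queued is treated as an internal error. I'd extend it with `@param handle Unique file handle; an empty string discards the pending element.` and `Must be called exactly once per queued get_file_handle event.`, and have `EventDrainDone`'s comment say it discards (with a reporter error) any input still pending rather than that there "should be" none.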
@@ -80,7 +84,7 @@ public: /** * Provide the expected number of bytes that comprise a file. */ - bool SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, + void SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, bool is_orig); void SetSize(uint64 size, const string& unique); void SetSize(uint64 size, Info* info); @@ -120,13 +124,12 @@ public: protected: friend class InfoTimer; - friend class DrainTimer; friend class PendingFile; typedef map StrMap; typedef set StrSet; typedef map IDMap; - typedef list PendingList; + typedef queue PendingQueue; /** * @return the Info object mapped to \a unique or a null pointer if analysis @@ -138,18 +141,6 @@ protected: Info* GetInfo(const string& unique, Connection* conn = 0, AnalyzerTag::Tag tag = AnalyzerTag::Error); - /** - * @return a string which can uniquely identify the file being transported - * over the connection. A script-layer function is evaluated in - * order to determine the unique string. An empty string means - * a unique handle for the file couldn't be determined at the time - * time the function was evaluated (possibly because some events - * have not yet been drained from the queue). - */ - string GetFileHandle(Connection* conn, bool is_orig) const; - string GetFileHandle(Analyzer* root, Connection* conn, - bool is_orig) const; - /** * @return the Info object mapped to \a file_id, or a null pointer if no * mapping exists. 
@@ -174,18 +165,23 @@ protected: bool IsIgnored(const string& unique); /** - * Attempts to forward the data from any pending file contents, i.e. - * those for which a unique file handle string could not immediately - * be determined. + * @return whether file analysis is disabled for the given analyzer. */ - void DrainPending(); + static bool IsDisabled(AnalyzerTag::Tag tag); + + /** + * Queues \c get_file_handle event in order to retrieve unique file handle. + * @return true if there is a handler for the event, else false. + */ + static bool QueueHandleEvent(AnalyzerTag::Tag tag, Connection* conn, + bool is_orig); StrMap str_map; /**< Map unique strings to \c FileAnalysis::Info records. */ IDMap id_map; /**< Map file IDs to \c FileAnalysis::Info records. */ StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */ - PendingList pending; /**< Files awaiting a unique handle. */ + PendingQueue pending; /**< Files awaiting a unique handle. */ - bool is_draining; + static TableVal* disabled; /**< Table of disabled analyzers. */ }; } // namespace file_analysis diff --git a/src/file_analysis/PendingFile.cc b/src/file_analysis/PendingFile.cc index d148953294..6d8f2d6e45 100644 --- a/src/file_analysis/PendingFile.cc +++ b/src/file_analysis/PendingFile.cc @@ -20,10 +20,8 @@ static string conn_str(Connection* c) return rval; } -PendingFile::PendingFile(Connection* arg_conn, bool arg_is_orig, - AnalyzerTag::Tag arg_tag) - : conn(arg_conn), is_orig(arg_is_orig), creation_time(network_time), - tag(arg_tag) +PendingFile::PendingFile(Connection* arg_conn, AnalyzerTag::Tag arg_tag) + : conn(arg_conn), tag(arg_tag) { Ref(conn); DBG_LOG(DBG_FILE_ANALYSIS, "New pending file: %s", conn_str(conn).c_str()); 
@@ -36,31 +34,24 @@ PendingFile::~PendingFile() conn_str(conn).c_str()); } -bool PendingFile::IsStale() const +Info* PendingFile::GetInfo(const string& handle) const { - using BifConst::FileAnalysis::pending_file_timeout; - if ( creation_time + pending_file_timeout < network_time ) - { - DBG_LOG(DBG_FILE_ANALYSIS, "Stale pending file: %s", - conn_str(conn).c_str()); - return true; - } - return false; + return file_mgr->GetInfo(handle, conn, tag); } PendingDataInChunk::PendingDataInChunk(const u_char* arg_data, uint64 arg_len, uint64 arg_offset, AnalyzerTag::Tag arg_tag, - Connection* arg_conn, bool arg_is_orig) - : PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len), + Connection* arg_conn) + : PendingFile(arg_conn, arg_tag), len(arg_len), offset(arg_offset) { copy_data(&data, arg_data, len); } -bool PendingDataInChunk::Retry() const +void PendingDataInChunk::Finish(const string& handle) const { - return file_mgr->DataIn(data, len, offset, tag, conn, is_orig); + file_mgr->DataIn(data, len, offset, GetInfo(handle)); } PendingDataInChunk::~PendingDataInChunk() @@ -70,15 +61,15 @@ PendingDataInChunk::~PendingDataInChunk() PendingDataInStream::PendingDataInStream(const u_char* arg_data, uint64 arg_len, AnalyzerTag::Tag arg_tag, - Connection* arg_conn, bool arg_is_orig) - : PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len) + Connection* arg_conn) + : PendingFile(arg_conn, arg_tag), len(arg_len) { copy_data(&data, arg_data, len); } -bool PendingDataInStream::Retry() const +void PendingDataInStream::Finish(const string& handle) const { - return file_mgr->DataIn(data, len, tag, conn, is_orig); + file_mgr->DataIn(data, len, GetInfo(handle)); } PendingDataInStream::~PendingDataInStream() 
@@ -87,35 +78,34 @@ PendingDataInStream::~PendingDataInStream() } PendingGap::PendingGap(uint64 arg_offset, uint64 arg_len, - AnalyzerTag::Tag arg_tag, Connection* arg_conn, - bool arg_is_orig) - : PendingFile(arg_conn, arg_is_orig, arg_tag), offset(arg_offset), + AnalyzerTag::Tag arg_tag, Connection* arg_conn) + : PendingFile(arg_conn, arg_tag), offset(arg_offset), len(arg_len) { } -bool PendingGap::Retry() const +void PendingGap::Finish(const string& handle) const { - return file_mgr->Gap(offset, len, tag, conn, is_orig); + file_mgr->Gap(offset, len, GetInfo(handle)); } -PendingEOF::PendingEOF(Connection* arg_conn, bool arg_is_orig) - : PendingFile(arg_conn, arg_is_orig) +PendingEOF::PendingEOF(AnalyzerTag::Tag arg_tag, Connection* arg_conn) + : PendingFile(arg_conn, arg_tag) { } -bool PendingEOF::Retry() const +void PendingEOF::Finish(const string& handle) const { - return file_mgr->EndOfFile(conn, is_orig); + file_mgr->EndOfFile(handle); } PendingSize::PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag, - Connection* arg_conn, bool arg_is_orig) - : PendingFile(arg_conn, arg_is_orig, arg_tag), size(arg_size) + Connection* arg_conn) + : PendingFile(arg_conn, arg_tag), size(arg_size) { } -bool PendingSize::Retry() const +void PendingSize::Finish(const string& handle) const { - return file_mgr->SetSize(size, tag, conn, is_orig); + file_mgr->SetSize(size, GetInfo(handle)); } diff --git a/src/file_analysis/PendingFile.h b/src/file_analysis/PendingFile.h index 34d46fe7e9..58b842d969 100644 --- a/src/file_analysis/PendingFile.h +++ b/src/file_analysis/PendingFile.h @@ -3,6 +3,7 @@ #include "AnalyzerTags.h" #include "Conn.h" +#include "Info.h" namespace file_analysis { 
@@ -11,18 +12,16 @@ public: virtual ~PendingFile(); - virtual bool Retry() const = 0; - - bool IsStale() const; + virtual void Finish(const string& handle) const = 0; protected: - PendingFile(Connection* arg_conn, bool arg_is_orig, + PendingFile(Connection* arg_conn, AnalyzerTag::Tag arg_tag = AnalyzerTag::Error); + Info* GetInfo(const string& handle) const; + Connection* conn; - bool is_orig; - double creation_time; AnalyzerTag::Tag tag; }; @@ -30,12 +29,12 @@ class PendingDataInChunk : public PendingFile { public: PendingDataInChunk(const u_char* arg_data, uint64 arg_len, - uint64 arg_offset, AnalyzerTag::Tag tag, - Connection* arg_conn, bool arg_is_orig); + uint64 arg_offset, AnalyzerTag::Tag arg_tag, + Connection* arg_conn); virtual ~PendingDataInChunk(); - virtual bool Retry() const; + virtual void Finish(const string& handle) const; protected: @@ -48,12 +47,11 @@ class PendingDataInStream : public PendingFile { public: PendingDataInStream(const u_char* arg_data, uint64 arg_len, - AnalyzerTag::Tag tag, Connection* arg_conn, - bool arg_is_orig); + AnalyzerTag::Tag arg_tag, Connection* arg_conn); virtual ~PendingDataInStream(); - virtual bool Retry() const; + virtual void Finish(const string& handle) const; protected: @@ -64,10 +62,10 @@ protected: class PendingGap : public PendingFile { public: - PendingGap(uint64 arg_offset, uint64 arg_len, AnalyzerTag::Tag tag, - Connection* arg_conn, bool arg_is_orig); + PendingGap(uint64 arg_offset, uint64 arg_len, AnalyzerTag::Tag arg_tag, + Connection* arg_conn); - virtual bool Retry() const; + virtual void Finish(const string& handle) const; protected: 
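Review bot: The new pure virtual `Finish(const string& handle)` and the protected `GetInfo(const string& handle)` in the `@@ -11,18` hunk are undocumented, and since they replace the `Retry`/`IsStale` contract a reader has no way to tell that `Finish` is now one-shot rather than retried. Suggested doc comments: `// Completes the buffered operation against the file identified by handle; called once, result is not reported back.` on `Finish`, and `// Resolves handle, together with this entry's conn and tag, to the manager's Info record.` on `GetInfo`. The base constructor also keeps the `arg_tag = AnalyzerTag::Error` default, and that tag now feeds `GetInfo` for every subclass; since each visible subclass passes an explicit tag, dropping the default would turn a forgotten tag into a compile error instead of a silent lookup under `AnalyzerTag::Error`.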
@@ -78,18 +76,18 @@ protected: class PendingEOF : public PendingFile { public: - PendingEOF(Connection* arg_conn, bool arg_is_orig); + PendingEOF(AnalyzerTag::Tag arg_tag, Connection* arg_conn); - virtual bool Retry() const; + virtual void Finish(const string& handle) const; }; class PendingSize : public PendingFile { public: - PendingSize(uint64 arg_size, AnalyzerTag::Tag tag, Connection* arg_conn, - bool arg_is_orig); + PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag, + Connection* arg_conn); - virtual bool Retry() const; + virtual void Finish(const string& handle) const; protected: diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout index 792954f9a0..49eafc365f 100644 --- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout @@ -1,6 +1,6 @@ -timeout -timeout g(), T timeout g(), F +timeout g(), T +timeout g() done, no exception, T localhost resolved localhost resolved from f(), T diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log index f52d73e1a8..f2b116980a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path file_analysis -#open 2013-03-22-20-24-04 +#open 2013-03-25-19-46-10 #fields file_id parent_file_id source last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size file_type mime_type conn_uids actions_taken extracted_files md5 sha1 sha256 #types string string string time count count count count interval count string string table[string] table[enum] table[string] string string string -Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 set set UWkUyAuUGXf FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 -#close 2013-03-22-20-24-04 +Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 set set UWkUyAuUGXf FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 +#close 2013-03-25-19-46-10 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index fa08f6dc18..70dc926ff5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out @@ -1,5 +1,5 @@ FileAnalysis::TRIGGER_NEW -9VCisPgrqVj, 0, 0 +cwR7l6Zctxb, 0, 0 FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF_BUFFER Hello^M^J^M^J ^M 
@@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE file type is set mime type is set FileAnalysis::TRIGGER_EOF -9VCisPgrqVj, 79, 0 +cwR7l6Zctxb, 79, 0 [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp] source: SMTP SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log index ac84e5ae7a..bdc29bd6b9 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log 
@@ -3,56 +3,56 @@ #empty_field (empty) #unset_field - #path http -#open 2012-12-07-04-43-19 +#open 2013-03-25-20-20-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file -#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file -1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - -1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - -1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - -1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - 
- -1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - 
(empty) - - - text/html - - -1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - -1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - 
-1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - -1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - +#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string +1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html; 
charset=us-ascii - - +1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html; charset=us-ascii - - +1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html; charset=us-ascii - - +1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html; charset=us-ascii - - +1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - 
- - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - 
(empty) - - - text/html; charset=utf-8 - - +1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - 
- - text/html; charset=utf-8 - - +1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - 1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - 1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - 1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - -1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - -#close 2012-12-07-04-43-19 +1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - - +#close 2013-03-25-20-20-22