Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 02:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

FileAnalysis: file handles now set from events.

Browse source 
Versus from synchronous function calls, which doesn't work well because
the function call can see a script-layer state that doesn't reflect
the state as it will be in terms of the event/network stream.
This commit is contained in:
Jon Siwek 2013-03-25 15:37:58 -05:00
parent 00a1de3593
commit 84a0c2fdac
21 changed files with 362 additions and 392 deletions
Download patch file Download diff file Expand all files Collapse all files

14
scripts/base/frameworks/file-analysis/main.bro
View file

@ -102,17 +102,21 @@ export {
## TODO: document ## TODO: document
global policy: hook(trig: Trigger, info: Info); global policy: hook(trig: Trigger, info: Info);
type HandleCallback: function(c: connection, is_orig: bool): string; const disable: table[AnalyzerTag] of bool = table() &redef;
const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
global get_handle: function(c: connection, is_orig: bool): string &redef;
# TODO: wrapper functions for BiFs ? # TODO: wrapper functions for BiFs ?
## Event that can be handled to access the Info record as it is sent on ## Event that can be handled to access the Info record as it is sent on
## to the logging framework. ## to the logging framework.
global log_file_analysis: event(rec: Info); global log_file_analysis: event(rec: Info);
## The salt concatenated to unique file handle strings generated by
## :bro:see:`FileAnalysis::handle_callbacks` before hashing them
## in to a file id (the *file_id* field of :bro:see:`FileAnalysis::Info`).
## Provided to help mitigate the possiblility of manipulating parts of
## network connections that factor in to the file handle in order to
## generate two handles that would hash to the same file id.
const salt = "I recommend changing this." &redef;
} }
event bro_init() &priority=5 event bro_init() &priority=5

28
scripts/base/init-bare.bro
View file

@ -3025,34 +3025,6 @@ export {
} }
module GLOBAL; module GLOBAL;
module FileAnalysis;
export {
## When the file analysis framework receives input regarding a file
## transferred over the network, and a unique handle string cannot
## be determined immediately from :bro:see:`FileAnalysis::handle_callbacks`,
## that input is buffered. This is the interval at which to automatically
## check back on any currently buffered inputs to see if a handle is
## available so that the input can be processed. Since any input
## triggers the check for all buffered inputs, this option only helps
## cases where the file analysis framework is getting little input.
const pending_file_drain_interval = 10 sec &redef;
## This is the interval at which to give up checking for a unique handle
## string for files transferred over the network that were initially
## buffered because no handle was available yet (e.g. when the necessary
## events to construct the handle may not have been flushed yet).
const pending_file_timeout = 10 sec &redef;
## The salt concatenated to unique file handle strings generated by
## :bro:see:`FileAnalysis::handle_callbacks` before hashing them
## in to a file id (the *file_id* field of :bro:see:`FileAnalysis::Info`).
## Provided to help mitigate the possiblility of manipulating parts of
## network connections that factor in to the file handle in order to
## generate two handles that would hash to the same file id.
const salt = "I recommend changing this." &redef;
}
module GLOBAL;
## Number of bytes per packet to capture from live interfaces. ## Number of bytes per packet to capture from live interfaces.
const snaplen = 8192 &redef; const snaplen = 8192 &redef;

26
scripts/base/protocols/ftp/file-analysis.bro
View file

@ -2,11 +2,29 @@
@load base/utils/conn-ids @load base/utils/conn-ids
@load base/frameworks/file-analysis/main @load base/frameworks/file-analysis/main
redef FileAnalysis::handle_callbacks += { module FTP;
[ANALYZER_FTP_DATA] = function(c: connection, is_orig: bool): string
export {
## Determines whether the default :bro:see:`get_file_handle` handler
## is used to return file handles to the file analysis framework.
## Redefine to true in order to provide a custom handler which overrides
## the default for FTP.
const disable_default_file_handle_provider: bool = F &redef;
## Default file handle provider for FTP.
function get_file_handle(c: connection, is_orig: bool): string
{ {
if ( is_orig ) return ""; if ( is_orig ) return "";
return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time, return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
id_string(c$id)); id_string(c$id));
}, }
}; }
module GLOBAL;
event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
{
if ( tag != ANALYZER_FTP_DATA ) return;
if ( FTP::disable_default_file_handle_provider ) return;
return_file_handle(FTP::get_file_handle(c, is_orig));
}

20
scripts/base/protocols/http/file-analysis.bro
View file

@ -5,6 +5,14 @@
module HTTP; module HTTP;
export {
## Determines whether the default :bro:see:`get_file_handle` handler
## is used to return file handles to the file analysis framework.
## Redefine to true in order to provide a custom handler which overrides
## the default HTTP.
const disable_default_file_handle_provider: bool = F &redef;
## Default file handle provider for HTTP.
function get_file_handle(c: connection, is_orig: bool): string function get_file_handle(c: connection, is_orig: bool): string
{ {
if ( ! c?$http ) return ""; if ( ! c?$http ) return "";
@ -16,7 +24,13 @@ function get_file_handle(c: connection, is_orig: bool): string
return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig, return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig,
c$http$trans_depth, id_string(c$id)); c$http$trans_depth, id_string(c$id));
} }
}
redef FileAnalysis::handle_callbacks += { module GLOBAL;
[ANALYZER_HTTP] = get_file_handle,
}; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
{
if ( tag != ANALYZER_HTTP ) return;
if ( HTTP::disable_default_file_handle_provider ) return;
return_file_handle(HTTP::get_file_handle(c, is_orig));
}

26
scripts/base/protocols/irc/file-analysis.bro
View file

@ -2,11 +2,29 @@
@load base/utils/conn-ids @load base/utils/conn-ids
@load base/frameworks/file-analysis/main @load base/frameworks/file-analysis/main
redef FileAnalysis::handle_callbacks += { module IRC;
[ANALYZER_IRC_DATA] = function(c: connection, is_orig: bool): string
export {
## Determines whether the default :bro:see:`get_file_handle` handler
## is used to return file handles to the file analysis framework.
## Redefine to true in order to provide a custom handler which overrides
## the default for IRC.
const disable_default_file_handle_provider: bool = F &redef;
## Default file handle provider for IRC.
function get_file_handle(c: connection, is_orig: bool): string
{ {
if ( is_orig ) return ""; if ( is_orig ) return "";
return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time, return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time,
id_string(c$id)); id_string(c$id));
}, }
}; }
module GLOBAL;
event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
{
if ( tag != ANALYZER_IRC_DATA ) return;
if ( IRC::disable_default_file_handle_provider ) return;
return_file_handle(IRC::get_file_handle(c, is_orig));
}

24
scripts/base/protocols/smtp/file-analysis.bro
View file

@ -5,14 +5,28 @@
module SMTP; module SMTP;
export {
## Determines whether the default :bro:see:`get_file_handle` handler
## is used to return file handles to the file analysis framework.
## Redefine to true in order to provide a custom handler which overrides
## the default for SMTP.
const disable_default_file_handle_provider: bool = F &redef;
## Default file handle provider for SMTP.
function get_file_handle(c: connection, is_orig: bool): string function get_file_handle(c: connection, is_orig: bool): string
{ {
if ( ! c?$smtp ) return ""; if ( ! c?$smtp ) return "";
return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, c$smtp$trans_depth, return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time,
c$smtp_state$mime_level); c$smtp$trans_depth, c$smtp_state$mime_level);
}
} }
redef FileAnalysis::handle_callbacks += { module GLOBAL;
[ANALYZER_SMTP] = get_file_handle,
}; event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
{
if ( tag != ANALYZER_SMTP ) return;
if ( SMTP::disable_default_file_handle_provider ) return;
return_file_handle(SMTP::get_file_handle(c, is_orig));
}

3
src/Event.cc
View file

@ -6,6 +6,7 @@
#include "Func.h" #include "Func.h"
#include "NetVar.h" #include "NetVar.h"
#include "Trigger.h" #include "Trigger.h"
#include "file_analysis/Manager.h"
EventMgr mgr; EventMgr mgr;
@ -124,6 +125,8 @@ void EventMgr::Drain()
// processing, we ensure that it's done at a regular basis by checking // processing, we ensure that it's done at a regular basis by checking
// them here. // them here.
Trigger::EvaluatePending(); Trigger::EvaluatePending();
file_mgr->EventDrainDone();
} }
void EventMgr::Describe(ODesc* d) const void EventMgr::Describe(ODesc* d) const

4
src/FileAnalyzer.cc
View file

@ -74,7 +74,7 @@ IRC_Data::IRC_Data(Connection* conn)
void IRC_Data::Done() void IRC_Data::Done()
{ {
File_Analyzer::Done(); File_Analyzer::Done();
file_mgr->EndOfFile(Conn()); file_mgr->EndOfFile(GetTag(), Conn());
} }
void IRC_Data::DeliverStream(int len, const u_char* data, bool orig) void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
@ -97,7 +97,7 @@ FTP_Data::FTP_Data(Connection* conn)
void FTP_Data::Done() void FTP_Data::Done()
{ {
File_Analyzer::Done(); File_Analyzer::Done();
file_mgr->EndOfFile(Conn()); file_mgr->EndOfFile(GetTag(), Conn());
} }
void FTP_Data::DeliverStream(int len, const u_char* data, bool orig) void FTP_Data::DeliverStream(int len, const u_char* data, bool orig)

10
src/HTTP.cc
View file

@ -565,7 +565,8 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
// multipart/byteranges may span multiple connections // multipart/byteranges may span multiple connections
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig); file_mgr->EndOfFile(MyHTTP_Analyzer()->GetTag(),
MyHTTP_Analyzer()->Conn(), is_orig);
if ( http_message_done ) if ( http_message_done )
{ {
@ -642,7 +643,8 @@ void HTTP_Message::EndEntity(MIME_Entity* entity)
if ( entity == top_level ) if ( entity == top_level )
Done(); Done();
else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 ) else if ( is_orig || MyHTTP_Analyzer()->HTTP_ReplyCode() != 206 )
file_mgr->EndOfFile(MyHTTP_Analyzer()->Conn(), is_orig); file_mgr->EndOfFile(MyHTTP_Analyzer()->GetTag(),
MyHTTP_Analyzer()->Conn(), is_orig);
} }
void HTTP_Message::SubmitHeader(MIME_Header* h) void HTTP_Message::SubmitHeader(MIME_Header* h)
@ -901,11 +903,11 @@ void HTTP_Analyzer::Done()
unanswered_requests.pop(); unanswered_requests.pop();
} }
file_mgr->EndOfFile(Conn(), true); file_mgr->EndOfFile(GetTag(), Conn(), true);
/* TODO: this might be nice to have, but reply code is cleared by now. /* TODO: this might be nice to have, but reply code is cleared by now.
if ( HTTP_ReplyCode() != 206 ) if ( HTTP_ReplyCode() != 206 )
// multipart/byteranges may span multiple connections // multipart/byteranges may span multiple connections
file_mgr->EndOfFile(Conn(), false); file_mgr->EndOfFile(GetTag(), Conn(), false);
*/ */
} }

4
src/MIME.cc
View file

@ -1021,7 +1021,7 @@ void MIME_Mail::Done()
MIME_Message::Done(); MIME_Message::Done();
file_mgr->EndOfFile(analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetTag(), analyzer->Conn());
} }
MIME_Mail::~MIME_Mail() MIME_Mail::~MIME_Mail()
@ -1069,7 +1069,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
analyzer->ConnectionEvent(mime_end_entity, vl); analyzer->ConnectionEvent(mime_end_entity, vl);
} }
file_mgr->EndOfFile(analyzer->Conn()); file_mgr->EndOfFile(analyzer->GetTag(), analyzer->Conn());
} }
void MIME_Mail::SubmitHeader(MIME_Header* h) void MIME_Mail::SubmitHeader(MIME_Header* h)

17
src/bro.bif
View file

@ -17,6 +17,7 @@
#include "Reporter.h" #include "Reporter.h"
#include "IPAddr.h" #include "IPAddr.h"
#include "util.h" #include "util.h"
#include "file_analysis/Manager.h"
using namespace std; using namespace std;
@ -5537,6 +5538,22 @@ function match_signatures%(c: connection, pattern_type: int, s: string,
return new Val(1, TYPE_BOOL); return new Val(1, TYPE_BOOL);
%} %}
## For use within a :bro:see:`get_file_handle` handler to return a unique
## identifier to associate with some buffered input to the file analysis
## framework. The buffered data will then immediately be allowed to pass
## pass through the file analysis framework and execute any policy hooks
## that are available. If an empty string is returned, that signifies that
## the buffered data will be discarded with no further action taken on it.
##
## handle: A string that uniquely identifies a file.
##
## .. bro:see:: get_file_handle FileAnalysis::policy
function return_file_handle%(handle: string%): any
%{
file_mgr->ReceiveHandle(handle->CheckString());
return 0;
%}
# =========================================================================== # ===========================================================================
# #
# Deprecated Functions # Deprecated Functions

2
src/const.bif
View file

@ -24,6 +24,4 @@ const Tunnel::ip_tunnel_timeout: interval;
const Threading::heartbeat_interval: interval; const Threading::heartbeat_interval: interval;
const FileAnalysis::pending_file_drain_interval: interval;
const FileAnalysis::pending_file_timeout: interval;
const FileAnalysis::salt: string; const FileAnalysis::salt: string;

16
src/event.bif
View file

@ -6981,6 +6981,22 @@ event reporter_error%(t: time, msg: string, location: string%) &error_handler;
## recursively for each ``@load``. ## recursively for each ``@load``.
event bro_script_loaded%(path: string, level: count%); event bro_script_loaded%(path: string, level: count%);
## This event is handled to provide feedback to the file analysis framework
## about how to identify the logical "file" to which some data/input
## belongs. All incoming data to the framework is buffered, and depends
## on a handler for this event to return a string value that uniquely
## identifies a file. Among all handlers of this event, exactly one must
## call :bro:see:`return_file_handle`.
##
## tag: The analyzer which is carrying the file data.
##
## c: The connection which is carrying the file data.
##
## is_orig: The direction the file data is flowing over the connection.
##
## .. bro:see:: return_file_handle
event get_file_handle%(tag: count, c: connection, is_orig: bool%);
## Deprecated. Will be removed. ## Deprecated. Will be removed.
event stp_create_endp%(c: connection, e: int, is_orig: bool%); event stp_create_endp%(c: connection, e: int, is_orig: bool%);

250
src/file_analysis/Manager.cc
View file

@ -5,22 +5,14 @@
#include "Info.h" #include "Info.h"
#include "Action.h" #include "Action.h"
#include "Var.h" #include "Var.h"
#include "Event.h"
using namespace file_analysis; using namespace file_analysis;
void DrainTimer::Dispatch(double t, int is_expire) TableVal* Manager::disabled = 0;
{
using BifConst::FileAnalysis::pending_file_drain_interval;
DBG_LOG(DBG_FILE_ANALYSIS, "DrainTimer dispatched");
file_mgr->DrainPending();
if ( ! is_expire )
timer_mgr->Add(new DrainTimer(pending_file_drain_interval));
}
Manager::Manager() : is_draining(false) Manager::Manager()
{ {
using BifConst::FileAnalysis::pending_file_drain_interval;
timer_mgr->Add(new DrainTimer(pending_file_drain_interval));
} }
Manager::~Manager() Manager::~Manager()
@ -28,78 +20,8 @@ Manager::~Manager()
Terminate(); Terminate();
} }
string Manager::GetFileHandle(Analyzer* root, Connection* conn,
bool is_orig) const
{
static TableVal* table = 0;
if ( ! table )
table = internal_val("FileAnalysis::handle_callbacks")->AsTableVal();
if ( ! root ) return "";
Val* index = new Val(root->GetTag(), TYPE_COUNT);
const Val* callback = table->Lookup(index);
Unref(index);
if ( callback )
{
val_list vl(2);
vl.append(conn->BuildConnVal());
vl.append(new Val(is_orig, TYPE_BOOL));
Val* result = callback->AsFunc()->Call(&vl);
if ( result )
{
string rval = result->AsString()->CheckString();
Unref(result);
if ( ! rval.empty() ) return rval;
}
}
for ( analyzer_list::const_iterator it = root->GetChildren().begin();
it != root->GetChildren().end(); ++it )
{
string rval = GetFileHandle((*it), conn, is_orig);
if ( ! rval.empty() ) return rval;
}
return "";
}
string Manager::GetFileHandle(Connection* conn, bool is_orig) const
{
if ( ! conn ) return "";
return GetFileHandle(conn->GetRootAnalyzer(), conn, is_orig);
}
void Manager::DrainPending()
{
if ( is_draining ) return;
is_draining = true;
PendingList::iterator it = pending.begin();
while ( it != pending.end() )
{
if ( (*it)->Retry() || (*it)->IsStale() )
{
delete *it;
pending.erase(it++);
}
else
++it;
}
is_draining = false;
}
void Manager::Terminate() void Manager::Terminate()
{ {
DrainPending();
vector<FileID> keys; vector<FileID> keys;
for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it ) for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it )
keys.push_back(it->first); keys.push_back(it->first);
@ -107,24 +29,38 @@ void Manager::Terminate()
Timeout(keys[i], true); Timeout(keys[i], true);
} }
bool Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::ReceiveHandle(const string& handle)
AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{ {
DrainPending(); if ( pending.empty() )
reporter->InternalError("File analysis underflow");
string unique = GetFileHandle(conn, is_orig); PendingFile* pf = pending.front();
if ( ! handle.empty() )
if ( ! unique.empty() ) pf->Finish(handle);
{ delete pf;
DataIn(data, len, offset, GetInfo(unique, conn, tag)); pending.pop();
return true;
} }
if ( ! is_draining ) void Manager::EventDrainDone()
pending.push_back(new PendingDataInChunk(data, len, offset, tag, conn, {
is_orig)); if ( pending.empty() ) return;
return false; reporter->Error("Too few return_file_handle() calls, discarding pending"
" file analysis input.");
while ( ! pending.empty() )
{
delete pending.front();
pending.pop();
}
}
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( ! QueueHandleEvent(tag, conn, is_orig) ) return;
pending.push(new PendingDataInChunk(data, len, offset, tag, conn));
} }
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
@ -136,8 +72,6 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset, void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
Info* info) Info* info)
{ {
DrainPending();
if ( ! info ) return; if ( ! info ) return;
info->DataIn(data, len, offset); info->DataIn(data, len, offset);
@ -146,24 +80,12 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
RemoveFile(info->GetUnique()); RemoveFile(info->GetUnique());
} }
bool Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig) Connection* conn, bool is_orig)
{ {
DrainPending(); if ( IsDisabled(tag) ) return;
if ( ! QueueHandleEvent(tag, conn, is_orig) ) return;
string unique = GetFileHandle(conn, is_orig); pending.push(new PendingDataInStream(data, len, tag, conn));
if ( ! unique.empty() )
{
DataIn(data, len, GetInfo(unique, conn, tag));
return true;
}
if ( ! is_draining )
pending.push_back(new PendingDataInStream(data, len, tag, conn,
is_orig));
return false;
} }
void Manager::DataIn(const u_char* data, uint64 len, const string& unique) void Manager::DataIn(const u_char* data, uint64 len, const string& unique)
@ -173,8 +95,6 @@ void Manager::DataIn(const u_char* data, uint64 len, const string& unique)
void Manager::DataIn(const u_char* data, uint64 len, Info* info) void Manager::DataIn(const u_char* data, uint64 len, Info* info)
{ {
DrainPending();
if ( ! info ) return; if ( ! info ) return;
info->DataIn(data, len); info->DataIn(data, len);
@ -183,53 +103,30 @@ void Manager::DataIn(const u_char* data, uint64 len, Info* info)
RemoveFile(info->GetUnique()); RemoveFile(info->GetUnique());
} }
void Manager::EndOfFile(Connection* conn) void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn)
{ {
EndOfFile(conn, true); EndOfFile(tag, conn, true);
EndOfFile(conn, false); EndOfFile(tag, conn, false);
} }
bool Manager::EndOfFile(Connection* conn, bool is_orig) void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{ {
DrainPending(); if ( IsDisabled(tag) ) return;
if ( ! QueueHandleEvent(tag, conn, is_orig) ) return;
string unique = GetFileHandle(conn, is_orig); pending.push(new PendingEOF(tag, conn));
if ( ! unique.empty() )
{
RemoveFile(unique);
return true;
}
if ( ! is_draining )
pending.push_back(new PendingEOF(conn, is_orig));
return false;
} }
void Manager::EndOfFile(const string& unique) void Manager::EndOfFile(const string& unique)
{ {
DrainPending();
RemoveFile(unique); RemoveFile(unique);
} }
bool Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig) Connection* conn, bool is_orig)
{ {
DrainPending(); if ( IsDisabled(tag) ) return;
if ( ! QueueHandleEvent(tag, conn, is_orig) ) return;
string unique = GetFileHandle(conn, is_orig); pending.push(new PendingGap(offset, len, tag, conn));
if ( ! unique.empty() )
{
Gap(offset, len, GetInfo(unique, conn, tag));
return true;
}
if ( ! is_draining )
pending.push_back(new PendingGap(offset, len, tag, conn, is_orig));
return false;
} }
void Manager::Gap(uint64 offset, uint64 len, const string& unique) void Manager::Gap(uint64 offset, uint64 len, const string& unique)
@ -239,30 +136,17 @@ void Manager::Gap(uint64 offset, uint64 len, const string& unique)
void Manager::Gap(uint64 offset, uint64 len, Info* info) void Manager::Gap(uint64 offset, uint64 len, Info* info)
{ {
DrainPending();
if ( ! info ) return; if ( ! info ) return;
info->Gap(offset, len); info->Gap(offset, len);
} }
bool Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
bool is_orig) bool is_orig)
{ {
DrainPending(); if ( IsDisabled(tag) ) return;
if ( ! QueueHandleEvent(tag, conn, is_orig) ) return;
string unique = GetFileHandle(conn, is_orig); pending.push(new PendingSize(size, tag, conn));
if ( ! unique.empty() )
{
SetSize(size, GetInfo(unique, conn, tag));
return true;
}
if ( ! is_draining )
pending.push_back(new PendingSize(size, tag, conn, is_orig));
return false;
} }
void Manager::SetSize(uint64 size, const string& unique) void Manager::SetSize(uint64 size, const string& unique)
@ -272,8 +156,6 @@ void Manager::SetSize(uint64 size, const string& unique)
void Manager::SetSize(uint64 size, Info* info) void Manager::SetSize(uint64 size, Info* info)
{ {
DrainPending();
if ( ! info ) return; if ( ! info ) return;
info->SetTotalBytes(size); info->SetTotalBytes(size);
@ -282,7 +164,6 @@ void Manager::SetSize(uint64 size, Info* info)
RemoveFile(info->GetUnique()); RemoveFile(info->GetUnique());
} }
void Manager::EvaluatePolicy(BifEnum::FileAnalysis::Trigger t, Info* info) void Manager::EvaluatePolicy(BifEnum::FileAnalysis::Trigger t, Info* info)
{ {
if ( IsIgnored(info->GetUnique()) ) return; if ( IsIgnored(info->GetUnique()) ) return;
@ -372,8 +253,6 @@ Info* Manager::Lookup(const FileID& file_id) const
void Manager::Timeout(const FileID& file_id, bool is_terminating) void Manager::Timeout(const FileID& file_id, bool is_terminating)
{ {
DrainPending();
Info* info = Lookup(file_id); Info* info = Lookup(file_id);
if ( ! info ) return; if ( ! info ) return;
@ -433,3 +312,34 @@ bool Manager::IsIgnored(const string& unique)
{ {
return ignored.find(unique) != ignored.end(); return ignored.find(unique) != ignored.end();
} }
bool Manager::IsDisabled(AnalyzerTag::Tag tag)
{
if ( ! disabled )
disabled = internal_const_val("FileAnalysis::disable")->AsTableVal();
Val* index = new Val(tag, TYPE_COUNT);
Val* yield = disabled->Lookup(index);
Unref(index);
if ( ! yield ) return false;
bool rval = yield->AsBool();
Unref(yield);
return rval;
}
bool Manager::QueueHandleEvent(AnalyzerTag::Tag tag, Connection* conn,
bool is_orig)
{
if ( ! get_file_handle ) return false;
val_list* vl = new val_list();
vl->append(new Val(tag, TYPE_COUNT));
vl->append(conn->BuildConnVal());
vl->append(new Val(is_orig, TYPE_BOOL));
mgr.QueueEvent(get_file_handle, vl);
return true;
}

68
src/file_analysis/Manager.h
View file

@ -4,7 +4,7 @@
#include <string> #include <string>
#include <map> #include <map>
#include <set> #include <set>
#include <list> #include <queue>
#include "Net.h" #include "Net.h"
#include "AnalyzerTags.h" #include "AnalyzerTags.h"
@ -20,15 +20,6 @@
namespace file_analysis { namespace file_analysis {
class DrainTimer : public Timer {
public:
DrainTimer(double interval)
: Timer(network_time + interval, TIMER_FILE_ANALYSIS_DRAIN) {}
void Dispatch(double t, int is_expire);
};
/** /**
* Main entry point for interacting with file analysis. * Main entry point for interacting with file analysis.
*/ */
@ -44,10 +35,23 @@ public:
*/ */
void Terminate(); void Terminate();
/**
* Associates a handle with the next element in the #pending queue, which
* will immediately push that element all the way through the file analysis
* framework, possibly evaluating any policy hooks.
*/
void ReceiveHandle(const string& handle);
/**
* Called when all events have been drained from the event queue.
* There should be no pending file input/data at this point.
*/
void EventDrainDone();
/** /**
* Pass in non-sequential file data. * Pass in non-sequential file data.
*/ */
bool DataIn(const u_char* data, uint64 len, uint64 offset, void DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig); AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
void DataIn(const u_char* data, uint64 len, uint64 offset, void DataIn(const u_char* data, uint64 len, uint64 offset,
const string& unique); const string& unique);
@ -57,7 +61,7 @@ public:
/** /**
* Pass in sequential file data. * Pass in sequential file data.
*/ */
bool DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag, void DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig); Connection* conn, bool is_orig);
void DataIn(const u_char* data, uint64 len, const string& unique); void DataIn(const u_char* data, uint64 len, const string& unique);
void DataIn(const u_char* data, uint64 len, Info* info); void DataIn(const u_char* data, uint64 len, Info* info);
@ -65,14 +69,14 @@ public:
/** /**
* Signal the end of file data. * Signal the end of file data.
*/ */
void EndOfFile(Connection* conn); void EndOfFile(AnalyzerTag::Tag tag, Connection* conn);
bool EndOfFile(Connection* conn, bool is_orig); void EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
void EndOfFile(const string& unique); void EndOfFile(const string& unique);
/** /**
* Signal a gap in the file data stream. * Signal a gap in the file data stream.
*/ */
bool Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn, void Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag, Connection* conn,
bool is_orig); bool is_orig);
void Gap(uint64 offset, uint64 len, const string& unique); void Gap(uint64 offset, uint64 len, const string& unique);
void Gap(uint64 offset, uint64 len, Info* info); void Gap(uint64 offset, uint64 len, Info* info);
@ -80,7 +84,7 @@ public:
/** /**
* Provide the expected number of bytes that comprise a file. * Provide the expected number of bytes that comprise a file.
*/ */
bool SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn, void SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
bool is_orig); bool is_orig);
void SetSize(uint64 size, const string& unique); void SetSize(uint64 size, const string& unique);
void SetSize(uint64 size, Info* info); void SetSize(uint64 size, Info* info);
@ -120,13 +124,12 @@ public:
protected: protected:
friend class InfoTimer; friend class InfoTimer;
friend class DrainTimer;
friend class PendingFile; friend class PendingFile;
typedef map<string, Info*> StrMap; typedef map<string, Info*> StrMap;
typedef set<string> StrSet; typedef set<string> StrSet;
typedef map<FileID, Info*> IDMap; typedef map<FileID, Info*> IDMap;
typedef list<PendingFile*> PendingList; typedef queue<PendingFile*> PendingQueue;
/** /**
* @return the Info object mapped to \a unique or a null pointer if analysis * @return the Info object mapped to \a unique or a null pointer if analysis
@ -138,18 +141,6 @@ protected:
Info* GetInfo(const string& unique, Connection* conn = 0, Info* GetInfo(const string& unique, Connection* conn = 0,
AnalyzerTag::Tag tag = AnalyzerTag::Error); AnalyzerTag::Tag tag = AnalyzerTag::Error);
/**
* @return a string which can uniquely identify the file being transported
* over the connection. A script-layer function is evaluated in
* order to determine the unique string. An empty string means
* a unique handle for the file couldn't be determined at the time
* time the function was evaluated (possibly because some events
* have not yet been drained from the queue).
*/
string GetFileHandle(Connection* conn, bool is_orig) const;
string GetFileHandle(Analyzer* root, Connection* conn,
bool is_orig) const;
/** /**
* @return the Info object mapped to \a file_id, or a null pointer if no * @return the Info object mapped to \a file_id, or a null pointer if no
* mapping exists. * mapping exists.
@ -174,18 +165,23 @@ protected:
bool IsIgnored(const string& unique); bool IsIgnored(const string& unique);
/** /**
* Attempts to forward the data from any pending file contents, i.e. * @return whether file analysis is disabled for the given analyzer.
* those for which a unique file handle string could not immediately
* be determined.
*/ */
void DrainPending(); static bool IsDisabled(AnalyzerTag::Tag tag);
/**
* Queues \c get_file_handle event in order to retrieve unique file handle.
* @return true if there is a handler for the event, else false.
*/
static bool QueueHandleEvent(AnalyzerTag::Tag tag, Connection* conn,
bool is_orig);
StrMap str_map; /**< Map unique strings to \c FileAnalysis::Info records. */ StrMap str_map; /**< Map unique strings to \c FileAnalysis::Info records. */
IDMap id_map; /**< Map file IDs to \c FileAnalysis::Info records. */ IDMap id_map; /**< Map file IDs to \c FileAnalysis::Info records. */
StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */ StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */
PendingList pending; /**< Files awaiting a unique handle. */ PendingQueue pending; /**< Files awaiting a unique handle. */
bool is_draining; static TableVal* disabled; /**< Table of disabled analyzers. */
}; };
} // namespace file_analysis } // namespace file_analysis

58
src/file_analysis/PendingFile.cc
View file

@ -20,10 +20,8 @@ static string conn_str(Connection* c)
return rval; return rval;
} }
PendingFile::PendingFile(Connection* arg_conn, bool arg_is_orig, PendingFile::PendingFile(Connection* arg_conn, AnalyzerTag::Tag arg_tag)
AnalyzerTag::Tag arg_tag) : conn(arg_conn), tag(arg_tag)
: conn(arg_conn), is_orig(arg_is_orig), creation_time(network_time),
tag(arg_tag)
{ {
Ref(conn); Ref(conn);
DBG_LOG(DBG_FILE_ANALYSIS, "New pending file: %s", conn_str(conn).c_str()); DBG_LOG(DBG_FILE_ANALYSIS, "New pending file: %s", conn_str(conn).c_str());
@ -36,31 +34,24 @@ PendingFile::~PendingFile()
conn_str(conn).c_str()); conn_str(conn).c_str());
} }
bool PendingFile::IsStale() const Info* PendingFile::GetInfo(const string& handle) const
{ {
using BifConst::FileAnalysis::pending_file_timeout; return file_mgr->GetInfo(handle, conn, tag);
if ( creation_time + pending_file_timeout < network_time )
{
DBG_LOG(DBG_FILE_ANALYSIS, "Stale pending file: %s",
conn_str(conn).c_str());
return true;
}
return false;
} }
PendingDataInChunk::PendingDataInChunk(const u_char* arg_data, uint64 arg_len, PendingDataInChunk::PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
uint64 arg_offset, uint64 arg_offset,
AnalyzerTag::Tag arg_tag, AnalyzerTag::Tag arg_tag,
Connection* arg_conn, bool arg_is_orig) Connection* arg_conn)
: PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len), : PendingFile(arg_conn, arg_tag), len(arg_len),
offset(arg_offset) offset(arg_offset)
{ {
copy_data(&data, arg_data, len); copy_data(&data, arg_data, len);
} }
bool PendingDataInChunk::Retry() const void PendingDataInChunk::Finish(const string& handle) const
{ {
return file_mgr->DataIn(data, len, offset, tag, conn, is_orig); file_mgr->DataIn(data, len, offset, GetInfo(handle));
} }
PendingDataInChunk::~PendingDataInChunk() PendingDataInChunk::~PendingDataInChunk()
@ -70,15 +61,15 @@ PendingDataInChunk::~PendingDataInChunk()
PendingDataInStream::PendingDataInStream(const u_char* arg_data, uint64 arg_len, PendingDataInStream::PendingDataInStream(const u_char* arg_data, uint64 arg_len,
AnalyzerTag::Tag arg_tag, AnalyzerTag::Tag arg_tag,
Connection* arg_conn, bool arg_is_orig) Connection* arg_conn)
: PendingFile(arg_conn, arg_is_orig, arg_tag), len(arg_len) : PendingFile(arg_conn, arg_tag), len(arg_len)
{ {
copy_data(&data, arg_data, len); copy_data(&data, arg_data, len);
} }
bool PendingDataInStream::Retry() const void PendingDataInStream::Finish(const string& handle) const
{ {
return file_mgr->DataIn(data, len, tag, conn, is_orig); file_mgr->DataIn(data, len, GetInfo(handle));
} }
PendingDataInStream::~PendingDataInStream() PendingDataInStream::~PendingDataInStream()
@ -87,35 +78,34 @@ PendingDataInStream::~PendingDataInStream()
} }
PendingGap::PendingGap(uint64 arg_offset, uint64 arg_len, PendingGap::PendingGap(uint64 arg_offset, uint64 arg_len,
AnalyzerTag::Tag arg_tag, Connection* arg_conn, AnalyzerTag::Tag arg_tag, Connection* arg_conn)
bool arg_is_orig) : PendingFile(arg_conn, arg_tag), offset(arg_offset),
: PendingFile(arg_conn, arg_is_orig, arg_tag), offset(arg_offset),
len(arg_len) len(arg_len)
{ {
} }
bool PendingGap::Retry() const void PendingGap::Finish(const string& handle) const
{ {
return file_mgr->Gap(offset, len, tag, conn, is_orig); file_mgr->Gap(offset, len, GetInfo(handle));
} }
PendingEOF::PendingEOF(Connection* arg_conn, bool arg_is_orig) PendingEOF::PendingEOF(AnalyzerTag::Tag arg_tag, Connection* arg_conn)
: PendingFile(arg_conn, arg_is_orig) : PendingFile(arg_conn, arg_tag)
{ {
} }
bool PendingEOF::Retry() const void PendingEOF::Finish(const string& handle) const
{ {
return file_mgr->EndOfFile(conn, is_orig); file_mgr->EndOfFile(handle);
} }
PendingSize::PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag, PendingSize::PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag,
Connection* arg_conn, bool arg_is_orig) Connection* arg_conn)
: PendingFile(arg_conn, arg_is_orig, arg_tag), size(arg_size) : PendingFile(arg_conn, arg_tag), size(arg_size)
{ {
} }
bool PendingSize::Retry() const void PendingSize::Finish(const string& handle) const
{ {
return file_mgr->SetSize(size, tag, conn, is_orig); file_mgr->SetSize(size, GetInfo(handle));
} }

38
src/file_analysis/PendingFile.h
View file

@ -3,6 +3,7 @@
#include "AnalyzerTags.h" #include "AnalyzerTags.h"
#include "Conn.h" #include "Conn.h"
#include "Info.h"
namespace file_analysis { namespace file_analysis {
@ -11,18 +12,16 @@ public:
virtual ~PendingFile(); virtual ~PendingFile();
virtual bool Retry() const = 0; virtual void Finish(const string& handle) const = 0;
bool IsStale() const;
protected: protected:
PendingFile(Connection* arg_conn, bool arg_is_orig, PendingFile(Connection* arg_conn,
AnalyzerTag::Tag arg_tag = AnalyzerTag::Error); AnalyzerTag::Tag arg_tag = AnalyzerTag::Error);
Info* GetInfo(const string& handle) const;
Connection* conn; Connection* conn;
bool is_orig;
double creation_time;
AnalyzerTag::Tag tag; AnalyzerTag::Tag tag;
}; };
@ -30,12 +29,12 @@ class PendingDataInChunk : public PendingFile {
public: public:
PendingDataInChunk(const u_char* arg_data, uint64 arg_len, PendingDataInChunk(const u_char* arg_data, uint64 arg_len,
uint64 arg_offset, AnalyzerTag::Tag tag, uint64 arg_offset, AnalyzerTag::Tag arg_tag,
Connection* arg_conn, bool arg_is_orig); Connection* arg_conn);
virtual ~PendingDataInChunk(); virtual ~PendingDataInChunk();
virtual bool Retry() const; virtual void Finish(const string& handle) const;
protected: protected:
@ -48,12 +47,11 @@ class PendingDataInStream : public PendingFile {
public: public:
PendingDataInStream(const u_char* arg_data, uint64 arg_len, PendingDataInStream(const u_char* arg_data, uint64 arg_len,
AnalyzerTag::Tag tag, Connection* arg_conn, AnalyzerTag::Tag arg_tag, Connection* arg_conn);
bool arg_is_orig);
virtual ~PendingDataInStream(); virtual ~PendingDataInStream();
virtual bool Retry() const; virtual void Finish(const string& handle) const;
protected: protected:
@ -64,10 +62,10 @@ protected:
class PendingGap : public PendingFile { class PendingGap : public PendingFile {
public: public:
PendingGap(uint64 arg_offset, uint64 arg_len, AnalyzerTag::Tag tag, PendingGap(uint64 arg_offset, uint64 arg_len, AnalyzerTag::Tag arg_tag,
Connection* arg_conn, bool arg_is_orig); Connection* arg_conn);
virtual bool Retry() const; virtual void Finish(const string& handle) const;
protected: protected:
@ -78,18 +76,18 @@ protected:
class PendingEOF : public PendingFile { class PendingEOF : public PendingFile {
public: public:
PendingEOF(Connection* arg_conn, bool arg_is_orig); PendingEOF(AnalyzerTag::Tag arg_tag, Connection* arg_conn);
virtual bool Retry() const; virtual void Finish(const string& handle) const;
}; };
class PendingSize : public PendingFile { class PendingSize : public PendingFile {
public: public:
PendingSize(uint64 arg_size, AnalyzerTag::Tag tag, Connection* arg_conn, PendingSize(uint64 arg_size, AnalyzerTag::Tag arg_tag,
bool arg_is_orig); Connection* arg_conn);
virtual bool Retry() const; virtual void Finish(const string& handle) const;
protected: protected:

4
testing/btest/Baseline/core.when-interpreter-exceptions/bro..stdout
View file

@ -1,6 +1,6 @@
timeout
timeout g(), T
timeout g(), F timeout g(), F
timeout g(), T
timeout
g() done, no exception, T g() done, no exception, T
localhost resolved localhost resolved
localhost resolved from f(), T localhost resolved from f(), T

6
testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path file_analysis #path file_analysis
#open 2013-03-22-20-24-04 #open 2013-03-25-19-46-10
#fields file_id parent_file_id source last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size file_type mime_type conn_uids actions_taken extracted_files md5 sha1 sha256 #fields file_id parent_file_id source last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size file_type mime_type conn_uids actions_taken extracted_files md5 sha1 sha256
#types string string string time count count count count interval count string string table[string] table[enum] table[string] string string string #types string string string time count count count count interval count string string table[string] table[enum] table[string] string string string
Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 set set UWkUyAuUGXf FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18 Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 set set UWkUyAuUGXf FileAnalysis::ACTION_SHA1,FileAnalysis::ACTION_DATA_EVENT,FileAnalysis::ACTION_EXTRACT,FileAnalysis::ACTION_MD5,FileAnalysis::ACTION_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
#close 2013-03-22-20-24-04 #close 2013-03-25-19-46-10

4
testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out
View file

@ -1,5 +1,5 @@
FileAnalysis::TRIGGER_NEW FileAnalysis::TRIGGER_NEW
9VCisPgrqVj, 0, 0 cwR7l6Zctxb, 0, 0
FileAnalysis::TRIGGER_BOF FileAnalysis::TRIGGER_BOF
FileAnalysis::TRIGGER_BOF_BUFFER FileAnalysis::TRIGGER_BOF_BUFFER
Hello^M^J^M^J ^M Hello^M^J^M^J ^M
@ -7,7 +7,7 @@ FileAnalysis::TRIGGER_TYPE
file type is set file type is set
mime type is set mime type is set
FileAnalysis::TRIGGER_EOF FileAnalysis::TRIGGER_EOF
9VCisPgrqVj, 79, 0 cwR7l6Zctxb, 79, 0
[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp] [orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]
source: SMTP source: SMTP
SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13 SHA1: b7e497be8a9f5e2c4b6980fceb015360f98f4a13

98
testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log
View file

@ -3,56 +3,56 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path http #path http
#open 2012-12-07-04-43-19 #open 2013-03-25-20-20-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file #types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string string
1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328870.191989 UWkUyAuUGXf 128.2.6.136 46562 173.194.75.103 80 1 OPTIONS www.google.com * - - 0 962 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328874.237327 arKYeMETxOg 128.2.6.136 46563 173.194.75.103 80 1 OPTIONS www.google.com HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328874.299063 k6kgXLOoSKl 128.2.6.136 46564 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328874.342591 nQcgTWjvg4c 128.2.6.136 46565 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html - - 1354328874.364020 j4u32Pc5bif 128.2.6.136 46566 173.194.75.103 80 1 GET www.google.com / - - 0 43911 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html - - 1354328878.470424 TEfuqmmG4bh 128.2.6.136 46567 173.194.75.103 80 1 GET www.google.com / - - 0 43983 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html - - 1354328882.575456 FrJExwHcSal 128.2.6.136 46568 173.194.75.103 80 1 GET www.google.com /HTTP/1.1 - - 0 1207 403 Forbidden - - - (empty) - - - text/html; charset=us-ascii - -
1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328882.928027 5OKnoww6xl4 128.2.6.136 46569 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328882.968948 3PKsZ2Uye21 128.2.6.136 46570 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html - - 1354328882.990373 VW0XPVINV8a 128.2.6.136 46571 173.194.75.103 80 1 GET www.google.com / - - 0 43913 200 OK - - - (empty) - - - text/html; charset=us-ascii - -
1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328887.114613 fRFu0wcOle6 128.2.6.136 46572 173.194.75.103 80 0 - - - - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328891.161077 qSsw6ESzHV4 128.2.6.136 46573 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328891.204740 iE6yhOq3SF 128.2.6.136 46574 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328891.245592 GSxOnSLghOa 128.2.6.136 46575 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328891.287655 qCaWGmzFtM5 128.2.6.136 46576 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328891.309065 70MGiRM1Qf4 128.2.6.136 46577 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328895.355012 h5DsfNtYzi1 128.2.6.136 46578 173.194.75.103 80 1 CCM_POST www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328895.416133 P654jzLoe3a 128.2.6.136 46579 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328895.459490 Tw8jXtpTGu6 128.2.6.136 46580 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328895.480865 c4Zw9TmAE05 128.2.6.136 46581 173.194.75.103 80 1 CCM_POST www.google.com / - - 0 963 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328899.526682 EAr0uf4mhq 128.2.6.136 46582 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328903.572533 GvmoxJFXdTa 128.2.6.136 46583 173.194.75.103 80 1 CONNECT www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328903.634196 0Q4FH8sESw5 128.2.6.136 46584 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328903.676395 slFea8xwSmb 128.2.6.136 46585 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328903.697693 UfGkYA2HI2g 128.2.6.136 46586 173.194.75.103 80 1 CONNECT www.google.com / - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328907.743696 i2rO3KD1Syg 128.2.6.136 46587 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328911.790590 2cx26uAvUPl 128.2.6.136 46588 173.194.75.103 80 1 TRACE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328911.853464 BWaU4aSuwkc 128.2.6.136 46589 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328911.897044 10XodEwRycf 128.2.6.136 46590 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328911.918511 zno26fFZkrh 128.2.6.136 46591 173.194.75.103 80 1 TRACE www.google.com / - - 0 960 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328915.964678 v5rgkJBig5l 128.2.6.136 46592 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328920.010458 eWZCH7OONC1 128.2.6.136 46593 173.194.75.103 80 1 DELETE www.google.com /HTTP/1.1 - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328920.072101 0Pwk3ntf8O3 128.2.6.136 46594 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328920.114526 0HKorjr8Zp7 128.2.6.136 46595 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html - - 1354328920.136714 yC2d6kVg709 128.2.6.136 46596 173.194.75.103 80 1 DELETE www.google.com / - - 0 961 405 Method Not Allowed - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - 1354328924.183211 VcgagLjnO92 128.2.6.136 46597 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - 1354328924.224567 bdRoHfaPBo3 128.2.6.136 46598 173.194.75.103 80 1 PUT www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328924.287402 zHqb7t7kv28 128.2.6.136 46599 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328924.328257 rrZWoMUQpv8 128.2.6.136 46600 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - 1354328924.350343 xNYSS2hJkle 128.2.6.136 46601 173.194.75.103 80 1 PUT www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html - - 1354328924.391728 vMVjlplKKbd 128.2.6.136 46602 173.194.75.103 80 1 POST www.google.com / - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html - - 1354328924.433150 3omNawSNrxj 128.2.6.136 46603 173.194.75.103 80 1 POST www.google.com /HTTP/1.1 - - 0 934 411 Length Required - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328924.496732 Rv8AJVfi9Zi 128.2.6.136 46604 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328924.537671 wEyF3OvvcQe 128.2.6.136 46605 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - 1354328924.559704 E490YZTUozc 128.2.6.136 46606 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - - 1354328928.625437 YIeWJmXWNWj 128.2.6.136 46607 173.194.75.103 80 1 HEAD www.google.com / - - 0 0 200 OK - - - (empty) - - - - - -
1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - - 1354328932.692706 ydiZblvsYri 128.2.6.136 46608 173.194.75.103 80 1 HEAD www.google.com /HTTP/1.1 - - 0 0 400 Bad Request - - - (empty) - - - - - -
1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328932.754657 HFYOnBqSE5e 128.2.6.136 46609 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html - - 1354328932.796568 JcUvhfWUMgd 128.2.6.136 46610 173.194.75.103 80 0 - - - - - 0 925 400 Bad Request - - - (empty) - - - text/html; charset=utf-8 - -
#close 2012-12-07-04-43-19 #close 2013-03-25-20-20-22