Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

FileAnalysis: decentralize unique file handle generator callbacks.

Browse source 
The framework now cycles through callbacks based on a table indexed
by analyzer tags, or the special case of service strings if a given
analyzer is overloaded for multiple protocols (FTP/IRC data).  This
lets each protocol script bundle implement the callback locally and
reduces the FAF's external dependencies.
This commit is contained in:
Jon Siwek 2013-03-13 10:48:26 -05:00
parent bb3228e8f6
commit 878dfff2f2
10 changed files with 108 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/protocols/ftp/__load__.bro
View file

@ -1,4 +1,5 @@
@load ./utils-commands
@load ./main
@load ./file-analysis
@load ./file-extract
@load ./gridftp

10
scripts/base/protocols/ftp/file-analysis.bro Normal file
View file

@ -0,0 +1,10 @@
@load ./main
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
redef FileAnalysis::service_handle_callbacks += {
["ftp-data"] = function(c: connection, is_orig: bool): string
{
return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
},
};

1
scripts/base/protocols/http/__load__.bro
View file

@ -1,5 +1,6 @@
@load ./main
@load ./utils
@load ./file-analysis
@load ./file-ident
@load ./file-hash
@load ./file-extract

21
scripts/base/protocols/http/file-analysis.bro Normal file
View file

@ -0,0 +1,21 @@
@load ./main
@load ./utils
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
module HTTP;
function get_file_handle(c: connection, is_orig: bool): string
{
if ( ! c?$http ) return "";
if ( c$http$range_request )
return fmt("%s http(%s): %s: %s", c$start_time, is_orig,
c$id$orig_h, build_url(c$http));
return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
c$http$trans_depth, id_string(c$id));
}
redef FileAnalysis::handle_callbacks += {
[ANALYZER_HTTP] = get_file_handle,
};

3
scripts/base/protocols/irc/__load__.bro
View file

@ -1,2 +1,3 @@
@load ./main
@load ./dcc-send
@load ./dcc-send
@load ./file-analysis

10
scripts/base/protocols/irc/file-analysis.bro Normal file
View file

@ -0,0 +1,10 @@
@load ./dcc-send.bro
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
redef FileAnalysis::service_handle_callbacks += {
["irc-dcc-data"] = function(c: connection, is_orig: bool): string
{
return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
},
};