FileAnalysis: decentralize unique file handle generator callbacks.

The framework now dispatches to callbacks from a table indexed by
analyzer tags, or — for the special case of an analyzer that is
overloaded for multiple protocols (FTP/IRC data) — from a table indexed
by service strings. This lets each protocol script bundle implement the
callback locally and reduces the file analysis framework's (FAF's)
external dependencies.
This commit is contained in:
Jon Siwek 2013-03-13 10:48:26 -05:00
parent bb3228e8f6
commit 878dfff2f2
10 changed files with 108 additions and 47 deletions


@ -5,11 +5,6 @@
# TODO: do logging here? # TODO: do logging here?
@load base/frameworks/logging @load base/frameworks/logging
# dependendies for file handle determination
@load base/protocols/http/main
@load base/protocols/http/utils
@load base/protocols/ftp/main
module FileAnalysis; module FileAnalysis;
export { export {
@ -110,38 +105,32 @@ export {
## TODO: document ## TODO: document
global policy: hook(trig: Trigger, info: Info); global policy: hook(trig: Trigger, info: Info);
type HandleCallback: function(c: connection, is_orig: bool): string;
const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
const service_handle_callbacks: table[string] of HandleCallback = {} &redef;
global get_handle: function(c: connection, is_orig: bool): string &redef; global get_handle: function(c: connection, is_orig: bool): string &redef;
# TODO: wrapper functions for BiFs ? # TODO: wrapper functions for BiFs ?
} }
function conn_str(c: connection): string function get_file_handle_by_service(c: connection, is_orig: bool): string
{ {
return fmt("%s:%s -> %s:%s", c$id$orig_h, c$id$orig_p, local handle: string = "";
c$id$resp_h, c$id$resp_p);
}
function get_handle(c: connection, is_orig: bool): string for ( serv in c$service )
{
local rval: string = "";
local cid: conn_id = c$id;
if ( "ftp-data" in c$service )
rval = fmt("%s ftp-data: %s", c$start_time, conn_str(c));
if ( "irc-dcc-data" in c$service )
rval = fmt("%s irc-dcc-data: %s", c$start_time, conn_str(c));
else if ( c?$http )
{ {
if ( c$http$range_request ) if ( serv in service_handle_callbacks )
rval = fmt("%s http(%s): %s: %s", c$start_time, is_orig, {
c$id$orig_h, HTTP::build_url(c$http)); handle = service_handle_callbacks[serv](c, is_orig);
else if ( handle != "" ) return handle;
rval = fmt("%s http(%s, %s): %s", c$start_time, is_orig, }
c$http$trans_depth, conn_str(c));
} }
return handle;
#print fmt("file handle: %s", rval);
return rval;
} }
redef FileAnalysis::handle_callbacks += {
[ANALYZER_FILE] = get_file_handle_by_service,
};
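Review bot: `FileAnalysis::get_handle` is still declared in the export block (the `global get_handle: function(c: connection, is_orig: bool): string &redef;` context line) but its only definition in this file is removed by this hunk, so unless it is defined somewhere outside the hunk the framework now exports a function with no body; either drop the declaration or keep a thin definition, e.g. `function get_handle(c: connection, is_orig: bool): string { return get_file_handle_by_service(c, is_orig); }`. A second point: `get_file_handle_by_service` iterates the `c$service` set and returns the first non-empty handle, and set iteration order is unspecified, so a connection tagged with more than one registered service would get a handle chosen nondeterministically where the removed code had a fixed priority; if that can happen, iterate the registered services in a fixed order, otherwise a `##` comment stating that at most one registered service is expected per connection would make the assumption explicit.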


@ -1,4 +1,5 @@
@load ./utils-commands @load ./utils-commands
@load ./main @load ./main
@load ./file-analysis
@load ./file-extract @load ./file-extract
@load ./gridftp @load ./gridftp


@ -0,0 +1,10 @@
@load ./main
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
redef FileAnalysis::service_handle_callbacks += {
["ftp-data"] = function(c: connection, is_orig: bool): string
{
return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
},
};
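Review bot: The `ftp-data` callback ignores its `is_orig` argument, so both directions of an FTP data connection would map to the same handle and be treated as one file, whereas the HTTP callback in this commit folds `is_orig` into the handle; if FTP data can ever carry payload in both directions, this one should as well, `return fmt("%s ftp-data(%s): %s", c$start_time, is_orig, id_string(c$id));`. If FTP data connections are known to be strictly one-directional, a comment saying so would save the next reader the same question. A doc comment on the table entry would also help, something like `## File handle for FTP data connections: start time plus the connection 4-tuple.`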


@ -1,5 +1,6 @@
@load ./main @load ./main
@load ./utils @load ./utils
@load ./file-analysis
@load ./file-ident @load ./file-ident
@load ./file-hash @load ./file-hash
@load ./file-extract @load ./file-extract


@ -0,0 +1,21 @@
@load ./main
@load ./utils
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
module HTTP;
function get_file_handle(c: connection, is_orig: bool): string
{
if ( ! c?$http ) return "";
if ( c$http$range_request )
return fmt("%s http(%s): %s: %s", c$start_time, is_orig,
c$id$orig_h, build_url(c$http));
return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
c$http$trans_depth, id_string(c$id));
}
redef FileAnalysis::handle_callbacks += {
[ANALYZER_HTTP] = get_file_handle,
};
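Review bot: `get_file_handle` has no doc comment, and its two branches encode a non-obvious policy: a range request is keyed by the URL (so pieces of one object fetched via several range requests on a connection share a handle), while a normal request is keyed by `trans_depth` (one handle per request in a pipelined connection). Suggest a `##` block above the function stating that, plus a note that returning `""` when `c?$http` is false is what lets the C++ side keep searching other analyzers, assuming that is the intended contract (the Manager.cc hunk continues to child analyzers on an empty result). The function is declared under `module HTTP;` without `export`, which as I understand it keeps it module-private; that is fine for the `redef` below but worth a one-line comment so nobody expects to call `HTTP::get_file_handle` from elsewhere.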


@ -1,2 +1,3 @@
@load ./main @load ./main
@load ./dcc-send @load ./dcc-send
@load ./file-analysis


@ -0,0 +1,10 @@
@load ./dcc-send.bro
@load base/utils/conn-ids
@load base/frameworks/file-analysis/main
redef FileAnalysis::service_handle_callbacks += {
["irc-dcc-data"] = function(c: connection, is_orig: bool): string
{
return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
},
};
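Review bot: `@load ./dcc-send.bro` is the only `@load` in this commit that carries the `.bro` suffix; the sibling new files load `./main` and `./utils` without it, so for consistency make it `@load ./dcc-send`. As with the FTP callback, `is_orig` is unused here, which is fine if DCC SEND data is strictly one-directional but deserves a comment. A doc comment on the entry would help too, e.g. `## File handle for IRC DCC SEND data connections: start time plus the connection 4-tuple.`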


@ -34,8 +34,6 @@ protected:
static magic_t magic; static magic_t magic;
static magic_t magic_mime; static magic_t magic_mime;
string unique_file;
}; };
#endif #endif


@ -4,6 +4,7 @@
#include "Manager.h" #include "Manager.h"
#include "Info.h" #include "Info.h"
#include "Action.h" #include "Action.h"
#include "Var.h"
using namespace file_analysis; using namespace file_analysis;
@ -16,22 +17,48 @@ Manager::~Manager()
Terminate(); Terminate();
} }
string Manager::GetFileHandle(Connection* conn, bool is_orig) string Manager::GetFileHandle(Analyzer* root, Connection* conn,
bool is_orig) const
{
static TableVal* table = 0;
if ( ! table )
table = internal_val("FileAnalysis::handle_callbacks")->AsTableVal();
if ( ! root ) return "";
Val* index = new Val(root->GetTag(), TYPE_COUNT);
const Val* callback = table->Lookup(index);
Unref(index);
if ( callback )
{
val_list vl(2);
vl.append(conn->BuildConnVal());
vl.append(new Val(is_orig, TYPE_BOOL));
Val* result = callback->AsFunc()->Call(&vl);
string rval = result->AsString()->CheckString();
Unref(result);
if ( ! rval.empty() ) return rval;
}
for ( analyzer_list::const_iterator it = root->GetChildren().begin();
it != root->GetChildren().end(); ++it )
{
string rval = GetFileHandle((*it), conn, is_orig);
if ( ! rval.empty() ) return rval;
}
return "";
}
string Manager::GetFileHandle(Connection* conn, bool is_orig) const
{ {
if ( ! conn ) return ""; if ( ! conn ) return "";
const ID* id = global_scope()->Lookup("FileAnalysis::get_handle"); return GetFileHandle(conn->GetRootAnalyzer(), conn, is_orig);
assert(id);
const Func* func = id->ID_Val()->AsFunc();
val_list vl(2);
vl.append(conn->BuildConnVal());
vl.append(new Val(is_orig, TYPE_BOOL));
Val* result = func->Call(&vl);
string rval = result->AsString()->CheckString();
Unref(result);
return rval;
} }
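Review bot: In the new tag-based `GetFileHandle`, the `result` of `callback->AsFunc()->Call(&vl)` is dereferenced via `result->AsString()` with no null check; if `Call` can return a null `Val*` (a script callback that fails at runtime or falls off its end without a return), this is a null dereference on a path driven by network input, so guard it, `string rval = result ? result->AsString()->CheckString() : "";` and then `Unref(result);` (assuming `Unref` tolerates null as elsewhere in the codebase). Second, the index is built as `new Val(root->GetTag(), TYPE_COUNT)` while the script table is declared `table[AnalyzerTag] of HandleCallback`, i.e. keyed by an enum; if table hashing depends on the index value's declared type rather than only its integer payload, this lookup would silently never match, so either build the index with the table's index type or confirm a test exercises a hit. The cached `static TableVal* table` is never `Ref`'d, which is fine only as long as the script global outlives every Manager call; a brief comment stating that assumption would help.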
void Manager::DrainPending() void Manager::DrainPending()


@ -9,6 +9,7 @@
#include "Net.h" #include "Net.h"
#include "Conn.h" #include "Conn.h"
#include "Val.h" #include "Val.h"
#include "Analyzer.h"
#include "Info.h" #include "Info.h"
#include "InfoTimer.h" #include "InfoTimer.h"
@ -141,7 +142,9 @@ protected:
* time the function was evaluated (possibly because some events * time the function was evaluated (possibly because some events
* have not yet been drained from the queue). * have not yet been drained from the queue).
*/ */
string GetFileHandle(Connection* conn, bool is_orig); string GetFileHandle(Connection* conn, bool is_orig) const;
string GetFileHandle(Analyzer* root, Connection* conn,
bool is_orig) const;
/** /**
* @return the Info object mapped to \a file_id, or a null pointer if no * @return the Info object mapped to \a file_id, or a null pointer if no
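Review bot: The Doxygen comment above describes only the original one-argument `GetFileHandle(Connection*, bool)`; the new `GetFileHandle(Analyzer* root, Connection* conn, bool is_orig)` overload has no documentation and its contract is discoverable only from Manager.cc. Suggest a block on it along the lines of `/** Walk \a root and its child analyzers depth-first and return the first non-empty handle produced by a script callback registered for an analyzer's tag, or an empty string if none matched or \a root is null. */`. The enclosing `class Manager` starts and ends outside this hunk.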