Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 08:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/master' into topic/seth/file-analysis-exe-analyzer

Browse source 
Conflicts:
	src/types.bif
This commit is contained in:
Seth Hall 2013-05-15 21:35:28 -04:00
commit 98f6be4d7c
174 changed files with 150707 additions and 1703 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/file_analysis/Analyzer.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_ANALYZER_H
#define FILE_ANALYSIS_ANALYZER_H
@ -15,7 +17,6 @@ class File;
*/
class Analyzer {
public:
virtual ~Analyzer()
{
DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %d", tag);
@ -83,13 +84,13 @@ public:
}
protected:
Analyzer(RecordVal* arg_args, File* arg_file)
: tag(file_analysis::Analyzer::ArgsTag(arg_args)),
args(arg_args->Ref()->AsRecordVal()),
file(arg_file)
{}
private:
FA_Tag tag;
RecordVal* args;
File* file;

9
src/file_analysis/AnalyzerSet.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "AnalyzerSet.h"
#include "File.h"
#include "Analyzer.h"
@ -41,6 +43,7 @@ AnalyzerSet::~AnalyzerSet()
delete mod;
mod_queue.pop();
}
delete analyzer_hash;
}
@ -110,6 +113,7 @@ bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key)
{
file_analysis::Analyzer* a =
(file_analysis::Analyzer*) analyzer_map.Remove(key);
delete key;
if ( ! a )
@ -121,6 +125,7 @@ bool AnalyzerSet::Remove(FA_Tag tag, HashKey* key)
DBG_LOG(DBG_FILE_ANALYSIS, "Remove analyzer %d for file id %s", a->Tag(),
file->GetID().c_str());
delete a;
return true;
}
@ -145,6 +150,7 @@ HashKey* AnalyzerSet::GetKey(const RecordVal* args) const
HashKey* key = analyzer_hash->ComputeHash(args, 1);
if ( ! key )
reporter->InternalError("AnalyzerArgs type mismatch");
return key;
}
@ -174,7 +180,8 @@ void AnalyzerSet::Insert(file_analysis::Analyzer* a, HashKey* key)
void AnalyzerSet::DrainModifications()
{
if ( mod_queue.empty() ) return;
if ( mod_queue.empty() )
return;
DBG_LOG(DBG_FILE_ANALYSIS, "Start analyzer mod queue flush of file id %s",
file->GetID().c_str());

5
src/file_analysis/AnalyzerSet.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_ANALYZERSET_H
#define FILE_ANALYSIS_ANALYZERSET_H
@ -20,7 +22,6 @@ declare(PDict,Analyzer);
*/
class AnalyzerSet {
public:
AnalyzerSet(File* arg_file);
~AnalyzerSet();
@ -57,12 +58,12 @@ public:
{ return analyzer_map.NextEntry(c); }
protected:
HashKey* GetKey(const RecordVal* args) const;
file_analysis::Analyzer* InstantiateAnalyzer(RecordVal* args) const;
void Insert(file_analysis::Analyzer* a, HashKey* key);
bool Remove(FA_Tag tag, HashKey* key);
private:
File* file;
CompositeHash* analyzer_hash; /**< AnalyzerArgs hashes. */
PDict(file_analysis::Analyzer) analyzer_map; /**< Indexed by AnalyzerArgs. */

12
src/file_analysis/DataEvent.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <string>
#include "DataEvent.h"
@ -17,10 +19,8 @@ file_analysis::Analyzer* DataEvent::Instantiate(RecordVal* args, File* file)
{
using BifType::Record::FileAnalysis::AnalyzerArgs;
const char* chunk_field = "chunk_event";
const char* stream_field = "stream_event";
int chunk_off = AnalyzerArgs->FieldOffset(chunk_field);
int stream_off = AnalyzerArgs->FieldOffset(stream_field);
int chunk_off = AnalyzerArgs->FieldOffset("chunk_event");
int stream_off = AnalyzerArgs->FieldOffset("stream_event");
Val* chunk_val = args->Lookup(chunk_off);
Val* stream_val = args->Lookup(stream_off);
@ -44,7 +44,7 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
if ( ! chunk_event ) return true;
val_list* args = new val_list;
args->append(file->GetVal()->Ref());
args->append(GetFile()->GetVal()->Ref());
args->append(new StringVal(new BroString(data, len, 0)));
args->append(new Val(offset, TYPE_COUNT));
@ -58,7 +58,7 @@ bool DataEvent::DeliverStream(const u_char* data, uint64 len)
if ( ! stream_event ) return true;
val_list* args = new val_list;
args->append(file->GetVal()->Ref());
args->append(GetFile()->GetVal()->Ref());
args->append(new StringVal(new BroString(data, len, 0)));
mgr.QueueEvent(stream_event, args);

9
src/file_analysis/DataEvent.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_DATAEVENT_H
#define FILE_ANALYSIS_DATAEVENT_H
@ -14,18 +16,17 @@ namespace file_analysis {
*/
class DataEvent : public file_analysis::Analyzer {
public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset);
virtual bool DeliverStream(const u_char* data, uint64 len);
protected:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
protected:
DataEvent(RecordVal* args, File* file,
EventHandlerPtr ce, EventHandlerPtr se);
private:
EventHandlerPtr chunk_event;
EventHandlerPtr stream_event;
};

11
src/file_analysis/Extract.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <string>
#include "Extract.h"
@ -28,17 +30,18 @@ Extract::~Extract()
file_analysis::Analyzer* Extract::Instantiate(RecordVal* args, File* file)
{
using BifType::Record::FileAnalysis::AnalyzerArgs;
const char* field = "extract_filename";
Val* v = args->Lookup(AnalyzerArgs->FieldOffset(field));
Val* v = args->Lookup(AnalyzerArgs->FieldOffset("extract_filename"));
if ( ! v ) return 0;
if ( ! v )
return 0;
return new Extract(args, file, v->AsString()->CheckString());
}
bool Extract::DeliverChunk(const u_char* data, uint64 len, uint64 offset)
{
if ( ! fd ) return false;
if ( ! fd )
return false;
safe_pwrite(fd, data, len, offset);
return true;

9
src/file_analysis/Extract.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_EXTRACT_H
#define FILE_ANALYSIS_EXTRACT_H
@ -14,17 +16,16 @@ namespace file_analysis {
*/
class Extract : public file_analysis::Analyzer {
public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
virtual ~Extract();
virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset);
protected:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file);
protected:
Extract(RecordVal* args, File* file, const string& arg_filename);
private:
string filename;
int fd;
};

49
src/file_analysis/File.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <string>
#include <openssl/md5.h>
@ -49,13 +51,12 @@ int File::bof_buffer_size_idx = -1;
int File::bof_buffer_idx = -1;
int File::mime_type_idx = -1;
magic_t File::magic_mime = 0;
string File::salt;
void File::StaticInit()
{
if ( id_idx != -1 ) return;
if ( id_idx != -1 )
return;
id_idx = Idx("id");
parent_id_idx = Idx("parent_id");
@ -72,16 +73,14 @@ void File::StaticInit()
bof_buffer_idx = Idx("bof_buffer");
mime_type_idx = Idx("mime_type");
bro_init_magic(&magic_mime, MAGIC_MIME);
salt = BifConst::FileAnalysis::salt->CheckString();
}
File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag,
bool is_orig)
: id(""), unique(unique), val(0), postpone_timeout(false),
first_chunk(true), missed_bof(false), need_reassembly(false), done(false),
analyzers(this)
: id(""), unique(unique), val(0), postpone_timeout(false),
first_chunk(true), missed_bof(false), need_reassembly(false), done(false),
analyzers(this)
{
StaticInit();
@ -131,7 +130,8 @@ double File::GetLastActivityTime() const
void File::UpdateConnectionFields(Connection* conn)
{
if ( ! conn ) return;
if ( ! conn )
return;
Val* conns = val->Lookup(conns_idx);
@ -140,7 +140,8 @@ void File::UpdateConnectionFields(Connection* conn)
if ( ! conns )
{
is_first = true;
val->Assign(conns_idx, conns = empty_connection_table());
conns = empty_connection_table();
val->Assign(conns_idx, conns);
}
Val* idx = get_conn_id_val(conn);
@ -182,6 +183,7 @@ int File::Idx(const string& field)
int rval = fa_file_type->FieldOffset(field.c_str());
if ( rval < 0 )
reporter->InternalError("Unknown fa_file field: %s", field.c_str());
return rval;
}
@ -209,9 +211,12 @@ void File::SetTotalBytes(uint64 size)
bool File::IsComplete() const
{
Val* total = val->Lookup(total_bytes_idx);
if ( ! total ) return false;
if ( ! total )
return false;
if ( LookupFieldDefaultCount(seen_bytes_idx) >= total->AsCount() )
return true;
return false;
}
@ -232,7 +237,8 @@ bool File::RemoveAnalyzer(const RecordVal* args)
bool File::BufferBOF(const u_char* data, uint64 len)
{
if ( bof_buffer.full || bof_buffer.replayed ) return false;
if ( bof_buffer.full || bof_buffer.replayed )
return false;
uint64 desired_size = LookupFieldDefaultCount(bof_buffer_size_idx);
@ -250,7 +256,7 @@ bool File::BufferBOF(const u_char* data, uint64 len)
bool File::DetectMIME(const u_char* data, uint64 len)
{
const char* mime = bro_magic_buffer(magic_mime, data, len);
const char* mime = bro_magic_buffer(magic_mime_cookie, data, len);
if ( mime )
{
@ -268,7 +274,9 @@ bool File::DetectMIME(const u_char* data, uint64 len)
void File::ReplayBOF()
{
if ( bof_buffer.replayed ) return;
if ( bof_buffer.replayed )
return;
bof_buffer.replayed = true;
if ( bof_buffer.chunks.empty() )
@ -314,9 +322,7 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset)
// TODO: check reassembly requirement based on buffer size in record
if ( need_reassembly )
{
// TODO
}
reporter->InternalError("file_analyzer::File TODO: reassembly not yet supported");
// TODO: reassembly overflow stuff, increment overflow count, eval trigger
@ -327,7 +333,8 @@ void File::DataIn(const u_char* data, uint64 len)
{
analyzers.DrainModifications();
if ( BufferBOF(data, len) ) return;
if ( BufferBOF(data, len) )
return;
if ( missed_bof )
{
@ -360,7 +367,8 @@ void File::DataIn(const u_char* data, uint64 len)
void File::EndOfFile()
{
if ( done ) return;
if ( done )
return;
analyzers.DrainModifications();
@ -420,7 +428,8 @@ bool File::FileEventAvailable(EventHandlerPtr h)
void File::FileEvent(EventHandlerPtr h)
{
if ( ! FileEventAvailable(h) ) return;
if ( ! FileEventAvailable(h) )
return;
val_list* vl = new val_list();
vl->append(val->Ref());

30
src/file_analysis/File.h
View file

@ -1,9 +1,10 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_FILE_H
#define FILE_ANALYSIS_FILE_H
#include <string>
#include <vector>
#include <magic.h>
#include "AnalyzerTags.h"
#include "Conn.h"
@ -18,10 +19,7 @@ namespace file_analysis {
* Wrapper class around \c fa_file record values from script layer.
*/
class File {
friend class Manager;
public:
~File();
/**
@ -128,6 +126,7 @@ public:
void FileEvent(EventHandlerPtr h, val_list* vl);
protected:
friend class Manager;
/**
* Constructor; only file_analysis::Manager should be creating these.
@ -176,6 +175,17 @@ protected:
*/
bool DetectMIME(const u_char* data, uint64 len);
/**
* @return the field offset in #val record corresponding to \a field_name.
*/
static int Idx(const string& field_name);
/**
* Initializes static member.
*/
static void StaticInit();
private:
FileID id; /**< A pretty hash that likely identifies file */
string unique; /**< A string that uniquely identifies file */
RecordVal* val; /**< \c fa_file from script layer. */
@ -197,18 +207,6 @@ protected:
BroString::CVec chunks;
} bof_buffer; /**< Beginning of file buffer. */
/**
* @return the field offset in #val record corresponding to \a field_name.
*/
static int Idx(const string& field_name);
/**
* Initializes static member.
*/
static void StaticInit();
static magic_t magic_mime;
static string salt;
static int id_idx;

2
src/file_analysis/FileID.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_FILEID_H
#define FILE_ANALYSIS_FILEID_H

6
src/file_analysis/FileTimer.cc
View file

@ -1,9 +1,10 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include "Manager.h"
#include "File.h"
using namespace file_analysis;
FileTimer::FileTimer(double t, const FileID& id, double interval)
: Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id)
{
@ -15,7 +16,8 @@ void FileTimer::Dispatch(double t, int is_expire)
{
File* file = file_mgr->Lookup(file_id);
if ( ! file ) return;
if ( ! file )
return;
double last_active = file->GetLastActivityTime();
double inactive_time = t > last_active ? t - last_active : 0.0;

6
src/file_analysis/FileTimer.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_FILETIMER_H
#define FILE_ANALYSIS_FILETIMER_H
@ -12,7 +14,6 @@ namespace file_analysis {
*/
class FileTimer : public Timer {
public:
FileTimer(double t, const FileID& id, double interval);
/**
@ -21,8 +22,7 @@ public:
*/
void Dispatch(double t, int is_expire);
protected:
private:
FileID file_id;
};

10
src/file_analysis/Hash.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <string>
#include "Hash.h"
@ -19,7 +21,8 @@ Hash::~Hash()
bool Hash::DeliverStream(const u_char* data, uint64 len)
{
if ( ! hash->IsValid() ) return false;
if ( ! hash->IsValid() )
return false;
if ( ! fed )
fed = len > 0;
@ -41,10 +44,11 @@ bool Hash::Undelivered(uint64 offset, uint64 len)
void Hash::Finalize()
{
if ( ! hash->IsValid() || ! fed ) return;
if ( ! hash->IsValid() || ! fed )
return;
val_list* vl = new val_list();
vl->append(file->GetVal()->Ref());
vl->append(GetFile()->GetVal()->Ref());
vl->append(new StringVal(kind));
vl->append(hash->Get());

11
src/file_analysis/Hash.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_HASH_H
#define FILE_ANALYSIS_HASH_H
@ -15,7 +17,6 @@ namespace file_analysis {
*/
class Hash : public file_analysis::Analyzer {
public:
virtual ~Hash();
virtual bool DeliverStream(const u_char* data, uint64 len);
@ -25,11 +26,11 @@ public:
virtual bool Undelivered(uint64 offset, uint64 len);
protected:
Hash(RecordVal* args, File* file, HashVal* hv, const char* kind);
void Finalize();
private:
HashVal* hash;
bool fed;
const char* kind;
@ -37,12 +38,10 @@ protected:
class MD5 : public Hash {
public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
{ return file_hash ? new MD5(args, file) : 0; }
protected:
MD5(RecordVal* args, File* file)
: Hash(args, file, new MD5Val(), "md5")
{}
@ -50,12 +49,10 @@ protected:
class SHA1 : public Hash {
public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
{ return file_hash ? new SHA1(args, file) : 0; }
protected:
SHA1(RecordVal* args, File* file)
: Hash(args, file, new SHA1Val(), "sha1")
{}
@ -63,12 +60,10 @@ protected:
class SHA256 : public Hash {
public:
static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file)
{ return file_hash ? new SHA256(args, file) : 0; }
protected:
SHA256(RecordVal* args, File* file)
: Hash(args, file, new SHA256Val(), "sha256")
{}

74
src/file_analysis/Manager.cc
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#include <vector>
#include <string>
@ -25,6 +27,7 @@ void Manager::Terminate()
vector<FileID> keys;
for ( IDMap::iterator it = id_map.begin(); it != id_map.end(); ++it )
keys.push_back(it->first);
for ( size_t i = 0; i < keys.size(); ++i )
Timeout(keys[i], true);
}
@ -37,7 +40,8 @@ void Manager::SetHandle(const string& handle)
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( IsDisabled(tag) )
return;
GetFileHandle(tag, conn, is_orig);
DataIn(data, len, offset, GetFile(current_handle, conn, tag, is_orig));
@ -52,7 +56,8 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
File* file)
{
if ( ! file ) return;
if ( ! file )
return;
file->DataIn(data, len, offset);
@ -63,8 +68,11 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( IsDisabled(tag) )
return;
GetFileHandle(tag, conn, is_orig);
// Sequential data input shouldn't be going over multiple conns, so don't
// do the check to update connection set.
DataIn(data, len, GetFile(current_handle, conn, tag, is_orig, false));
@ -77,7 +85,8 @@ void Manager::DataIn(const u_char* data, uint64 len, const string& unique)
void Manager::DataIn(const u_char* data, uint64 len, File* file)
{
if ( ! file ) return;
if ( ! file )
return;
file->DataIn(data, len);
@ -93,7 +102,8 @@ void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn)
void Manager::EndOfFile(AnalyzerTag::Tag tag, Connection* conn, bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( IsDisabled(tag) )
return;
GetFileHandle(tag, conn, is_orig);
EndOfFile(current_handle);
@ -107,7 +117,8 @@ void Manager::EndOfFile(const string& unique)
void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
Connection* conn, bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( IsDisabled(tag) )
return;
GetFileHandle(tag, conn, is_orig);
Gap(offset, len, GetFile(current_handle, conn, tag, is_orig));
@ -120,7 +131,8 @@ void Manager::Gap(uint64 offset, uint64 len, const string& unique)
void Manager::Gap(uint64 offset, uint64 len, File* file)
{
if ( ! file ) return;
if ( ! file )
return;
file->Gap(offset, len);
}
@ -128,7 +140,8 @@ void Manager::Gap(uint64 offset, uint64 len, File* file)
void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
bool is_orig)
{
if ( IsDisabled(tag) ) return;
if ( IsDisabled(tag) )
return;
GetFileHandle(tag, conn, is_orig);
SetSize(size, GetFile(current_handle, conn, tag, is_orig));
@ -141,7 +154,8 @@ void Manager::SetSize(uint64 size, const string& unique)
void Manager::SetSize(uint64 size, File* file)
{
if ( ! file ) return;
if ( ! file )
return;
file->SetTotalBytes(size);
@ -153,7 +167,8 @@ bool Manager::PostponeTimeout(const FileID& file_id) const
{
File* file = Lookup(file_id);
if ( ! file ) return false;
if ( ! file )
return false;
file->postpone_timeout = true;
return true;
@ -163,7 +178,8 @@ bool Manager::SetTimeoutInterval(const FileID& file_id, double interval) const
{
File* file = Lookup(file_id);
if ( ! file ) return false;
if ( ! file )
return false;
file->SetTimeoutInterval(interval);
return true;
@ -173,7 +189,8 @@ bool Manager::AddAnalyzer(const FileID& file_id, RecordVal* args) const
{
File* file = Lookup(file_id);
if ( ! file ) return false;
if ( ! file )
return false;
return file->AddAnalyzer(args);
}
@ -182,7 +199,8 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const
{
File* file = Lookup(file_id);
if ( ! file ) return false;
if ( ! file )
return false;
return file->RemoveAnalyzer(args);
}
@ -190,8 +208,11 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const
File* Manager::GetFile(const string& unique, Connection* conn,
AnalyzerTag::Tag tag, bool is_orig, bool update_conn)
{
if ( unique.empty() ) return 0;
if ( IsIgnored(unique) ) return 0;
if ( unique.empty() )
return 0;
if ( IsIgnored(unique) )
return 0;
File* rval = str_map[unique];
@ -208,11 +229,14 @@ File* Manager::GetFile(const string& unique, Connection* conn,
id_map[id] = rval;
rval->ScheduleInactivityTimer();
if ( IsIgnored(unique) ) return 0;
if ( IsIgnored(unique) )
return 0;
}
else
{
rval->UpdateLastActivityTime();
if ( update_conn )
rval->UpdateConnectionFields(conn);
}
@ -224,7 +248,8 @@ File* Manager::Lookup(const FileID& file_id) const
{
IDMap::const_iterator it = id_map.find(file_id);
if ( it == id_map.end() ) return 0;
if ( it == id_map.end() )
return 0;
return it->second;
}
@ -233,7 +258,8 @@ void Manager::Timeout(const FileID& file_id, bool is_terminating)
{
File* file = Lookup(file_id);
if ( ! file ) return;
if ( ! file )
return;
file->postpone_timeout = false;
@ -258,7 +284,8 @@ bool Manager::IgnoreFile(const FileID& file_id)
{
IDMap::iterator it = id_map.find(file_id);
if ( it == id_map.end() ) return false;
if ( it == id_map.end() )
return false;
DBG_LOG(DBG_FILE_ANALYSIS, "Ignore FileID %s", file_id.c_str());
@ -271,7 +298,8 @@ bool Manager::RemoveFile(const string& unique)
{
StrMap::iterator it = str_map.find(unique);
if ( it == str_map.end() ) return false;
if ( it == str_map.end() )
return false;
it->second->EndOfFile();
@ -297,7 +325,8 @@ void Manager::GetFileHandle(AnalyzerTag::Tag tag, Connection* c, bool is_orig)
{
current_handle.clear();
if ( ! get_file_handle ) return;
if ( ! get_file_handle )
return;
val_list* vl = new val_list();
vl->append(new Val(tag, TYPE_COUNT));
@ -317,7 +346,8 @@ bool Manager::IsDisabled(AnalyzerTag::Tag tag)
Val* yield = disabled->Lookup(index);
Unref(index);
if ( ! yield ) return false;
if ( ! yield )
return false;
bool rval = yield->AsBool();
Unref(yield);

30
src/file_analysis/Manager.h
View file

@ -1,3 +1,5 @@
// See the file "COPYING" in the main distribution directory for copyright.
#ifndef FILE_ANALYSIS_MANAGER_H
#define FILE_ANALYSIS_MANAGER_H
@ -24,12 +26,8 @@ namespace file_analysis {
* Main entry point for interacting with file analysis.
*/
class Manager {
friend class FileTimer;
public:
Manager();
~Manager();
/**
@ -45,12 +43,12 @@ public:
/**
* Pass in non-sequential file data.
*/
void DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
void DataIn(const u_char* data, uint64 len, uint64 offset,
const string& unique);
void DataIn(const u_char* data, uint64 len, uint64 offset,
File* file);
void DataIn(const u_char* data, uint64 len, uint64 offset,
AnalyzerTag::Tag tag, Connection* conn, bool is_orig);
void DataIn(const u_char* data, uint64 len, uint64 offset,
const string& unique);
void DataIn(const u_char* data, uint64 len, uint64 offset,
File* file);
/**
* Pass in sequential file data.
@ -121,6 +119,7 @@ public:
bool IsIgnored(const string& unique);
protected:
friend class FileTimer;
typedef map<string, File*> StrMap;
typedef set<string> StrSet;
@ -167,12 +166,13 @@ protected:
*/
static bool IsDisabled(AnalyzerTag::Tag tag);
StrMap str_map; /**< Map unique string to file_analysis::File. */
IDMap id_map; /**< Map file ID to file_analysis::File records. */
StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */
string current_handle; /**< Last file handle set by get_file_handle event.*/
private:
StrMap str_map; /**< Map unique string to file_analysis::File. */
IDMap id_map; /**< Map file ID to file_analysis::File records. */
StrSet ignored; /**< Ignored files. Will be finally removed on EOF. */
string current_handle; /**< Last file handle set by get_file_handle event.*/
static TableVal* disabled; /**< Table of disabled analyzers. */
static TableVal* disabled; /**< Table of disabled analyzers. */
};
} // namespace file_analysis