Merge branch 'master' into topic/jsiwek/faf-updates

Conflicts:
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
Jon Siwek 2013-07-31 10:05:36 -05:00
commit 9bd7a65071
91 changed files with 14058 additions and 402 deletions


@ -114,7 +114,7 @@ function ftp_message(s: Info)
s$arg = s$cmdarg$arg;
if ( s$cmdarg$cmd in file_cmds )
s$arg = build_url_ftp(s);
if ( s$arg == "" )
delete s$arg;
@ -142,7 +142,7 @@ function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
s$passive = chan$passive;
s$data_channel = chan;
ftp_data_expected[chan$resp_h, chan$resp_p] = s;
Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p,
Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p,
Analyzer::ANALYZER_FTP_DATA,
5mins);
}


@ -13,7 +13,7 @@ export {
##
## Returns: A URL, not prefixed by "ftp://".
global build_url: function(rec: Info): string;
## Creates a URL from an :bro:type:`FTP::Info` record.
##
## rec: An :bro:type:`FTP::Info` record.
@ -36,7 +36,7 @@ function build_url(rec: Info): string
return fmt("%s%s", addr_to_uri(rec$id$resp_h), comp_path);
}
function build_url_ftp(rec: Info): string
{
return fmt("ftp://%s", build_url(rec));


@ -16,7 +16,7 @@ export {
function get_file_handle(c: connection, is_orig: bool): string
{
if ( ! c?$http )
if ( ! c?$http )
return "";
if ( c$http$range_request && ! is_orig )
@ -29,7 +29,7 @@ function get_file_handle(c: connection, is_orig: bool): string
else
{
local mime_depth = is_orig ? c$http$orig_mime_depth : c$http$resp_mime_depth;
return cat(Analyzer::ANALYZER_HTTP, c$start_time, is_orig,
return cat(Analyzer::ANALYZER_HTTP, c$start_time, is_orig,
c$http$trans_depth, mime_depth, id_string(c$id));
}
}


@ -1,5 +1,5 @@
##! Implements base functionality for HTTP analysis. The logging model is
##! to log request/response pairs and all relevant metadata together in
##! Implements base functionality for HTTP analysis. The logging model is
##! to log request/response pairs and all relevant metadata together in
##! a single record.
@load base/utils/numbers
@ -15,10 +15,10 @@ export {
## Placeholder.
EMPTY
};
## This setting changes if passwords used in Basic-Auth are captured or not.
const default_capture_password = F &redef;
type Info: record {
## Timestamp for when the request happened.
ts: time &log;
@ -26,7 +26,7 @@ export {
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Represents the pipelined depth into the connection of this
## Represents the pipelined depth into the connection of this
## request/response transaction.
trans_depth: count &log;
## Verb used in the HTTP request (GET, POST, HEAD, etc.).
@ -60,24 +60,24 @@ export {
## A set of indicators of various attributes discovered and
## related to a particular request/response pair.
tags: set[Tags] &log;
## Username if basic-auth is performed for the request.
username: string &log &optional;
## Password if basic-auth is performed for the request.
password: string &log &optional;
## Determines if the password will be captured for this request.
capture_password: bool &default=default_capture_password;
## All of the headers that may indicate if the request was proxied.
proxied: set[string] &log &optional;
## Indicates if this request can assume 206 partial content in
## response.
range_request: bool &default=F;
};
## Structure to maintain state for an HTTP connection with multiple
## Structure to maintain state for an HTTP connection with multiple
## requests and responses.
type State: record {
## Pending requests.
@ -87,7 +87,7 @@ export {
## Current response in the pending queue.
current_response: count &default=0;
};
## A list of HTTP headers typically used to indicate proxied requests.
const proxy_headers: set[string] = {
"FORWARDED",
@ -111,8 +111,8 @@ export {
"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
"SEARCH"
} &redef;
## Event that can be handled to access the HTTP record as it is sent on
## Event that can be handled to access the HTTP record as it is sent on
## to the logging framework.
global log_http: event(rec: Info);
}
@ -147,12 +147,12 @@ function new_http_session(c: connection): Info
tmp$ts=network_time();
tmp$uid=c$uid;
tmp$id=c$id;
# $current_request is set prior to the Info record creation so we
# $current_request is set prior to the Info record creation so we
# can use the value directly here.
tmp$trans_depth = c$http_state$current_request;
return tmp;
}
function set_state(c: connection, request: bool, is_orig: bool)
{
if ( ! c?$http_state )
@ -160,19 +160,19 @@ function set_state(c: connection, request: bool, is_orig: bool)
local s: State;
c$http_state = s;
}
# These deal with new requests and responses.
if ( request || c$http_state$current_request !in c$http_state$pending )
c$http_state$pending[c$http_state$current_request] = new_http_session(c);
if ( ! is_orig && c$http_state$current_response !in c$http_state$pending )
c$http_state$pending[c$http_state$current_response] = new_http_session(c);
if ( is_orig )
c$http = c$http_state$pending[c$http_state$current_request];
else
c$http = c$http_state$pending[c$http_state$current_response];
}
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=5
{
@ -181,17 +181,17 @@ event http_request(c: connection, method: string, original_URI: string,
local s: State;
c$http_state = s;
}
++c$http_state$current_request;
set_state(c, T, T);
c$http$method = method;
c$http$uri = unescaped_URI;
if ( method !in http_methods )
event conn_weird("unknown_HTTP_method", c, method);
}
event http_reply(c: connection, version: string, code: count, reason: string) &priority=5
{
if ( ! c?$http_state )
@ -199,7 +199,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
local s: State;
c$http_state = s;
}
# If the last response was an informational 1xx, we're still expecting
# the real response to the request, so don't create a new Info record yet.
if ( c$http_state$current_response !in c$http_state$pending ||
@ -207,7 +207,7 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
! code_in_range(c$http_state$pending[c$http_state$current_response]$status_code, 100, 199)) )
++c$http_state$current_response;
set_state(c, F, F);
c$http$status_code = code;
c$http$status_msg = reason;
if ( code_in_range(code, 100, 199) )
@ -216,33 +216,33 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
c$http$info_msg = reason;
}
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
{
set_state(c, F, is_orig);
if ( is_orig ) # client headers
{
if ( name == "REFERER" )
c$http$referrer = value;
else if ( name == "HOST" )
# The split is done to remove the occasional port value that shows up here.
c$http$host = split1(value, /:/)[1];
else if ( name == "RANGE" )
c$http$range_request = T;
else if ( name == "USER-AGENT" )
c$http$user_agent = value;
else if ( name in proxy_headers )
{
if ( ! c$http?$proxied )
c$http$proxied = set();
add c$http$proxied[fmt("%s -> %s", name, value)];
}
else if ( name == "AUTHORIZATION" )
{
if ( /^[bB][aA][sS][iI][cC] / in value )
@ -266,17 +266,17 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
}
}
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5
{
set_state(c, F, is_orig);
if ( is_orig )
c$http$request_body_len = stat$body_length;
else
c$http$response_body_len = stat$body_length;
}
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = -5
{
# The reply body is done so we're ready to log.
@ -305,4 +305,4 @@ event connection_state_remove(c: connection) &priority=-5
}
}
}


@ -2,7 +2,7 @@
##!
##! There is a major problem with this script in the cluster context because
##! we might see A send B a message that a DCC connection is to be expected,
##! but that connection will actually be between B and C which could be
##! but that connection will actually be between B and C which could be
##! analyzed on a different worker.
##!
@ -44,7 +44,7 @@ function log_dcc(f: fa_file)
Log::write(IRC::LOG, irc);
irc$command = tmp;
# Delete these values in case another DCC transfer
# Delete these values in case another DCC transfer
# happens during the IRC session.
delete irc$dcc_file_name;
delete irc$dcc_file_size;
@ -57,7 +57,7 @@ function log_dcc(f: fa_file)
event file_new(f: fa_file) &priority=-5
{
if ( f$source == "IRC_DATA" )
if ( f$source == "IRC_DATA" )
log_dcc(f);
}


@ -19,7 +19,7 @@ export {
};
redef record State += {
## Track the number of MIME encoded files transferred
## Track the number of MIME encoded files transferred
## during a session.
mime_depth: count &default=0;
};
@ -33,7 +33,7 @@ event mime_begin_entity(c: connection) &priority=10
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{
if ( f$source == "SMTP" && c?$smtp )
if ( f$source == "SMTP" && c?$smtp )
{
if ( c$smtp?$entity && c$smtp$entity?$filename )
f$info$filename = c$smtp$entity$filename;
@ -57,6 +57,6 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
event mime_end_entity(c: connection) &priority=5
{
if ( c?$smtp && c$smtp?$entity )
if ( c?$smtp && c$smtp?$entity )
delete c$smtp$entity;
}


@ -226,7 +226,10 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
{
if ( ! c$smtp?$to )
c$smtp$to = set();
add c$smtp$to[h$value];
local to_parts = split(h$value, /[[:blank:]]*,[[:blank:]]*/);
for ( i in to_parts )
add c$smtp$to[to_parts[i]];
}
else if ( h$name == "X-ORIGINATING-IP" )
@ -296,4 +299,4 @@ function describe(rec: Info): string
(abbrev_subject != "" ? fmt(": %s", abbrev_subject) : ""));
}
return "";
}
}
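Review bot: The new To: parsing in the first hunk splits `h$value` on every comma, so a quoted display name that itself contains a comma (RFC 5322 permits `"Last, First" <addr>`) is broken into two meaningless fragments, and a trailing comma or an empty header value inserts an empty string into `c$smtp$to`. The empty-member case is cheap to guard in the loop: `if ( to_parts[i] != "" ) add c$smtp$to[to_parts[i]];`. The quoted-name case needs an address-list parser rather than a regex; until then a comment such as `# Naive comma split: commas inside quoted display names are not handled.` would document the limitation for anyone consuming the logged `to` field. The enclosing mime_one_header handler starts and ends outside the hunk.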