Merge branch 'master' of ssh://git.bro-ids.org/bro

2025-10-11 19:18:19 +00:00 · 2013-08-26 13:57:47 -04:00 · 2013-08-26 13:57:47 -04:00 · abd7cdff43
commit abd7cdff43
parent 72d2cd363e df84083227
110 changed files with 1513 additions and 1677 deletions
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.bro
@ -7,6 +7,10 @@ export {
 	## The prefix where files are extracted to.
 	const prefix = "./extract_files/" &redef;

+	## The default max size for extracted files (they won't exceed this
+	## number of bytes), unlimited.
+	const default_limit = 0 &redef;
+
 	redef record Files::Info += {
 		## Local filenames of extracted file.
 		extracted: string &optional &log;
@ -17,9 +21,32 @@ export {
 		## This field is used in the core by the extraction plugin
 		## to know where to write the file to.  It's also optional
 		extract_filename: string &optional;
+		## The maximum allowed file size in bytes of *extract_filename*.
+		## Once reached, a :bro:see:`file_extraction_limit` event is
+		## raised and the analyzer will be removed unless
+		## :bro:see:`FileExtract::set_limit` is called to increase the
+		## limit.  A value of zero means "no limit".
+		extract_limit: count &default=default_limit;
 	};
+
+	## Sets the maximum allowed extracted file size.
+	##
+	## f: A file that's being extracted.
+	##
+	## args: Arguments that identify a file extraction analyzer.
+	##
+	## n: Allowed number of bytes to be extracted.
+	##
+	## Returns: false if a file extraction analyzer wasn't active for
+	##          the file, else true.
+	global set_limit: function(f: fa_file, args: Files::AnalyzerArgs, n: count): bool;
 }

+function set_limit(f: fa_file, args: Files::AnalyzerArgs, n: count): bool
+	{
+	return __set_limit(f$id, args, n);
+	}
+
 function on_add(f: fa_file, args: Files::AnalyzerArgs)
 	{
 	if ( ! args?$extract_filename )
@ -27,12 +54,10 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)

 	f$info$extracted = args$extract_filename;
 	args$extract_filename = build_path_compressed(prefix, args$extract_filename);
+	mkdir(prefix);
 	}

 event bro_init() &priority=10
 	{
 	Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
-
-	# Create the extraction directory.
-	mkdir(prefix);
-	}
+	}
--- a/scripts/policy/tuning/defaults/load.bro
+++ b/scripts/policy/tuning/defaults/load.bro
@ -1,2 +1,3 @@
@load ./packet-fragments
-@load ./warnings
+@load ./warnings
+@load ./extracted_file_limits.bro
--- a/scripts/policy/tuning/defaults/extracted_file_limits.bro
+++ b/scripts/policy/tuning/defaults/extracted_file_limits.bro
@ -0,0 +1,4 @@
+@load base/files/extract
+
+# 100 MB.
+redef FileExtract::default_limit = 104857600;
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -89,6 +89,7 @@
@load protocols/ssl/validate-certs.bro
@load tuning/__load__.bro
@load tuning/defaults/__load__.bro
+@load tuning/defaults/extracted_file_limits.bro
@load tuning/defaults/packet-fragments.bro
@load tuning/defaults/warnings.bro
@load tuning/logs-to-elasticsearch.bro