diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro
index 091c322990..754b788318 100644
--- a/scripts/base/files/pe/main.bro
+++ b/scripts/base/files/pe/main.bro
@@ -82,9 +82,9 @@ event file_state_remove(f: fa_file)
 Log::write(LOG, f$pe);
 }
-event file_new(f: fa_file)
+event file_mime_type(f: fa_file, mime_type: string)
 {
-if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ )
+if ( mime_type == /application\/x-dosexec.*/ )
 {
 Files::add_analyzer(f, Files::ANALYZER_PE);
 }
diff --git a/src/file_analysis/analyzer/pe/Plugin.cc b/src/file_analysis/analyzer/pe/Plugin.cc
index 1cc33b5759..8601dedb67 100644
--- a/src/file_analysis/analyzer/pe/Plugin.cc
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@@ -1,29 +1,24 @@
+// See the file in the main distribution directory for copyright.
+
 #include "plugin/Plugin.h"
-#include "file_analysis/Component.h"
 #include "PE.h"
-namespace plugin { namespace Bro_PE {
+namespace plugin {
+namespace Bro_PE {
 class Plugin : public plugin::Plugin {
-protected:
- void InitPreScript()
+public:
+ plugin::Configuration Configure()
 {
- SetName("Bro::PE");
- SetVersion(-1);
- SetAPIVersion(BRO_PLUGIN_API_VERSION);
- SetDynamicPlugin(false);
+ AddComponent(new ::file_analysis::Component("PE", ::file_analysis::PE::Instantiate));
- SetDescription("Portable Executable analyzer");
-
- AddComponent(new ::file_analysis::Component("PE",
- ::file_analysis::PE::Instantiate));
-
- extern std::list > __bif_events_init();
- AddBifInitFunction(&__bif_events_init);
+ plugin::Configuration config;
+ config.name = "Bro::PE";
+ config.description = "Portable Executable analyzer";
+ return config;
 }
-};
+} plugin;
-Plugin __plugin;
-
-} }
+}
+}
diff --git a/src/types.bif b/src/types.bif
index 70da9e14e0..180112dd8c 100644
--- a/src/types.bif
+++ b/src/types.bif
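Review bot: The analyzer is now attached on the bare `application/x-dosexec` MIME match, which (if that type is assigned on the `MZ` magic alone, as libmagic does) also covers DOS-only executables and any file that merely starts with `MZ`, so the PE analyzer has to treat a missing or out-of-range PE header as a benign non-PE input rather than a parse error; a one-line comment here would make that contract explicit: `# x-dosexec is matched on the MZ magic alone; the analyzer must tolerate non-PE MZ files.` Moving from `file_new` to `file_mime_type` is the right fix when the type is not yet known at `file_new` time, but nothing in the hunk records why, so the old `f?$mime_type` guard could be reintroduced later; a note such as `# Use file_mime_type, not file_new: the MIME type is not yet known when file_new fires.` would prevent that. I cannot see whether `file_mime_type` can fire more than once per file; if it can, this relies on `Files::add_analyzer` rejecting the duplicate.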
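Review bot: `#include "file_analysis/Component.h"` is dropped while `::file_analysis::Component` is still instantiated inside `Configure()`, so the file now compiles only if `PE.h` or `plugin/Plugin.h` happens to pull that header in transitively; keep the direct include, `#include "file_analysis/Component.h"`. `Configure()` presumably overrides a virtual in `plugin::Plugin`; if the tree is built as C++11, writing it as `plugin::Configuration Configure() override` lets the compiler catch a signature drift in the base class instead of silently hiding it. The global instance is named `plugin` inside `namespace plugin`, which shadows the namespace for any code added later in `Bro_PE` that writes `plugin::...`; a short comment that this is the framework's registration pattern would save the next reader a detour.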
@@ -168,22 +168,6 @@ type PE::FileHeader: record;
 type PE::OptionalHeader: record;
 type PE::SectionHeader: record;
-module Log;
-
-enum Writer %{
- WRITER_DEFAULT,
- WRITER_NONE,
- WRITER_ASCII,
- WRITER_DATASERIES,
- WRITER_SQLITE,
- WRITER_ELASTICSEARCH,
-%}
-
-enum ID %{
- Unknown,
-%}
-
-
 module Tunnel;
 enum Type %{
 NONE,