mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 16:48:19 +00:00
Updated detection of Flash and AdobeAIR.
This commit is contained in:
Jan Grashoefer
parent
5ffe76f336
commit
b765c95d6e
2 changed files with 38 additions and 5 deletions
|
|
@ -280,6 +280,13 @@ function parse_mozilla(unparsed_version: string): Description
|
||||||
v = parse(parts[1])$version;
|
v = parse(parts[1])$version;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
|
||||||
|
{
|
||||||
|
software_name = "AdobeAIR";
|
||||||
|
parts = split_string_all(unparsed_version, /AdobeAIR\/[0-9\.]*/);
|
||||||
|
if ( 1 in parts )
|
||||||
|
v = parse(parts[1])$version;
|
||||||
|
}
|
||||||
else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
|
else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
|
||||||
{
|
{
|
||||||
software_name = "Unspecified WebKit";
|
software_name = "Unspecified WebKit";
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,8 @@ export {
|
||||||
redef record Info += {
|
redef record Info += {
|
||||||
## Indicates if the server is an omniture advertising server.
|
## Indicates if the server is an omniture advertising server.
|
||||||
omniture: bool &default=F;
|
omniture: bool &default=F;
|
||||||
|
## The unparsed Flash version, if detected.
|
||||||
|
flash_version: string &optional;
|
||||||
};
|
};
|
||||||
|
|
||||||
redef enum Software::Type += {
|
redef enum Software::Type += {
|
||||||
|
|
@ -22,12 +24,19 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
||||||
{
|
{
|
||||||
if ( is_orig )
|
if ( is_orig )
|
||||||
{
|
{
|
||||||
if ( name == "X-FLASH-VERSION" )
|
switch ( name )
|
||||||
{
|
{
|
||||||
# Flash doesn't include it's name so we'll add it here since it
|
case "X-FLASH-VERSION":
|
||||||
# simplifies the version parsing.
|
# Flash doesn't include it's name so we'll add it here since it
|
||||||
value = cat("Flash/", value);
|
# simplifies the version parsing.
|
||||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
c$http$flash_version = cat("Flash/", value);
|
||||||
|
break;
|
||||||
|
case "X-REQUESTED-WITH":
|
||||||
|
# This header is usually used to indicate AJAX requests (XMLHttpRequest),
|
||||||
|
# but Chrome uses this header also to indicate the use of Flash.
|
||||||
|
if ( /Flash/ in value )
|
||||||
|
c$http$flash_version = value;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|
@ -38,6 +47,23 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
|
||||||
|
{
|
||||||
|
# If a Flash was detected, it has to be logged considering the user agent.
|
||||||
|
if ( is_orig && c$http?$flash_version )
|
||||||
|
{
|
||||||
|
# AdobeAIR contains a seperate Flash, which should be emphasized.
|
||||||
|
# Note: We assume that the user agent header was not reset by the app.
|
||||||
|
if( c$http?$user_agent )
|
||||||
|
{
|
||||||
|
if ( /AdobeAIR/ in c$http$user_agent )
|
||||||
|
c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
|
||||||
|
}
|
||||||
|
|
||||||
|
Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
event log_http(rec: Info)
|
event log_http(rec: Info)
|
||||||
{
|
{
|
||||||
# We only want to inspect requests that were sent to omniture advertising
|
# We only want to inspect requests that were sent to omniture advertising
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue