Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 07:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixed a problem with file names and path names containing nulls.

Browse source 
This would come up when a string is UTF-16 containing characters
outside of straight ASCII.  The file analysis framework uses
CheckString to create file IDs which can't cope with the NULL bytes.
This commit is contained in:
Seth Hall 2016-03-03 15:52:34 -05:00
parent e02c612742
commit b9afc01d91
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/protocols/smb/files.bro
View file

@ -25,8 +25,11 @@ function get_file_handle(c: connection, is_orig: bool): string
local file_name = current_file?$name ? current_file$name : ""; local file_name = current_file?$name ? current_file$name : "";
# Include last_mod time if available because if a file has been modified it # Include last_mod time if available because if a file has been modified it
# should be considered a new file. # should be considered a new file.
local last_mod = current_file?$times ? current_file$times$modified : double_to_time(0.0); local last_mod = cat(current_file?$times ? current_file$times$modified : double_to_time(0.0));
return cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod); # TODO: This is doing hexdump to avoid problems due to file analysis handling
# using CheckString which is not immune to encapsulated null bytes.
# This needs to be fixed lower in the file analysis code later.
return hexdump(cat(Analyzer::ANALYZER_SMB, c$id$orig_h, c$id$resp_h, path_name, file_name, last_mod));
} }
function describe_file(f: fa_file): string function describe_file(f: fa_file): string