Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

FileAnalysis: small tweak to file handle generation.

Browse source 
For files that go over a single connection, add connection start time
to handle, so the file id will always differ even if the same connection
parameters are later used to transfer a file (same one or different).
This commit is contained in:
Jon Siwek 2013-03-12 16:06:06 -05:00
parent 3dd513e26e
commit bb3228e8f6
2 changed files with 10 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/base/frameworks/file-analysis/main.bro
View file

@ -127,16 +127,19 @@ function get_handle(c: connection, is_orig: bool): string
local cid: conn_id = c$id; local cid: conn_id = c$id;
if ( "ftp-data" in c$service ) if ( "ftp-data" in c$service )
rval = fmt("%s: %s", "ftp-data", conn_str(c)); rval = fmt("%s ftp-data: %s", c$start_time, conn_str(c));
if ( "irc-dcc-data" in c$service )
rval = fmt("%s irc-dcc-data: %s", c$start_time, conn_str(c));
else if ( c?$http ) else if ( c?$http )
{ {
if ( c$http$range_request ) if ( c$http$range_request )
rval = fmt("http(%s): %s: %s", is_orig, c$id$orig_h, rval = fmt("%s http(%s): %s: %s", c$start_time, is_orig,
HTTP::build_url(c$http)); c$id$orig_h, HTTP::build_url(c$http));
else else
rval = fmt("http(%s, %s): %s", is_orig, c$http$trans_depth, rval = fmt("%s http(%s, %s): %s", c$start_time, is_orig,
conn_str(c)); c$http$trans_depth, conn_str(c));
} }
#print fmt("file handle: %s", rval); #print fmt("file handle: %s", rval);

2
src/HTTP.cc
View file

@ -855,6 +855,8 @@ void HTTP_Analyzer::Done()
Unref(unanswered_requests.front()); Unref(unanswered_requests.front());
unanswered_requests.pop(); unanswered_requests.pop();
} }
file_mgr->EndOfFile(Conn());
} }
void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)