Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Update some doc tests and line numbers

Browse source
This commit is contained in:
Daniel Thayer 2014-05-16 16:53:56 -05:00
parent d230eed7f8
commit bb7781d2f6
4 changed files with 50 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

2
doc/scripting/index.rst
View file

@ -87,7 +87,7 @@ Up until this point, the script has merely done some basic setup. With the next
the script starts to define instructions to take in a given event. the script starts to define instructions to take in a given event.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
:lines: 38-62 :lines: 38-71
The workhorse of the script is contained in the event handler for The workhorse of the script is contained in the event handler for
``file_hash``. The :bro:see:`file_hash` event allows scripts to access ``file_hash``. The :bro:see:`file_hash` event allows scripts to access

21
testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro.btest
View file

@ -39,28 +39,37 @@ export {
const notice_threshold = 10 &redef; const notice_threshold = 10 &redef;
} }
event file_hash(f: fa_file, kind: string, hash: string) function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
{ {
local hash_domain = fmt("%s.malware.hash.cymru.com", hash); local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
when ( local MHR_result = lookup_hostname_txt(hash_domain) ) when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{ {
# Data is returned as "<dateFirstDetected> <detectionRate>" # Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /); local MHR_answer = split1(MHR_result, / /);
if ( |MHR_answer| == 2 ) if ( |MHR_answer| == 2 )
{ {
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local mhr_detect_rate = to_count(MHR_answer[2]); local mhr_detect_rate = to_count(MHR_answer[2]);
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
if ( mhr_detect_rate >= notice_threshold ) if ( mhr_detect_rate >= notice_threshold )
{ {
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash); local virustotal_url = fmt(match_sub_url, hash);
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]); # We don't have the full fa_file record here in order to
# avoid the "when" statement cloning it (expensive!).
local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
Notice::populate_file_info2(fi, n);
NOTICE(n);
} }
} }
} }
} }
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
} }

21
testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
View file

@ -2,28 +2,37 @@
detect-MHR.bro detect-MHR.bro
event file_hash(f: fa_file, kind: string, hash: string) function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
{ {
local hash_domain = fmt("%s.malware.hash.cymru.com", hash); local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
when ( local MHR_result = lookup_hostname_txt(hash_domain) ) when ( local MHR_result = lookup_hostname_txt(hash_domain) )
{ {
# Data is returned as "<dateFirstDetected> <detectionRate>" # Data is returned as "<dateFirstDetected> <detectionRate>"
local MHR_answer = split1(MHR_result, / /); local MHR_answer = split1(MHR_result, / /);
if ( |MHR_answer| == 2 ) if ( |MHR_answer| == 2 )
{ {
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local mhr_detect_rate = to_count(MHR_answer[2]); local mhr_detect_rate = to_count(MHR_answer[2]);
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
if ( mhr_detect_rate >= notice_threshold ) if ( mhr_detect_rate >= notice_threshold )
{ {
local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected); local message = fmt("Malware Hash Registry Detection rate: %d%% Last seen: %s", mhr_detect_rate, readable_first_detected);
local virustotal_url = fmt(match_sub_url, hash); local virustotal_url = fmt(match_sub_url, hash);
NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]); # We don't have the full fa_file record here in order to
# avoid the "when" statement cloning it (expensive!).
local n: Notice::Info = Notice::Info($note=Match, $msg=message, $sub=virustotal_url);
Notice::populate_file_info2(fi, n);
NOTICE(n);
} }
} }
} }
} }
event file_hash(f: fa_file, kind: string, hash: string)
{
if ( kind == "sha1" && f?$mime_type && match_file_types in f$mime_type )
do_mhr_lookup(hash, Notice::create_file_info(f));
} }

2
testing/btest/doc/sphinx/include-scripts_policy_protocols_ssl_expiring-certs_bro.btest
View file

@ -5,4 +5,4 @@ expiring-certs.bro
NOTICE([$note=Certificate_Expires_Soon, NOTICE([$note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after), $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day, $conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]); $fuid=fuid]);