Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

FileAnalysis: add libmagic file type detection.

Browse source
This commit is contained in:
Jon Siwek 2013-03-04 16:20:10 -06:00
parent 9425c2508f
commit c330b46128
2 changed files with 41 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

39
src/file_analysis/Info.cc
View file

@ -51,6 +51,9 @@ int Info::file_type_idx = -1;
int Info::mime_type_idx = -1; int Info::mime_type_idx = -1;
int Info::actions_idx = -1; int Info::actions_idx = -1;
magic_t Info::magic = 0;
magic_t Info::magic_mime = 0;
void Info::InitFieldIndices() void Info::InitFieldIndices()
{ {
if ( file_id_idx != -1 ) return; if ( file_id_idx != -1 ) return;
@ -71,6 +74,21 @@ void Info::InitFieldIndices()
actions_idx = Idx("actions"); actions_idx = Idx("actions");
} }
static void init_magic(magic_t* magic, int flags)
{
*magic = magic_open(flags);
if ( ! *magic )
reporter->Error("can't init libmagic: %s", magic_error(*magic));
else if ( magic_load(*magic, 0) < 0 )
{
reporter->Error("can't load magic file: %s", magic_error(*magic));
magic_close(*magic);
*magic = 0;
}
}
Info::Info(const string& unique, Connection* conn, const string& protocol) Info::Info(const string& unique, Connection* conn, const string& protocol)
: file_id(unique), unique(unique), val(0), last_activity_time(network_time), : file_id(unique), unique(unique), val(0), last_activity_time(network_time),
postpone_timeout(false), need_reassembly(false), done(false), postpone_timeout(false), need_reassembly(false), done(false),
@ -78,6 +96,12 @@ Info::Info(const string& unique, Connection* conn, const string& protocol)
{ {
InitFieldIndices(); InitFieldIndices();
if ( ! magic )
{
init_magic(&magic, MAGIC_NONE);
init_magic(&magic_mime, MAGIC_MIME);
}
char id[20]; char id[20];
uitoa_n(calculate_unique_id(), id, sizeof(id), 62); uitoa_n(calculate_unique_id(), id, sizeof(id), 62);
@ -233,12 +257,23 @@ void Info::ReplayBOF()
if ( bof_buffer.chunks.empty() ) return; if ( bof_buffer.chunks.empty() ) return;
val->Assign(bof_buffer_idx, new StringVal(concatenate(bof_buffer.chunks))); BroString* bs = concatenate(bof_buffer.chunks);
const char* desc = magic_buffer(magic, bs->Bytes(), bs->Len());
const char* mime = magic_buffer(magic_mime, bs->Bytes(), bs->Len());
val->Assign(bof_buffer_idx, new StringVal(bs));
if ( desc )
val->Assign(file_type_idx, new StringVal(desc));
if ( mime )
val->Assign(mime_type_idx, new StringVal(mime));
using BifEnum::FileAnalysis::TRIGGER_BOF_BUFFER; using BifEnum::FileAnalysis::TRIGGER_BOF_BUFFER;
file_mgr->EvaluatePolicy(TRIGGER_BOF_BUFFER, this); file_mgr->EvaluatePolicy(TRIGGER_BOF_BUFFER, this);
// TODO: libmagic stuff if ( desc || mime )
file_mgr->EvaluatePolicy(BifEnum::FileAnalysis::TRIGGER_TYPE, this);
for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i ) for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i )
DataIn(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len()); DataIn(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len());

4
src/file_analysis/Info.h
View file

@ -3,6 +3,7 @@
#include <string> #include <string>
#include <vector> #include <vector>
#include <magic.h>
#include "Conn.h" #include "Conn.h"
#include "Val.h" #include "Val.h"
@ -183,6 +184,9 @@ protected:
*/ */
static void InitFieldIndices(); static void InitFieldIndices();
static magic_t magic;
static magic_t magic_mime;
public: public:
static int file_id_idx; static int file_id_idx;
static int parent_file_id_idx; static int parent_file_id_idx;