Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Updates the files event api and brings file reassembly up to master.

Browse source
This commit is contained in:
Seth Hall 2014-09-26 00:40:37 -04:00
parent 42b2d56279
commit cafd35e746
47 changed files with 515 additions and 637 deletions
Download patch file Download diff file Expand all files Collapse all files

42
src/file_analysis/analyzer/extract/Extract.cc
View file

@ -12,7 +12,7 @@ using namespace file_analysis;
Extract::Extract(RecordVal* args, File* file, const string& arg_filename,
uint64 arg_limit)
: file_analysis::Analyzer(file_mgr->GetComponentTag("EXTRACT"), args, file),
filename(arg_filename), limit(arg_limit)
filename(arg_filename), limit(arg_limit), depth(0)
{
fd = open(filename.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0666);
@ -53,7 +53,7 @@ file_analysis::Analyzer* Extract::Instantiate(RecordVal* args, File* file)
limit->AsCount());
}
static bool check_limit_exceeded(uint64 lim, uint64 len, uint64* n)
static bool check_limit_exceeded(uint64 lim, uint64 depth, uint64 len, uint64* n)
{
if ( lim == 0 )
{
@ -61,18 +61,21 @@ static bool check_limit_exceeded(uint64 lim, uint64 len, uint64* n)
return false;
}
//if ( off >= lim )
// {
// *n = 0;
// return true;
// }
//
//*n = lim - off;
if ( len > *n )
if ( depth >= lim )
{
*n = 0;
return true;
}
else if ( depth + len > lim )
{
printf("exceeded the maximum extraction lenght depth: %llu len: %llu lim: %llu\n", depth, len, lim);
*n = lim - depth;
return true;
}
else
{
*n = len;
}
return false;
}
@ -83,7 +86,7 @@ bool Extract::DeliverStream(const u_char* data, uint64 len)
return false;
uint64 towrite = 0;
bool limit_exceeded = check_limit_exceeded(limit, len, &towrite);
bool limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite);
if ( limit_exceeded && file_extraction_limit )
{
@ -95,12 +98,21 @@ bool Extract::DeliverStream(const u_char* data, uint64 len)
vl->append(new Val(len, TYPE_COUNT));
f->FileEvent(file_extraction_limit, vl);
// Limit may have been modified by BIF, re-check it.
limit_exceeded = check_limit_exceeded(limit, len, &towrite);
// Limit may have been modified by a BIF, re-check it.
limit_exceeded = check_limit_exceeded(limit, depth, len, &towrite);
}
if ( towrite > 0 )
safe_write(fd, (const char *) data, towrite);
{
safe_pwrite(fd, (const u_char *) data, towrite, depth);
depth += towrite;
}
return ( ! limit_exceeded );
}
bool Extract::Undelivered(uint64 offset, uint64 len)
{
depth += len;
return true;
}