mirror of
https://github.com/zeek/zeek.git
synced 2025-10-16 21:48:21 +00:00
Review/fix/change file reassembly functionality.
- Re-arrange how some fa_file fields (e.g. source, connection info, mime type) get updated/set for consistency. - Add more robust mechanisms for flushing the reassembly buffer. The goal being to report all gaps and deliveries to file analyzers regardless of the state of the reassembly buffer at the time it has to be flushed.
This commit is contained in:
Jon Siwek
parent
edaf7edc11
commit
cbbe7b52dc
26 changed files with 370 additions and 238 deletions
|
|
@ -133,7 +133,7 @@ export {
|
|||
## each file.
|
||||
const enable_reassembler = T &redef;
|
||||
|
||||
## The default allow per-file reassembly buffer size.
|
||||
## The default per-file reassembly buffer size.
|
||||
const reassembly_buffer_size = 1048576 &redef;
|
||||
|
||||
## Allows the file reassembler to be used if it's necessary because the
|
||||
|
|
@ -490,7 +490,6 @@ event file_mime_type(f: fa_file, mime_type: string) &priority=10
|
|||
|
||||
f$info$mime_type = mime_type;
|
||||
|
||||
|
||||
if ( analyze_by_mime_type_automatically &&
|
||||
mime_type in mime_type_to_analyzers )
|
||||
{
|
||||
|
|
|
|||
|
|
@ -353,8 +353,9 @@ type connection: record {
|
|||
## gives up and discards any internal state related to the file.
|
||||
const default_file_timeout_interval: interval = 2 mins &redef;
|
||||
|
||||
## Default amount of bytes that file analysis will buffer to provide
|
||||
## data back in time to attached analyzers
|
||||
## Default amount of bytes that file analysis will buffer in order to use
|
||||
## for mime type matching. File analyzers attached at the time of mime type
|
||||
## matching or later, will receive a copy of this buffer.
|
||||
const default_file_bof_buffer_size: count = 4096 &redef;
|
||||
|
||||
## A file that Bro is analyzing. This is Bro's type for describing the basic
|
||||
|
|
@ -395,8 +396,9 @@ type fa_file: record {
|
|||
missing_bytes: count &default=0;
|
||||
|
||||
## The number of bytes in the file stream that were not delivered to
|
||||
## stream file analyzers. This could be overlapping bytes or
|
||||
## bytes that couldn't be reassembled.
|
||||
## stream file analyzers. Generally, this consists of bytes that
|
||||
## couldn't be reassembled, either because reassembly simply isn't
|
||||
## enabled, or due to size limitations of the reassembly buffer.
|
||||
overflow_bytes: count &default=0;
|
||||
|
||||
## The amount of time between receiving new data for this file that
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue