mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 00:58:19 +00:00
More file analysis updates.
- Recorrected the module name to Files.
- Added Files::analyzer_name to get a more readable name for a
file analyzer.
- Improved and just overall better handled multipart mime
transfers in HTTP and SMTP. HTTP now has orig_fuids and resp_fuids
log fields since multiple "files" can be transferred with
multipart mime in a single request/response pair. SMTP has
an fuids field which has file unique IDs for all parts
transferred. FTP and IRC have a log field named fuid added
because only a single file can be transferred per irc and ftp
log line.
This commit is contained in:
Seth Hall
parent
58d133e764
commit
cdf6b7864e
18 changed files with 257 additions and 120 deletions
|
|
@ -1,6 +1,4 @@
|
|||
@load ./main
|
||||
@load ./entities
|
||||
@load ./utils
|
||||
@load ./file-analysis
|
||||
#@load ./file-ident
|
||||
#@load ./file-hash
|
||||
#@load ./file-extract
|
||||
@load ./files
|
||||
70
scripts/base/protocols/http/entities.bro
Normal file
70
scripts/base/protocols/http/entities.bro
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
##! Analysis and logging for MIME entities found in HTTP sessions.
|
||||
|
||||
@load base/frameworks/files
|
||||
@load base/utils/strings
|
||||
@load base/utils/files
|
||||
@load ./main
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
type Entity: record {
|
||||
## Depth of the entity if multiple entities are sent in a single transaction.
|
||||
depth: count &default=0;
|
||||
|
||||
## Filename for the entity if discovered from a header.
|
||||
filename: string &optional;
|
||||
};
|
||||
|
||||
redef record Info += {
|
||||
## The current entity being seen.
|
||||
entity: Entity &optional;
|
||||
|
||||
## Current number of MIME entities in the HTTP request message body.
|
||||
orig_mime_depth: count &default=0;
|
||||
## Current number of MIME entities in the HTTP response message body.
|
||||
resp_mime_depth: count &default=0;
|
||||
};
|
||||
}
|
||||
|
||||
event http_begin_entity(c: connection, is_orig: bool) &priority=10
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
|
||||
if ( is_orig )
|
||||
++c$http$orig_mime_depth;
|
||||
else
|
||||
++c$http$resp_mime_depth;
|
||||
|
||||
c$http$entity = Entity($depth = is_orig ? c$http$orig_mime_depth : c$http$resp_mime_depth);
|
||||
}
|
||||
|
||||
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
|
||||
{
|
||||
if ( name == "CONTENT-DISPOSITION" &&
|
||||
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in value )
|
||||
{
|
||||
c$http$entity$filename = extract_filename_from_content_disposition(value);
|
||||
}
|
||||
else if ( name == "CONTENT-TYPE" &&
|
||||
/[nN][aA][mM][eE][:blank:]*=/ in value )
|
||||
{
|
||||
c$http$entity$filename = extract_filename_from_content_disposition(value);
|
||||
}
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
{
|
||||
if ( f$source == "HTTP" && c$http?$entity )
|
||||
{
|
||||
f$info$depth = c$http$entity$depth;
|
||||
if ( c$http$entity?$filename )
|
||||
f$info$filename = c$http$entity$filename;
|
||||
}
|
||||
}
|
||||
|
||||
event http_end_entity(c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
if ( c?$http && c$http?$entity )
|
||||
delete c$http$entity;
|
||||
}
|
||||
|
|
@ -1,17 +1,17 @@
|
|||
@load ./main
|
||||
@load ./entities
|
||||
@load ./utils
|
||||
@load base/utils/conn-ids
|
||||
@load base/frameworks/files
|
||||
|
||||
module HTTP;
|
||||
|
||||
export {
|
||||
redef record Info += {
|
||||
## The sniffed mime type of the data being sent by the client.
|
||||
client_mime_type: string &log &optional;
|
||||
## An ordered vector of file unique IDs seen sent by the originator (client).
|
||||
orig_fuids: vector of string &log &default=string_vec();
|
||||
|
||||
## The sniffed mime type of the data being returned by the server.
|
||||
mime_type: string &log &optional;
|
||||
## An ordered vector of file unique IDs seen sent by the responder (server).
|
||||
resp_fuids: vector of string &log &default=string_vec();
|
||||
};
|
||||
|
||||
## Default file handle provider for HTTP.
|
||||
|
|
@ -26,33 +26,27 @@ function get_file_handle(c: connection, is_orig: bool): string
|
|||
local mime_depth = is_orig ? c$http$orig_mime_depth : c$http$resp_mime_depth;
|
||||
if ( c$http$range_request )
|
||||
{
|
||||
return cat(ANALYZER_HTTP, is_orig, c$id$orig_h, mime_depth, build_url(c$http));
|
||||
return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, mime_depth, build_url(c$http));
|
||||
}
|
||||
else
|
||||
{
|
||||
return cat(ANALYZER_HTTP, c$start_time, is_orig,
|
||||
return cat(Analyzer::ANALYZER_HTTP, c$start_time, is_orig,
|
||||
c$http$trans_depth, mime_depth, id_string(c$id));
|
||||
}
|
||||
}
|
||||
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
Files::register_protocol(ANALYZER_HTTP, HTTP::get_file_handle);
|
||||
Files::register_protocol(Analyzer::ANALYZER_HTTP, HTTP::get_file_handle);
|
||||
}
|
||||
|
||||
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
||||
{
|
||||
if ( c?$http )
|
||||
{
|
||||
#if (!f?$mime_type)
|
||||
# print f;
|
||||
#
|
||||
#if ( f$is_orig )
|
||||
# c$http$client_mime_type = f$mime_type;
|
||||
#else
|
||||
# c$http$mime_type = f$mime_type;
|
||||
|
||||
if ( c$http?$filename )
|
||||
f$info$filename = c$http$filename;
|
||||
if ( f$is_orig )
|
||||
c$http$orig_fuids[|c$http$orig_fuids|] = f$id;
|
||||
else
|
||||
c$http$resp_fuids[|c$http$resp_fuids|] = f$id;
|
||||
}
|
||||
}
|
||||
|
|
@ -75,10 +75,6 @@ export {
|
|||
## Indicates if this request can assume 206 partial content in
|
||||
## response.
|
||||
range_request: bool &default=F;
|
||||
## Number of MIME entities in the HTTP request message body so far.
|
||||
orig_mime_depth: count &default=0;
|
||||
## Number of MIME entities in the HTTP response message body so far.
|
||||
resp_mime_depth: count &default=0;
|
||||
};
|
||||
|
||||
## Structure to maintain state for an HTTP connection with multiple
|
||||
|
|
@ -104,8 +100,8 @@ export {
|
|||
} &redef;
|
||||
|
||||
## A list of HTTP methods. Other methods will generate a weird. Note
|
||||
## that the HTTP analyzer will only accept methods consisting solely
|
||||
## of letters ``[A-Za-z]``.
|
||||
## that the HTTP analyzer will only accept methods consisting solely
|
||||
## of letters ``[A-Za-z]``.
|
||||
const http_methods: set[string] = {
|
||||
"GET", "POST", "HEAD", "OPTIONS",
|
||||
"PUT", "DELETE", "TRACE", "CONNECT",
|
||||
|
|
@ -275,25 +271,9 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
else # server headers
|
||||
{
|
||||
if ( name == "CONTENT-DISPOSITION" &&
|
||||
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in value )
|
||||
c$http$filename = extract_filename_from_content_disposition(value);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
event http_begin_entity(c: connection, is_orig: bool) &priority=5
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
|
||||
if ( is_orig )
|
||||
++c$http$orig_mime_depth;
|
||||
else
|
||||
++c$http$resp_mime_depth;
|
||||
}
|
||||
|
||||
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority = 5
|
||||
{
|
||||
set_state(c, F, is_orig);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue