FileAnalysis: remove some file events.
The file_new event now takes over the roles of the file_type, file_bof, and file_bof_buffer events.
parent
a2d9b47bcd
commit
d9321e2203
28 changed files with 191 additions and 243 deletions
@ -24,15 +24,26 @@ redef record Info += {
|
|||
extract_file: bool &default=F;
|
||||
};
|
||||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
return r;
|
||||
}
|
||||
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "FTP_DATA" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local extracting: bool = F;
|
||||
if ( f?$mime_type && extract_file_types in f$mime_type )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=get_extraction_name(f)]);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
|
@ -44,31 +55,10 @@ event file_new(f: fa_file) &priority=5
|
|||
|
||||
if ( ! s$extract_file ) next;
|
||||
|
||||
if ( ! extracting )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
++extract_count;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "FTP_DATA" ) return;
|
||||
if ( extract_file_types !in f$mime_type ) return;
|
||||
|
||||
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=get_extraction_name(f)]);
|
||||
return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
++extract_count;
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
}
|
||||
}
|
||||
|
||||
event file_state_remove(f: fa_file) &priority=4
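Review bot: `get_extraction_name` at L24–L39 is added without any doc comment, and the same six-line function is duplicated verbatim in the HTTP (L217), IRC (L833) and SMTP (L1171) hunks of this commit, each with its own module-level `extract_count`. One shared helper under the file-analysis framework would keep the `extraction_prefix`/counter naming scheme in a single place; short of that, each copy should at least carry a header such as `## Returns a fresh extraction filename for *f* and advances the module's extract_count counter.` Note that the function increments the counter even if the caller never hands the name to an action, so a gap in the sequence is not an error. The new `file_new` body continues past the first hunk, so its per-connection branch is only partially visible here.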
|
||||
|
|
|
@ -25,32 +25,11 @@ export {
|
|||
|
||||
global extract_count: count = 0;
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( extract_file_types !in f$mime_type ) return;
|
||||
|
||||
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
|
||||
return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
event file_new(f: fa_file) &priority=5
|
||||
|
@ -59,27 +38,47 @@ event file_new(f: fa_file) &priority=5
|
|||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local fname: string;
|
||||
local c: connection;
|
||||
|
||||
if ( f?$mime_type && extract_file_types in f$mime_type )
|
||||
{
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
c = f$conns[cid];
|
||||
if ( ! c?$http ) next;
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
local extracting: bool = F;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
c = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
if ( c$http$extract_file )
|
||||
{
|
||||
if ( ! extracting )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
++extract_count;
|
||||
}
|
||||
if ( ! c$http$extract_file ) next;
|
||||
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
break;
|
||||
}
|
||||
|
||||
if ( extracting )
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
c = f$conns[cid];
|
||||
if ( ! c?$http ) next;
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
}
|
||||
}
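Review bot: The loop that copies `fname` into `c$http$extraction_file` appears twice in the new handler, at L346–L361 and again at L453–L468, and the mime-type branch returns early at L366 only to skip the second copy. Setting `extracting = T` in the mime-type branch instead of returning lets a single propagation loop serve both triggers, and the two `next` guards in the search loop can be merged; the behaviour (extract once, then name the file on every HTTP connection) is unchanged. The handler's signature lies above the hunk, so the `if ( ! f?$conns ) return;` context line at L310 is used below as the placement point.
```zeek
	if ( ! f?$conns ) return;

	local fname: string;
	local c: connection;
	local extracting: bool = F;

	if ( f?$mime_type && extract_file_types in f$mime_type )
		{
		fname = get_extraction_name(f);
		FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
		                             $extract_filename=fname]);
		extracting = T;
		}
	else
		{
		for ( cid in f$conns )
			{
			c = f$conns[cid];
			if ( ! c?$http || ! c$http$extract_file ) next;

			fname = get_extraction_name(f);
			FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
			                             $extract_filename=fname]);
			extracting = T;
			break;
			}
		}

	if ( ! extracting ) return;

	# One propagation pass covers both triggers above.
	for ( cid in f$conns )
		{
		c = f$conns[cid];
		if ( ! c?$http ) next;
		c$http$extraction_file = fname;
		}
	}
```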
|
||||
|
|
|
@ -23,28 +23,29 @@ export {
|
|||
&redef;
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
|
||||
if ( generate_md5 in f$mime_type )
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
else if ( f?$conns )
|
||||
if ( f?$mime_type && generate_md5 in f$mime_type )
|
||||
{
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
if ( c$http$calc_md5 )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
}
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
if ( ! c$http$calc_md5 ) next;
|
||||
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
}
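Review bot: The new `file_new` handler at L494–L602 has two independent triggers for the MD5 action — the mime-type match against `generate_md5` at L520 and the per-connection `calc_md5` flag at L588 — but nothing documents that either one is sufficient or that the `return` at L596 makes the first matching connection win. A one-line comment above the handler would make the policy explicit, e.g. `# Hash the file when its mime type matches generate_md5, or when any HTTP connection carrying it asked for it via calc_md5; the action is added at most once.` The `if ( ! f?$conns ) return;` at L549 correctly guards the loop now that the mime branch returns first.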
|
||||
|
||||
|
|
|
@ -34,11 +34,11 @@ export {
|
|||
const ignored_incorrect_file_type_urls = /^$/ &redef;
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
|
@ -68,9 +68,9 @@ event file_type(f: fa_file) &priority=5
|
|||
|
||||
event file_over_new_connection(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
# Spread the mime around (e.g. for partial content, file_type event only
|
||||
|
@ -80,9 +80,7 @@ event file_over_new_connection(f: fa_file) &priority=5
|
|||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
c$http$mime_type = f$mime_type;
|
||||
}
|
||||
}
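Review bot: The comment at L679 still reads `file_type event only` although this commit removes the `file_type` event; the renamed handler at L624 now does that work, so the comment should refer to `file_new` instead. The sentence continues past the hunk, so the rest of it needs the same check. The reordering of the `f?$mime_type` guard at L639 and L671 is behaviour-neutral since all the checks are early returns; the `file_over_new_connection` body at L656 also continues outside the hunk.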
|
||||
|
|
|
@ -41,38 +41,6 @@ global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins;
|
|||
|
||||
global extract_count: count = 0;
|
||||
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local extracting: bool = F;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
|
||||
|
||||
local s = dcc_expected_transfers[cid$resp_h, cid$resp_p];
|
||||
|
||||
if ( ! s$extract_file ) next;
|
||||
|
||||
if ( ! extracting )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
++extract_count;
|
||||
}
|
||||
|
||||
s$extraction_file = fname;
|
||||
}
|
||||
}
|
||||
|
||||
function set_dcc_mime(f: fa_file)
|
||||
{
|
||||
if ( ! f?$conns ) return;
|
||||
|
@ -105,6 +73,60 @@ function set_dcc_extraction_file(f: fa_file, filename: string)
|
|||
}
|
||||
}
|
||||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
return r;
|
||||
}
|
||||
|
||||
# this handler sets the IRC::Info mime type
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
|
||||
set_dcc_mime(f);
|
||||
}
|
||||
|
||||
# this handler check if file extraction is desired
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
|
||||
local fname: string;
|
||||
|
||||
if ( f?$mime_type && extract_file_types in f$mime_type )
|
||||
{
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
set_dcc_extraction_file(f, fname);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
|
||||
|
||||
local s = dcc_expected_transfers[cid$resp_h, cid$resp_p];
|
||||
|
||||
if ( ! s$extract_file ) next;
|
||||
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
s$extraction_file = fname;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
function log_dcc(f: fa_file)
|
||||
{
|
||||
if ( ! f?$conns ) return;
|
||||
|
@ -134,28 +156,7 @@ function log_dcc(f: fa_file)
|
|||
}
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
|
||||
set_dcc_mime(f);
|
||||
|
||||
if ( extract_file_types !in f$mime_type ) return;
|
||||
|
||||
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
|
||||
return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
++extract_count;
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
set_dcc_extraction_file(f, fname);
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=-5
|
||||
event file_new(f: fa_file) &priority=-5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
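Review bot: In the new extraction handler at L884–L978 the local `c` assigned at L940 is never read — the loop looks up `dcc_expected_transfers` by `cid` and writes through `s` — so that line can be dropped; the handler comment at L881 should also read `# This handler checks whether file extraction is desired.` Both `file_new` handlers at L856 and L884 run at `&priority=5`; the second does not appear to depend on anything the first sets (it only reads `f$mime_type` from the file record), which is presumably why the shared priority is fine, but a short comment stating that there is no ordering dependency would stop a later reader from guessing.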
|
||||
|
|
|
@ -12,7 +12,8 @@ export {
|
|||
};
|
||||
|
||||
## This is the default value for how much of the entity body should be
|
||||
## included for all MIME entities.
|
||||
## included for all MIME entities. The lesser of this value and
|
||||
## :bro:see:`default_file_bof_buffer_size` will be used.
|
||||
const default_entity_excerpt_len = 0 &redef;
|
||||
}
|
||||
|
||||
|
@ -20,16 +21,7 @@ event file_new(f: fa_file) &priority=5
|
|||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "SMTP" ) return;
|
||||
|
||||
if ( default_entity_excerpt_len > f$bof_buffer_size )
|
||||
f$bof_buffer_size = default_entity_excerpt_len;
|
||||
}
|
||||
|
||||
event file_bof_buffer(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$bof_buffer ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "SMTP" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
|
|
|
@ -88,6 +88,13 @@ function set_session(c: connection, new_entity: bool)
|
|||
}
|
||||
}
|
||||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
return r;
|
||||
}
|
||||
|
||||
event mime_begin_entity(c: connection) &priority=10
|
||||
{
|
||||
if ( ! c?$smtp ) return;
|
||||
|
@ -101,8 +108,7 @@ event file_new(f: fa_file) &priority=5
|
|||
if ( f$source != "SMTP" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local fname: string;
|
||||
local extracting: bool = F;
|
||||
|
||||
for ( cid in f$conns )
|
||||
|
@ -116,6 +122,7 @@ event file_new(f: fa_file) &priority=5
|
|||
{
|
||||
if ( ! extracting )
|
||||
{
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
|
@ -137,9 +144,7 @@ function check_extract_by_type(f: fa_file)
|
|||
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
|
||||
return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
++extract_count;
|
||||
local fname: string = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
|
||||
|
@ -148,9 +153,7 @@ function check_extract_by_type(f: fa_file)
|
|||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$smtp ) next;
|
||||
|
||||
c$smtp$current_entity$extraction_file = fname;
|
||||
}
|
||||
}
|
||||
|
@ -163,11 +166,11 @@ function check_md5_by_type(f: fa_file)
|
|||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "SMTP" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
|
||||
if ( f?$conns )
|
||||
for ( cid in f$conns )
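Review bot: `fname` is now declared without an initializer at L1218 and only assigned inside the `if ( ! extracting )` block at L1242; every later read of `fname` in this handler lies outside the hunk, so it needs confirming that each is reached only after `extracting` has been set, otherwise an empty name is written into the entity record. Separately, this file now has two `file_new` handlers at `&priority=5` (the one whose header the hunk at L1201 shows and the new one at L1330), and the `actions_taken` guard in `check_extract_by_type` at L1258 presumably depends on which of them runs first; a comment stating the intended order would make that explicit. The handler at L1330 continues past the hunk.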
|
||||
|
|