Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

FileAnalysis: remove some file events.

Browse source 
The file_new event now takes over the function of file_type, file_bof,
and file_bof_buffer.
This commit is contained in:
Jon Siwek 2013-04-10 14:34:23 -05:00
parent a2d9b47bcd
commit d9321e2203
28 changed files with 191 additions and 243 deletions
Download patch file Download diff file Expand all files Collapse all files

46
scripts/base/protocols/ftp/file-extract.bro
View file

@ -24,15 +24,26 @@ redef record Info += {
extract_file: bool &default=F;
};
function get_extraction_name(f: fa_file): string
{
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
++extract_count;
return r;
}
event file_new(f: fa_file) &priority=5
{
if ( ! f?$source ) return;
if ( f$source != "FTP_DATA" ) return;
if ( ! f?$conns ) return;
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
extract_count);
local extracting: bool = F;
if ( f?$mime_type && extract_file_types in f$mime_type )
{
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=get_extraction_name(f)]);
return;
}
if ( ! f?$conns ) return;
for ( cid in f$conns )
{
@ -44,31 +55,10 @@ event file_new(f: fa_file) &priority=5
if ( ! s$extract_file ) next;
if ( ! extracting )
{
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=fname]);
extracting = T;
++extract_count;
}
}
}
event file_type(f: fa_file) &priority=5
{
if ( ! f?$mime_type ) return;
if ( ! f?$source ) return;
if ( f$source != "FTP_DATA" ) return;
if ( extract_file_types !in f$mime_type ) return;
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=get_extraction_name(f)]);
return;
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
extract_count);
++extract_count;
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
$extract_filename=fname]);
}
}
event file_state_remove(f: fa_file) &priority=4