mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
FileAnalysis: remove some file events.
The file_new event now takes over the function of file_type, file_bof, and file_bof_buffer.
This commit is contained in:
Jon Siwek
parent
a2d9b47bcd
commit
d9321e2203
28 changed files with 191 additions and 243 deletions
|
|
@ -25,32 +25,11 @@ export {
|
|||
|
||||
global extract_count: count = 0;
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( extract_file_types !in f$mime_type ) return;
|
||||
|
||||
if ( f?$info && FileAnalysis::ACTION_EXTRACT in f$info$actions_taken )
|
||||
return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local r = fmt("%s-%s-%d.dat", extraction_prefix, f$id, extract_count);
|
||||
++extract_count;
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
||||
event file_new(f: fa_file) &priority=5
|
||||
|
|
@ -59,27 +38,47 @@ event file_new(f: fa_file) &priority=5
|
|||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
local fname: string = fmt("%s-%s-%d.dat", extraction_prefix, f$id,
|
||||
extract_count);
|
||||
local fname: string;
|
||||
local c: connection;
|
||||
|
||||
if ( f?$mime_type && extract_file_types in f$mime_type )
|
||||
{
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
c = f$conns[cid];
|
||||
if ( ! c?$http ) next;
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
local extracting: bool = F;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
c = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
if ( c$http$extract_file )
|
||||
{
|
||||
if ( ! extracting )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
++extract_count;
|
||||
}
|
||||
if ( ! c$http$extract_file ) next;
|
||||
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
extracting = T;
|
||||
break;
|
||||
}
|
||||
|
||||
if ( extracting )
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
c = f$conns[cid];
|
||||
if ( ! c?$http ) next;
|
||||
c$http$extraction_file = fname;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,28 +23,29 @@ export {
|
|||
&redef;
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
|
||||
if ( generate_md5 in f$mime_type )
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
else if ( f?$conns )
|
||||
if ( f?$mime_type && generate_md5 in f$mime_type )
|
||||
{
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
if ( c$http$calc_md5 )
|
||||
{
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
}
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
if ( ! c$http$calc_md5 ) next;
|
||||
|
||||
FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -34,11 +34,11 @@ export {
|
|||
const ignored_incorrect_file_type_urls = /^$/ &redef;
|
||||
}
|
||||
|
||||
event file_type(f: fa_file) &priority=5
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
|
|
@ -68,9 +68,9 @@ event file_type(f: fa_file) &priority=5
|
|||
|
||||
event file_over_new_connection(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "HTTP" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
# Spread the mime around (e.g. for partial content, file_type event only
|
||||
|
|
@ -80,9 +80,7 @@ event file_over_new_connection(f: fa_file) &priority=5
|
|||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( ! c?$http ) next;
|
||||
|
||||
c$http$mime_type = f$mime_type;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue