mirror of
https://github.com/zeek/zeek.git
synced 2025-10-08 01:28:20 +00:00
Update line numbers mentioned in scripting tutorial
This commit is contained in:
Daniel Thayer
parent
f615683460
commit
de93a5796e
1 changed files with 11 additions and 11 deletions
|
|
@ -95,7 +95,7 @@ the information associated with a file for which Bro's file analysis framework h
|
|||
generated a hash. The event handler is passed the file itself as ``f``, the type of digest
|
||||
algorithm used as ``kind`` and the hash generated as ``hash``.
|
||||
|
||||
On line 3, an ``if`` statement is used to check for the correct type of hash, in this case
|
||||
On line 34, an ``if`` statement is used to check for the correct type of hash, in this case
|
||||
a SHA1 hash. It also checks for a mime type we've defined as being of interest as defined in the
|
||||
constant ``match_file_types``. The comparison is made against the expression ``f$mime_type``, which uses
|
||||
the ``$`` dereference operator to check the value ``mime_type`` inside the variable ``f``. Once both
|
||||
|
|
@ -113,22 +113,22 @@ this event continues and upon receipt of the values returned by
|
|||
the malware was first detected and the detection rate by splitting on an text space
|
||||
and storing the values returned in a local table variable. In line 12, if the table
|
||||
returned by ``split1`` has two entries, indicating a successful split, we store the detection
|
||||
date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 14 and 15 respectively
|
||||
date in ``mhr_first_detected`` and the rate in ``mhr_detect_rate`` on lines 18 and 14 respectively
|
||||
using the appropriate conversion functions. From this point on, Bro knows it has seen a file
|
||||
transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest
|
||||
of the script is dedicated to producing a notice.
|
||||
|
||||
On line 17, the detection time is processed into a string representation and stored in
|
||||
On line 19, the detection time is processed into a string representation and stored in
|
||||
``readable_first_detected``. The script then compares the detection rate against the
|
||||
``notice_threshold`` that was defined earlier. If the detection rate is high enough, the script
|
||||
creates a concise description of the notice on line 22, a possible URL to check the sample against
|
||||
creates a concise description of the notice on line 20, a possible URL to check the sample against
|
||||
``virustotal.com``'s database, and makes the call to :bro:id:`NOTICE` to hand the relevant information
|
||||
off to the Notice framework.
|
||||
|
||||
In approximately 25 lines of code, Bro provides an amazing
|
||||
In approximately a few dozen lines of code, Bro provides an amazing
|
||||
utility that would be incredibly difficult to implement and deploy
|
||||
with other products. In truth, claiming that Bro does this in 25
|
||||
lines is a misdirection; there is a truly massive number of things
|
||||
with other products. In truth, claiming that Bro does this in such a small
|
||||
number of lines is a misdirection; there is a truly massive number of things
|
||||
going on behind-the-scenes in Bro, but it is the inclusion of the
|
||||
scripting language that gives analysts access to those underlying
|
||||
layers in a succinct and well defined manner.
|
||||
|
|
@ -657,7 +657,7 @@ using a 20 bit subnet mask.
|
|||
|
||||
Because this is a script that doesn't use any kind of network
|
||||
analysis, we can handle the event :bro:id:`bro_init` which is always
|
||||
generated by Bro's core upon startup. On lines six and seven, two
|
||||
generated by Bro's core upon startup. On lines five and six, two
|
||||
locally scoped vectors are created to hold our lists of subnets and IP
|
||||
addresses respectively. Then, using a set of nested ``for`` loops, we
|
||||
iterate over every subnet and every IP address and use an ``if``
|
||||
|
|
@ -760,7 +760,7 @@ string against which it will be tested to be on the right.
|
|||
In the sample above, two local variables are declared to hold our
|
||||
sample sentence and regular expression. Our regular expression in
|
||||
this case will return true if the string contains either the word
|
||||
``quick`` or the word ``fox``. The ``if`` statement on line six uses
|
||||
``quick`` or the word ``fox``. The ``if`` statement on line eight uses
|
||||
embedded matching and the ``in`` operator to check for the existence
|
||||
of the pattern within the string. If the statement resolves to true,
|
||||
:bro:id:`split` is called to break the string into separate pieces.
|
||||
|
|
@ -1001,7 +1001,7 @@ filename for the current call to ``Log::write``. The definition for
|
|||
this function has to take as its parameters a ``Log::ID`` called id, a
|
||||
string called ``path`` and the appropriate record type for the logs called
|
||||
``rec``. You can see the definition of ``mod5`` used in this example on
|
||||
line one conforms to that requirement. The function simply returns
|
||||
line 38 conforms to that requirement. The function simply returns
|
||||
``factor-mod5`` if the factorial is divisible evenly by 5, otherwise, it
|
||||
returns ``factor-non5``. In the additional ``bro_init`` event
|
||||
handler, we define a locally scoped ``Log::Filter`` and assign it a
|
||||
|
|
@ -1153,7 +1153,7 @@ possible while staying concise.
|
|||
|
||||
While much of the script relates to the actual detection, the parts
|
||||
specific to the Notice Framework are actually quite interesting in
|
||||
themselves. On line 18 the script's ``export`` block adds the value
|
||||
themselves. On line 13 the script's ``export`` block adds the value
|
||||
``SSH::Interesting_Hostname_Login`` to the enumerable constant
|
||||
``Notice::Type`` to indicate to the Bro core that a new type of notice
|
||||
is being defined. The script then calls ``NOTICE`` and defines the
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue