mirror of
https://github.com/zeek/zeek.git
synced 2025-10-16 05:28:20 +00:00
Large overhaul in name and appearance for file analysis.
This commit is contained in:
Seth Hall
parent
caf61f619b
commit
df2841458d
39 changed files with 420 additions and 875 deletions
|
|
@ -1,3 +1,3 @@
|
|||
@load ./main
|
||||
@load ./dcc-send
|
||||
#@load ./dcc-send
|
||||
@load ./file-analysis
|
||||
|
|
|
|||
|
|
@ -15,12 +15,6 @@
|
|||
module IRC;
|
||||
|
||||
export {
|
||||
## Pattern of file mime types to extract from IRC DCC file transfers.
|
||||
const extract_file_types = /NO_DEFAULT/ &redef;
|
||||
|
||||
## On-disk prefix for files to be extracted from IRC DCC file transfers.
|
||||
const extraction_prefix = "irc-dcc-item" &redef;
|
||||
|
||||
redef record Info += {
|
||||
## DCC filename requested.
|
||||
dcc_file_name: string &log &optional;
|
||||
|
|
@ -28,101 +22,10 @@ export {
|
|||
dcc_file_size: count &log &optional;
|
||||
## Sniffed mime type of the file.
|
||||
dcc_mime_type: string &log &optional;
|
||||
|
||||
## The file handle for the file to be extracted
|
||||
extraction_file: string &log &optional;
|
||||
|
||||
## A boolean to indicate if the current file transfer should be extracted.
|
||||
extract_file: bool &default=F;
|
||||
};
|
||||
}
|
||||
|
||||
global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins;
|
||||
|
||||
function set_dcc_mime(f: fa_file)
|
||||
{
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
|
||||
|
||||
local s = dcc_expected_transfers[cid$resp_h, cid$resp_p];
|
||||
|
||||
s$dcc_mime_type = f$mime_type;
|
||||
}
|
||||
}
|
||||
|
||||
function set_dcc_extraction_file(f: fa_file, filename: string)
|
||||
{
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
|
||||
|
||||
local s = dcc_expected_transfers[cid$resp_h, cid$resp_p];
|
||||
|
||||
s$extraction_file = filename;
|
||||
}
|
||||
}
|
||||
|
||||
function get_extraction_name(f: fa_file): string
|
||||
{
|
||||
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
||||
return r;
|
||||
}
|
||||
|
||||
# this handler sets the IRC::Info mime type
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
if ( ! f?$mime_type ) return;
|
||||
|
||||
set_dcc_mime(f);
|
||||
}
|
||||
|
||||
# this handler check if file extraction is desired
|
||||
event file_new(f: fa_file) &priority=5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
|
||||
local fname: string;
|
||||
|
||||
if ( f?$mime_type && extract_file_types in f$mime_type )
|
||||
{
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
set_dcc_extraction_file(f, fname);
|
||||
return;
|
||||
}
|
||||
|
||||
if ( ! f?$conns ) return;
|
||||
|
||||
for ( cid in f$conns )
|
||||
{
|
||||
local c: connection = f$conns[cid];
|
||||
|
||||
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
|
||||
|
||||
local s = dcc_expected_transfers[cid$resp_h, cid$resp_p];
|
||||
|
||||
if ( ! s$extract_file ) next;
|
||||
|
||||
fname = get_extraction_name(f);
|
||||
FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
|
||||
$extract_filename=fname]);
|
||||
s$extraction_file = fname;
|
||||
return;
|
||||
}
|
||||
}
|
||||
global dcc_expected_transfers: table[addr, port] of Info &synchronized &read_expire=5mins;
|
||||
|
||||
function log_dcc(f: fa_file)
|
||||
{
|
||||
|
|
@ -143,22 +46,17 @@ function log_dcc(f: fa_file)
|
|||
|
||||
# Delete these values in case another DCC transfer
|
||||
# happens during the IRC session.
|
||||
delete irc$extract_file;
|
||||
delete irc$extraction_file;
|
||||
delete irc$dcc_file_name;
|
||||
delete irc$dcc_file_size;
|
||||
delete irc$dcc_mime_type;
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
event file_new(f: fa_file) &priority=-5
|
||||
{
|
||||
if ( ! f?$source ) return;
|
||||
if ( f$source != "IRC_DATA" ) return;
|
||||
|
||||
log_dcc(f);
|
||||
if ( f?$source && f$source == "IRC_DATA" )
|
||||
log_dcc(f);
|
||||
}
|
||||
|
||||
event irc_dcc_message(c: connection, is_orig: bool,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
@load ./dcc-send.bro
|
||||
@load ./dcc-send
|
||||
@load base/utils/conn-ids
|
||||
@load base/frameworks/file-analysis/main
|
||||
@load base/frameworks/files
|
||||
|
||||
module IRC;
|
||||
|
||||
|
|
@ -11,15 +11,13 @@ export {
|
|||
|
||||
function get_file_handle(c: connection, is_orig: bool): string
|
||||
{
|
||||
if ( is_orig ) return "";
|
||||
return cat(ANALYZER_IRC_DATA, " ", c$start_time, " ", id_string(c$id));
|
||||
if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
|
||||
return "";
|
||||
|
||||
return cat(ANALYZER_IRC_DATA, c$start_time, c$id, is_orig);
|
||||
}
|
||||
|
||||
module GLOBAL;
|
||||
|
||||
event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
|
||||
&priority=5
|
||||
event bro_init() &priority=5
|
||||
{
|
||||
if ( tag != ANALYZER_IRC_DATA ) return;
|
||||
set_file_handle(IRC::get_file_handle(c, is_orig));
|
||||
Files::register_protocol(ANALYZER_IRC_DATA, IRC::get_file_handle);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue