Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

test-all-policy: Do not load iso-9660.zeek

Browse source 
Changing the default_file_bof_buffer_size has subtle impact on
MIME type detection and changed the zeek-testing baseline. Do
not load this new script via test-all-policy to avoid this.

The new test was mainly an aid to understand what is actually going on.
In short, if default_file_bof_buffer_size is larger than the file MIME
detection only runs when the buffer is full, or when the file is removed.
When a file transfer happens over multiple HTTP connections, only
some or one of the http.log entries will have a proper response MIME type.

PCAP extracted from 2009-M57-day11-18.trace.gz.
This commit is contained in:
Arne Welzel 2024-02-26 16:35:34 +01:00
parent 1a5ce65e3d
commit e11c20e1eb
6 changed files with 38 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/test-all-policy.zeek
View file

@ -72,7 +72,7 @@
@load frameworks/notice/extend-email/hostnames.zeek @load frameworks/notice/extend-email/hostnames.zeek
@load files/x509/disable-certificate-events-known-certs.zeek @load files/x509/disable-certificate-events-known-certs.zeek
@load frameworks/packet-filter/shunt.zeek @load frameworks/packet-filter/shunt.zeek
@load frameworks/signatures/iso-9660.zeek # @load frameworks/signatures/iso-9660.zeek
@load frameworks/software/version-changes.zeek @load frameworks/software/version-changes.zeek
@load frameworks/software/vulnerable.zeek @load frameworks/software/vulnerable.zeek
# @load frameworks/spicy/record-spicy-batch.zeek # @load frameworks/spicy/record-spicy-batch.zeek

1
scripts/zeekygen/__load__.zeek
View file

@ -10,6 +10,7 @@
@load frameworks/management/node/__load__.zeek @load frameworks/management/node/__load__.zeek
@load frameworks/management/node/main.zeek @load frameworks/management/node/main.zeek
@load frameworks/files/extract-all-files.zeek @load frameworks/files/extract-all-files.zeek
@load frameworks/signatures/iso-9660.zeek
@load policy/misc/dump-events.zeek @load policy/misc/dump-events.zeek
@load policy/protocols/conn/speculative-service.zeek @load policy/protocols/conn/speculative-service.zeek

7
testing/btest/Baseline/scripts.base.files.mime.vnd.ms-cab-compressed-multi-conn/files.log.cut Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
fuid source mime_type filename
FJYJFE2AmtoQavCYEh HTTP application/vnd.ms-cab-compressed windows6.0-kb955430-x86-express_9c8a57958486102e94e591384dc69dd7e8d01169.cab
FJYJFE2AmtoQavCYEh HTTP application/vnd.ms-cab-compressed windows6.0-kb955430-x86-express_9c8a57958486102e94e591384dc69dd7e8d01169.cab
FJYJFE2AmtoQavCYEh HTTP application/vnd.ms-cab-compressed windows6.0-kb955430-x86-express_9c8a57958486102e94e591384dc69dd7e8d01169.cab
FJYJFE2AmtoQavCYEh HTTP application/vnd.ms-cab-compressed windows6.0-kb955430-x86-express_9c8a57958486102e94e591384dc69dd7e8d01169.cab
FJYJFE2AmtoQavCYEh HTTP application/vnd.ms-cab-compressed windows6.0-kb955430-x86-express_9c8a57958486102e94e591384dc69dd7e8d01169.cab

7
testing/btest/Baseline/scripts.base.files.mime.vnd.ms-cab-compressed-multi-conn/http.log.cut Normal file
View file

@ -0,0 +1,7 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
uid method host status_code resp_fuids response_body_len resp_mime_types
CHhAvVGS1DHFjwGM9 GET au.download.windowsupdate.com 206 FJYJFE2AmtoQavCYEh 5473 -
ClEkJM2Vm5giqnMf4h GET au.download.windowsupdate.com 206 FJYJFE2AmtoQavCYEh 6622 -
C4J4Th3PJpwUYZZ6gc GET au.download.windowsupdate.com 206 FJYJFE2AmtoQavCYEh 7551 -
CtPZjS20MLrsMUOJi2 GET au.download.windowsupdate.com 206 FJYJFE2AmtoQavCYEh 11791 -
CUM0KZ3MLUfNB0cl11 GET au.download.windowsupdate.com 206 FJYJFE2AmtoQavCYEh 8181 application/vnd.ms-cab-compressed

BIN
testing/btest/Traces/http/vnd.ms-cab-compressed-multi-conn.pcap Normal file
View file

Binary file not shown.

22
testing/btest/scripts/base/files/mime/vnd.ms-cab-compressed-multi-conn.zeek Normal file
View file

@ -0,0 +1,22 @@
# @TEST-DOC: Increasing default_file_bof_buffer_size has subtle impact on mime_type detection and association for partial file transfers over HTTP. Test mainly to aid understanding.
#
# @TEST-EXEC: zeek -b -r $TRACES/http/vnd.ms-cab-compressed-multi-conn.pcap %INPUT
# @TEST-EXEC: zeek-cut -m fuid source mime_type filename < files.log > files.log.cut
# @TEST-EXEC: btest-diff files.log.cut
# @TEST-EXEC: zeek-cut -m uid method host status_code resp_fuids response_body_len resp_mime_types < http.log > http.log.cut
# @TEST-EXEC: btest-diff http.log.cut
@load base/protocols/http
@load base/frameworks/files
# Increases default_file_bof_buffer_size, resulting in only one of the GET
# of http.log having the application/vnd.ms-cab-compressed associated.
@load policy/frameworks/signatures/iso-9660
redef LogAscii::use_json = F;
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
if ( f$source == "HTTP" )
f$info$filename = split_string(c$http$uri, /\//)[-1];
}