FileAnalysis: add more params to some events.

2025-10-06 00:28:21 +00:00 · 2013-04-11 11:24:18 -05:00 · 2013-04-11 11:24:18 -05:00 · e2fbee9054
commit e2fbee9054
parent 2747e839fb
8 changed files with 113 additions and 48 deletions
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -145,9 +145,16 @@ void File::UpdateConnectionFields(Connection* conn)
 	Val* idx = get_conn_id_val(conn);
 	if ( ! conns->AsTableVal()->Lookup(idx) )
 		{
-		conns->AsTableVal()->Assign(idx, conn->BuildConnVal());
-		if ( ! is_first )
-			file_mgr->FileEvent(file_over_new_connection, this);
+		Val* conn_val = conn->BuildConnVal();
+		conns->AsTableVal()->Assign(idx, conn_val);
+
+		if ( ! is_first && FileEventAvailable(file_over_new_connection) )
+			{
+			val_list* vl = new val_list();
+			vl->append(val->Ref());
+			vl->append(conn_val->Ref());
+			FileEvent(file_over_new_connection, vl);
+			}
 		}

 	Unref(idx);
@ -266,8 +273,7 @@ void File::ReplayBOF()

 	DetectTypes(bs->Bytes(), bs->Len());

-	file_mgr->FileEvent(file_new, this);
-	mgr.Drain(); // need immediate feedback about actions to add
+	FileEvent(file_new);

 	for ( size_t i = 0; i < bof_buffer.chunks.size(); ++i )
 		DataIn(bof_buffer.chunks[i]->Bytes(), bof_buffer.chunks[i]->Len());
@ -281,9 +287,7 @@ void File::DataIn(const u_char* data, uint64 len, uint64 offset)
 		{
 		// TODO: this should all really be delayed until we attempt reassembly
 		DetectTypes(data, len);
-		file_mgr->FileEvent(file_new, this);
-		mgr.Drain(); // need immediate feedback about actions to add
-		actions.DrainModifications();
+		FileEvent(file_new);
 		first_chunk = false;
 		}

@ -318,9 +322,7 @@ void File::DataIn(const u_char* data, uint64 len)
 	if ( missed_bof )
 		{
 		DetectTypes(data, len);
-		file_mgr->FileEvent(file_new, this);
-		mgr.Drain(); // need immediate feedback about actions to add
-		actions.DrainModifications();
+		FileEvent(file_new);
 		missed_bof = false;
 		}

@ -366,7 +368,7 @@ void File::EndOfFile()
 			actions.QueueRemoveAction(act->Args());
 		}

-	file_mgr->FileEvent(file_state_remove, this);
+	FileEvent(file_state_remove);

 	actions.DrainModifications();
 	}
@ -388,8 +390,41 @@ void File::Gap(uint64 offset, uint64 len)
 			actions.QueueRemoveAction(act->Args());
 		}

-	file_mgr->FileEvent(file_gap, this);
+	if ( FileEventAvailable(file_gap) )
+		{
+		val_list* vl = new val_list();
+		vl->append(val->Ref());
+		vl->append(new Val(offset, TYPE_COUNT));
+		vl->append(new Val(len, TYPE_COUNT));
+		FileEvent(file_gap, vl);
+		}

 	actions.DrainModifications();
 	IncrementByteCount(len, missing_bytes_idx);
 	}
+
+bool File::FileEventAvailable(EventHandlerPtr h)
+	{
+	return h && ! file_mgr->IsIgnored(unique);
+	}
+
+void File::FileEvent(EventHandlerPtr h)
+	{
+	if ( ! FileEventAvailable(h) ) return;
+
+	val_list* vl = new val_list();
+	vl->append(val->Ref());
+	FileEvent(h, vl);
+	}
+
+void File::FileEvent(EventHandlerPtr h, val_list* vl)
+	{
+	mgr.QueueEvent(h, vl);
+
+	if ( h == file_new || h == file_timeout )
+		{
+		// immediate feedback is required for these events.
+		mgr.Drain();
+		actions.DrainModifications();
+		}
+	}
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -106,6 +106,22 @@ public:
 	 */
 	void Gap(uint64 offset, uint64 len);

+	/**
+	 * @return true if event has a handler and the file isn't ignored.
+	 */
+	bool FileEventAvailable(EventHandlerPtr h);
+
+	/**
+	 * Raises an event related to the file's life-cycle, the only parameter
+	 * to that event is the \c fa_file record..
+	 */
+	void FileEvent(EventHandlerPtr h);
+
+	/**
+	 * Raises an event related to the file's life-cycle.
+	 */
+	void FileEvent(EventHandlerPtr h, val_list* vl);
+
 protected:

 	/**
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -147,17 +147,6 @@ void Manager::SetSize(uint64 size, File* file)
 		RemoveFile(file->GetUnique());
 	}

-void Manager::FileEvent(EventHandlerPtr h, File* file)
-	{
-	if ( ! h ) return;
-	if ( IsIgnored(file->GetUnique()) ) return;
-
-	val_list * vl = new val_list();
-	vl->append(file->GetVal()->Ref());
-
-	mgr.QueueEvent(h, vl);
-	}
-
 bool Manager::PostponeTimeout(const FileID& file_id) const
 	{
 	File* file = Lookup(file_id);
@ -235,8 +224,7 @@ void Manager::Timeout(const FileID& file_id, bool is_terminating)

 	file->postpone_timeout = false;

-	FileEvent(file_timeout, file);
-	mgr.Drain(); // need immediate feedback about whether to postpone
+	file->FileEvent(file_timeout);

 	if ( file->postpone_timeout && ! is_terminating )
 		{
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@ -111,9 +111,9 @@ public:
 	bool RemoveAction(const FileID& file_id, const RecordVal* args) const;

 	/**
-	 * Queues an event related to the file's life-cycle.
+	 * @return whether the file mapped to \a unique is being ignored.
 	 */
-	 void FileEvent(EventHandlerPtr h, File* file);
+	bool IsIgnored(const string& unique);

 protected:

@ -149,11 +149,6 @@ protected:
 	 */
 	bool RemoveFile(const string& unique);

-	/**
-	 * @return whether the file mapped to \a unique is being ignored.
-	 */
-	bool IsIgnored(const string& unique);
-
 	/**
 	 * Sets #current_handle to a unique file handle string based on what the
 	 * \c get_file_handle event derives from the connection params.  The