Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

files/main: No empty file_ids

Browse source 
When an analyzer calls DataIn(), there's a costly callback construct
going through the event queue. If an analyzer does not have a
get_file_handle() handler installed, the produced file_id would
end up empty and ignored. Consequently, the get_file_handle() callback
was invoked for every new DataIn() invocations.

This is surprising and costly. Log a warning when this happens and
instead set a generically generated file handle value instead to
prevent the repeated get_file_handle() invocations.
This commit is contained in:
Arne Welzel 2023-02-04 12:02:37 +01:00
parent cdadc32985
commit e4ab7b2d70
2 changed files with 11 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/frameworks/files/main.zeek
View file

@ -513,7 +513,11 @@ function describe(f: fa_file): string
event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5
{
if ( tag !in registered_protocols )
{
Reporter::warning(fmt("get_file_handle() invoked for %s", tag));
set_file_handle(fmt("%s-fallback-%s-%s-%s", tag, c$uid, is_orig, network_time()));
return;
}
local handler = registered_protocols[tag];
set_file_handle(handler$get_file_handle(c, is_orig));