FileAnalysis: add is_orig field to fa_file & Info.

2025-10-04 07:38:19 +00:00 · 2013-04-23 10:50:43 -05:00 · 2013-04-23 10:50:43 -05:00 · f07760ba00
commit f07760ba00
parent cd0a8bfbdb
7 changed files with 29 additions and 15 deletions
--- a/scripts/base/frameworks/file-analysis/main.bro
+++ b/scripts/base/frameworks/file-analysis/main.bro
@ -46,6 +46,10 @@ export {
 		## path which was read, or some other input source.
 		source: string &log &optional;
 		## If the source of this file is is a network connection, this field
 		## may be set to indicate the directionality.
 		is_orig: bool &log &optional;
 		## The time at which the last activity for the file was seen.
 		last_active: time &log;
@ -236,6 +240,7 @@ function set_info(f: fa_file)
 	f$info$id = f$id;
 	if ( f?$parent_id ) f$info$parent_id = f$parent_id;
 	if ( f?$source ) f$info$source = f$source;
 	if ( f?$is_orig ) f$info$is_orig = f$is_orig;
 	f$info$last_active = f$last_active;
 	f$info$seen_bytes = f$seen_bytes;
 	if ( f?$total_bytes ) f$info$total_bytes = f$total_bytes;
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -341,6 +341,10 @@ type fa_file: record {
 	## path which was read, or some other input source.
 	source: string &optional;
 	## If the source of this file is is a network connection, this field
 	## may be set to indicate the directionality.
 	is_orig: bool &optional;
 	## The set of connections over which the file was transferred.
 	conns: table[conn_id] of connection &optional;
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -37,6 +37,7 @@ static RecordVal* get_conn_id_val(const Connection* conn)
 int File::id_idx = -1;
 int File::parent_id_idx = -1;
 int File::source_idx = -1;
 int File::is_orig_idx = -1;
 int File::conns_idx = -1;
 int File::last_active_idx = -1;
 int File::seen_bytes_idx = -1;
@ -59,6 +60,7 @@ void File::StaticInit()
 	id_idx = Idx("id");
 	parent_id_idx = Idx("parent_id");
 	source_idx = Idx("source");
 	is_orig_idx = Idx("is_orig");
 	conns_idx = Idx("conns");
 	last_active_idx = Idx("last_active");
 	seen_bytes_idx = Idx("seen_bytes");
@ -75,7 +77,8 @@ void File::StaticInit()
 	salt = BifConst::FileAnalysis::salt->CheckString();
 	}
-File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag)
+File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag,
           bool is_orig)
    : id(""), unique(unique), val(0), postpone_timeout(false),
      first_chunk(true), missed_bof(false), need_reassembly(false), done(false),
      analyzers(this)
@ -98,8 +101,9 @@ File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag)
 	if ( conn )
 		{
-		// add source and connection fields
+		// add source, connection, is_orig fields
 		val->Assign(source_idx, new StringVal(::Analyzer::GetTagName(tag)));
 		val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
 		UpdateConnectionFields(conn);
 		}
 	else
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -133,7 +133,7 @@ protected:
 	 * Constructor; only file_analysis::Manager should be creating these.
 	 */
 	File(const string& unique, Connection* conn = 0,
-	     AnalyzerTag::Tag tag = AnalyzerTag::Error);
+	     AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false);
 	/**
 	 * Updates the "conn_ids" and "conn_uids" fields in #val record with the
@ -214,6 +214,7 @@ protected:
 	static int id_idx;
 	static int parent_id_idx;
 	static int source_idx;
 	static int is_orig_idx;
 	static int conns_idx;
 	static int last_active_idx;
 	static int seen_bytes_idx;
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -40,7 +40,7 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
 	if ( IsDisabled(tag) ) return;
 	GetFileHandle(tag, conn, is_orig);
-	DataIn(data, len, offset, GetFile(current_handle, conn, tag));
+	DataIn(data, len, offset, GetFile(current_handle, conn, tag, is_orig));
 	}
 void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
@ -67,7 +67,7 @@ void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
 	GetFileHandle(tag, conn, is_orig);
 	// Sequential data input shouldn't be going over multiple conns, so don't
 	// do the check to update connection set.
-	DataIn(data, len, GetFile(current_handle, conn, tag, false));
+	DataIn(data, len, GetFile(current_handle, conn, tag, is_orig, false));
 	}
 void Manager::DataIn(const u_char* data, uint64 len, const string& unique)
@ -110,7 +110,7 @@ void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
 	if ( IsDisabled(tag) ) return;
 	GetFileHandle(tag, conn, is_orig);
-	Gap(offset, len, GetFile(current_handle, conn, tag));
+	Gap(offset, len, GetFile(current_handle, conn, tag, is_orig));
 	}
 void Manager::Gap(uint64 offset, uint64 len, const string& unique)
@ -131,7 +131,7 @@ void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
 	if ( IsDisabled(tag) ) return;
 	GetFileHandle(tag, conn, is_orig);
-	SetSize(size, GetFile(current_handle, conn, tag));
+	SetSize(size, GetFile(current_handle, conn, tag, is_orig));
 	}
 void Manager::SetSize(uint64 size, const string& unique)
@ -188,7 +188,7 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const
 	}
 File* Manager::GetFile(const string& unique, Connection* conn,
-                       AnalyzerTag::Tag tag, bool update_conn)
+                       AnalyzerTag::Tag tag, bool is_orig, bool update_conn)
 	{
 	if ( unique.empty() ) return 0;
 	if ( IsIgnored(unique) ) return 0;
@ -197,7 +197,7 @@ File* Manager::GetFile(const string& unique, Connection* conn,
 	if ( ! rval )
 		{
-		rval = str_map[unique] = new File(unique, conn, tag);
+		rval = str_map[unique] = new File(unique, conn, tag, is_orig);
 		FileID id = rval->GetID();
 		if ( id_map[id] )
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@ -135,7 +135,7 @@ protected:
 	 */
 	File* GetFile(const string& unique, Connection* conn = 0,
 	              AnalyzerTag::Tag tag = AnalyzerTag::Error,
-	              bool update_conn = true);
+	              bool is_orig = false, bool update_conn = true);
 	/**
 	 * @return the File object mapped to \a file_id, or a null pointer if no
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log
@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	file_analysis
-#open	2013-04-12-14-46-48
+#open	2013-04-23-15-41-01
-#fields	id	parent_id	source	last_active	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timeout_interval	bof_buffer_size	mime_type	timedout	conn_uids	analyzers	extracted_files	md5	sha1	sha256
+#fields	id	parent_id	source	is_orig	last_active	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timeout_interval	bof_buffer_size	mime_type	timedout	conn_uids	analyzers	extracted_files	md5	sha1	sha256
-#types	string	string	string	time	count	count	count	count	interval	count	string	bool	table[string]	table[enum]	table[string]	string	string	string
+#types	string	string	string	bool	time	count	count	count	count	interval	count	string	bool	table[string]	table[enum]	table[string]	string	string	string
-Cx92a0ym5R8	-	HTTP	1362692527.009775	4705	4705	0	0	120.000000	1024	text/plain	F	UWkUyAuUGXf	FileAnalysis::ANALYZER_SHA1,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_DATA_EVENT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA256	Cx92a0ym5R8-file	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
+Cx92a0ym5R8	-	HTTP	F	1362692527.009775	4705	4705	0	0	120.000000	1024	text/plain	F	UWkUyAuUGXf	FileAnalysis::ANALYZER_SHA1,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_DATA_EVENT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA256	Cx92a0ym5R8-file	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
-#close	2013-04-12-14-46-48
+#close	2013-04-23-15-41-01