mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00

* origin/topic/seth/faf-updates: (27 commits) Undoing the FTP tests I updated earlier. Update the last two btest FAF tests. File analysis fixes and test updates. Fix a bug with getting analyzer tags. A few test updates. Some tests work now (at least they all don't fail anymore!) Forgot a file. Added protocol description functions that provide a super compressed log representation. Fix a bug where orig file information in http wasn't working right. Added mime types to http.log Clean up queued but unused file_over_new_connections event args. Add jar files to the default MHR lookups. Adding CAB files for MHR checking. Improve malware hash registry script. Fix a small issue with finding smtp entities. Added support for files to the notice framework. Make the custom libmagic database a git submodule. Add an is_orig parameter to file_over_new_connection event. Make magic for emitting application/msword mime type less strict. Disable more libmagic builtin checks that override the magic database. ... Conflicts: doc/scripts/DocSourcesList.cmake scripts/base/init-bare.bro scripts/test-all-policy.bro testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@load ./addrs
## Builds a consistent base filename for content (a file, stream, or
## connection payload) that is being extracted to disk.
##
## prefix: Text placed in front of the connection tuple, joined with "_".
##         Skipped when it is the empty string.
##
## c: The connection whose endpoint addresses and ports name the output.
##
## suffix: Text placed after the connection tuple, joined with "_".
##         Skipped when it is the empty string.
##
## Returns: A string of the form
##          ``[prefix_]orig_h:orig_p-resp_h:resp_p[_suffix]``.
##
## .. note:: *prefix* and *suffix* are copied into the result verbatim.
##    Because the result is meant to be used as an on-disk name, callers
##    should pass only fixed or already sanitised strings, never text taken
##    straight from network traffic (for example a filename from a header).
function generate_extraction_filename(prefix: string, c: connection, suffix: string): string
	{
	local id = c$id;

	# The connection 4-tuple forms the core of the name.
	local name = fmt("%s:%d-%s:%d", addr_to_uri(id$orig_h), id$orig_p,
	                 addr_to_uri(id$resp_h), id$resp_p);

	# Optional decorations are attached only when the caller supplied them.
	if ( prefix != "" )
		name = fmt("%s_%s", prefix, name);

	if ( suffix != "" )
		name = fmt("%s_%s", name, suffix);

	return name;
	}
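## Extracts the filename from the value of a CONTENT-DISPOSITION header.
##
## data: The header value, e.g. ``attachment; filename="report.pdf"``.
##
## Returns: The text following the last ``name=`` / ``name*=`` parameter
##          (matched case-insensitively), with surrounding double quotes
##          and a leading ``charset'language'`` prefix removed, and then
##          percent-decoded. When no such parameter is present the first
##          substitution appears to leave the input untouched, so the whole
##          header value comes back percent-decoded.
##
## .. note:: The result is taken from remote-controlled header data and is
##    percent-decoded before it is returned, so it can contain path
##    separators and other characters that are unsafe in a filename. Treat
##    it as untrusted: log it, but sanitise it before building any
##    filesystem path from it.
function extract_filename_from_content_disposition(data: string): string
	{
	# Drop everything up to and including "name=" / "name*=" plus any
	# blanks around the equals sign.
	local filename = sub(data, /^.*[nN][aA][mM][eE][[:blank:]]*\*?=[[:blank:]]*/, "");

	# Remove quotes around the filename if they are there.
	if ( /^\"/ in filename )
		filename = split_n(filename, /\"/, F, 2)[2];

	# Remove the language and encoding (RFC 5987 style charset'language'
	# prefix) if it's there. The '-' sits at the end of each bracket
	# expression so that it is a literal hyphen; written as "+-^" it formed
	# a range that also admitted characters such as '.', '/', ':' and '\'.
	if ( /^[a-zA-Z0-9\!#$%&+^_`{}~-]+'[a-zA-Z0-9\!#$%&+^_`{}~-]*'/ in filename )
		# Stop at the second apostrophe. Matching ".+'.*'" instead runs to
		# the last apostrophe in the string and so cuts off the front of any
		# name that itself contains one, making the logged name differ from
		# the one the sender supplied.
		filename = sub(filename, /^[^']+'[^']*'/, "");

	return unescape_URI(filename);
	}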