
Removed the "file_mime_type" and "file_mime_types" events, replacing them with a new event called "file_metadata_inferred". It has a record argument of type "inferred_file_metadata", which contains the mime type information that the earlier events used to supply. The idea here is that future extensions to the record with new metadata will be less likely to break user code than the alternatives (adding new events or new event parameters). Addresses BIT-1368.
# Allowlist of MIME types to extract, mapped to the file extension used for
# the extracted copy. The file_metadata_inferred handler in this script skips
# any file whose MIME type has no entry here.
#
# "application/x-dosexec" is in the list, so executables seen on the wire are
# written to disk; treat everything in the extraction directory as untrusted.
global mime_to_ext: table[string] of string = {
	["application/x-dosexec"] = "exe",
	["image/jpeg"] = "jpg",
	["image/png"] = "png",
	["text/html"] = "html",
	["text/plain"] = "txt",
};
# Attaches the extraction analyzer to files carried over HTTP whose inferred
# MIME type is listed in mime_to_ext.
#
# f:    the file being analyzed; only f$source and f$id are read here.
# meta: inferred metadata for the file; only the optional mime_type field
#       is used.
event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata)
	{
	# One combined guard: skip non-HTTP files, files with no inferred MIME
	# type, and MIME types outside the allowlist. The ?$ test sits before
	# the field access so a missing mime_type is never dereferenced.
	if ( f$source != "HTTP" || ! meta?$mime_type || meta$mime_type !in mime_to_ext )
		return;

	# The extension is taken from the fixed table, never from the MIME
	# string itself, so that part of the name cannot carry path characters.
	# NOTE(review): f$id is presumably the analyzer-assigned file identifier
	# and not derived from request/response content; confirm.
	local ext = mime_to_ext[meta$mime_type];
	local fname = fmt("%s-%s.%s", f$source, f$id, ext);

	print fmt("Extracting file %s", fname);

	# NOTE(review): no $extract_limit is passed, so the size cap on each
	# extracted file is whatever FileExtract::default_limit is set to.
	# Confirm it is bounded on a sensor that sees untrusted traffic.
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
	}