
* origin/topic/seth/faf-updates: (27 commits) Undoing the FTP tests I updated earlier. Update the last two btest FAF tests. File analysis fixes and test updates. Fix a bug with getting analyzer tags. A few test updates. Some tests work now (at least they all don't fail anymore!) Forgot a file. Added protocol description functions that provide a super compressed log representation. Fix a bug where orig file information in http wasn't working right. Added mime types to http.log Clean up queued but unused file_over_new_connections event args. Add jar files to the default MHR lookups. Adding CAB files for MHR checking. Improve malware hash registry script. Fix a small issue with finding smtp entities. Added support for files to the notice framework. Make the custom libmagic database a git submodule. Add an is_orig parameter to file_over_new_connection event. Make magic for emitting application/msword mime type less strict. Disable more libmagic builtin checks that override the magic database. ... Conflicts: doc/scripts/DocSourcesList.cmake scripts/base/init-bare.bro scripts/test-all-policy.bro testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@load base/frameworks/intel
@load base/protocols/smtp
@load base/utils/urls
@load ./where-locations
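# Handler for the DATA_EVENT stream attached in file_new: each chunk of an
# SMTP-delivered file body is scanned for URLs, and every URL found is
# reported to the Intel framework once per connection the file was seen on.
#
# f    - the file the chunk belongs to; must carry connection context
#        (f$conns), otherwise there is nothing to attribute the hit to.
# data - one chunk of the file's content as delivered by the stream event.
#
# NOTE(review): stream_event hands the body over in chunks, so a URL that is
# split across two chunk boundaries would not be matched by either call -
# confirm whether that gap matters for the intended detection coverage.
event intel_mime_data(f: fa_file, data: string)
	{
	if ( ! f?$conns )
		return;

	# URL extraction depends only on the chunk, not on the connection, so do
	# it once rather than once per connection the file was carried over.
	local urls = find_all_urls_without_scheme(data);

	for ( cid in f$conns )
		{
		local c: connection = f$conns[cid];

		for ( url in urls )
			{
			# Indicator type URL, located in the SMTP message body.
			Intel::seen([$indicator=url,
			             $indicator_type=Intel::URL,
			             $conn=c,
			             $where=SMTP::IN_MESSAGE]);
			}
		}
	}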
# Whenever a new file is seen over SMTP, attach the data-event analyzer so
# that the file's content is streamed, chunk by chunk, to intel_mime_data.
#
# f - the newly observed file; only files whose source is "SMTP" are wired up.
event file_new(f: fa_file)
	{
	# Files from any other source are left untouched.
	if ( f$source != "SMTP" )
		return;

	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
	}