zeek/src/file_analysis.bif
Jon Siwek 3dd513e26e FileAnalysis: move unique file handle string generation to script-layer
And add minimal integration with HTTP analyzer.
2013-03-12 13:44:31 -05:00


##! Internal functions and types used by the file analysis framework.
module FileAnalysis;
%%{
#include "file_analysis/Manager.h"
%%}
# Record types referenced by the BiFs and docs below. Only their existence is
# declared here; their fields are defined at the script layer, not in this file.

# Per-file analysis state (the *total_bytes*, *undelivered* and
# *bof_buffer_size* fields are referred to in the Trigger docs below).
type Info: record;
# Describes an action and its parameters; add_action/remove_action coerce
# their ``any`` argument to this type.
type ActionArgs: record;
# Results produced by an action; not referenced by the functions in this file.
type ActionResults: record;
## An enumeration of possibly-interesting "events" that can occur over
## the course of analyzing files. The :bro:see:`FileAnalysis::policy`
## hook is called each time a trigger occurs.
enum Trigger %{
	## Raised when any part of a new file is detected.
	TRIGGER_NEW,
	## Raised when file analysis has likely seen a complete file. That
	## is when a number of bytes indicated by the *total_bytes* field of
	## :bro:see:`FileAnalysis::Info` have been processed. Note that
	## the *undelivered* field does not have to be zero for this to have
	## occurred, i.e. "complete" is judged by the byte count alone, not by
	## whether every byte was delivered in sequence.
	TRIGGER_DONE,
	## Raised when file analysis for a given file is aborted due
	## to not seeing any data for it recently. Note that this doesn't
	## necessarily mean the full file wasn't seen (e.g. if the
	## :bro:see:`FileAnalysis::Info` record indicates the file *total_bytes*
	## isn't known). Use :bro:see:`FileAnalysis::postpone_timeout`
	## during a :bro:see:`FileAnalysis::policy` handler for this trigger to
	## defer the timeout until later.
	TRIGGER_TIMEOUT,
	## Raised when the beginning of a file is detected.
	TRIGGER_BOF,
	## Raised when the beginning of a file is available and that beginning
	## is at least the number of bytes indicated by the *bof_buffer_size*
	## field of :bro:see:`FileAnalysis::Info`.
	TRIGGER_BOF_BUFFER,
	## Raised when an initial guess at the file/mime type of a file is matched
	## based on magic numbers. Treat this as a hint only: the guess is derived
	## from the leading bytes and can be wrong or deliberately misleading.
	TRIGGER_TYPE,
	## Raised to signal that no more file data is incoming and it couldn't be
	## determined whether the full file was actually seen.
	TRIGGER_EOF,
	## Raised when the reassembly buffer for the file filled and had to be
	## discarded. The *undelivered* field of :bro:see:`FileAnalysis::Info`
	## will indicate the number of bytes, if any, that were not
	## all-in-sequence.
	## TODO: Is it possible to extend the reassembly buffer when "handling"
	## this trigger?
	TRIGGER_REASSEMBLY_BUFFER_FULL,
	## Raised when there's a missing chunk of data in the file stream
	## (presumably what :bro:see:`FileAnalysis::gap` reports -- confirm).
	TRIGGER_GAP,
%}
## Actions that can be attached to a file with
## :bro:see:`FileAnalysis::add_action` and detached again with
## :bro:see:`FileAnalysis::remove_action`. An action's parameters travel in
## a :bro:see:`FileAnalysis::ActionArgs` record.
enum Action %{
	## Write the file's content out (extraction). NOTE(review): the bytes are
	## attacker-controlled; the destination path must come from the script
	## layer and never be derived from the file's own metadata -- confirm
	## where ActionArgs carries it.
	ACTION_EXTRACT,
	## Presumably computes an MD5 digest of the file content. MD5 is fine as
	## a lookup key for intel matching, not as a collision-resistant
	## integrity proof; prefer ACTION_SHA256 for the latter.
	ACTION_MD5,
	## Presumably computes a SHA1 digest of the file content.
	ACTION_SHA1,
	## Presumably computes a SHA256 digest of the file content.
	ACTION_SHA256,
	## Presumably delivers file content to the script layer via an event --
	## confirm the chunking and ordering against the analyzer implementation.
	ACTION_DATA_EVENT,
%}
## Defers the inactivity timeout of a file that is currently being analyzed.
## Meant to be called from a :bro:see:`FileAnalysis::policy` handler for
## :bro:see:`FileAnalysis::TRIGGER_TIMEOUT`.
##
## file_id: the unique identifier string of the file.
##
## Returns: whatever the file analysis manager reports; presumably T on
##          success and F if no such file is known.
function FileAnalysis::postpone_timeout%(file_id: string%): bool
	%{
	using file_analysis::FileID;
	const char* id = file_id->CheckString();
	return new Val(file_mgr->PostponeTimeout(FileID(id)), TYPE_BOOL);
	%}
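## Attaches an action to a file being analyzed.
##
## file_id: the unique identifier string of the file.
##
## args: a record coercible to :bro:see:`FileAnalysis::ActionArgs` that
##       names the action and carries its parameters.
##
## Returns: F if *args* is not a record or cannot be coerced to
##          :bro:see:`FileAnalysis::ActionArgs`; otherwise whatever the file
##          analysis manager reports (presumably T if the action was added).
function FileAnalysis::add_action%(file_id: string, args: any%): bool
	%{
	using file_analysis::FileID;
	using BifType::Record::FileAnalysis::ActionArgs;

	// *args* is declared ``any``: calling AsRecordVal() on a non-record would
	// trip an internal type check, so reject it up front with a script error.
	if ( args->Type()->Tag() != TYPE_RECORD )
		{
		builtin_error("FileAnalysis::add_action: args is not a record", args);
		return new Val(false, TYPE_BOOL);
		}

	// CoerceTo() can hand back a null pointer when the record isn't
	// promotion-compatible with ActionArgs (e.g. a required field is
	// missing); never pass that on to the manager.
	RecordVal* rv = args->AsRecordVal()->CoerceTo(ActionArgs);

	if ( ! rv )
		{
		builtin_error("FileAnalysis::add_action: args not coercible to ActionArgs", args);
		return new Val(false, TYPE_BOOL);
		}

	bool result = file_mgr->AddAction(FileID(file_id->CheckString()), rv);
	Unref(rv); // CoerceTo() gave us a fresh reference.
	return new Val(result, TYPE_BOOL);
	%}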
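## Detaches an action from a file being analyzed.
##
## file_id: the unique identifier string of the file.
##
## args: a record coercible to :bro:see:`FileAnalysis::ActionArgs`
##       identifying the action to remove.
##
## Returns: F if *args* is not a record or cannot be coerced to
##          :bro:see:`FileAnalysis::ActionArgs`; otherwise whatever the file
##          analysis manager reports (presumably T if the action was removed).
function FileAnalysis::remove_action%(file_id: string, args: any%): bool
	%{
	using file_analysis::FileID;
	using BifType::Record::FileAnalysis::ActionArgs;

	// *args* is declared ``any``: calling AsRecordVal() on a non-record would
	// trip an internal type check, so reject it up front with a script error.
	if ( args->Type()->Tag() != TYPE_RECORD )
		{
		builtin_error("FileAnalysis::remove_action: args is not a record", args);
		return new Val(false, TYPE_BOOL);
		}

	// CoerceTo() can hand back a null pointer when the record isn't
	// promotion-compatible with ActionArgs (e.g. a required field is
	// missing); never pass that on to the manager.
	RecordVal* rv = args->AsRecordVal()->CoerceTo(ActionArgs);

	if ( ! rv )
		{
		builtin_error("FileAnalysis::remove_action: args not coercible to ActionArgs", args);
		return new Val(false, TYPE_BOOL);
		}

	bool result = file_mgr->RemoveAction(FileID(file_id->CheckString()), rv);
	Unref(rv); // CoerceTo() gave us a fresh reference.
	return new Val(result, TYPE_BOOL);
	%}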
## Stops analysis of a file: the manager is told to ignore it from now on
## (presumably discarding any further data delivered for it).
##
## file_id: the unique identifier string of the file.
##
## Returns: whatever the file analysis manager reports; presumably T if the
##          file was known.
function FileAnalysis::stop%(file_id: string%): bool
	%{
	using file_analysis::FileID;
	const char* id = file_id->CheckString();
	return new Val(file_mgr->IgnoreFile(FileID(id)), TYPE_BOOL);
	%}
## Feeds the next piece of a file's content to the file analysis framework.
## No offset is given, so the manager is presumably expected to treat the
## bytes as following whatever was delivered before (see
## :bro:see:`FileAnalysis::input_data_chunk` for out-of-order delivery).
##
## source: the unique file handle string identifying the file the data
##         belongs to.
##
## data: the bytes to deliver; the full length of the string is used.
function FileAnalysis::input_data%(source: string, data: string%): any
	%{
	const char* handle = source->CheckString();
	const u_char* bytes = data->Bytes();
	file_mgr->DataIn(bytes, data->Len(), handle);
	return 0;
	%}
## Feeds a piece of a file's content located at a known position to the
## file analysis framework; presumably the reassembly path, as opposed to
## the sequential :bro:see:`FileAnalysis::input_data`.
##
## source: the unique file handle string identifying the file the data
##         belongs to.
##
## data: the bytes to deliver; the full length of the string is used.
##
## offset: the byte position within the file at which *data* starts.
function FileAnalysis::input_data_chunk%(source: string, data: string,
                                         offset: count%): any
	%{
	const char* handle = source->CheckString();
	const u_char* bytes = data->Bytes();
	file_mgr->DataIn(bytes, data->Len(), offset, handle);
	return 0;
	%}
## Reports a hole in a file's content to the file analysis framework, i.e.
## a range of bytes that will never be delivered (presumably what surfaces as
## :bro:see:`FileAnalysis::TRIGGER_GAP` -- confirm).
##
## source: the unique file handle string identifying the file.
##
## offset: the byte position within the file where the missing range starts.
##
## len: the number of missing bytes.
function FileAnalysis::gap%(source: string, offset: count, len: count%): any
	%{
	const char* handle = source->CheckString();
	file_mgr->Gap(offset, len, handle);
	return 0;
	%}
## Tells the file analysis framework the total size of a file. Presumably
## this is what populates the *total_bytes* field of
## :bro:see:`FileAnalysis::Info` that :bro:see:`FileAnalysis::TRIGGER_DONE`
## is judged against; note that a size learned from protocol metadata is
## attacker-supplied and may not match what is actually delivered.
##
## source: the unique file handle string identifying the file.
##
## size: the total file size in bytes.
function FileAnalysis::set_size%(source: string, size: count%): any
	%{
	const char* handle = source->CheckString();
	file_mgr->SetSize(size, handle);
	return 0;
	%}
## Tells the file analysis framework that no more data will arrive for a
## file (presumably what surfaces as :bro:see:`FileAnalysis::TRIGGER_EOF`
## when the total size is unknown -- confirm).
##
## source: the unique file handle string identifying the file.
function FileAnalysis::input_eof%(source: string%): any
	%{
	const char* handle = source->CheckString();
	file_mgr->EndOfFile(handle);
	return 0;
	%}