mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
72 lines
2.3 KiB
C++
72 lines
2.3 KiB
C++
// See the file "COPYING" in the main distribution directory for copyright.
|
|
|
|
#include "zeek/analyzer/protocol/file/File.h"
|
|
|
|
#include <algorithm>
|
|
|
|
#include "zeek/Reporter.h"
|
|
#include "zeek/RuleMatcher.h"
|
|
#include "zeek/analyzer/protocol/file/events.bif.h"
|
|
#include "zeek/file_analysis/Manager.h"
|
|
#include "zeek/util.h"
|
|
|
|
namespace zeek::analyzer::file {
|
|
|
|
File_Analyzer::File_Analyzer(const char* name, Connection* conn) : TCP_ApplicationAnalyzer(name, conn) {}
|
|
|
|
void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig) {
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
|
|
|
|
int n = std::min(len, BUFFER_SIZE - buffer_len);
|
|
|
|
if ( n ) {
|
|
memcpy(buffer + buffer_len, (const char*)data, n);
|
|
buffer_len += n;
|
|
|
|
if ( buffer_len == BUFFER_SIZE )
|
|
Identify();
|
|
}
|
|
|
|
if ( orig )
|
|
file_id_orig = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig, file_id_orig);
|
|
else
|
|
file_id_resp = file_mgr->DataIn(data, len, GetAnalyzerTag(), Conn(), orig, file_id_resp);
|
|
}
|
|
|
|
void File_Analyzer::Undelivered(uint64_t seq, int len, bool orig) {
|
|
TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
|
|
|
|
if ( orig )
|
|
file_id_orig = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, file_id_orig);
|
|
else
|
|
file_id_resp = file_mgr->Gap(seq, len, GetAnalyzerTag(), Conn(), orig, file_id_resp);
|
|
}
|
|
|
|
void File_Analyzer::Done() {
|
|
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
|
|
|
|
if ( buffer_len && buffer_len != BUFFER_SIZE )
|
|
Identify();
|
|
|
|
if ( ! file_id_orig.empty() )
|
|
file_mgr->EndOfFile(file_id_orig);
|
|
else
|
|
file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), true);
|
|
|
|
if ( ! file_id_resp.empty() )
|
|
file_mgr->EndOfFile(file_id_resp);
|
|
else
|
|
file_mgr->EndOfFile(GetAnalyzerTag(), Conn(), false);
|
|
}
|
|
|
|
void File_Analyzer::Identify() {
|
|
detail::RuleMatcher::MIME_Matches matches;
|
|
file_mgr->DetectMIME(reinterpret_cast<const u_char*>(buffer), buffer_len, &matches);
|
|
std::string match = matches.empty() ? "<unknown>" : *(matches.begin()->second.begin());
|
|
|
|
if ( file_transferred )
|
|
EnqueueConnEvent(file_transferred, ConnVal(), make_intrusive<StringVal>(buffer_len, buffer),
|
|
make_intrusive<StringVal>("<unknown>"), make_intrusive<StringVal>(match));
|
|
}
|
|
|
|
} // namespace zeek::analyzer::file
|