
Removed "file_mime_type" and "file_mime_types" event, replacing them with a new event called "file_metadata_inferred". It has a record argument of type "inferred_file_metadata", which contains the mime type information that the earlier events used to supply. The idea here is that future extensions to the record with new metadata will be less likely to break user code than the alternatives (adding new events or new event parameters). Addresses BIT-1368.
@load ./info
@load ./main
@load ./utils
@load base/utils/conn-ids
@load base/frameworks/files
module FTP;
export {
	redef record Info += {
		## Unique ID of the file associated with this FTP entry.
		## Optional; written to the log when present.
		fuid: string &optional &log;
	};

	## File handle provider that FTP registers with the files framework.
	global get_file_handle: function(c: connection, is_orig: bool): string;

	## Returns a description of a file that was transferred over FTP.
	global describe_file: function(f: fa_file): string;

	redef record fa_file += {
		## FTP state attached to the file; unset for files that were not
		## matched to an expected FTP data connection.
		ftp: FTP::Info &optional;
	};
}
# Builds the file handle for a connection carrying FTP data.
#
# c: the connection the file data was seen on.
# is_orig: direction flag, folded into the handle.
#
# Returns: a handle string, or "" when the connection's responder
#          address/port is not a key of ftp_data_expected.
function get_file_handle(c: connection, is_orig: bool): string
	{
	# ftp_data_expected is defined outside this file (presumably in ./main).
	# A connection whose responder endpoint is not in it gets the empty
	# string from this provider rather than an FTP file handle.
	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
		{
		# Start time, the full connection ID and the direction are part of
		# the handle, so handles differ between connections and directions.
		return cat(Analyzer::ANALYZER_FTP_DATA, c$start_time, c$id, is_orig);
		}

	return "";
	}
# Describes a file transferred over FTP.
#
# f: the file to describe.
#
# Returns: the result of FTP::describe for the first connection of the
#          file that has FTP state attached, or "" if the file's source
#          is not "FTP" or no such connection exists.
function describe_file(f: fa_file): string
	{
	# The source check is a safeguard; this function is registered only
	# for the FTP data analyzer.
	if ( f$source == "FTP" )
		{
		# NOTE(review): f$conns is read without a ?$ check -- confirm it is
		# always set for files whose source is "FTP".
		for ( cid in f$conns )
			{
			local conn = f$conns[cid];

			if ( conn?$ftp )
				return FTP::describe(conn$ftp);
			}
		}

	return "";
	}
# Registers FTP's handle provider and describe callback with the files
# framework for the FTP data analyzer.
event bro_init() &priority=5
	{
	local provider: Files::ProtoRegistration = [
		$get_file_handle = FTP::get_file_handle,
		$describe = FTP::describe_file
	];

	Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, provider);
	}
# Links a file to the FTP state expected for the connection it was seen on.
#
# Nothing happens unless the connection's responder address/port is a key
# of ftp_data_expected.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
	{
	local resp_h = c$id$resp_h;
	local resp_p = c$id$resp_p;

	# NOTE(review): the lookup is keyed on the responder endpoint only; the
	# originator is not compared here. Confirm where (or whether) it is
	# checked, since fuid in the FTP log follows whatever connection matches.
	if ( [resp_h, resp_p] in ftp_data_expected )
		{
		local session = ftp_data_expected[resp_h, resp_p];

		# Records are reference types, so this assignment is also visible
		# through the table entry, not only through f$ftp below.
		session$fuid = f$id;
		f$ftp = session;
		}
	}
# Copies the inferred MIME type of a file into its FTP state.
#
# The assignment happens only when the file has FTP state attached and the
# inferred metadata includes a MIME type; otherwise the event is ignored.
event file_metadata_inferred(f: fa_file, meta: inferred_file_metadata) &priority=5
	{
	# The mime_type field of FTP::Info is declared outside this file
	# (presumably in ./info).
	if ( f?$ftp && meta?$mime_type )
		f$ftp$mime_type = meta$mime_type;
	}