mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
ae0b328826
Allow spicy parsers to generate their own file IDs and provide them to Zeek. This duplicates functionality that is currently possible (and used) by some binpac-based analyzers. One example for an analyzer creating its own file IDs is the SSL analyzer.
63 lines
3 KiB
Text
63 lines
3 KiB
Text
# @TEST-REQUIRES: have-spicy
|
|
#
|
|
# @TEST-EXEC: spicyz -d -o test.hlto ssh.spicy ./ssh-cond.evt
|
|
# This is equivalent to file-analysis-data-in, besides the fact that we provide our own file ID.
|
|
#
|
|
# @TEST-EXEC: zeek -r ${TRACES}/ssh/single-conn.trace test.hlto %INPUT Spicy::enable_print=T | sort >output
|
|
#
|
|
# @TEST-EXEC: cat files.log | zeek-cut fuid filename >files.log.tmp && mv files.log.tmp files.log
|
|
# @TEST-EXEC: btest-diff files.log
|
|
#
|
|
# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-canonifier-spicy btest-diff output
|
|
|
|
# @TEST-START-FILE ssh.spicy
|
|
module SSH;
|
|
|
|
import spicy;
|
|
import zeek;
|
|
|
|
global file_counter = 0;
|
|
|
|
public type Banner = unit {
|
|
magic : /SSH-/ {
|
|
# This is a bit of cheating.
|
|
local d: spicy::Base64Stream;
|
|
local dec : bytes = spicy::base64_decode(d, b"MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEyMTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3QgU2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnvUA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRrmBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++AcxGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmKFsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7XrJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzApMCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0gBDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7HTgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoNFvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrzmqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wWIRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZUSpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==");
|
|
dec += spicy::base64_finish(d);
|
|
|
|
print self.file_id;
|
|
zeek::file_data_in(dec);
|
|
}
|
|
version : /[^-]*/;
|
|
dash : /-/;
|
|
software: /[^\r\n]*/;
|
|
|
|
var file_id: string = zeek::file_begin("application/x-x509-ca-cert", "FaAaAaAaAaAaAaAaAa");
|
|
var file_name: string = "foo-%d.txt" % ++file_counter;
|
|
};
|
|
|
|
on Banner::%done { zeek::file_end(self.file_id); }
|
|
|
|
# @TEST-END-FILE
|
|
|
|
# @TEST-START-FILE ssh-cond.evt
|
|
|
|
import zeek;
|
|
|
|
protocol analyzer spicy::SSH over TCP:
|
|
parse with SSH::Banner,
|
|
port 22/tcp,
|
|
replaces SSH;
|
|
|
|
on SSH::Banner::software -> event have_filename($file, self.file_name);
|
|
|
|
# @TEST-END-FILE
|
|
|
|
# Trigger creation of `files.log`.
|
|
@load base/protocols/ssl
|
|
redef X509::log_x509_in_files_log = T;
|
|
|
|
event have_filename(f: fa_file, filename: string)
|
|
{
|
|
f$info$filename = filename;
|
|
}
|