mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 07:38:19 +00:00
c9524757d2
with a MIME type. Whenever that MIME is detected, Bro will now automatically activate the analyzer. The interface mimics how well-known ports are defined for protocol analyzers. This isn't actually used by any existing file analyzer (because we don't have any yet that target a specific file format), but there's a test making sure it works.
86 lines
2.7 KiB
Text
86 lines
2.7 KiB
Text
##! Internal functions and types used by the file analysis framework.
|
|
|
|
module Files;
|
|
|
|
%%{
|
|
#include "file_analysis/Manager.h"
|
|
%%}
|
|
|
|
type AnalyzerArgs: record;
|
|
|
|
## :bro:see:`Files::set_timeout_interval`.
|
|
function Files::__set_timeout_interval%(file_id: string, t: interval%): bool
|
|
%{
|
|
bool result = file_mgr->SetTimeoutInterval(file_id->CheckString(), t);
|
|
return new Val(result, TYPE_BOOL);
|
|
%}
|
|
|
|
## :bro:see:`Files::add_analyzer`.
|
|
function Files::__add_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool
|
|
%{
|
|
using BifType::Record::Files::AnalyzerArgs;
|
|
RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
|
|
bool result = file_mgr->AddAnalyzer(file_id->CheckString(),
|
|
file_mgr->GetComponentTag(tag), rv);
|
|
Unref(rv);
|
|
return new Val(result, TYPE_BOOL);
|
|
%}
|
|
|
|
## :bro:see:`Files::add_analyzers_for_mime_type`.
|
|
function Files::__add_analyzers_for_mime_type%(file_id: string, mtype: string, args: any%): files_tag_set
|
|
%{
|
|
using BifType::Record::Files::AnalyzerArgs;
|
|
RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
|
|
Val* analyzers = file_mgr->AddAnalyzersForMIMEType(file_id->CheckString(), mtype->CheckString(), rv);
|
|
Unref(rv);
|
|
return analyzers;
|
|
%}
|
|
|
|
## :bro:see:`Files::remove_analyzer`.
|
|
function Files::__remove_analyzer%(file_id: string, tag: Files::Tag, args: any%): bool
|
|
%{
|
|
using BifType::Record::Files::AnalyzerArgs;
|
|
RecordVal* rv = args->AsRecordVal()->CoerceTo(AnalyzerArgs);
|
|
bool result = file_mgr->RemoveAnalyzer(file_id->CheckString(),
|
|
file_mgr->GetComponentTag(tag) , rv);
|
|
Unref(rv);
|
|
return new Val(result, TYPE_BOOL);
|
|
%}
|
|
|
|
## :bro:see:`Files::stop`.
|
|
function Files::__stop%(file_id: string%): bool
|
|
%{
|
|
bool result = file_mgr->IgnoreFile(file_id->CheckString());
|
|
return new Val(result, TYPE_BOOL);
|
|
%}
|
|
|
|
## :bro:see:`Files::analyzer_name`.
|
|
function Files::__analyzer_name%(tag: Files::Tag%) : string
|
|
%{
|
|
return new StringVal(file_mgr->GetComponentName(tag));
|
|
%}
|
|
|
|
## :bro:see:`Files::register_for_mime_type`.
|
|
function Files::__register_for_mime_type%(id: Analyzer::Tag, mt: string%) : bool
|
|
%{
|
|
bool result = file_mgr->RegisterAnalyzerForMIMEType(id->AsEnumVal(), mt);
|
|
return new Val(result, TYPE_BOOL);
|
|
%}
|
|
|
|
module GLOBAL;
|
|
|
|
## For use within a :bro:see:`get_file_handle` handler to set a unique
|
|
## identifier to associate with the current input to the file analysis
|
|
## framework. Using an empty string for the handle signifies that the
|
|
## input will be ignored/discarded.
|
|
##
|
|
## handle: A string that uniquely identifies a file.
|
|
##
|
|
## .. bro:see:: get_file_handle
|
|
function set_file_handle%(handle: string%): any
|
|
%{
|
|
file_mgr->SetHandle(handle->CheckString());
|
|
return 0;
|
|
%}
|
|
|
|
const Files::salt: string;
|