mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
705a84d688
http.log now has files taken from request and response bodies in different fields for each, and can now track multiple files per body. That is, the "extraction_file" field is now "extracted_request_files" and "extracted_response_files".
100 lines
2.5 KiB
Text
100 lines
2.5 KiB
Text
##! Extracts the items from HTTP traffic, one per file. At this time only
|
|
##! the message body from the server can be extracted with this script.
|
|
|
|
@load ./main
|
|
@load ./file-analysis
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
## Pattern of file mime types to extract from HTTP response entity bodies.
|
|
const extract_file_types = /NO_DEFAULT/ &redef;
|
|
|
|
## The on-disk prefix for files to be extracted from HTTP entity bodies.
|
|
const extraction_prefix = "http-item" &redef;
|
|
|
|
redef record Info += {
|
|
## On-disk location where files in request body were extracted.
|
|
extracted_request_files: vector of string &log &optional;
|
|
|
|
## On-disk location where files in response body were extracted.
|
|
extracted_response_files: vector of string &log &optional;
|
|
|
|
## Indicates if the response body is to be extracted or not. Must be
|
|
## set before or by the first :bro:see:`file_new` for the file content.
|
|
extract_file: bool &default=F;
|
|
};
|
|
}
|
|
|
|
function get_extraction_name(f: fa_file): string
|
|
{
|
|
local r = fmt("%s-%s.dat", extraction_prefix, f$id);
|
|
return r;
|
|
}
|
|
|
|
function add_extraction_file(c: connection, is_orig: bool, fn: string)
|
|
{
|
|
if ( is_orig )
|
|
{
|
|
if ( ! c$http?$extracted_request_files )
|
|
c$http$extracted_request_files = vector();
|
|
c$http$extracted_request_files[|c$http$extracted_request_files|] = fn;
|
|
}
|
|
else
|
|
{
|
|
if ( ! c$http?$extracted_response_files )
|
|
c$http$extracted_response_files = vector();
|
|
c$http$extracted_response_files[|c$http$extracted_response_files|] = fn;
|
|
}
|
|
}
|
|
|
|
event file_new(f: fa_file) &priority=5
|
|
{
|
|
if ( ! f?$source ) return;
|
|
if ( f$source != "HTTP" ) return;
|
|
if ( ! f?$conns ) return;
|
|
|
|
local fname: string;
|
|
local c: connection;
|
|
|
|
if ( f?$mime_type && extract_file_types in f$mime_type )
|
|
{
|
|
fname = get_extraction_name(f);
|
|
FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
|
|
$extract_filename=fname]);
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
c = f$conns[cid];
|
|
if ( ! c?$http ) next;
|
|
add_extraction_file(c, f$is_orig, fname);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
local extracting: bool = F;
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
c = f$conns[cid];
|
|
|
|
if ( ! c?$http ) next;
|
|
|
|
if ( ! c$http$extract_file ) next;
|
|
|
|
fname = get_extraction_name(f);
|
|
FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
|
|
$extract_filename=fname]);
|
|
extracting = T;
|
|
break;
|
|
}
|
|
|
|
if ( extracting )
|
|
for ( cid in f$conns )
|
|
{
|
|
c = f$conns[cid];
|
|
if ( ! c?$http ) next;
|
|
add_extraction_file(c, f$is_orig, fname);
|
|
}
|
|
}
|