mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
e11c20e1eb
Changing the default_file_bof_buffer_size has subtle impact on MIME type detection and changed the zeek-testing baseline. Do not load this new script via test-all-policy to avoid this. The new test was mainly an aid to understand what is actually going on. In short, if default_file_bof_buffer_size is larger than the file MIME detection only runs when the buffer is full, or when the file is removed. When a file transfer happens over multiple HTTP connections, only some or one of the http.log entries will have a proper response MIME type. PCAP extracted from 2009-M57-day11-18.trace.gz.
22 lines
994 B
Text
22 lines
994 B
Text
# @TEST-DOC: Increasing default_file_bof_buffer_size has subtle impact on mime_type detection and association for partial file transfers over HTTP. Test mainly to aid understanding.
|
|
#
|
|
# @TEST-EXEC: zeek -b -r $TRACES/http/vnd.ms-cab-compressed-multi-conn.pcap %INPUT
|
|
# @TEST-EXEC: zeek-cut -m fuid source mime_type filename < files.log > files.log.cut
|
|
# @TEST-EXEC: btest-diff files.log.cut
|
|
# @TEST-EXEC: zeek-cut -m uid method host status_code resp_fuids response_body_len resp_mime_types < http.log > http.log.cut
|
|
# @TEST-EXEC: btest-diff http.log.cut
|
|
|
|
@load base/protocols/http
|
|
@load base/frameworks/files
|
|
|
|
# Increases default_file_bof_buffer_size, resulting in only one of the GET
|
|
# of http.log having the application/vnd.ms-cab-compressed associated.
|
|
@load policy/frameworks/signatures/iso-9660
|
|
|
|
redef LogAscii::use_json = F;
|
|
|
|
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
|
|
{
|
|
if ( f$source == "HTTP" )
|
|
f$info$filename = split_string(c$http$uri, /\//)[-1];
|
|
}
|