mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 15:48:19 +00:00
cdf6b7864e
- Recorrected the module name to Files.
- Added Files::analyzer_name to get a more readable name for a
file analyzer.
- Improved and just overall better handled multipart mime
transfers in HTTP and SMTP. HTTP now has orig_fuids and resp_fuids
log fields since multiple "files" can be transferred with
multipart mime in a single request/response pair. SMTP has
an fuids field which has file unique IDs for all parts
transferred. FTP and IRC have a log field named fuid added
because only a single file can be transferred per irc and ftp
log line.
70 lines
1.8 KiB
Text
70 lines
1.8 KiB
Text
##! Analysis and logging for MIME entities found in HTTP sessions.
|
|
|
|
@load base/frameworks/files
|
|
@load base/utils/strings
|
|
@load base/utils/files
|
|
@load ./main
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
type Entity: record {
|
|
## Depth of the entity if multiple entities are sent in a single transaction.
|
|
depth: count &default=0;
|
|
|
|
## Filename for the entity if discovered from a header.
|
|
filename: string &optional;
|
|
};
|
|
|
|
redef record Info += {
|
|
## The current entity being seen.
|
|
entity: Entity &optional;
|
|
|
|
## Current number of MIME entities in the HTTP request message body.
|
|
orig_mime_depth: count &default=0;
|
|
## Current number of MIME entities in the HTTP response message body.
|
|
resp_mime_depth: count &default=0;
|
|
};
|
|
}
|
|
|
|
event http_begin_entity(c: connection, is_orig: bool) &priority=10
|
|
{
|
|
set_state(c, F, is_orig);
|
|
|
|
if ( is_orig )
|
|
++c$http$orig_mime_depth;
|
|
else
|
|
++c$http$resp_mime_depth;
|
|
|
|
c$http$entity = Entity($depth = is_orig ? c$http$orig_mime_depth : c$http$resp_mime_depth);
|
|
}
|
|
|
|
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
|
|
{
|
|
if ( name == "CONTENT-DISPOSITION" &&
|
|
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in value )
|
|
{
|
|
c$http$entity$filename = extract_filename_from_content_disposition(value);
|
|
}
|
|
else if ( name == "CONTENT-TYPE" &&
|
|
/[nN][aA][mM][eE][:blank:]*=/ in value )
|
|
{
|
|
c$http$entity$filename = extract_filename_from_content_disposition(value);
|
|
}
|
|
}
|
|
|
|
event file_over_new_connection(f: fa_file, c: connection) &priority=5
|
|
{
|
|
if ( f$source == "HTTP" && c$http?$entity )
|
|
{
|
|
f$info$depth = c$http$entity$depth;
|
|
if ( c$http$entity?$filename )
|
|
f$info$filename = c$http$entity$filename;
|
|
}
|
|
}
|
|
|
|
event http_end_entity(c: connection, is_orig: bool) &priority=5
|
|
{
|
|
if ( c?$http && c$http?$entity )
|
|
delete c$http$entity;
|
|
}
|