mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
984e9793db
* origin/topic/seth/faf-updates: (27 commits) Undoing the FTP tests I updated earlier. Update the last two btest FAF tests. File analysis fixes and test updates. Fix a bug with getting analyzer tags. A few test updates. Some tests work now (at least they all don't fail anymore!) Forgot a file. Added protocol description functions that provide a super compressed log representation. Fix a bug where orig file information in http wasn't working right. Added mime types to http.log Clean up queued but unused file_over_new_connections event args. Add jar files to the default MHR lookups. Adding CAB files for MHR checking. Improve malware hash registry script. Fix a small issue with finding smtp entities. Added support for files to the notice framework. Make the custom libmagic database a git submodule. Add an is_orig parameter to file_over_new_connection event. Make magic for emitting application/msword mime type less strict. Disable more libmagic builtin checks that override the magic database. ... Conflicts: doc/scripts/DocSourcesList.cmake scripts/base/init-bare.bro scripts/test-all-policy.bro testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
56 lines
1.4 KiB
Text
56 lines
1.4 KiB
Text
@load ./main
|
|
@load ./entities
|
|
@load ./utils
|
|
@load base/utils/conn-ids
|
|
@load base/frameworks/files
|
|
|
|
module HTTP;
|
|
|
|
export {
|
|
## Default file handle provider for HTTP.
|
|
global get_file_handle: function(c: connection, is_orig: bool): string;
|
|
|
|
## Default file describer for HTTP.
|
|
global describe_file: function(f: fa_file): string;
|
|
}
|
|
|
|
function get_file_handle(c: connection, is_orig: bool): string
|
|
{
|
|
if ( ! c?$http )
|
|
return "";
|
|
|
|
if ( c$http$range_request && ! is_orig )
|
|
{
|
|
# Any multipart responses from the server are pieces of same file
|
|
# that correspond to range requests, so don't use mime depth to
|
|
# identify the file.
|
|
return cat(Analyzer::ANALYZER_HTTP, is_orig, c$id$orig_h, build_url(c$http));
|
|
}
|
|
else
|
|
{
|
|
local mime_depth = is_orig ? c$http$orig_mime_depth : c$http$resp_mime_depth;
|
|
return cat(Analyzer::ANALYZER_HTTP, c$start_time, is_orig,
|
|
c$http$trans_depth, mime_depth, id_string(c$id));
|
|
}
|
|
}
|
|
|
|
function describe_file(f: fa_file): string
|
|
{
|
|
# This shouldn't be needed, but just in case...
|
|
if ( f$source != "HTTP" )
|
|
return "";
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
if ( f$conns[cid]?$http )
|
|
return build_url_http(f$conns[cid]$http);
|
|
}
|
|
return "";
|
|
}
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Files::register_protocol(Analyzer::ANALYZER_HTTP,
|
|
[$get_file_handle = HTTP::get_file_handle,
|
|
$describe = HTTP::describe_file]);
|
|
}
|