mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
597a4d6704
- policy/ renamed to scripts/ - By default BROPATH now contains: - scripts/ - scripts/policy - scripts/site - *Nearly* all tests pass. - All of scripts/base/ is loaded by main.cc - Can be disabled by setting $BRO_NO_BASE_SCRIPTS - Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script). - The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building. - The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead. - All "detection" activity happens through scripts in scripts/policy/. - Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1) - This is so the communications framework can be loaded as part of the base without causing trouble when it's not needed. - This will be removed once a resolution to ticket #540 is reached.
78 lines
No EOL
2 KiB
Text
78 lines
No EOL
2 KiB
Text
@load protocols/mime/file-ident
|
|
|
|
module MIME;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## Indicates that an MD5 sum was calculated for a MIME message.
|
|
MD5,
|
|
};
|
|
|
|
redef record Info += {
|
|
## The calculated MD5 sum for the MIME entity.
|
|
md5: string &log &optional;
|
|
|
|
## Optionally calculate the file's MD5 sum. Must be set prior to the
|
|
## first data chunk being see in an event.
|
|
calc_md5: bool &default=F;
|
|
|
|
## This boolean value indicates if an MD5 sum is being calculated
|
|
## for the current file transfer.
|
|
calculating_md5: bool &default=F;
|
|
};
|
|
|
|
## Generate MD5 sums for these filetypes.
|
|
const generate_md5 = /application\/x-dosexec/ # Windows and DOS executables
|
|
| /application\/x-executable/ # *NIX executable binary
|
|
&redef;
|
|
}
|
|
|
|
event mime_segment_data(c: connection, length: count, data: string) &priority=-5
|
|
{
|
|
if ( ! c?$mime ) return;
|
|
|
|
if ( c$mime$content_len == 0 )
|
|
{
|
|
if ( generate_md5 in c$mime$mime_type )
|
|
c$mime$calc_md5 = T;
|
|
|
|
if ( c$mime$calc_md5 )
|
|
{
|
|
c$mime$calculating_md5 = T;
|
|
md5_hash_init(c$id);
|
|
}
|
|
}
|
|
|
|
if ( c$mime$calculating_md5 )
|
|
md5_hash_update(c$id, data);
|
|
}
|
|
|
|
## In the event of a content gap during the MIME transfer, detect the state for
|
|
## the MD5 sum calculation and stop calculating the MD5 since it would be
|
|
## incorrect anyway.
|
|
event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5
|
|
{
|
|
if ( is_orig || ! c?$mime ) return;
|
|
|
|
if ( c$mime$calculating_md5 )
|
|
{
|
|
c$mime$calculating_md5 = F;
|
|
md5_hash_finish(c$id);
|
|
}
|
|
}
|
|
|
|
event mime_end_entity(c: connection) &priority=-3
|
|
{
|
|
# TODO: this check is only due to a bug in mime_end_entity that
|
|
# causes the event to be generated twice for the same real event.
|
|
if ( ! c?$mime )
|
|
return;
|
|
|
|
if ( c$mime$calculating_md5 )
|
|
{
|
|
c$mime$md5 = md5_hash_finish(c$id);
|
|
|
|
NOTICE([$note=MD5, $msg=fmt("Calculated a hash for a MIME entity from %s", c$id$orig_h),
|
|
$sub=c$mime$md5, $conn=c]);
|
|
}
|
|
} |