# Test harness for the file analysis framework: attaches the analyzers listed
# in test_file_analyzers (plus optional extraction and data events) to each
# new file and prints the framework's events as they fire.
@load base/files/extract
@load base/files/hash

# Extracted files are written under the working directory; the file name
# itself is supplied by test_get_file_name below.
redef FileExtract::prefix = "./";

# When non-empty, only files whose $source equals this value get analyzers.
global test_file_analysis_source: string = "" &redef;

# Analyzer tags attached to every matching file (filled in at bro_init).
global test_file_analyzers: set[Files::Tag];

# Hook returning the extraction file name for f; "" means "do not extract".
# NOTE(review): the returned name is handed to the extract analyzer as-is and
# combined with FileExtract::prefix, so a redef of this hook is trusted to
# return a plain file name -- confirm before reusing outside the test suite.
global test_get_file_name: function(f: fa_file): string =
	function(f: fa_file): string { return ""; } &redef;

# Enables printing of file_chunk / file_stream payloads.
global test_print_file_data_events: bool = F &redef;

# Sequence number handed out to files in file_new order.
global file_count: count = 0;

# Maps a file id to its sequence number so output is independent of ids.
global file_map: table[string] of count;

# Returns an id-independent label ("file #N") for f, using the sequence
# number recorded for it in file_new.
function canonical_file_name(f: fa_file): string
	{
	local seq: count = file_map[f$id];
	return fmt("file #%d", seq);
	}

# Chunk callback of the data-event analyzer; prints the chunk, its length
# and offset only when test_print_file_data_events is enabled.
event file_chunk(f: fa_file, data: string, off: count)
	{
	if ( ! test_print_file_data_events )
		return;

	print "file_chunk", canonical_file_name(f), |data|, off, data;
	}

# Stream callback of the data-event analyzer; prints the data and its length
# only when test_print_file_data_events is enabled.
event file_stream(f: fa_file, data: string)
	{
	if ( ! test_print_file_data_events )
		return;

	print "file_stream", canonical_file_name(f), |data|, data;
	}

# Numbers each new file, prints its initial byte counts, and attaches the
# configured analyzers when the file's source passes the test filter.
event file_new(f: fa_file)
	{
	print "FILE_NEW";

	# Number files in arrival order so output does not depend on file ids.
	file_map[f$id] = file_count;
	file_count += 1;

	print canonical_file_name(f), f$seen_bytes, f$missing_bytes;

	local source_matches = test_file_analysis_source == "" ||
	                       f$source == test_file_analysis_source;
	if ( ! source_matches )
		return;

	for ( tag in test_file_analyzers )
		Files::add_analyzer(f, tag);

	# Extraction is opt-in: the hook returns "" unless a test redefines it.
	# The name is passed through unchanged and resolved under FileExtract::prefix.
	local extract_name = test_get_file_name(f);
	if ( extract_name != "" )
		Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
		                       [$extract_filename=extract_name]);

	# Always deliver chunk/stream events; the handlers decide whether to print.
	Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT,
	                       [$chunk_event=file_chunk,
	                        $stream_event=file_stream]);
	}

# Raised when f is seen over a connection it was not previously associated
# with; only the event name is printed.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	print "FILE_OVER_NEW_CONNECTION";
	}

# Raised when the framework stops waiting for more data for f; only the
# event name is printed.
event file_timeout(f: fa_file)
	{
	print "FILE_TIMEOUT";
	}

# Raised when len bytes starting at offset are missing from f; only the
# event name is printed (offset and len are not shown).
event file_gap(f: fa_file, offset: count, len: count)
	{
	print "FILE_GAP";
	}

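# Prints the final state of f when the framework discards it: byte counts,
# connection ids, beginning-of-file buffer, MIME type, and any hashes filled
# in by the analyzers attached in file_new.
event file_state_remove(f: fa_file)
	{
	print "FILE_STATE_REMOVE";
	print canonical_file_name(f), f$seen_bytes, f$missing_bytes;
	if ( f?$conns )
		for ( cid in f$conns )
			print cid;

	if ( f?$bof_buffer )
		{
		print "FILE_BOF_BUFFER";
		# Only the first 11 bytes of the buffer are printed.
		print f$bof_buffer[0:11];
		}

	# $info is treated as optional further down; guard it here as well so a
	# file without $info does not fail on the $mime_type lookup.
	if ( f?$info && f$info?$mime_type )
		{
		print "MIME_TYPE";
		print f$info$mime_type;
		}

	if ( f?$total_bytes )
		print fmt("total bytes: %s", f$total_bytes);
	if ( f?$source )
		print "source: " + f$source;

	if ( ! f?$info )
		return;

	# Hash fields are populated by the MD5/SHA1/SHA256 analyzers.
	if ( f$info?$md5 )
		print fmt("MD5: %s", f$info$md5);
	if ( f$info?$sha1 )
		print fmt("SHA1: %s", f$info$sha1);
	if ( f$info?$sha256 )
		print fmt("SHA256: %s", f$info$sha256);
	}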

# Selects the hash analyzers that every file under test receives.
event bro_init()
	{
	local hashers: set[Files::Tag] = set(Files::ANALYZER_MD5,
	                                     Files::ANALYZER_SHA1,
	                                     Files::ANALYZER_SHA256);
	for ( t in hashers )
		add test_file_analyzers[t];
	}