base/frameworks/files/main.bro

Files

An interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.

Namespace:Files Imports:base/bif/file_analysis.bif.bro, base/frameworks/analyzer, base/frameworks/logging, base/utils/site.bro Source File:/scripts/base/frameworks/files/main.bro

Summary

Options

Files::analyze_by_mime_type_automatically: bool &redef	Decide if you want to automatically attached analyzers to files based on the detected mime type of the file.
Files::disable: table &redef	A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.
Files::enable_reassembler: bool &redef	The default setting for file reassembly.
Files::reassembly_buffer_size: count &redef	The default per-file reassembly buffer size.
Files::salt: string &redef	The salt concatenated to unique file handle strings generated by get_file_handle before hashing them in to a file id (the id field of fa_file).

Types

Files::AnalyzerArgs: record &redef	A structure which parameterizes a type of file analysis.
Files::Info: record &redef	Contains all metadata related to the analysis of a given file.
Files::ProtoRegistration: record

Redefinitions

Log::ID: enum
fa_file: record &redef

Events

Files::log_files: event

Event that can be handled to access the Info record as it is sent on to the logging framework.

Functions

Files::add_analyzer: function	Adds an analyzer to the analysis of a given file.
Files::all_registered_mime_types: function	Returns a table of all MIME-type-to-analyzer mappings currently registered.
Files::analyzer_name: function	Translates a file analyzer enum value to a string with the analyzer’s name.
Files::describe: function	Provides a text description regarding metadata of the file.
Files::disable_reassembly: function	Disables the file reassembler on this file.
Files::enable_reassembly: function	Allows the file reassembler to be used if it’s necessary because the file is transferred out of order.
Files::register_analyzer_add_callback: function	Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over.
Files::register_for_mime_type: function	Registers a MIME type for an analyzer.
Files::register_for_mime_types: function	Registers a set of MIME types for an analyzer.
Files::register_protocol: function	Register callbacks for protocols that work with the Files framework.
Files::registered_mime_types: function	Returns a set of all MIME types currently registered for a specific analyzer.
Files::remove_analyzer: function	Removes an analyzer from the analysis of a given file.
Files::set_reassembly_buffer_size: function	Set the maximum size the reassembly buffer is allowed to grow for the given file.
Files::set_timeout_interval: function	Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up.
Files::stop: function	Stops/ignores any further analysis of a given file.

Detailed Interface

Options

Files::analyze_by_mime_type_automatically

Type:bool Attributes:&redef Default:T

Decide if you want to automatically attached analyzers to files based on the detected mime type of the file.

Files::disable

Type:table [Files::Tag] of bool Attributes:&redef Default:{}

A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.

Files::enable_reassembler

Type:bool Attributes:&redef Default:T

The default setting for file reassembly.

Files::reassembly_buffer_size

Type:count Attributes:&redef Default:524288

The default per-file reassembly buffer size.

Files::salt

Type:string Attributes:&redef Default:"I recommend changing this."

The salt concatenated to unique file handle strings generated by get_file_handle before hashing them in to a file id (the id field of fa_file). Provided to help mitigate the possibility of manipulating parts of network connections that factor in to the file handle in order to generate two handles that would hash to the same file id.

Types

Files::AnalyzerArgs

Type:

record

chunk_event: event (f: fa_file, data: string, off: count) &optional

An event which will be generated for all new file contents, chunk-wise. Used when tag (in the Files::add_analyzer function) is Files::ANALYZER_DATA_EVENT.

stream_event: event (f: fa_file, data: string) &optional

An event which will be generated for all new file contents, stream-wise. Used when tag is Files::ANALYZER_DATA_EVENT.

extract_filename: string &optional

(present if base/files/extract/main.bro is loaded)

The local filename to which to write an extracted file. This field is used in the core by the extraction plugin to know where to write the file to. If not specified, then a filename in the format “extract-<source>-<id>” is automatically assigned (using the source and id fields of fa_file).

extract_limit: count &default = FileExtract::default_limit &optional

(present if base/files/extract/main.bro is loaded)

The maximum allowed file size in bytes of extract_filename. Once reached, a file_extraction_limit event is raised and the analyzer will be removed unless FileExtract::set_limit is called to increase the limit. A value of zero means “no limit”.

Attributes:

&redef

A structure which parameterizes a type of file analysis.

Files::Info

Type:

record

ts: time &log

The time when the file was first seen.

fuid: string &log

An identifier associated with a single file.

tx_hosts: set [addr] &default = {  } &optional &log

If this file was transferred over a network connection this should show the host or hosts that the data sourced from.

rx_hosts: set [addr] &default = {  } &optional &log

If this file was transferred over a network connection this should show the host or hosts that the data traveled to.

conn_uids: set [string] &default = {  } &optional &log

Connection UIDs over which the file was transferred.

source: string &log &optional

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

depth: count &default = 0 &optional &log

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.

analyzers: set [string] &default = {  } &optional &log

A set of analysis types done during the file analysis.

mime_type: string &log &optional

A mime type provided by the strongest file magic signature match against the bof_buffer field of fa_file, or in the cases where no buffering of the beginning of file occurs, an initial guess of the mime type based on the first data seen.

filename: string &log &optional

A filename for the file if one is available from the source for the file. These will frequently come from “Content-Disposition” headers in network protocols.

duration: interval &log &default = 0 secs &optional

The duration the file was analyzed for.

local_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the data originated from the local network or not as determined by the configured Site::local_nets.

is_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

seen_bytes: count &log &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &log &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were completely missed during the process of analysis e.g. due to dropped packets.

overflow_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled.

timedout: bool &log &default = F &optional

Whether the file analysis timed out at least once for the file.

parent_fuid: string &log &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

md5: string &log &optional

(present if base/files/hash/main.bro is loaded)

An MD5 digest of the file contents.

sha1: string &log &optional

(present if base/files/hash/main.bro is loaded)

A SHA1 digest of the file contents.

sha256: string &log &optional

(present if base/files/hash/main.bro is loaded)

A SHA256 digest of the file contents.

x509: X509::Info &optional

(present if base/files/x509/main.bro is loaded)

Information about X509 certificates. This is used to keep certificate information until all events have been received.

extracted: string &optional &log

(present if base/files/extract/main.bro is loaded)

Local filename of extracted file.

extracted_cutoff: bool &optional &log

(present if base/files/extract/main.bro is loaded)

Set to true if the file being extracted was cut off so the whole file was not logged.

extracted_size: count &optional &log

(present if base/files/extract/main.bro is loaded)

The number of bytes extracted to disk.

entropy: double &log &optional

(present if policy/frameworks/files/entropy-test-all-files.bro is loaded)

The information density of the contents of the file, expressed as a number of bits per character.

Attributes:

&redef

Contains all metadata related to the analysis of a given file. For the most part, fields here are derived from ones of the same name in fa_file.

Files::ProtoRegistration

Type:

record

get_file_handle: function (c: connection, is_orig: bool) : string

A callback to generate a file handle on demand when one is needed by the core.

describe: function (f: fa_file) : string &default = function &optional

A callback to “describe” a file. In the case of an HTTP transfer the most obvious description would be the URL. It’s like an extremely compressed version of the normal log.

Events

Files::log_files

Type:event (rec: Files::Info)

Event that can be handled to access the Info record as it is sent on to the logging framework.

Functions

Files::add_analyzer

Type:function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600] &optional) : bool

Adds an analyzer to the analysis of a given file.

F:the file. Tag:the analyzer type. Args:any parameters the analyzer takes. Returns:true if the analyzer will be added, or false if analysis for the file isn’t currently active or the args were invalid for the analyzer type.

Files::all_registered_mime_types

Type:function () : table [Files::Tag] of set [string]

Returns a table of all MIME-type-to-analyzer mappings currently registered.

Returns:A table mapping each analyzer to the set of MIME types registered for it.

Files::analyzer_name

Type:function (tag: Files::Tag) : string

Translates a file analyzer enum value to a string with the analyzer’s name.

Tag:The analyzer tag. Returns:The analyzer name corresponding to the tag.

Files::describe

Type:function (f: fa_file) : string

Provides a text description regarding metadata of the file. For example, with HTTP it would return a URL.

F:The file to be described. Returns:a text description regarding metadata of the file.

Files::disable_reassembly

Type:function (f: fa_file) : void

Disables the file reassembler on this file. If the file is not transferred out of order this will have no effect.

F:the file.

Files::enable_reassembly

Type:function (f: fa_file) : void

Allows the file reassembler to be used if it’s necessary because the file is transferred out of order.

F:the file.

Files::register_analyzer_add_callback

Type:function (tag: Files::Tag, callback: function (f: fa_file, args: Files::AnalyzerArgs) : void) : void

Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over. This is unlikely to be interesting for users and should only be called by file analyzer authors but is not required.

Tag:Tag for the file analyzer. Callback:Function to execute when the given file analyzer is being added.

Files::register_for_mime_type

Type:function (tag: Files::Tag, mt: string) : bool

Registers a MIME type for an analyzer. If a future file with this type is seen, the analyzer will be automatically assigned to parsing it. The function adds to all MIME types already registered, it doesn’t replace them.

Tag:The tag of the analyzer. Mt:The MIME type in the form “foo/bar” (case-insensitive). Returns:True if the MIME type was successfully registered.

Files::register_for_mime_types

Type:function (tag: Files::Tag, mime_types: set [string]) : bool

Registers a set of MIME types for an analyzer. If a future connection on one of these types is seen, the analyzer will be automatically assigned to parsing it. The function adds to all MIME types already registered, it doesn’t replace them.

Tag:The tag of the analyzer. Mts:The set of MIME types, each in the form “foo/bar” (case-insensitive). Returns:True if the MIME types were successfully registered.

Files::register_protocol

Type:function (tag: Analyzer::Tag, reg: Files::ProtoRegistration) : bool

Register callbacks for protocols that work with the Files framework. The callbacks must uniquely identify a file and each protocol can only have a single callback registered for it.

Tag:Tag for the protocol analyzer having a callback being registered. Reg:A Files::ProtoRegistration record. Returns:true if the protocol being registered was not previously registered.

Files::registered_mime_types

Type:function (tag: Files::Tag) : set [string]

Returns a set of all MIME types currently registered for a specific analyzer.

Tag:The tag of the analyzer. Returns:The set of MIME types.

Files::remove_analyzer

Type:function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [chunk_event=<uninitialized>, stream_event=<uninitialized>, extract_filename=<uninitialized>, extract_limit=104857600] &optional) : bool

Removes an analyzer from the analysis of a given file.

F:the file. Tag:the analyzer type. Args:the analyzer (type and args) to remove. Returns:true if the analyzer will be removed, or false if analysis for the file isn’t currently active.

Files::set_reassembly_buffer_size

Type:function (f: fa_file, max: count) : void

Set the maximum size the reassembly buffer is allowed to grow for the given file.

F:the file. Max:Maximum allowed size of the reassembly buffer.

Files::set_timeout_interval

Type:function (f: fa_file, t: interval) : bool

Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up. When used within a file_timeout handler, the analysis will delay timing out again for the period specified by t.

F:the file. T:the amount of time the file can remain inactive before discarding. Returns:true if the timeout interval was set, or false if analysis for the file isn’t currently active.

Files::stop

Type:function (f: fa_file) : bool

Stops/ignores any further analysis of a given file.

F:the file. Returns:true if analysis for the given file will be ignored for the rest of its contents, or false if analysis for the file isn’t currently active.