base/frameworks/files/main.bro

Files

An interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.

Namespace: Files
Imports: base/bif/file_analysis.bif.bro, base/frameworks/analyzer, base/frameworks/logging, base/utils/site.bro
Source File: /scripts/base/frameworks/files/main.bro

Summary

Options

Files::disable (table, &redef): A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.
Files::salt (string, &redef): The salt concatenated to unique file handle strings generated by get_file_handle before hashing them into a file id (the id field of fa_file).

Types

Files::AnalyzerArgs (record, &redef): A structure which parameterizes a type of file analysis.
Files::Info (record, &redef): Contains all metadata related to the analysis of a given file.
Files::ProtoRegistration (record)

Redefinitions

Log::ID (enum)
fa_file (record, &redef)

Events

Files::log_files (event): Event that can be handled to access the Info record as it is sent on to the logging framework.

Functions

Files::add_analyzer (function): Adds an analyzer to the analysis of a given file.
Files::analyzer_name (function): Translates a file analyzer enum value to a string with the analyzer's name.
Files::describe (function): Provides a text description regarding metadata of the file.
Files::register_analyzer_add_callback (function): Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over.
Files::register_protocol (function): Register callbacks for protocols that work with the Files framework.
Files::remove_analyzer (function): Removes an analyzer from the analysis of a given file.
Files::set_timeout_interval (function): Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up.
Files::stop (function): Stops/ignores any further analysis of a given file.

Detailed Interface

Options

Files::disable
Type: table [Files::Tag] of bool
Attributes: &redef
Default: {}

A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.

Files::salt
Type: string
Attributes: &redef
Default: "I recommend changing this."

The salt concatenated to unique file handle strings generated by get_file_handle before hashing them into a file id (the id field of fa_file). Provided to help mitigate the possibility of manipulating the parts of a network connection that factor into the file handle in order to generate two handles that would hash to the same file id.

Types

Files::AnalyzerArgs
Type: record

chunk_event: event (f: fa_file, data: string, off: count) &optional

An event which will be generated for all new file contents, chunk-wise. Used when tag (in the Files::add_analyzer function) is Files::ANALYZER_DATA_EVENT.

stream_event: event (f: fa_file, data: string) &optional

An event which will be generated for all new file contents, stream-wise. Used when tag is Files::ANALYZER_DATA_EVENT.

extract_filename: string &optional

(present if base/files/extract/main.bro is loaded)

The local filename to which to write an extracted file. This field is used by the extraction plugin in the core to know where to write the file. If not specified, then a filename in the format "extract-<source>-<id>" is automatically assigned (using the source and id fields of fa_file).

extract_limit: count &default = FileExtract::default_limit &optional

(present if base/files/extract/main.bro is loaded)

The maximum allowed file size in bytes of extract_filename. Once reached, a file_extraction_limit event is raised and the analyzer will be removed unless FileExtract::set_limit is called to increase the limit. A value of zero means “no limit”.

Attributes: &redef

A structure which parameterizes a type of file analysis.

Files::Info
Type: record

ts: time &log

The time when the file was first seen.

fuid: string &log

An identifier associated with a single file.

tx_hosts: set [addr] &default = set() &optional &log

If this file was transferred over a network connection, this should show the host or hosts the data was sourced from.

rx_hosts: set [addr] &default = set() &optional &log

If this file was transferred over a network connection, this should show the host or hosts the data traveled to.

conn_uids: set [string] &default = set() &optional &log

Connection UIDs over which the file was transferred.

source: string &log &optional

An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source.

depth: count &default = 0 &optional &log

A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection.

analyzers: set [string] &default = set() &optional &log

A set of analysis types done during the file analysis.

mime_type: string &log &optional

A MIME type provided by the strongest file magic signature match against the bof_buffer field of fa_file, or, in cases where no buffering of the beginning of the file occurs, an initial guess of the MIME type based on the first data seen.

filename: string &log &optional

A filename for the file if one is available from the source for the file. These will frequently come from “Content-Disposition” headers in network protocols.

duration: interval &log &default = 0 secs &optional

The duration the file was analyzed for.

local_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the data originated from the local network or not as determined by the configured Site::local_nets.

is_orig: bool &log &optional

If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder.

seen_bytes: count &log &default = 0 &optional

Number of bytes provided to the file analysis engine for the file.

total_bytes: count &log &optional

Total number of bytes that are supposed to comprise the full file.

missing_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were completely missed during the process of analysis, e.g. due to dropped packets.

overflow_bytes: count &log &default = 0 &optional

The number of bytes in the file stream that were not delivered in sequence but were still passed to file analyzers because the reassembly buffer overflowed.

timedout: bool &log &default = F &optional

Whether the file analysis timed out at least once for the file.

parent_fuid: string &log &optional

Identifier associated with a container file from which this one was extracted as part of the file analysis.

md5: string &log &optional

(present if base/files/hash/main.bro is loaded)

An MD5 digest of the file contents.

sha1: string &log &optional

(present if base/files/hash/main.bro is loaded)

A SHA1 digest of the file contents.

sha256: string &log &optional

(present if base/files/hash/main.bro is loaded)

A SHA256 digest of the file contents.

x509: X509::Info &optional

(present if base/files/x509/main.bro is loaded)

Information about X509 certificates. This is used to keep certificate information until all events have been received.

extracted: string &optional &log

(present if base/files/extract/main.bro is loaded)

Local filename of extracted file.

Attributes: &redef

Contains all metadata related to the analysis of a given file. For the most part, fields here are derived from ones of the same name in fa_file.

Files::ProtoRegistration
Type: record

get_file_handle: function (c: connection, is_orig: bool) : string

A callback to generate a file handle on demand when one is needed by the core.

describe: function (f: fa_file) : string &default = function &optional

A callback to "describe" a file. In the case of an HTTP transfer the most obvious description would be the URL. It's like an extremely compressed version of the normal log.

Events

Files::log_files
Type: event (rec: Files::Info)

Event that can be handled to access the Info record as it is sent on to the logging framework.

Functions

Files::add_analyzer
Type: function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = (coerce [] to Files::AnalyzerArgs) &optional) : bool

Adds an analyzer to the analysis of a given file.

F:the file.
Tag:the analyzer type.
Args:any parameters the analyzer takes.
Returns:true if the analyzer will be added, or false if analysis for the file isn’t currently active or the args were invalid for the analyzer type.
Files::analyzer_name
Type:function (tag: Files::Tag) : string

Translates a file analyzer enum value to a string with the analyzer’s name.

Tag:The analyzer tag.
Returns:The analyzer name corresponding to the tag.
Files::describe
Type:function (f: fa_file) : string

Provides a text description regarding metadata of the file. For example, with HTTP it would return a URL.

F:The file to be described.
Returns:a text description regarding metadata of the file.
Files::register_analyzer_add_callback
Type:function (tag: Files::Tag, callback: function (f: fa_file, args: Files::AnalyzerArgs) : void) : void

Register a callback for file analyzers to use if they need to perform some manipulation when they are being added to a file, before the core code takes over. This is unlikely to be of interest to users and is intended only for file analyzer authors; registering a callback is optional.

Tag:Tag for the file analyzer.
Callback:Function to execute when the given file analyzer is being added.
Files::register_protocol
Type:function (tag: Analyzer::Tag, reg: Files::ProtoRegistration) : bool

Register callbacks for protocols that work with the Files framework. The callbacks must uniquely identify a file and each protocol can only have a single callback registered for it.

Tag:Tag for the protocol analyzer having a callback being registered.
Reg:A Files::ProtoRegistration record.
Returns:true if the protocol being registered was not previously registered.
Files::remove_analyzer
Type:function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [] &optional) : bool

Removes an analyzer from the analysis of a given file.

F:the file.
Tag:the analyzer type.
Args:the analyzer (type and args) to remove.
Returns:true if the analyzer will be removed, or false if analysis for the file isn’t currently active.
Files::set_timeout_interval
Type:function (f: fa_file, t: interval) : bool

Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up. When used within a file_timeout handler, the analysis will delay timing out again for the period specified by t.

F:the file.
T:the amount of time the file can remain inactive before discarding.
Returns:true if the timeout interval was set, or false if analysis for the file isn’t currently active.
Files::stop
Type:function (f: fa_file) : bool

Stops/ignores any further analysis of a given file.

F:the file.
Returns:true if analysis for the given file will be ignored for the rest of its contents, or false if analysis for the file isn’t currently active.
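The following script ties together Files::add_analyzer, Files::stop, Files::set_timeout_interval and Files::describe from the entries above. It is an added example, not part of the Bro distribution; the module name, the set of interesting MIME types, the timeout and the extraction limit are assumptions chosen for illustration, and it assumes the file_sniff event and the base hash/extract analyzers shipped with Bro 2.3 or later.

```bro
# Added example (not from the Bro project). Module name and constants are
# assumed values for illustration.
@load base/frameworks/files
@load base/files/hash
@load base/files/extract

module FileTriage;

export {
	## Constructed list of MIME types whose files are hashed and extracted.
	const interesting_types: set[string] = {
		"application/x-dosexec",
		"application/pdf",
	} &redef;

	## Inactivity allowed for files being extracted (assumed value).
	const extract_timeout: interval = 5min &redef;

	## Cap on bytes written per extracted file (assumed value).
	const extract_limit: count = 10 * 1024 * 1024 &redef;
}

# file_sniff fires once the MIME type has been inferred from the
# beginning-of-file buffer, which is the point at which analyzers are
# normally attached.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type )
		return;

	if ( meta$mime_type !in interesting_types )
		{
		# Nothing to do for this file: drop all further analysis of it.
		Files::stop(f);
		return;
		}

	# A SHA256 over the content ends up in f$info$sha256 for later lookup.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);

	# Write the content to disk under a name derived from the file id only,
	# never from attacker-controlled metadata; extract_limit caps the write.
	local fname = fmt("%s-%s", f$source, f$id);
	local xargs: Files::AnalyzerArgs = [$extract_filename=fname,
	                                    $extract_limit=extract_limit];
	if ( ! Files::add_analyzer(f, Files::ANALYZER_EXTRACT, xargs) )
		Reporter::warning(fmt("could not attach extractor to %s (%s)",
		                      f$id, Files::describe(f)));

	# Large transfers can arrive slowly; allow more inactivity before the
	# framework discards the file's state.
	Files::set_timeout_interval(f, extract_timeout);
	}

event file_timeout(f: fa_file)
	{
	# If the total size is known and bytes are still outstanding, grant one
	# more grace period instead of letting the state be cleaned up.
	if ( f?$total_bytes && f$seen_bytes < f$total_bytes )
		Files::set_timeout_interval(f, extract_timeout);
	}
```

Load it with `bro -r trace.pcap filetriage.bro` (assumed file name) and the resulting files.log will carry the sha256 and extracted fields for matching files.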
Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.