An interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.
Namespace: | Files |
---|---|
Imports: | base/bif/file_analysis.bif.bro, base/frameworks/analyzer, base/frameworks/logging, base/utils/site.bro |
Source File: | /scripts/base/frameworks/files/main.bro |
Files::disable: table &redef | A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers. |
Files::salt: string &redef | The salt concatenated to unique file handle strings generated by get_file_handle before hashing them into a file id (the id field of fa_file). |
Files::AnalyzerArgs: record &redef | A structure which parameterizes a type of file analysis. |
Files::Info: record &redef | Contains all metadata related to the analysis of a given file. |
Files::ProtoRegistration: record |
Files::log_files: event | Event that can be handled to access the Info record as it is sent on to the logging framework. |
Files::add_analyzer: function | Adds an analyzer to the analysis of a given file. |
Files::analyzer_name: function | Translates a file analyzer enum value to a string with the analyzer’s name. |
Files::describe: function | Provides a text description regarding metadata of the file. |
Files::register_analyzer_add_callback: function | Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file before the core code takes over. |
Files::register_protocol: function | Register callbacks for protocols that work with the Files framework. |
Files::remove_analyzer: function | Removes an analyzer from the analysis of a given file. |
Files::set_timeout_interval: function | Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up. |
Files::stop: function | Stops/ignores any further analysis of a given file. |
Files::disable
Type: | table [Files::Tag] of bool |
---|---|
Attributes: | &redef |
Default: | {} |
A table that can be used to disable file analysis completely for any files transferred over given network protocol analyzers.
Files::salt
Type: | string |
---|---|
Attributes: | &redef |
Default: | "I recommend changing this." |
The salt concatenated to unique file handle strings generated by get_file_handle before hashing them into a file id (the id field of fa_file). Provided to help mitigate the possibility of an endpoint manipulating the parts of a network connection that factor into the file handle so that two different handles hash to the same file id.
Files::AnalyzerArgs
Type: | record { chunk_event: event(f: fa_file, data: string, off: count); stream_event: event(f: fa_file, data: string); extract_filename: string; extract_limit: count; } |
---|---|
Attributes: | &redef |
A structure which parameterizes a type of file analysis.
Files::Info
Type: | record { ts: time; fuid: string; tx_hosts: set[addr]; rx_hosts: set[addr]; conn_uids: set[string]; source: string; depth: count; analyzers: set[string]; mime_type: string; filename: string; duration: interval; local_orig: bool; is_orig: bool; seen_bytes: count; total_bytes: count; missing_bytes: count; overflow_bytes: count; timedout: bool; parent_fuid: string; md5: string; sha1: string; sha256: string; x509: record (X.509 certificate fields: ts, id, certificate, handle, extensions, san, basic_constraints, logcert); extracted: string; } |
---|---|
Attributes: | &redef |
Contains all metadata related to the analysis of a given file. For the most part, fields here are derived from ones of the same name in fa_file.
Files::ProtoRegistration
Type: | record |
---|---|
Files::log_files
Type: | event (rec: Files::Info) |
---|
Event that can be handled to access the Info record as it is sent on to the logging framework.
Files::add_analyzer
Type: | function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [] &optional) : bool |
---|
Adds an analyzer to the analysis of a given file.
F: | the file. |
---|---|
Tag: | the analyzer type. |
Args: | any parameters the analyzer takes. |
Returns: | true if the analyzer will be added, or false if analysis for the file isn’t currently active or the args were invalid for the analyzer type. |
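The following script is an added example, not code from the Bro distribution or from this page, showing how add_analyzer, set_timeout_interval, analyzer_name, describe and the log_files event fit together from a file_new handler. It assumes a Bro 2.x release whose fa_file layout matches the one expanded in the signature above; the tags Files::ANALYZER_SHA256 and Files::ANALYZER_EXTRACT are the built-in file analyzer enum values and are not listed on this page, and the module name, the MIME type set and the size cap are constructed for the example.

```bro
# Added example (not from the Bro distribution): attach analyzers from a
# file_new handler and act on add_analyzer's return value.
# Assumptions: Bro 2.x Files framework; Files::ANALYZER_SHA256 and
# Files::ANALYZER_EXTRACT are the built-in analyzer tags (not on this page).
module FileDemo;

export {
    ## Constructed, site-specific list of MIME types worth writing to disk.
    const extract_types: set[string] = {
        "application/x-dosexec",
        "application/pdf"
    } &redef;

    ## Constructed cap on bytes written per extracted file (10 MiB).
    const extract_cap: count = 10 * 1024 * 1024 &redef;
}

event file_new(f: fa_file)
    {
    # Hash every file; the digest ends up in the sha256 field of files.log.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);

    # mime_type is &optional on fa_file and may still be unknown at this point.
    if ( ! f?$mime_type || f$mime_type !in extract_types )
        return;

    # extract_filename and extract_limit are the AnalyzerArgs fields shown in
    # the expanded signature. The on-disk name is built only from the file id
    # and source, so a filename chosen by the remote side never reaches the
    # filesystem.
    local args: Files::AnalyzerArgs = [$extract_filename=fmt("extract-%s-%s", f$source, f$id),
                                       $extract_limit=extract_cap];

    # add_analyzer returns F when analysis is no longer active for this file
    # or when the args do not fit the analyzer type.
    if ( ! Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args) )
        {
        print fmt("could not attach %s to %s",
                  Files::analyzer_name(Files::ANALYZER_EXTRACT), f$id);
        return;
        }

    # Large transfers may stall; allow more inactivity before state is dropped.
    Files::set_timeout_interval(f, 5min);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    # Files::describe yields, for example, the URL of an HTTP transfer.
    print fmt("%s %s=%s", Files::describe(f), kind, hash);
    }

event Files::log_files(rec: Files::Info)
    {
    # extracted is only present when the extract analyzer wrote the file.
    if ( rec?$extracted )
        print fmt("%s: %d bytes seen, written to %s",
                  rec$fuid, rec$seen_bytes, rec$extracted);
    }
```

Checking the return value of add_analyzer matters because the call is silently a no-op once the file's state has already been cleaned up (which is why the timeout is raised only after the analyzer has been attached) or when the args record does not match the analyzer, and the extraction limit bounds the disk an unexpectedly large transfer can consume.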
Files::analyzer_name
Type: | function (tag: Files::Tag) : string |
---|
Translates a file analyzer enum value to a string with the analyzer’s name.
Tag: | The analyzer tag. |
---|---|
Returns: | The analyzer name corresponding to the tag. |
Files::describe
Type: | function (f: fa_file) : string |
---|
Provides a text description regarding metadata of the file. For example, with HTTP it would return a URL.
F: | The file to be described. |
---|---|
Returns: | a text description regarding metadata of the file. |
Files::register_analyzer_add_callback
Type: | function (tag: Files::Tag, callback: function (f: fa_file, args: Files::AnalyzerArgs) : void) : void |
---|
Register a callback for file analyzers to use if they need to do some manipulation when they are being added to a file, before the core code takes over. This is unlikely to be of interest to users; it is intended for file analyzer authors, and even for them it is optional.
Tag: | Tag for the file analyzer. |
---|---|
Callback: | Function to execute when the given file analyzer is being added. |
Files::register_protocol
Type: | function (tag: Analyzer::Tag, reg: Files::ProtoRegistration) : bool |
---|
Register callbacks for protocols that work with the Files framework. The callbacks must uniquely identify a file, and each protocol can have only a single callback registered for it.
Tag: | Tag for the protocol analyzer having a callback being registered. |
---|---|
Reg: | A Files::ProtoRegistration record. |
Returns: | true if the protocol being registered was not previously registered. |
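The following script is an added example, not code from the Bro distribution or from this page, of a protocol analyzer registering with the Files framework and of setting the salt described above. Analyzer::ANALYZER_MYPROTO is a placeholder for the tag of a protocol analyzer that carries files and is not a real tag; the ProtoRegistration fields used (get_file_handle, describe) are those of the Bro 2.x record, which this page does not list; and the salt value is a placeholder to be replaced per site.

```bro
# Added example (not from the Bro distribution): register a protocol with
# the Files framework and set a site-specific salt.
# Assumptions: Analyzer::ANALYZER_MYPROTO is a placeholder tag, and
# ProtoRegistration has the fields get_file_handle and describe (Bro 2.x).
module MyProto;

export {
    ## Handle generator: must return the same string for every chunk of one
    ## file and distinct strings for distinct files. The framework appends
    ## Files::salt before hashing the handle into the file id, so an endpoint
    ## that controls connection parameters cannot easily force two files onto
    ## one id.
    global get_file_handle: function(c: connection, is_orig: bool): string;

    ## Compressed, log-style description of the file (like a URL for HTTP).
    global describe_file: function(f: fa_file): string;
}

function get_file_handle(c: connection, is_orig: bool): string
    {
    # One file per direction per connection; start_time keeps reused
    # 4-tuples apart.
    return cat(Analyzer::ANALYZER_MYPROTO, c$start_time, c$id, is_orig);
    }

function describe_file(f: fa_file): string
    {
    # f$conns is a table keyed by conn_id; report the first connection.
    for ( cid in f$conns )
        return fmt("%s:%s -> %s:%s", cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p);

    return "";
    }

# Placeholder salt: replace with a site-specific value. Because the salt is
# part of every file id, changing it changes the ids of all later files.
redef Files::salt = "<site-specific-salt-placeholder>";

event bro_init() &priority=5
    {
    # register_protocol returns F if this protocol already has callbacks.
    if ( ! Files::register_protocol(Analyzer::ANALYZER_MYPROTO,
                                    [$get_file_handle = MyProto::get_file_handle,
                                     $describe        = MyProto::describe_file]) )
        print "protocol already registered with the Files framework";
    }
```

The handle mixes the analyzer tag, the connection start time, the 4-tuple and the direction, so the same file chunks reassemble under one id while a later connection reusing the same ports gets a fresh one; the salt is what keeps that handle from being fully predictable to the peers on the wire.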
Files::remove_analyzer
Type: | function (f: fa_file, tag: Files::Tag, args: Files::AnalyzerArgs &default = [] &optional) : bool |
---|
Removes an analyzer from the analysis of a given file.
uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; func:string; exception:string; track_address:count; }; radius:table[count] of record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; username:string; mac:string; remote_ip:addr; connect_info:string; result:string; logged:bool; }; snmp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; duration:interval; version:string; community:string; get_requests:count; get_bulk_requests:count; get_responses:count; set_requests:count; display_string:string; up_since:time; }; smtp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; helo:string; mailfrom:string; rcptto:set[string]; date:string; from:string; to:set[string]; reply_to:string; msg_id:string; in_reply_to:string; subject:string; x_originating_ip:addr; first_received:string; second_received:string; last_reply:string; path:vector of addr; user_agent:string; tls:bool; process_received_from:bool; has_client_activity:bool; entity:record { filename:string; excerpt:string; }; fuids:vector of string; is_webmail:bool; }; smtp_state:record { helo:string; messages_transferred:count; pending_messages:set[record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; helo:string; mailfrom:string; rcptto:set[string]; date:string; from:string; to:set[string]; reply_to:string; msg_id:string; in_reply_to:string; subject:string; x_originating_ip:addr; first_received:string; second_received:string; last_reply:string; path:vector of addr; user_agent:string; tls:bool; process_received_from:bool; has_client_activity:bool; entity:record { filename:string; excerpt:string; }; fuids:vector of string; is_webmail:bool; }]; mime_depth:count; }; socks:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; version:count; 
user:string; status:string; request:record { host:addr; name:string; }; request_p:port; bound:record { host:addr; name:string; }; bound_p:port; }; ssh:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; status:string; direction:enum; client:string; server:string; done:bool; remote_location:record { country_code:string; region:string; city:string; latitude:double; longitude:double; }; }; syslog:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; proto:enum; facility:string; severity:string; message:string; }; resp_hostname:string; known_services_done:bool; }; last_active:time; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timeout_interval:interval; bof_buffer_size:count; bof_buffer:string; mime_type:string; mime_types:vector of record { strength:int; mime:string; }; info:record { ts:time; fuid:string; tx_hosts:set[addr]; rx_hosts:set[addr]; conn_uids:set[string]; source:string; depth:count; analyzers:set[string]; mime_type:string; filename:string; duration:interval; local_orig:bool; is_orig:bool; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timedout:bool; parent_fuid:string; md5:string; sha1:string; sha256:string; x509:record { ts:time; id:string; certificate:record { version:count; serial:string; subject:string; issuer:string; not_valid_before:time; not_valid_after:time; key_alg:string; sig_alg:string; key_type:string; key_length:count; exponent:string; curve:string; }; handle:opaque of x509; extensions:vector of record { name:string; short_name:string; oid:string; critical:bool; value:string; }; san:record { dns:vector of string; uri:vector of string; email:vector of string; ip:vector of addr; other_fields:bool; }; basic_constraints:record { ca:bool; path_len:count; }; logcert:bool; }; extracted:string; }; u2_events:table[count] of record { sensor_id:count; event_id:count; ts:time; signature_id:count; 
generator_id:count; signature_revision:count; classification_id:count; priority_id:count; src_ip:addr; dst_ip:addr; src_p:port; dst_p:port; impact_flag:count; impact:count; blocked:count; mpls_label:count; vlan_id:count; packet_action:count; }; logcert:bool; }; data:string; off:count;); stream_event:event(f:record { id:string; parent_id:string; source:string; is_orig:bool; conns:table[record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }] of record { id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; orig:record { size:count; state:count; num_pkts:count; num_bytes_ip:count; flow_label:count; }; resp:record { size:count; state:count; num_pkts:count; num_bytes_ip:count; flow_label:count; }; start_time:time; duration:interval; service:set[string]; addl:string; hot:count; history:string; uid:string; tunnel:vector of record { cid:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; tunnel_type:enum; uid:string; }; dpd:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; proto:enum; analyzer:string; failure_reason:string; disabled_aids:set[count]; packet_segment:string; }; conn:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; proto:enum; service:string; duration:interval; orig_bytes:count; resp_bytes:count; conn_state:string; local_orig:bool; missed_bytes:count; history:string; orig_pkts:count; orig_ip_bytes:count; resp_pkts:count; resp_ip_bytes:count; tunnel_parents:set[string]; }; extract_orig:bool; extract_resp:bool; dhcp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; mac:string; assigned_ip:addr; lease_time:interval; trans_id:count; }; dnp3:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; fc_request:string; fc_reply:string; iin:count; }; dns:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; 
proto:enum; trans_id:count; query:string; qclass:count; qclass_name:string; qtype:count; qtype_name:string; rcode:count; rcode_name:string; AA:bool; TC:bool; RD:bool; RA:bool; Z:count; answers:vector of string; TTLs:vector of interval; rejected:bool; total_answers:count; total_replies:count; saw_query:bool; saw_reply:bool; auth:set[string]; addl:set[string]; }; dns_state:record { pending_queries:table[count] of record { initialized:bool; vals:table[count] of any; settings:record { max_len:count; }; top:count; bottom:count; size:count; }; pending_replies:table[count] of record { initialized:bool; vals:table[count] of any; settings:record { max_len:count; }; top:count; bottom:count; size:count; }; }; ftp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; user:string; password:string; command:string; arg:string; mime_type:string; file_size:count; reply_code:count; reply_msg:string; data_channel:record { passive:bool; orig_h:addr; resp_h:addr; resp_p:port; }; cwd:string; cmdarg:record { ts:time; cmd:string; arg:string; seq:count; }; pending_commands:table[count] of record { ts:time; cmd:string; arg:string; seq:count; }; passive:bool; capture_password:bool; fuid:string; last_auth_requested:string; }; ftp_data_reuse:bool; ssl:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; version:string; cipher:string; curve:string; server_name:string; session_id:string; last_alert:string; analyzer_id:count; established:bool; logged:bool; delay_tokens:set[string]; cert_chain:vector of record { ts:time; fuid:string; tx_hosts:set[addr]; rx_hosts:set[addr]; conn_uids:set[string]; source:string; depth:count; analyzers:set[string]; mime_type:string; filename:string; duration:interval; local_orig:bool; is_orig:bool; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timedout:bool; parent_fuid:string; md5:string; sha1:string; sha256:string; x509:record { ts:time; 
id:string; certificate:record { version:count; serial:string; subject:string; issuer:string; not_valid_before:time; not_valid_after:time; key_alg:string; sig_alg:string; key_type:string; key_length:count; exponent:string; curve:string; }; handle:opaque of x509; extensions:vector of record { name:string; short_name:string; oid:string; critical:bool; value:string; }; san:record { dns:vector of string; uri:vector of string; email:vector of string; ip:vector of addr; other_fields:bool; }; basic_constraints:record { ca:bool; path_len:count; }; logcert:bool; }; extracted:string; }; cert_chain_fuids:vector of string; client_cert_chain:vector of record { ts:time; fuid:string; tx_hosts:set[addr]; rx_hosts:set[addr]; conn_uids:set[string]; source:string; depth:count; analyzers:set[string]; mime_type:string; filename:string; duration:interval; local_orig:bool; is_orig:bool; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timedout:bool; parent_fuid:string; md5:string; sha1:string; sha256:string; x509:record { ts:time; id:string; certificate:record { version:count; serial:string; subject:string; issuer:string; not_valid_before:time; not_valid_after:time; key_alg:string; sig_alg:string; key_type:string; key_length:count; exponent:string; curve:string; }; handle:opaque of x509; extensions:vector of record { name:string; short_name:string; oid:string; critical:bool; value:string; }; san:record { dns:vector of string; uri:vector of string; email:vector of string; ip:vector of addr; other_fields:bool; }; basic_constraints:record { ca:bool; path_len:count; }; logcert:bool; }; extracted:string; }; client_cert_chain_fuids:vector of string; subject:string; issuer:string; client_subject:string; client_issuer:string; server_depth:count; client_depth:count; last_originator_heartbeat_request_size:count; last_responder_heartbeat_request_size:count; originator_heartbeats:count; responder_heartbeats:count; heartbleed_detected:bool; enc_appdata_packages:count; 
enc_appdata_bytes:count; validation_status:string; ocsp_status:string; ocsp_response:string; notary:record { first_seen:count; last_seen:count; times_seen:count; valid:bool; }; }; http:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; method:string; host:string; uri:string; referrer:string; user_agent:string; request_body_len:count; response_body_len:count; status_code:count; status_msg:string; info_code:count; info_msg:string; filename:string; tags:set[enum]; username:string; password:string; capture_password:bool; proxied:set[string]; range_request:bool; orig_fuids:vector of string; orig_mime_types:vector of string; resp_fuids:vector of string; resp_mime_types:vector of string; current_entity:record { filename:string; }; orig_mime_depth:count; resp_mime_depth:count; client_header_names:vector of string; server_header_names:vector of string; omniture:bool; cookie_vars:vector of string; uri_vars:vector of string; }; http_state:record { pending:table[count] of record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; method:string; host:string; uri:string; referrer:string; user_agent:string; request_body_len:count; response_body_len:count; status_code:count; status_msg:string; info_code:count; info_msg:string; filename:string; tags:set[enum]; username:string; password:string; capture_password:bool; proxied:set[string]; range_request:bool; orig_fuids:vector of string; orig_mime_types:vector of string; resp_fuids:vector of string; resp_mime_types:vector of string; current_entity:record { filename:string; }; orig_mime_depth:count; resp_mime_depth:count; client_header_names:vector of string; server_header_names:vector of string; omniture:bool; cookie_vars:vector of string; uri_vars:vector of string; }; current_request:count; current_response:count; }; irc:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; 
}; nick:string; user:string; command:string; value:string; addl:string; dcc_file_name:string; dcc_file_size:count; dcc_mime_type:string; fuid:string; }; modbus:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; func:string; exception:string; track_address:count; }; radius:table[count] of record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; username:string; mac:string; remote_ip:addr; connect_info:string; result:string; logged:bool; }; snmp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; duration:interval; version:string; community:string; get_requests:count; get_bulk_requests:count; get_responses:count; set_requests:count; display_string:string; up_since:time; }; smtp:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; helo:string; mailfrom:string; rcptto:set[string]; date:string; from:string; to:set[string]; reply_to:string; msg_id:string; in_reply_to:string; subject:string; x_originating_ip:addr; first_received:string; second_received:string; last_reply:string; path:vector of addr; user_agent:string; tls:bool; process_received_from:bool; has_client_activity:bool; entity:record { filename:string; excerpt:string; }; fuids:vector of string; is_webmail:bool; }; smtp_state:record { helo:string; messages_transferred:count; pending_messages:set[record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; trans_depth:count; helo:string; mailfrom:string; rcptto:set[string]; date:string; from:string; to:set[string]; reply_to:string; msg_id:string; in_reply_to:string; subject:string; x_originating_ip:addr; first_received:string; second_received:string; last_reply:string; path:vector of addr; user_agent:string; tls:bool; process_received_from:bool; has_client_activity:bool; entity:record { filename:string; excerpt:string; }; fuids:vector of 
string; is_webmail:bool; }]; mime_depth:count; }; socks:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; version:count; user:string; status:string; request:record { host:addr; name:string; }; request_p:port; bound:record { host:addr; name:string; }; bound_p:port; }; ssh:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; status:string; direction:enum; client:string; server:string; done:bool; remote_location:record { country_code:string; region:string; city:string; latitude:double; longitude:double; }; }; syslog:record { ts:time; uid:string; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; proto:enum; facility:string; severity:string; message:string; }; resp_hostname:string; known_services_done:bool; }; last_active:time; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timeout_interval:interval; bof_buffer_size:count; bof_buffer:string; mime_type:string; mime_types:vector of record { strength:int; mime:string; }; info:record { ts:time; fuid:string; tx_hosts:set[addr]; rx_hosts:set[addr]; conn_uids:set[string]; source:string; depth:count; analyzers:set[string]; mime_type:string; filename:string; duration:interval; local_orig:bool; is_orig:bool; seen_bytes:count; total_bytes:count; missing_bytes:count; overflow_bytes:count; timedout:bool; parent_fuid:string; md5:string; sha1:string; sha256:string; x509:record { ts:time; id:string; certificate:record { version:count; serial:string; subject:string; issuer:string; not_valid_before:time; not_valid_after:time; key_alg:string; sig_alg:string; key_type:string; key_length:count; exponent:string; curve:string; }; handle:opaque of x509; extensions:vector of record { name:string; short_name:string; oid:string; critical:bool; value:string; }; san:record { dns:vector of string; uri:vector of string; email:vector of string; ip:vector of addr; other_fields:bool; }; basic_constraints:record { 
ca:bool; path_len:count; }; logcert:bool; }; extracted:string; }; u2_events:table[count] of record { sensor_id:count; event_id:count; ts:time; signature_id:count; generator_id:count; signature_revision:count; classification_id:count; priority_id:count; src_ip:addr; dst_ip:addr; src_p:port; dst_p:port; impact_flag:count; impact:count; blocked:count; mpls_label:count; vlan_id:count; packet_action:count; }; logcert:bool; }; data:string;); extract_filename:string; extract_limit:count; }) &optional) : bool |
---|
Removes an analyzer from the analysis of a given file.
f: | the file. |
---|---|
tag: | the analyzer type. |
args: | the analyzer (type and args) to remove. |
Returns: | true if the analyzer will be removed, or false if analysis for the file isn’t currently active. |
Type: | function (f: fa_file, t: interval) : bool |
---|
Sets the timeout_interval field of fa_file, which is used to determine the length of inactivity that is allowed for a file before internal state related to it is cleaned up. When used within a file_timeout handler, the analysis will delay timing out again for the period specified by t.
f: | the file. |
---|---|
t: | the amount of time the file can remain inactive before discarding. |
Returns: | true if the timeout interval was set, or false if analysis for the file isn’t currently active. |
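As an added example (not code from this page or from the Bro distribution), the following script uses Files::remove_analyzer and Files::set_timeout_interval from a file_timeout handler, together with Files::add_analyzer. The module name FilesDemo, the grace constant and the extracted-file name prefix are assumptions of this example; the analyzer tags and fa_file fields are the ones documented for the Files framework.

```bro
# Added example, not part of the Bro distribution. Hashes every file the
# Files framework sees, extracts files carried over HTTP, grants a transfer
# one grace period when it goes idle, and stops extracting after that.
@load base/files/hash
@load base/files/extract

module FilesDemo;

export {
	## Assumed grace period granted once to a file that times out while
	## the transfer still looks intact (no missing bytes so far).
	const grace = 60 secs &redef;
}

# Files being extracted, keyed by file id, with the AnalyzerArgs used when
# the analyzer was added: remove_analyzer must be given the same args.
global extracting: table[string] of Files::AnalyzerArgs;
# Files that have already received their single grace period.
global extended: set[string];

event file_new(f: fa_file)
	{
	# Hashing is cheap and gives an identifier usable for later lookup.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);

	if ( f$source != "HTTP" )
		return;

	# Assumed file name prefix for extracted content.
	local args: Files::AnalyzerArgs = [$extract_filename = fmt("demo-%s", f$id)];
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args);
	extracting[f$id] = args;
	}

event file_timeout(f: fa_file)
	{
	if ( f$id !in extracting )
		return;

	if ( f$id !in extended && f$missing_bytes == 0 )
		{
		# First timeout with no gaps: called from within file_timeout,
		# set_timeout_interval delays the next timeout by exactly `grace`.
		add extended[f$id];
		if ( ! Files::set_timeout_interval(f, grace) )
			print fmt("file %s no longer active, cannot extend", f$id);
		return;
		}

	# Second timeout, or the stream already has gaps: stop writing the
	# partial file to disk; the hash analyzer keeps running.
	if ( Files::remove_analyzer(f, Files::ANALYZER_EXTRACT, extracting[f$id]) )
		print fmt("stopped extracting %s after %d bytes (%d missing)",
		          f$id, f$seen_bytes, f$missing_bytes);
	delete extracting[f$id];
	}

event file_state_remove(f: fa_file)
	{
	# Internal state for the file is being cleaned up; drop ours too.
	delete extracting[f$id];
	delete extended[f$id];
	}
```

Both functions return false once the file's analysis is no longer active, so a script that calls them outside a handler for the same file should check the result rather than assume the change took effect.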