###########################################
# Script that adds extra columns (a uniq_hash flag, host and
# peer descr) for the unique hashes that BRO sees in a day.
# fatemabw 10/04/16
###########################################
module Uniq_hashes;

# Extend the Files log with where a file came from, which peer reported it,
# and whether its hash had already been seen since the last daily reset.
redef record Files::Info += {
	## Host the file was fetched from (taken from the HTTP host field when
	## the file arrived over HTTP; absent otherwise).
	host:       string &log &optional;
	## T when the hash is seen for the first time since the last reset,
	## F when it is a duplicate.
	uniq_hash:  bool   &log &optional;
	# peer_host: addr &log &optional;
	## Description of the event peer that handled the file.
	peer_descr: string &log &optional;
};

# Length of one day in seconds; used to locate the day boundary.
global SECONDS_IN_DAY = 24 * 60 * 60;

# Hashes seen since the last reset. Grows with the number of distinct hashes
# observed between resets, so it relies on reset_hashes() firing regularly.
# NOTE(review): &synchronized belongs to the pre-Broker communication
# framework and was deprecated in later Bro/Zeek releases -- confirm the
# deployed version still honours it.
global uniq_hashes: set[string] &synchronized;
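# Seconds by which local midnight follows UTC midnight. 14400 is UTC-4, i.e.
# Eastern *daylight* time, not EST (which would be 18000).
# NOTE(review): a fixed offset drifts by an hour across DST changes -- confirm
# the intended zone and adjust via redef.
const LOCAL_MIDNIGHT_UTC_OFFSET = 14400.0 &redef;

# Returns the next local midnight: the start of the current UTC day plus the
# configured offset, advanced by one day when that instant has already
# passed. The result is therefore always strictly after current_time(), so a
# timer scheduled on it never gets a zero or negative interval.
function midnight(): time
	{
	local now = time_to_double(current_time());
	# Start of the current UTC day. floor() makes the rounding explicit
	# instead of depending on how double_to_count() converts.
	local utc_day_start = floor(now / SECONDS_IN_DAY) * SECONDS_IN_DAY;
	local next_mn = utc_day_start + LOCAL_MIDNIGHT_UTC_OFFSET;
	# Local midnight for today is already behind us: use tomorrow's.
	if ( next_mn <= now )
		next_mn = next_mn + SECONDS_IN_DAY;
	return double_to_time(next_mn);
	}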
# Time left from now until midnight(). Negative when midnight() returns an
# instant that is already in the past.
function interval_to_midnight(): interval
	{
	local mn = midnight();
	local now = current_time();
	return mn - now;
	}
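# Forgets every hash seen so far and re-arms itself for the following
# midnight, so the set is emptied once per day. bro_init() only schedules
# the first reset; without the re-arm below the set would grow without
# bound after the first day and uniq_hash would stop meaning "new today".
event reset_hashes()
	{
	# Assigning a fresh empty set drops all entries.
	uniq_hashes = set();

	# Re-arm for the next midnight. Should midnight() ever yield an instant
	# that is not in the future, fall back to a plain 24h period rather than
	# scheduling the event again immediately.
	local next_reset = interval_to_midnight();
	if ( next_reset <= 0sec )
		next_reset = 1day;
	schedule next_reset { reset_hashes() };
	}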
# Tags each hashed file with the reporting peer, the HTTP host it came from
# (when known) and whether its hash is new since the last reset.
event file_hash(f: fa_file, kind: string, hash: string)
	{
	# Which Bro instance produced this event.
	f$info$peer_descr = get_event_peer()$descr;
	# peer_host is intentionally not recorded (field left commented out in
	# the record redef).

	# Host the download was requested from, copied verbatim from the HTTP
	# host field; it is client-supplied data, so consumers of the log should
	# treat it as untrusted.
	if ( f?$http && f$http?$host )
		f$info$host = f$http$host;

	# First sighting of this hash since the last reset? The set is keyed on
	# the hash string alone, not on `kind`.
	local first_seen = hash !in uniq_hashes;
	if ( first_seen )
		add uniq_hashes[hash];
	f$info$uniq_hash = first_seen;
	}
# Arms the first reset of the seen-hash set for the coming midnight.
event bro_init()
	{
	local until_midnight = interval_to_midnight();
	schedule until_midnight { reset_hashes() };
	}