Commit
Bro's hashing architecture allows easy utilization and extensibility of hashing by using opaque values.
Showing
15 changed files
with
295 additions
and
116 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
0.1 | ||
0.2 |
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
// See the file "COPYING" in the main distribution directory for copyright. | ||
|
||
#include "FuzzyHash.h" | ||
|
||
#include <file_analysis/Manager.h> | ||
|
||
using namespace plugin::JGras_FuzzyHashing; | ||
|
||
FuzzyHash::FuzzyHash(RecordVal* args, file_analysis::File* file, FuzzyHashVal* hv, | ||
const char* arg_kind) | ||
: file_analysis::Analyzer(file_mgr->GetComponentTag(to_upper(arg_kind).c_str()), args, file), | ||
fuzzy_hash(hv), | ||
fed(false), | ||
kind(arg_kind) | ||
{ | ||
fuzzy_hash->Init(); | ||
} | ||
|
||
FuzzyHash::~FuzzyHash() | ||
{ | ||
Unref(fuzzy_hash); | ||
} | ||
|
||
bool FuzzyHash::DeliverStream(const u_char* data, uint64 len) | ||
{ | ||
if ( ! fuzzy_hash->IsValid() ) | ||
return false; | ||
|
||
if ( ! fed ) | ||
fed = len > 0; | ||
|
||
fuzzy_hash->Feed(data, len); | ||
return true; | ||
} | ||
|
||
bool FuzzyHash::EndOfFile() | ||
{ | ||
Finalize(); | ||
return false; | ||
} | ||
|
||
bool FuzzyHash::Undelivered(uint64 offset, uint64 len) | ||
{ | ||
return false; | ||
} | ||
|
||
void FuzzyHash::Finalize() | ||
{ | ||
if ( ! fuzzy_hash->IsValid() || ! fed ) | ||
return; | ||
|
||
val_list* vl = new val_list(); | ||
vl->append(GetFile()->GetVal()->Ref()); | ||
vl->append(new StringVal(kind)); | ||
vl->append(fuzzy_hash->Get()); | ||
|
||
mgr.QueueEvent(file_fuzzy_hash, vl); | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,120 @@ | ||
// See the file "COPYING" in the main distribution directory for copyright. | ||
|
||
// #include <Serializer.h> | ||
|
||
#include "FuzzyHashVal.h" | ||
|
||
using namespace plugin::JGras_FuzzyHashing; | ||
|
||
FuzzyHashVal::FuzzyHashVal(OpaqueType* t) : HashVal(t) | ||
{ | ||
} | ||
|
||
/* | ||
IMPLEMENT_SERIAL(FuzzyHashVal, SER_FUZZY_HASH_VAL); | ||
bool FuzzyHashVal::DoSerialize(SerialInfo* info) const | ||
{ | ||
DO_SERIALIZE(SER_FUZZY_HASH_VAL, OpaqueVal); | ||
return SERIALIZE(valid); | ||
} | ||
bool FuzzyHashVal::DoUnserialize(UnserialInfo* info) | ||
{ | ||
DO_UNSERIALIZE(OpaqueVal); | ||
return UNSERIALIZE(&valid); | ||
} | ||
*/ | ||
|
||
static OpaqueType* ssdeep_type = new OpaqueType("ssdeep"); | ||
|
||
SSDeepVal::SSDeepVal() : FuzzyHashVal(ssdeep_type) | ||
{ | ||
} | ||
|
||
bool SSDeepVal::DoInit() | ||
{ | ||
assert(! IsValid()); | ||
state = fuzzy_new(); | ||
return state != NULL; | ||
} | ||
|
||
bool SSDeepVal::DoFeed(const void* data, size_t size) | ||
{ | ||
if ( ! IsValid() ) | ||
return false; | ||
|
||
bool success = (fuzzy_update(state, static_cast<const u_char*>(data), size) == 0); | ||
return success; | ||
} | ||
|
||
StringVal* SSDeepVal::DoGet() | ||
{ | ||
if ( ! IsValid() ) | ||
return new StringVal(""); | ||
|
||
char hash[FUZZY_MAX_RESULT] = ""; | ||
if (fuzzy_digest(state, hash, 0) != 0 ) | ||
return new StringVal(""); | ||
|
||
fuzzy_free(state); | ||
return new StringVal(hash); | ||
} | ||
|
||
/* | ||
IMPLEMENT_SERIAL(SSDeepVal, SER_SSDEEP_VAL); | ||
bool SSDeepVal::DoSerialize(SerialInfo* info) const | ||
{ | ||
DO_SERIALIZE(SER_SSDEEP_VAL, HashVal); | ||
if ( ! IsValid() ) | ||
return true; | ||
if ( ! (SERIALIZE(ctx.A) && | ||
SERIALIZE(ctx.B) && | ||
SERIALIZE(ctx.C) && | ||
SERIALIZE(ctx.D) && | ||
SERIALIZE(ctx.Nl) && | ||
SERIALIZE(ctx.Nh)) ) | ||
return false; | ||
for ( int i = 0; i < MD5_LBLOCK; ++i ) | ||
{ | ||
if ( ! SERIALIZE(ctx.data[i]) ) | ||
return false; | ||
} | ||
if ( ! SERIALIZE(ctx.num) ) | ||
return false; | ||
return true; | ||
} | ||
bool SSDeepVal::DoUnserialize(UnserialInfo* info) | ||
{ | ||
DO_UNSERIALIZE(FuzzyHashVal); | ||
if ( ! IsValid() ) | ||
return true; | ||
if ( ! (UNSERIALIZE(&ctx.A) && | ||
UNSERIALIZE(&ctx.B) && | ||
UNSERIALIZE(&ctx.C) && | ||
UNSERIALIZE(&ctx.D) && | ||
UNSERIALIZE(&ctx.Nl) && | ||
UNSERIALIZE(&ctx.Nh)) ) | ||
return false; | ||
for ( int i = 0; i < MD5_LBLOCK; ++i ) | ||
{ | ||
if ( ! UNSERIALIZE(&ctx.data[i]) ) | ||
return false; | ||
} | ||
if ( ! UNSERIALIZE(&ctx.num) ) | ||
return false; | ||
return true; | ||
} | ||
*/ |
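Review bot: `SSDeepVal::DoGet` calls `fuzzy_free(state)` only on the success path, so when `fuzzy_digest` fails the `fuzzy_new()` state leaks, and on success `state` is left dangling because it is never reset — a later `Get()` or a destructor that frees the state would double free. Release the state on both paths and clear the pointer, as in the excerpt below. The commented-out serialization block is copied from the MD5 value (`ctx.A`, `MD5_LBLOCK`, `ctx.num`) and cannot apply to an opaque `fuzzy_state`; drop it or replace it with `// TODO: fuzzy_state has no public layout, so this value cannot be serialized yet` so it is not re-enabled as-is.
```cpp
StringVal* SSDeepVal::DoGet()
	{
	if ( ! IsValid() )
		return new StringVal("");

	char hash[FUZZY_MAX_RESULT] = "";
	int rc = fuzzy_digest(state, hash, 0);

	// Get() consumes the state either way: release it and clear the
	// pointer so a later destructor or Get() cannot free it twice.
	fuzzy_free(state);
	state = NULL;

	if ( rc != 0 )
		return new StringVal("");

	return new StringVal(hash);
	}
```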
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
// See the file "COPYING" in the main distribution directory for copyright. | ||
|
||
#ifndef BRO_PLUGIN_JGRAS_FUZZYHASHING_VAL_H | ||
#define BRO_PLUGIN_JGRAS_FUZZYHASHING_VAL_H | ||
|
||
#include <OpaqueVal.h> | ||
|
||
#include "fuzzy.h" | ||
|
||
namespace plugin { | ||
namespace JGras_FuzzyHashing { | ||
|
||
class FuzzyHashVal : public HashVal { | ||
protected: | ||
FuzzyHashVal() { }; | ||
FuzzyHashVal(OpaqueType* t); | ||
|
||
//DECLARE_SERIAL(FuzzyHashVal); | ||
}; | ||
|
||
class SSDeepVal : public FuzzyHashVal { | ||
public: | ||
// TODO: static functionality? | ||
//static void digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH]); | ||
|
||
SSDeepVal(); | ||
|
||
protected: | ||
friend class Val; | ||
|
||
virtual bool DoInit() override; | ||
virtual bool DoFeed(const void* data, size_t size) override; | ||
virtual StringVal* DoGet() override; | ||
|
||
//DECLARE_SERIAL(SSDeepVal); | ||
|
||
private: | ||
fuzzy_state* state; | ||
}; | ||
|
||
} | ||
} | ||
|
||
#endif |
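Review bot: `SSDeepVal::state` is declared without an initializer and the class has no destructor, so a value whose `DoInit` ran but whose `Get()` was never reached (analysis aborted before `EndOfFile`, or the analyzer removed after `DeliverStream` returned `false`) leaks the `fuzzy_new()` state, and a destructor added later could not safely test an uninitialized pointer. Initialize the member in-class, `fuzzy_state* state = NULL;`, and declare `~SSDeepVal() override;` with an implementation that calls `fuzzy_free(state)` when it is non-NULL; this relies on the base `Val` destructor being virtual, which is not visible here. The `friend class Val;` line and the commented-out static `digest` declaration mirror the MD5 value and have no use in this class as written — drop them or add a comment saying why they stay.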