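def parse_files(self):
    """Parse the files-json.log file and its associated files.

    Reads ``<suricata_path>/<files_log>`` line by line and resolves every
    event to a file dropped by Suricata's file-store under
    ``<suricata_path>/<files_dir>``: by ``id`` when the event carries one,
    otherwise by ``md5`` against an index of the dropped files. One record
    per resolvable event is appended to ``self.results["files"]``.

    Events that cannot be resolved to an existing file, lines that are not
    valid JSON, and events missing ``size`` or ``filename`` are logged and
    skipped so that a single bad entry does not abort the whole parse.
    """
    files_log = os.path.join(self.suricata_path, self.files_log)
    if not os.path.isfile(files_log):
        log.warning("Unable to find the files-json.log log file")
        return

    files_dir = os.path.join(self.suricata_path, self.files_dir)
    if not os.path.exists(files_dir):
        log.warning("Suricata files dir is not available. Maybe you forgot to enable Suricata file-store ?")
        return

    # Index all the available files by md5 (events may carry only an md5)
    # and remember each path's md5 so it is not hashed a second time below.
    files = {}
    md5_by_path = {}
    for filename in os.listdir(files_dir):
        filepath = os.path.join(files_dir, filename)
        if not os.path.isfile(filepath):
            continue
        md5 = Files.md5_file(filepath)
        files[md5] = filepath
        md5_by_path[filepath] = md5

    # The context manager closes the log once it has been consumed; the
    # previous bare open() leaked the handle.
    with open(files_log, "rb") as fp:
        for line in fp:
            if not line.strip():
                continue
            try:
                event = json.loads(line)
            except ValueError:
                log.warning("Skipping malformed files-json.log line")
                continue

            # Not entirely sure what's up, but some files are given just an
            # ID, some files are given just an md5 hash (and maybe some get
            # neither?) So take care of these situations.
            if "id" in event:
                name = "file.%s" % event["id"]
                # The id is read from the log; only accept a plain file name
                # so the lookup cannot leave files_dir.
                if os.path.basename(name) == name:
                    filepath = os.path.join(files_dir, name)
                else:
                    filepath = None
            elif "md5" in event:
                filepath = files.get(event["md5"])
            else:
                filepath = None

            if not filepath or not os.path.isfile(filepath):
                log.warning(
                    "Suricata dropped file with id=%s and md5=%s not found, "
                    "skipping it..", event.get("id"), event.get("md5")
                )
                continue

            # File-store names look like "file.<N>"; take the id from the
            # basename so dots elsewhere in suricata_path do not break it
            # (the previous split(".", 1) did exactly that).
            try:
                file_id = int(os.path.basename(filepath).rsplit(".", 1)[-1])
            except ValueError:
                log.warning("Unexpected Suricata file-store name %r, skipping it..", filepath)
                continue

            try:
                filesize = event["size"]
                filename = os.path.basename(event["filename"])
            except KeyError as e:
                log.warning("Suricata file event for %r lacks the %s field, skipping it..", filepath, e)
                continue

            referer = event.get("http_referer")
            if referer == "<unknown>":
                referer = None

            md5 = md5_by_path.get(filepath)
            if md5 is None:
                md5 = Files.md5_file(filepath)

            self.results["files"].append({
                "id": file_id,
                "filesize": filesize,
                "filename": filename,
                "hostname": event.get("http_host"),
                "uri": event.get("http_uri"),
                "md5": md5,
                "sha1": Files.sha1_file(filepath),
                "magic": event.get("magic"),
                "referer": referer,
            })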
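def parse_files(self):
    """Parse the files-json.log file and its associated files.

    Reads ``<suricata_path>/<files_log>`` line by line and resolves every
    event to a file dropped by Suricata's file-store under
    ``<suricata_path>/<files_dir>``: by ``id`` when the event carries one,
    otherwise by ``md5`` against an index of the dropped files. One record
    per resolvable event is appended to ``self.results["files"]``.

    Events that cannot be resolved to an existing file, lines that are not
    valid JSON, and events missing ``size`` or ``filename`` are logged and
    skipped so that a single bad entry does not abort the whole parse.
    """
    files_log = os.path.join(self.suricata_path, self.files_log)
    if not os.path.isfile(files_log):
        log.warning("Unable to find the files-json.log log file")
        return

    files_dir = os.path.join(self.suricata_path, self.files_dir)
    if not os.path.exists(files_dir):
        log.warning("Suricata files dir is not available. Maybe you forgot to enable Suricata file-store ?")
        return

    # Index all the available files by md5 (events may carry only an md5)
    # and remember each path's md5 so it is not hashed a second time below.
    files = {}
    md5_by_path = {}
    for filename in os.listdir(files_dir):
        filepath = os.path.join(files_dir, filename)
        if not os.path.isfile(filepath):
            continue
        md5 = Files.md5_file(filepath)
        files[md5] = filepath
        md5_by_path[filepath] = md5

    # The context manager closes the log once it has been consumed; the
    # previous bare open() leaked the handle.
    with open(files_log, "rb") as fp:
        for line in fp:
            if not line.strip():
                continue
            try:
                event = json.loads(line)
            except ValueError:
                log.warning("Skipping malformed files-json.log line")
                continue

            # Not entirely sure what's up, but some files are given just an
            # ID, some files are given just an md5 hash (and maybe some get
            # neither?) So take care of these situations.
            if "id" in event:
                name = "file.%s" % event["id"]
                # The id is read from the log; only accept a plain file name
                # so the lookup cannot leave files_dir.
                if os.path.basename(name) == name:
                    filepath = os.path.join(files_dir, name)
                else:
                    filepath = None
            elif "md5" in event:
                filepath = files.get(event["md5"])
            else:
                filepath = None

            if not filepath or not os.path.isfile(filepath):
                log.warning(
                    "Suricata dropped file with id=%s and md5=%s not found, "
                    "skipping it..", event.get("id"), event.get("md5")
                )
                continue

            # File-store names look like "file.<N>"; take the id from the
            # basename so a file-store entry with an unexpected name is
            # skipped instead of raising out of the whole parse.
            try:
                file_id = int(os.path.basename(filepath).rsplit(".", 1)[-1])
            except ValueError:
                log.warning("Unexpected Suricata file-store name %r, skipping it..", filepath)
                continue

            try:
                filesize = event["size"]
                filename = os.path.basename(event["filename"])
            except KeyError as e:
                log.warning("Suricata file event for %r lacks the %s field, skipping it..", filepath, e)
                continue

            referer = event.get("http_referer")
            if referer == "<unknown>":
                referer = None

            md5 = md5_by_path.get(filepath)
            if md5 is None:
                md5 = Files.md5_file(filepath)

            self.results["files"].append({
                "id": file_id,
                "filesize": filesize,
                "filename": filename,
                "hostname": event.get("http_host"),
                "uri": event.get("http_uri"),
                "md5": md5,
                "sha1": Files.sha1_file(filepath),
                "magic": event.get("magic"),
                "referer": referer,
            })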
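def test_hash_file(self):
    """Check md5/sha1/sha256 of a temp file holding the content "hehe".

    The expected digests are the known hashes of the four-byte string.
    The temp file is removed afterwards so repeated runs do not leave
    leftovers behind (the original never cleaned it up).
    """
    import os

    # Files.temp_put is expected to return the path of a file containing
    # the given content (see the project's Files helper).
    filepath = Files.temp_put("hehe")
    try:
        assert Files.md5_file(filepath) == "529ca8050a00180790cf88b63468826a"
        assert Files.sha1_file(filepath) == "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"
        assert Files.sha256_file(filepath) == "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"
    finally:
        # Best-effort cleanup; a failure here must not mask an assertion error.
        try:
            os.remove(filepath)
        except OSError:
            pass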
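def test_hash_file(self):
    """Check md5/sha1/sha256 of a temp file holding the content "hehe".

    The expected digests are the known hashes of the four-byte string.
    The file is written into a private directory created by
    ``tempfile.mkdtemp()`` rather than the shared ``/tmp`` root, so the
    test neither collides with other users' files nor leaves a predictable
    path behind; the directory is removed afterwards.
    """
    import shutil
    import tempfile

    tmpdir = tempfile.mkdtemp()
    try:
        # Second argument is the target directory, as the original "/tmp" was.
        filepath = Files.temp_put("hehe", tmpdir)
        assert Files.md5_file(filepath) == "529ca8050a00180790cf88b63468826a"
        assert Files.sha1_file(filepath) == "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"
        assert Files.sha256_file(filepath) == "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"
    finally:
        # Best-effort cleanup; a failure here must not mask an assertion error.
        shutil.rmtree(tmpdir, ignore_errors=True)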