Detect file type #581

jameskerr · 2020-04-08T23:23:50Z

Fixes #573

This function reads the first 4 bytes to see if it matches the pcap signatures, then checks for zeek headers on the first four lines with a regex, then checks for json by reading the first 4 lines and seeing if they are json parsable.

This reads the first bits of the file and checks some heuristics. This will be used for choosing which endpoint to send the data to. /packets or /zeek.

src/js/lib/fileType.test.js

mikesbrown · 2020-04-09T21:22:32Z

src/js/lib/fileType.js

+}
+
+function isZeekHeader(line) {
+  return /^#\w+\s+\S+/.test(line)


This will match a trivially-contrived sourcable sh file, like

#source me to do stuff export A=b

Instead of ^#\w+\s+\S+, check for ^#separator \S+ ?

I see what you mean. How does the proposed regex prevent that problem?

I'm also checking the first 4 lines of the file to see if they match that regex. Is it true that all zeek filees start with the "separator" header?

Lastly, is it a security concern if they spoof this with a non-zeek file? All we do with it pass along the file path to zqd. Whatever they do in zqd will probably throw an error. I don't think anything is able to be "sourced".

Let me ask a zqd dev if this needs to be more robust. @henridf will this zeek detector regex be good enough for ingest?

Is it true that all zeek filees start with the "separator" header?

I think they must since all lines after have to use the separator as defined.

Lastly, is it a security concern if they spoof this with a non-zeek file?

Not necessarily. My $0.02 was, if we are doing file detection we can at least block obviously invalid text files before they go all the way through to zqd.

Aww I see what you mean. If someone accidentally gives us a file with standard # comments at the top of the file (which many files do). Got it. Yeah I'll update that.

Thanks. Still happy to hear anyone else's comments on this issue.

src/js/lib/fileType.test.js

mikesbrown

Thanks for addressing my comments.

jameskerr added 2 commits April 8, 2020 14:50

test: Add sample logs to test file detection

4635497

feat: Detect pcap vs zeek file

fcd2ae1

This reads the first bits of the file and checks some heuristics. This will be used for choosing which endpoint to send the data to. /packets or /zeek.

jameskerr requested a review from mason-fish April 8, 2020 23:24

mikesbrown reviewed Apr 9, 2020

View reviewed changes

src/js/lib/fileType.test.js Show resolved Hide resolved

mikesbrown reviewed Apr 9, 2020

View reviewed changes

jameskerr and others added 3 commits April 10, 2020 16:24

fix: Use smaller samples based off sample.pcap

ed8f5ed

fix: Check first line for separator header

51796de

test: add pcapng test

704de96

mikesbrown approved these changes Apr 10, 2020

View reviewed changes

jameskerr merged commit 6449d84 into master Apr 13, 2020

jameskerr deleted the detect-file-type branch April 13, 2020 18:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Detect file type #581

Detect file type #581

jameskerr commented Apr 8, 2020

mikesbrown Apr 9, 2020

jameskerr Apr 10, 2020

mikesbrown Apr 10, 2020

jameskerr Apr 10, 2020

mikesbrown Apr 10, 2020

mikesbrown left a comment

Detect file type #581

Detect file type #581

Conversation

jameskerr commented Apr 8, 2020

mikesbrown Apr 9, 2020

Choose a reason for hiding this comment

jameskerr Apr 10, 2020

Choose a reason for hiding this comment

mikesbrown Apr 10, 2020

Choose a reason for hiding this comment

jameskerr Apr 10, 2020

Choose a reason for hiding this comment

mikesbrown Apr 10, 2020

Choose a reason for hiding this comment

mikesbrown left a comment

Choose a reason for hiding this comment