sethhall/file_analysis_test.bro

## file_analysis_test.bro
event file_windows_pe_dosstub(f: fa_file, checksum: count)
	{
	print fmt("pe header offset: %d", checksum);
	}

event file_windows_pe_timestamp(f: fa_file, ts: time)
	{
	print fmt("timestamp! %D", ts);
	print f$mime_type;
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	print fmt("%s hash! %s", kind, hash);
	}

event file_new(f: fa_file)
	{
	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ )
		{
		print "found a windows executable";
		FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_PE_ANALYZER]);
		}

	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_SHA1]);
	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_SHA256]);
	}
	event file_windows_pe_dosstub(f: fa_file, checksum: count)
	{
	print fmt("pe header offset: %d", checksum);
	}

	event file_windows_pe_timestamp(f: fa_file, ts: time)
	{
	print fmt("timestamp! %D", ts);
	print f$mime_type;
	}

	event file_hash(f: fa_file, kind: string, hash: string)
	{
	print fmt("%s hash! %s", kind, hash);
	}

	event file_new(f: fa_file)
	{
	if ( f?$mime_type && f$mime_type == /application\/x-dosexec.*/ )
	{
	print "found a windows executable";
	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_PE_ANALYZER]);
	}

	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_SHA1]);
	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_SHA256]);
	}