/// <summary> /// /// </summary> /// <param name="session"></param> /// <param name="message"></param> private void ProcessFiles(Session session, Message message) { byte[] header1 = woanware.IO.ReadFileHeader(message.Response.TempFile, 4); if (header1 == null) { return; } byte[] header2 = null; if (message.Response.TempFileSize > 520) { header2 = woanware.IO.ReadFileHeader(message.Response.TempFile, 6, 512); } if (header2 == null) { return; } foreach (FileSig sig in this.fileSigs) { // Do we have a match on file type if (ByteArrayCompare(sig.Sig, header1) == false) { continue; } if (sig.OffsetSubHeader > 0) { // Do we have a match on file type if (ByteArrayCompare(sig.SigSubHeader, header2) == false) { continue; } } // Now extract the contents string dir = session.SrcIpText + "." + session.SourcePort + "-" + session.DstIpText + "." + session.DestinationPort; if (System.IO.Directory.Exists(System.IO.Path.Combine(this.outputDirectory, dir)) == false) { IO.CreateDirectory(System.IO.Path.Combine(this.outputDirectory, dir)); } string fileName = message.Response.GetContentDispositionFileName; // Cannot determine a file name from the Content // Disposition HTTP header so lets make one up if (fileName.Length == 0) { fileName = Guid.NewGuid().ToString() + "." + sig.Extension + ".safe"; } else { fileName += ".safe"; } File.Copy(message.Response.TempFile, System.IO.Path.Combine(this.outputDirectory, dir, fileName), true); DownloadDetails downloadDetails = new DownloadDetails(); downloadDetails.SrcIp = session.SrcIpText; downloadDetails.SrcPort = session.SourcePort; downloadDetails.DstIp = session.DstIpText; downloadDetails.DstPort = session.DestinationPort; downloadDetails.File = fileName; try { // Not sure if BufferedStream should be wrapped in using block using (var stream = new BufferedStream(File.OpenRead(System.IO.Path.Combine(this.outputDirectory, dir, fileName)), 1200000)) { MD5 md5 = new MD5CryptoServiceProvider(); byte[] hashMd5 = md5.ComputeHash(stream); downloadDetails.Md5 = woanware.Text.ConvertByteArrayToHexString(hashMd5); } } catch (Exception) { } downloadDetails.Save(System.IO.Path.Combine(this.outputDirectory, dir, "Download.Details." + fileName + ".xml")); break; } }
/// <summary> /// /// </summary> /// <param name="dataDirectory"></param> /// <param name="outputDirectory"></param> public void PostProcess(string dataDirectory, string outputDirectory) { CsvConfiguration csvConfiguration = new CsvConfiguration(); csvConfiguration.QuoteAllFields = true; using (FileStream fileStream = new FileStream(System.IO.Path.Combine(outputDirectory, "File.Hashes.csv"), FileMode.Append, FileAccess.Write, FileShare.Read)) using (StreamWriter streamWriter = new StreamWriter(fileStream)) using (CsvHelper.CsvWriter csvWriter = new CsvHelper.CsvWriter(streamWriter, csvConfiguration)) { // Now MD5 the files foreach (string file in System.IO.Directory.EnumerateFiles(outputDirectory, "*.xml", SearchOption.AllDirectories)) { string fileName = System.IO.Path.GetFileName(file); if (fileName.StartsWith("Download.Details.") == false) { continue; } DownloadDetails downloadDetails = new DownloadDetails(); string ret = downloadDetails.Load(file); if (ret.Length == 0) { csvWriter.WriteField(downloadDetails.Md5); csvWriter.WriteField(downloadDetails.File); csvWriter.WriteField(downloadDetails.SrcIp); csvWriter.WriteField(downloadDetails.SrcPort); csvWriter.WriteField(downloadDetails.DstIp); csvWriter.WriteField(downloadDetails.DstPort); csvWriter.NextRecord(); } } } }