Files transferred over FTP were showing incorrect sizes.

The server-reported file size was being collected poorly and if
a file name had a number in it, that was reported as the file
size instead of the actual size.

A new test is included to avoid reintroducing the problem.

scripts/base/protocols/ftp/main.bro

@@ -213,7 +213,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       on a different file could be checked, but the file size will
 		#       be overwritten by the server response to the RETR command
 		#       if that's given as well which would be more correct.
-		c$ftp$file_size = extract_count(msg);
+		c$ftp$file_size = extract_count(msg, F);
 		}
 
 	# PASV and EPSV processing

scripts/base/utils/numbers.bro

@@ -1,10 +1,26 @@
-## Extract the first integer found in the given string.
-## If no integer can be found, 0 is returned.
-function extract_count(s: string): count
+
+## Extract an integer from a string.
+## 
+## s: The string to search for a number.
+## 
+## get_first: Provide `F` if you would like the last number found.
+##
+## Returns: The request integer from the given string or 0 if
+##          no integer was found.
+function extract_count(s: string, get_first: bool &default=T): count
 	{
-	local parts = split_string_n(s, /[0-9]+/, T, 1);
-	if ( 1 in parts )
-		return to_count(parts[1]);
+	local extract_num_pattern = /[0-9]+/;
+	if ( get_first )
+		{
+		local first_parts = split_string_n(s, extract_num_pattern, T, 1);
+		if ( 1 in first_parts )
+			return to_count(first_parts[1]);
+		}
 	else
-		return 0;
+		{
+		local last_parts = split_string_all(s, extract_num_pattern);
+		if ( |last_parts| > 1 )
+			return to_count(last_parts[|last_parts|-2]);
+		}
+	return 0;
 	}

testing/btest/Baseline/scripts.base.protocols.ftp.ftp-get-file-size/ftp.log

@@ -0,0 +1,15 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ftp
+#open	2016-03-11-17-40-18
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	user	password	command	arg	mime_type	file_size	reply_code	reply_msg	data_channel.passive	data_channel.orig_h	data_channel.resp_h	data_channel.resp_p	fuid
+#types	time	string	addr	port	addr	port	string	string	string	string	string	count	count	string	bool	addr	addr	port	string
+1457455890.667768	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,187)	T	192.168.21.95	164.107.123.6	47035	-
+1457455890.667768	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,187)	-	-	-	-	-
+1457455891.781896	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,231)	T	192.168.21.95	164.107.123.6	47079	FaFkMs3Gc0F1kvwXD
+1457455894.380514	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,211)	T	192.168.21.95	164.107.123.6	47059	Fm58Rm14ZG2Ai7nW9g
+1457455900.398202	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	PASV	-	-	-	227	Entering Passive Mode (164,107,123,6,183,197)	T	192.168.21.95	164.107.123.6	47045	FnxQXApi8WTTWNyH1
+1457455900.530943	CXWv6p3arKYeMETxOg	192.168.21.95	54089	164.107.123.6	21	<unknown>	-	RETR	ftp://164.107.123.6/mirror/internic/rfc/rfc1001.txt	text/plain	154427	226	File send OK.	-	-	-	-	FJblKh2PaOnGa8zcmg
+#close	2016-03-11-17-40-18

testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.bro

@@ -0,0 +1,5 @@
+# This tests extracting the server reported file size 
+# from FTP sessions.
+#
+# @TEST-EXEC: bro -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
+# @TEST-EXEC: btest-diff ftp.log