Added protocol description functions that provide a super compressed log representation.

scripts/base/frameworks/analyzer/main.bro

@@ -81,6 +81,13 @@ export {
 	## Returns: The analyzer name corresponding to the tag.
 	global name: function(tag: Analyzer::Tag) : string;
 
+	## Translates an analyzer's name to a tag enum value.
+	##
+	## name: The analyzer name.
+	##
+	## Returns: The analyzer tag corresponding to the name.
+	global get_tag: function(name: string): Analyzer::Tag;
+
 	## Schedules an analyzer for a future connection originating from a given IP
 	## address and port.
 	##
@@ -187,6 +194,11 @@ function name(atype: Analyzer::Tag) : string
 	return __name(atype);
 	}
 
+function get_tag(name: string): Analyzer::Tag
+	{
+	return __tag(name);
+	}
+
 function schedule_analyzer(orig: addr, resp: addr, resp_p: port,
 			   analyzer: Analyzer::Tag, tout: interval) : bool
 	{

scripts/base/frameworks/files/main.bro

@@ -2,6 +2,7 @@
 ##! any network protocol over which they're transported.
 
 @load base/bif/file_analysis.bif
+@load base/frameworks/analyzer
 @load base/frameworks/logging
 @load base/utils/site
 
@@ -173,17 +174,36 @@ export {
 	## Returns: The analyzer name corresponding to the tag.
 	global analyzer_name: function(tag: Files::Tag): string;
 
+	## Provides a text description regarding metadata of the file.
+	## For example, with HTTP it would return a URL.
+	##
+	## f: The file to be described.
+	##
+	## Returns a text description regarding metadata of the file.
+	global describe: function(f: fa_file): string;
+
+	type ProtoRegistration: record {
+		## A callback to generate a file handle on demand when
+		## one is needed by the core.
+		get_file_handle: function(c: connection, is_orig: bool): string;
+		
+		## A callback to "describe" a file.  In the case of an HTTP
+		## transfer the most obvious description would be the URL.
+		## It's like an extremely compressed version of the normal log.
+		describe: function(f: fa_file): string
+				&default=function(f: fa_file): string { return ""; };
+	};
+
 	## Register callbacks for protocols that work with the Files framework.  
 	## The callbacks must uniquely identify a file and each protocol can 
 	## only have a single callback registered for it.
 	## 
 	## tag: Tag for the protocol analyzer having a callback being registered.
 	##
-	## callback: Function that can generate a file handle for the protocol analyzer
-	##           defined previously.
+	## reg: A :bro:see:`ProtoRegistration` record.
 	##
 	## Returns: true if the protocol being registered was not previously registered.
-	global register_protocol: function(tag: Files::Tag, callback: function(c: connection, is_orig: bool): string): bool;
+	global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool;
 
 	## Register a callback for file analyzers to use if they need to do some manipulation
 	## when they are being added to a file before the core code takes over.  This is 
@@ -210,8 +230,7 @@ redef record AnalyzerArgs += {
 };
 
 # Store the callbacks for protocol analyzers that have files.
-global registered_protocols: table[Files::Tag] of function(c: connection, is_orig: bool): string = table()
-		&default=function(c: connection, is_orig: bool): string { return cat(c$uid, is_orig); };
+global registered_protocols: table[Analyzer::Tag] of ProtoRegistration = table();
 
 global analyzer_add_callbacks: table[Files::Tag] of function(f: fa_file, args: AnalyzerArgs) = table();
 
@@ -321,15 +340,28 @@ event file_state_remove(f: fa_file) &priority=-10
 	Log::write(Files::LOG, f$info);
 	}
 
-function register_protocol(tag: Files::Tag, callback: function(c: connection, is_orig: bool): string): bool
+function register_protocol(tag: Analyzer::Tag, reg: ProtoRegistration): bool
 	{
 	local result = (tag !in registered_protocols);
-	registered_protocols[tag] = callback;
+	registered_protocols[tag] = reg;
 	return result;
 	}
 
-event get_file_handle(tag: Files::Tag, c: connection, is_orig: bool) &priority=5
+function describe(f: fa_file): string
 	{
+	local tag = Analyzer::get_tag(f$source);
+	if ( tag !in registered_protocols )
+		return "";
+
 	local handler = registered_protocols[tag];
-	set_file_handle(handler(c, is_orig));
+	return handler$describe(f);
+	}
+
+event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool) &priority=5
+	{
+	if ( tag !in registered_protocols )
+		return;
+
+	local handler = registered_protocols[tag];
+	set_file_handle(handler$get_file_handle(c, is_orig));
 	}

scripts/base/frameworks/notice/main.bro

@@ -79,7 +79,13 @@ export {
 
 		## A mime type if the notice is related to a file.  If the $f field
 		## is provided, this will be automatically filled out.
-		mime_type:      string          &log &optional;
+		file_mime_type: string          &log &optional;
+
+		## Frequently files can be "described" to give a bit more context.
+		## This field will typically be automatically filled out from an
+		## fa_file record.  For example, if a notice was related to a 
+		## file over HTTP, the URL of the request would be shown.
+		file_desc:      string          &log &optional;
 
 		## The transport protocol. Filled automatically when either conn, iconn
 		## or p is specified.
@@ -477,9 +483,13 @@ function apply_policy(n: Notice::Info)
 		{
 		if ( ! n?$fuid )
 			n$fuid = n$f$id;
-		if ( ! n?$mime_type && n$f?$mime_type )
-			n$mime_type = n$f$mime_type;
-		if ( |n$f$conns| == 1 )
+		
+		if ( ! n?$file_mime_type && n$f?$mime_type )
+			n$file_mime_type = n$f$mime_type;
+
+		n$file_desc = Files::describe(n$f);
+		
+		if ( n$f?$conns && |n$f$conns| == 1 )
 			{
 			for ( id in n$f$conns )
 				n$conn = n$f$conns[id];
@@ -490,6 +500,7 @@ function apply_policy(n: Notice::Info)
 		{
 		if ( ! n?$id )
 			n$id = n$conn$id;
+
 		if ( ! n?$uid )
 			n$uid = n$conn$uid;
 		}