Merge branch 'topic/amazingpp/irc-fuid-missing' of github.com:AmazingPP/zeek

* 'topic/amazingpp/irc-fuid-missing' of github.com:AmazingPP/zeek:
  Add irc_dcc_send_ack event and fix missing fields

I've moved IRC_Data back into the zeek::analyzer::file namespace, but
we did move the declaration from protocol/file/File.h to protocol/irc/IRC.h.
But, if someone actually customized IRC_Data and didn't include protocol/irc/IRC.h
for other reasons, I'll be surprised (and also just suggest to update the include).

CHANGES

@@ -1,3 +1,7 @@
+6.0.0-dev.416 | 2023-04-24 18:22:27 +0200
+
+  * Add irc_dcc_send_ack event and fix missing fields (Fupeng Zhao)
+
 6.0.0-dev.414 | 2023-04-24 14:36:32 +0200
 
   * cmake: Fixup BRO_PLUGIN_INSTALL_PATH references (Arne Welzel, Corelight)

NEWS

@@ -73,6 +73,8 @@ Breaking Changes
   depending on the functionality included in the plugin, may trigger subsequent
   errors during configuration or build.
 
+- The IRC_Data analyzer declaration has been moved to protocols/irc/IRC.h.
+
 New Functionality
 -----------------
 
@@ -268,6 +270,13 @@ Changed Functionality
   CMake features. Plugin authors should raise their minimum required CMake
   version to 3.15, to match Zeek's.
 
+- The IRC data analyzer does not extract DCC acknowledgements to files anymore.
+  Instead, ``irc_dcc_send_ack`` is raised with the bytes acknowledged by the
+  recipient.
+
+- The IRC base script now use ``file_sniff()`` instead of ``file_new()`` for
+  DCC file transfers to capture ``fuid`` and inferred MIME type in irc.log.
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-6.0.0-dev.414
+6.0.0-dev.416

scripts/base/protocols/irc/dcc-send.zeek

@@ -97,7 +97,7 @@ function log_dcc(f: fa_file)
 		}
 	}
 
-event file_new(f: fa_file) &priority=-5
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=-5
 	{
 	if ( f$source == "IRC_DATA" )
 		log_dcc(f);

src/analyzer/protocol/file/File.h

@@ -33,14 +33,6 @@ protected:
 	std::string file_id_resp;
 	};
 
-class IRC_Data : public File_Analyzer
-	{
-public:
-	explicit IRC_Data(Connection* conn) : File_Analyzer("IRC_Data", conn) { }
-
-	static Analyzer* Instantiate(Connection* conn) { return new IRC_Data(conn); }
-	};
-
 class FTP_Data : public File_Analyzer
 	{
 public:

src/analyzer/protocol/file/Plugin.cc

@@ -15,8 +15,6 @@ public:
 		{
 		AddComponent(
 			new zeek::analyzer::Component("FTP_Data", zeek::analyzer::file::FTP_Data::Instantiate));
-		AddComponent(
-			new zeek::analyzer::Component("IRC_Data", zeek::analyzer::file::IRC_Data::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::File";

src/analyzer/protocol/irc/IRC.cc

@@ -12,7 +12,10 @@
 
 using namespace std;
 
-namespace zeek::analyzer::irc
+namespace zeek::analyzer
+	{
+
+namespace irc
 	{
 
 IRC_Analyzer::IRC_Analyzer(Connection* conn) : analyzer::tcp::TCP_ApplicationAnalyzer("IRC", conn)
@@ -1128,4 +1131,44 @@ vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
 	return words;
 	}
 
-	} // namespace zeek::analyzer::irc
+	} // namespace irc
+
+namespace file
+	{
+
+void IRC_Data::DeliverStream(int len, const u_char* data, bool orig)
+	{
+	// Bytes from originator are acknowledgements
+	if ( ! orig )
+		File_Analyzer::DeliverStream(len, data, orig);
+	else
+		{
+		constexpr auto ack_len = sizeof(uint32_t);
+
+		if ( len % ack_len != 0 )
+			{
+			Weird("irc_invalid_dcc_send_ack");
+			return;
+			}
+
+		if ( irc_dcc_send_ack )
+			{
+			for ( int i = 0; i < len; i += ack_len )
+				{
+				EnqueueConnEvent(
+					irc_dcc_send_ack, ConnVal(),
+					val_mgr->Count(ntohl(*reinterpret_cast<const uint32_t*>(data + i))));
+				}
+			}
+		}
+	}
+
+void IRC_Data::Undelivered(uint64_t seq, int len, bool orig)
+	{
+	if ( ! orig )
+		File_Analyzer::Undelivered(seq, len, orig);
+	}
+
+	} // namespace file
+
+	} // namespace zeek::analyzer

src/analyzer/protocol/irc/IRC.h

@@ -2,10 +2,14 @@
 
 #pragma once
 
+#include "zeek/analyzer/protocol/file/File.h"
 #include "zeek/analyzer/protocol/tcp/ContentLine.h"
 #include "zeek/analyzer/protocol/tcp/TCP.h"
 
-namespace zeek::analyzer::irc
+namespace zeek::analyzer
+	{
+
+namespace irc
 	{
 
 /**
@@ -79,4 +83,22 @@ private:
 	bool starttls; // if true, connection has been upgraded to tls
 	};
 
-	} // namespace zeek::analyzer::irc
+	} // namespace irc
+
+namespace file
+	{
+
+class IRC_Data : public analyzer::file::File_Analyzer
+	{
+public:
+	explicit IRC_Data(Connection* conn) : analyzer::file::File_Analyzer("IRC_Data", conn) { }
+
+	void DeliverStream(int len, const u_char* data, bool orig) override;
+
+	void Undelivered(uint64_t seq, int len, bool orig) override;
+
+	static Analyzer* Instantiate(Connection* conn) { return new IRC_Data(conn); }
+	};
+	}
+
+	} // namespace zeek::analyzer

src/analyzer/protocol/irc/Plugin.cc

@@ -15,6 +15,8 @@ public:
 		{
 		AddComponent(
 			new zeek::analyzer::Component("IRC", zeek::analyzer::irc::IRC_Analyzer::Instantiate));
+		AddComponent(
+			new zeek::analyzer::Component("IRC_Data", zeek::analyzer::file::IRC_Data::Instantiate));
 
 		zeek::plugin::Configuration config;
 		config.name = "Zeek::IRC";

src/analyzer/protocol/irc/events.bif

@@ -19,7 +19,7 @@
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 ##
 ## .. note:: This event is generated only for messages that originate
 ##    at the client-side. Commands coming in from remote trigger
@@ -49,7 +49,7 @@ event irc_request%(c: connection, is_orig: bool, prefix: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_reply%(c: connection, is_orig: bool, prefix: string,
 			code: count, params: string%);
 
@@ -73,7 +73,7 @@ event irc_reply%(c: connection, is_orig: bool, prefix: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message  irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 ##
 ## .. note::
 ##
@@ -102,7 +102,7 @@ event irc_message%(c: connection, is_orig: bool, prefix: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
 
 ## Generated for IRC messages of type *privmsg*. This event is generated for
@@ -126,7 +126,7 @@ event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: str
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
 
@@ -151,7 +151,7 @@ event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message  irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_notice_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
 
@@ -176,7 +176,7 @@ event irc_notice_message%(c: connection, is_orig: bool, source: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_squery_message%(c: connection, is_orig: bool, source: string,
 				target: string, message: string%);
 
@@ -197,7 +197,7 @@ event irc_squery_message%(c: connection, is_orig: bool, source: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
 
 ## Generated for IRC messages of type *part*. This event is generated for
@@ -221,7 +221,7 @@ event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%)
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_part_message%(c: connection, is_orig: bool, nick: string,
 				chans: string_set, message: string%);
 
@@ -244,7 +244,7 @@ event irc_part_message%(c: connection, is_orig: bool, nick: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
 
 ## Generated when a server rejects an IRC nickname.
@@ -261,7 +261,7 @@ event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: stri
 ##    irc_global_users  irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_invalid_nick%(c: connection, is_orig: bool%);
 
 ## Generated for an IRC reply of type *luserclient*.
@@ -284,7 +284,7 @@ event irc_invalid_nick%(c: connection, is_orig: bool%);
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_network_info%(c: connection, is_orig: bool, users: count,
 				services: count, servers: count%);
 
@@ -308,7 +308,7 @@ event irc_network_info%(c: connection, is_orig: bool, users: count,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_server_info%(c: connection, is_orig: bool, users: count,
 				services: count, servers: count%);
 
@@ -328,7 +328,7 @@ event irc_server_info%(c: connection, is_orig: bool, users: count,
 ##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
 
 ## Generated for an IRC reply of type *whoreply*.
@@ -363,7 +363,7 @@ event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
 				channel: string, user: string, host: string,
 				server: string, nick: string, params: string,
@@ -390,7 +390,7 @@ event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message  irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_names_info%(c: connection, is_orig: bool, c_type: string,
 				channel: string, users: string_set%);
 
@@ -410,7 +410,7 @@ event irc_names_info%(c: connection, is_orig: bool, c_type: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
 
 ## Generated for an IRC reply of type *whoischannels*.
@@ -431,7 +431,7 @@ event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
 				chans: string_set%);
 
@@ -457,7 +457,7 @@ event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
 				user: string, host: string, real_name: string%);
 
@@ -478,7 +478,7 @@ event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
 
 ## Generated for an IRC reply of type *globalusers*.
@@ -500,7 +500,7 @@ event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
 ##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
 
 ## Generated for an IRC reply of type *topic*.
@@ -521,7 +521,7 @@ event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: strin
 ##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
 
 ## Generated for IRC messages of type *who*. This event is generated for
@@ -543,7 +543,7 @@ event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: s
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
 
 ## Generated for IRC messages of type *whois*. This event is generated for
@@ -565,7 +565,7 @@ event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
 
 ## Generated for IRC messages of type *oper*. This event is generated for
@@ -587,7 +587,7 @@ event irc_whois_message%(c: connection, is_orig: bool, server: string, users: st
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message  irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
 
 ## Generated for IRC messages of type *kick*. This event is generated for
@@ -614,7 +614,7 @@ event irc_oper_message%(c: connection, is_orig: bool, user: string, password: st
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
 			chans: string, users: string, comment: string%);
 
@@ -638,7 +638,7 @@ event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
 ##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
 
 ## Generated for IRC messages of type *invite*. This event is generated for
@@ -663,7 +663,7 @@ event irc_error_message%(c: connection, is_orig: bool, prefix: string, message:
 ##    irc_global_users irc_invalid_nick  irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
 				nickname: string, channel: string%);
 
@@ -687,7 +687,7 @@ event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message  irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
 
 ## Generated for IRC messages of type *squit*. This event is generated for
@@ -712,7 +712,7 @@ event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: st
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
 				server: string, message: string%);
 
@@ -722,6 +722,9 @@ event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
 ## information about the IRC protocol.
 ##
+## See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+## information about the DCC.
+##
 ## c: The connection.
 ##
 ## is_orig: True if the command was sent by the originator of the TCP
@@ -746,12 +749,32 @@ event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
 ##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
 ##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
 ##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
-##    irc_password_message
+##    irc_password_message irc_dcc_send_ack
 event irc_dcc_message%(c: connection, is_orig: bool,
 				prefix: string, target: string,
 				dcc_type: string, argument: string,
 				address: addr, dest_port: count, size: count%);
 
+## Generated for IRC messages of type *dcc*. This event is generated for
+## DCC SEND acknowledge message.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## See `Wikipedia <https://en.wikipedia.org/wiki/Direct_Client-to-Client>`__ for more
+## information about the DCC.
+##
+## c: The connection.
+##
+## bytes_received: The number of bytes received as reported by the recipient.
+##
+## .. zeek:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_dcc_send_ack%(c: connection, bytes_received: count%);
+
 ## Generated for IRC messages of type *user*. This event is generated for
 ## messages coming from both the client and the server.
 ##
@@ -775,7 +798,7 @@ event irc_dcc_message%(c: connection, is_orig: bool,
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message irc_password_message
+##    irc_part_message irc_password_message irc_dcc_send_ack
 event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
 
 ## Generated for IRC messages of type *password*. This event is generated for
@@ -795,7 +818,7 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string
 ##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
 ##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
 ##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
-##    irc_part_message
+##    irc_part_message irc_dcc_send_ack
 event irc_password_message%(c: connection, is_orig: bool, password: string%);
 
 ## Generated if an IRC connection switched to TLS using STARTTLS. After this

testing/btest/Baseline/scripts.base.frameworks.file-analysis.irc/out

@@ -2,18 +2,6 @@
 FILE_NEW
 file #0, 0, 0
 FILE_OVER_NEW_CONNECTION
-FILE_NEW
-file #1, 0, 0
-FILE_OVER_NEW_CONNECTION
-FILE_STATE_REMOVE
-file #1, 124, 0
-[orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]
-FILE_BOF_BUFFER
-\x00\x00\x05x\x00\x00\x0a\xf0\x00\x00\x10
-source: IRC_DATA
-MD5: 35288fd50a74c7d675909ff83424d7a1
-SHA1: 8a98f177cb47e6bf771bf57c2f7e94c4b5e79ffa
-SHA256: b24dde52b933a0d76e885ab418cb6d697b14a4e2fef45fce66e12ecc5a6a81aa
 FILE_STATE_REMOVE
 file #0, 42208, 0
 [orig_h=192.168.1.77, orig_p=57655/tcp, resp_h=209.197.168.151, resp_p=1024/tcp]

testing/btest/Baseline/scripts.base.protocols.irc.basic/irc.log

@@ -5,10 +5,10 @@
 #unset_field	-
 #path	irc
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	fuid
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	nick	user	command	value	addl	dcc_file_name	dcc_file_size	dcc_mime_type	fuid
-#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	string
+#types	time	string	addr	port	addr	port	string	string	string	string	string	string	count	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	-	-	NICK	bloed	-	-	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	-	USER	sdkfje	sdkfje Montreal.QC.CA.Undernet.org dkdkrwq	-	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	JOIN	#easymovies	(empty)	-	-	-	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.77	57640	66.198.80.67	6667	bloed	sdkfje	DCC	#easymovies	(empty)	ladyvampress-default(2011-07-07)-OS.zip	42208	application/zip	F2tE1m1WMORrNXXg7b
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.irc.basic/out

@@ -57,3 +57,34 @@ Nachos,
 dx3d51,
 TooFast
 }
+irc_dcc_send_ack, 1400
+irc_dcc_send_ack, 2800
+irc_dcc_send_ack, 4200
+irc_dcc_send_ack, 5600
+irc_dcc_send_ack, 7000
+irc_dcc_send_ack, 8400
+irc_dcc_send_ack, 9800
+irc_dcc_send_ack, 11200
+irc_dcc_send_ack, 12288
+irc_dcc_send_ack, 13688
+irc_dcc_send_ack, 15088
+irc_dcc_send_ack, 16384
+irc_dcc_send_ack, 17784
+irc_dcc_send_ack, 19184
+irc_dcc_send_ack, 20480
+irc_dcc_send_ack, 21880
+irc_dcc_send_ack, 23280
+irc_dcc_send_ack, 24576
+irc_dcc_send_ack, 25976
+irc_dcc_send_ack, 27376
+irc_dcc_send_ack, 28672
+irc_dcc_send_ack, 30072
+irc_dcc_send_ack, 31472
+irc_dcc_send_ack, 32768
+irc_dcc_send_ack, 34168
+irc_dcc_send_ack, 35568
+irc_dcc_send_ack, 36864
+irc_dcc_send_ack, 38264
+irc_dcc_send_ack, 39664
+irc_dcc_send_ack, 40960
+irc_dcc_send_ack, 42208

testing/btest/scripts/base/frameworks/file-analysis/irc.zeek

@@ -6,17 +6,9 @@
 
 redef test_file_analysis_source = "IRC_DATA";
 
-global first: bool = T;
-
 function myfile(f: fa_file): string
 	{
-	if ( first )
+	return "thefile";
-		{
-		first = F;
-		return "thefile";
-		}
-	else
-		return "";
 	}
 
 redef test_get_file_name = myfile;

testing/btest/scripts/base/protocols/irc/basic.test

@@ -9,14 +9,12 @@
 @load base/protocols/conn
 @load base/protocols/irc
 
-# dcc mime types are irrelevant to this test, so filter it out
-event zeek_init()
-	{
-	Log::remove_default_filter(IRC::LOG);
-	Log::add_filter(IRC::LOG, [$name="remove-mime", $exclude=set("dcc_mime_type")]);
-	}
-
 event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
 	{
 	print "irc_names_info", channel, users;
 	}
+
+event irc_dcc_send_ack(c: connection, bytes_received: count)
+	{
+	print "irc_dcc_send_ack", bytes_received;
+	}