FileAnalysis: add more unit tests.

2025-10-06 08:38:20 +00:00 · 2013-03-20 12:47:45 -05:00 · 2013-03-20 12:47:45 -05:00 · 1ef7465e30
commit 1ef7465e30
parent 661677d452
13 changed files with 521 additions and 5 deletions
--- a/src/file_analysis.bif
+++ b/src/file_analysis.bif
@ -94,13 +94,13 @@ function FileAnalysis::stop%(file_id: string%): bool
 	return new Val(result, TYPE_BOOL);
 	%}

-function FileAnalysis::input_data%(source: string, data: string%): any
+function FileAnalysis::data_stream%(source: string, data: string%): any
 	%{
 	file_mgr->DataIn(data->Bytes(), data->Len(), source->CheckString());
 	return 0;
 	%}

-function FileAnalysis::input_data_chunk%(source: string, data: string,
+function FileAnalysis::data_chunk%(source: string, data: string,
                                         offset: count%): any
 	%{
 	file_mgr->DataIn(data->Bytes(), data->Len(), offset, source->CheckString());
@ -119,7 +119,7 @@ function FileAnalysis::set_size%(source: string, size: count%): any
 	return 0;
 	%}

-function FileAnalysis::input_eof%(source: string%): any
+function FileAnalysis::eof%(source: string%): any
 	%{
 	file_mgr->EndOfFile(source->CheckString());
 	return 0;
--- a/src/file_analysis/InfoTimer.cc
+++ b/src/file_analysis/InfoTimer.cc
@ -3,6 +3,14 @@

 using namespace file_analysis;

+
+InfoTimer::InfoTimer(double t, const FileID& id, double interval)
+    : Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id)
+	{
+	DBG_LOG(DBG_FILE_ANALYSIS, "New %f second timeout timer for %s",
+	        file_id.c_str(), interval);
+	}
+
 void InfoTimer::Dispatch(double t, int is_expire)
 	{
 	Info* info = file_mgr->Lookup(file_id);
--- a/src/file_analysis/InfoTimer.h
+++ b/src/file_analysis/InfoTimer.h
@ -13,8 +13,7 @@ namespace file_analysis {
 class InfoTimer : public Timer {
 public:

-	InfoTimer(double t, const FileID& id, double interval)
-	    : Timer(t + interval, TIMER_FILE_ANALYSIS_INACTIVITY), file_id(id) {}
+	InfoTimer(double t, const FileID& id, double interval);

 	/**
 	 * Check inactivity of file_analysis::Info corresponding to #file_id,
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
@ -0,0 +1,31 @@
+FileAnalysis::TRIGGER_NEW
+Cx92a0ym5R8, 0, 0
+T
+FileAnalysis::TRIGGER_BOF
+FileAnalysis::TRIGGER_BOF_BUFFER
+^J0.26 | 201
+FileAnalysis::TRIGGER_TYPE
+file type is set
+mime type is set
+file_stream, Cx92a0ym5R8, 1500, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
+file_chunk, Cx92a0ym5R8, 1500, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J      rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
+file_stream, Cx92a0ym5R8, 1024, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
+file_chunk, Cx92a0ym5R8, 1024, 1500, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
+file_stream, Cx92a0ym5R8, 476, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tools/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
+file_chunk, Cx92a0ym5R8, 476, 2524, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tools/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
+file_stream, Cx92a0ym5R8, 1024, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
+file_chunk, Cx92a0ym5R8, 1024, 3000, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
+FileAnalysis::TRIGGER_DONE
+Cx92a0ym5R8, 4705, 0
+{
+UWkUyAuUGXf
+}
+{
+[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+}
+total bytes: 4705
+source: HTTP
+file_stream, Cx92a0ym5R8, 476,  now links against thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
+file_chunk, Cx92a0ym5R8, 476, 4024,  now links against thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
+file_stream, Cx92a0ym5R8, 205, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
+file_chunk, Cx92a0ym5R8, 205, 4500, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.postpone_timeout/bro..stdout
@ -0,0 +1,26 @@
+FileAnalysis::TRIGGER_NEW
+oDwT1BbzjM1, 0, 0
+FileAnalysis::TRIGGER_DONE
+oDwT1BbzjM1, 1022920, 0
+{
+UWkUyAuUGXf
+}
+{
+[orig_h=192.168.72.14, orig_p=3254/tcp, resp_h=65.54.95.206, resp_p=80/tcp]
+}
+total bytes: 1022920
+source: HTTP
+FileAnalysis::TRIGGER_NEW
+oDwT1BbzjM1, 0, 0
+FileAnalysis::TRIGGER_TIMEOUT
+FileAnalysis::TRIGGER_TIMEOUT
+FileAnalysis::TRIGGER_EOF
+oDwT1BbzjM1, 206024, 0
+{
+arKYeMETxOg
+}
+{
+[orig_h=192.168.72.14, orig_p=3257/tcp, resp_h=65.54.95.14, resp_p=80/tcp]
+}
+total bytes: 1022920
+source: HTTP
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.remove_action/get.out
@ -0,0 +1,18 @@
+FileAnalysis::TRIGGER_NEW
+Cx92a0ym5R8, 0, 0
+FileAnalysis::TRIGGER_BOF
+FileAnalysis::TRIGGER_BOF_BUFFER
+^J0.26 | 201
+FileAnalysis::TRIGGER_TYPE
+file type is set
+mime type is set
+FileAnalysis::TRIGGER_DONE
+Cx92a0ym5R8, 4705, 0
+{
+UWkUyAuUGXf
+}
+{
+[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
+}
+total bytes: 4705
+source: HTTP
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.stop/get.out
@ -0,0 +1,2 @@
+FileAnalysis::TRIGGER_NEW
+Cx92a0ym5R8, 0, 0
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.input.basic/bro..stdout
@ -0,0 +1,14 @@
+FileAnalysis::TRIGGER_NEW
+nYgPNGLrZf9, 0, 0
+FileAnalysis::TRIGGER_BOF
+FileAnalysis::TRIGGER_BOF_BUFFER
+#separator 
+FileAnalysis::TRIGGER_TYPE
+file type is set
+mime type is set
+FileAnalysis::TRIGGER_EOF
+nYgPNGLrZf9, 311, 0
+source: ../input.log
+SHA1: 0a0f20de89c86d7bce1301af6548d6e9ae87b0f1
+MD5: bf4dfa6169b74146da5236e918743599
+SHA256: 4e573192c5ea75da72494812fe24dae53a577837b2079df012fd464903d68a6f
--- a/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/actions/data_event.bro
@ -0,0 +1,55 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event file_chunk(info: FileAnalysis::Info, data: string, off: count)
+    {
+    print "file_chunk", info$file_id, |data|, off, data;
+    }
+
+event file_stream(info: FileAnalysis::Info, data: string)
+    {
+    print "file_stream", info$file_id, |data|, data;
+    }
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		print FileAnalysis::add_action(info$file_id,
+		                               [$act=FileAnalysis::ACTION_DATA_EVENT,
+		                                $chunk_event=file_chunk,
+		                                $stream_event=file_stream]);
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+		break;
+	}
+	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/postpone_timeout.bro
@ -0,0 +1,90 @@
+# @TEST-EXEC: btest-bg-run bro bro -r $TRACES/http/206_example_b.pcap %INPUT
+# @TEST-EXEC: btest-bg-wait 8
+# @TEST-EXEC: btest-diff bro/.stdout
+
+global actions: set[FileAnalysis::ActionArgs];
+global cnt: count = 0;
+global timeout_cnt: count = 0;
+
+redef exit_only_after_terminate = T;
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	print trig;
+
+	switch ( trig ) {
+    case FileAnalysis::TRIGGER_TIMEOUT:
+		if ( timeout_cnt < 1 )
+			FileAnalysis::postpone_timeout(info$file_id);
+		else
+			terminate();
+		++timeout_cnt;
+		break;
+	case FileAnalysis::TRIGGER_NEW:
+		info$timeout_interval=2sec;
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		if ( info$source == "HTTP" )
+			{
+			for ( act in actions )
+				FileAnalysis::add_action(info$file_id, act);
+			local filename: string = fmt("%s-file%d", info$file_id, cnt);
+			++cnt;
+			FileAnalysis::add_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+			}
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+
+		for ( act in info$actions )
+			switch ( act$act ) {
+			case FileAnalysis::ACTION_MD5:
+				if ( info$actions[act]?$md5 )
+					print fmt("MD5: %s", info$actions[act]$md5);
+				break;
+			case FileAnalysis::ACTION_SHA1:
+				if ( info$actions[act]?$sha1 )
+					print fmt("SHA1: %s", info$actions[act]$sha1);
+				break;
+			case FileAnalysis::ACTION_SHA256:
+				if ( info$actions[act]?$sha256 )
+					print fmt("SHA256: %s", info$actions[act]$sha256);
+				break;
+			}
+		break;
+	}
+	}
+
+event bro_init()
+	{
+	add actions[[$act=FileAnalysis::ACTION_MD5]];
+	add actions[[$act=FileAnalysis::ACTION_SHA1]];
+	add actions[[$act=FileAnalysis::ACTION_SHA256]];
+	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro
@ -0,0 +1,83 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
+# @TEST-EXEC: btest-diff get.out
+
+global actions: set[FileAnalysis::ActionArgs];
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	local filename: string;
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		if ( info$source == "HTTP" )
+			{
+			for ( act in actions )
+				FileAnalysis::add_action(info$file_id, act);
+			filename = fmt("%s-file", info$file_id);
+			FileAnalysis::add_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+			}
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		for ( act in actions )
+			FileAnalysis::remove_action(info$file_id, act);
+		filename = fmt("%s-file", info$file_id);
+		FileAnalysis::remove_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+
+		for ( act in info$actions )
+			switch ( act$act ) {
+			case FileAnalysis::ACTION_MD5:
+				if ( info$actions[act]?$md5 )
+					print fmt("MD5: %s", info$actions[act]$md5);
+				break;
+			case FileAnalysis::ACTION_SHA1:
+				if ( info$actions[act]?$sha1 )
+					print fmt("SHA1: %s", info$actions[act]$sha1);
+				break;
+			case FileAnalysis::ACTION_SHA256:
+				if ( info$actions[act]?$sha256 )
+					print fmt("SHA256: %s", info$actions[act]$sha256);
+				break;
+			}
+		break;
+	}
+	}
+
+event bro_init()
+	{
+	add actions[[$act=FileAnalysis::ACTION_MD5]];
+	add actions[[$act=FileAnalysis::ACTION_SHA1]];
+	add actions[[$act=FileAnalysis::ACTION_SHA256]];
+	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro
@ -0,0 +1,75 @@
+# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT >get.out
+# @TEST-EXEC: btest-diff get.out
+# @TEST-EXEC: test ! -s Cx92a0ym5R8-file
+
+global actions: set[FileAnalysis::ActionArgs];
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+		FileAnalysis::stop(info$file_id);
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		if ( info$source == "HTTP" )
+			{
+			for ( act in actions )
+				FileAnalysis::add_action(info$file_id, act);
+			local filename: string = fmt("%s-file", info$file_id);
+			FileAnalysis::add_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+			}
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+		print info$conn_uids;
+		print info$conn_ids;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+
+		for ( act in info$actions )
+			switch ( act$act ) {
+			case FileAnalysis::ACTION_MD5:
+				print fmt("MD5: %s", info$actions[act]$md5);
+				break;
+			case FileAnalysis::ACTION_SHA1:
+				print fmt("SHA1: %s", info$actions[act]$sha1);
+				break;
+			case FileAnalysis::ACTION_SHA256:
+				print fmt("SHA256: %s", info$actions[act]$sha256);
+				break;
+			}
+		break;
+	}
+	}
+
+event bro_init()
+	{
+	add actions[[$act=FileAnalysis::ACTION_MD5]];
+	add actions[[$act=FileAnalysis::ACTION_SHA1]];
+	add actions[[$act=FileAnalysis::ACTION_SHA256]];
+	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro
+++ b/testing/btest/scripts/base/frameworks/file-analysis/input/basic.bro
@ -0,0 +1,115 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 8
+# @TEST-EXEC: btest-diff bro/.stdout
+# @TEST-EXEC: diff -q bro/nYgPNGLrZf9-file input.log
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE input.log
+#separator \x09
+#path	ssh
+#fields	b	i	e	c	p	sn	a	d	t	iv	s	sc	ss	se	vc	ve	ns
+#types	bool	int	enum	count	port	subnet	addr	double	time	interval	string	table	table	table	vector	vector	string
+T	-42	SSH::LOG	21	123	10.0.0.0/24	1.2.3.4	3.14	1315801931.273616	100.000000	hurz	2,4,1,3	CC,AA,BB	EMPTY	10,20,30	EMPTY	4242
+@TEST-END-FILE
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	FileAnalysis::data_stream(description$source, s);
+	}
+
+event Input::end_of_data(name: string, source: string) 
+	{
+	FileAnalysis::eof(source);
+	}
+
+event bro_init()
+	{
+	Input::add_event([$source="../input.log", $reader=Input::READER_BINARY,
+	                  $mode=Input::MANUAL, $name="input", $fields=Val,
+	                  $ev=line, $want_record=F]);
+	Input::remove("input");
+	}
+
+global actions: set[FileAnalysis::ActionArgs];
+
+hook FileAnalysis::policy(trig: FileAnalysis::Trigger, info: FileAnalysis::Info)
+	{
+	local filename: string;
+	print trig;
+
+	switch ( trig ) {
+	case FileAnalysis::TRIGGER_NEW:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		for ( act in actions )
+			FileAnalysis::add_action(info$file_id, act);
+		filename = fmt("%s-file", info$file_id);
+		FileAnalysis::add_action(info$file_id,
+		                         [$act=FileAnalysis::ACTION_EXTRACT,
+		                          $extract_filename=filename]);
+		break;
+
+	case FileAnalysis::TRIGGER_BOF_BUFFER:
+		if ( info?$bof_buffer )
+			print info$bof_buffer[0:10];
+		break;
+
+	case FileAnalysis::TRIGGER_TYPE:
+		for ( act in actions )
+			FileAnalysis::remove_action(info$file_id, act);
+		filename = fmt("%s-file", info$file_id);
+		FileAnalysis::remove_action(info$file_id,
+			                         [$act=FileAnalysis::ACTION_EXTRACT,
+			                          $extract_filename=filename]);
+		# not actually printing the values due to libmagic variances
+		if ( info?$file_type )
+			print "file type is set";
+		if ( info?$mime_type )
+			print "mime type is set";
+		break;
+
+	case FileAnalysis::TRIGGER_EOF:
+		fallthrough;
+	case FileAnalysis::TRIGGER_DONE:
+
+		print info$file_id, info$seen_bytes, info$missing_bytes;
+
+		if ( info?$total_bytes )
+			print "total bytes: " + fmt("%s", info$total_bytes);
+		if ( info?$source )
+			print "source: " + info$source;
+
+		for ( act in info$actions )
+			switch ( act$act ) {
+			case FileAnalysis::ACTION_MD5:
+				if ( info$actions[act]?$md5 )
+					print fmt("MD5: %s", info$actions[act]$md5);
+				break;
+			case FileAnalysis::ACTION_SHA1:
+				if ( info$actions[act]?$sha1 )
+					print fmt("SHA1: %s", info$actions[act]$sha1);
+				break;
+			case FileAnalysis::ACTION_SHA256:
+				if ( info$actions[act]?$sha256 )
+					print fmt("SHA256: %s", info$actions[act]$sha256);
+				break;
+			}
+		terminate();
+		break;
+	}
+	}
+
+event bro_init()
+	{
+	add actions[[$act=FileAnalysis::ACTION_MD5]];
+	add actions[[$act=FileAnalysis::ACTION_SHA1]];
+	add actions[[$act=FileAnalysis::ACTION_SHA256]];
+	}