From 2d1f0071867357ccaa068c2ec394d61ec8e5f18f Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Wed, 25 Jan 2017 01:16:46 -0500
Subject: [PATCH] Extend file extraction log.

- New fields: extracted_cutoff and extracted_size. These fields will be null if the file isn't extracted.
- Extended the extraction test to test the files log too.
---
 scripts/base/files/extract/main.bro | 14 ++++++++++++++
 .../scripts.base.files.extract.limit/files.log | 10 ++++++++++
 testing/btest/scripts/base/files/extract/limit.bro | 1 +
 3 files changed, 25 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.files.extract.limit/files.log

diff --git a/scripts/base/files/extract/main.bro b/scripts/base/files/extract/main.bro
index 7f68a8bcce..22207000bf 100644
--- a/scripts/base/files/extract/main.bro
+++ b/scripts/base/files/extract/main.bro
@@ -14,6 +14,13 @@ export {
 redef record Files::Info += {
 ## Local filename of extracted file.
 extracted: string &optional &log;
+
+ ## Set to true if the file being extracted was cut off
+ ## so the whole file was not logged.
+ extracted_cutoff: bool &optional &log;
+
+ ## The number of bytes extracted to disk.
+ extracted_size: count &optional &log;
 };
 
 redef record Files::AnalyzerArgs += {
@@ -58,9 +65,16 @@ function on_add(f: fa_file, args: Files::AnalyzerArgs)
 
 f$info$extracted = args$extract_filename;
 args$extract_filename = build_path_compressed(prefix, args$extract_filename);
+ f$info$extracted_cutoff = F;
 mkdir(prefix);
 }
 
+event file_extraction_limit(f: fa_file, args: Files::AnalyzerArgs, limit: count, len: count) &priority=10
+ {
+ f$info$extracted_cutoff = T;
+ f$info$extracted_size = limit;
+ }
+
 event bro_init() &priority=10
 {
 Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, on_add);
diff --git a/testing/btest/Baseline/scripts.base.files.extract.limit/files.log b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log
new file mode 100644
index 0000000000..f9ab216124
--- /dev/null
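Review bot: The doc comment on the new `extracted_cutoff` field says the whole file was not "logged", but the flag is about extraction, not logging; `## so the whole file was not extracted.` says what it means. `extracted_size` is described as "The number of bytes extracted to disk", yet the only assignment to it in this patch is in the file_extraction_limit handler of the next hunk, which stores the event's `limit` argument — so a file extracted in full leaves the field unset, and a cut-off file records the limit in force when the event fired rather than a measured byte count. Analysts who use this field to decide whether a sample or hash on disk is complete need that stated; suggested wording: `## The extraction limit in force when the file was cut off; unset if the file was not cut off.`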
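Review bot: The new `file_extraction_limit` handler runs at `&priority=10`, so it sets `extracted_cutoff = T` and `extracted_size = limit` before any default-priority handler can raise or remove the limit, and nothing in this patch ever clears those fields afterwards. The baseline added by this patch records extracted_size 6000 for a run started with max_extract=3000, so the limit is evidently raised by a later handler and the event fires again with the new value; if a later handler lifts the limit entirely (the test's `unlimit_it` flag suggests that case exists), the log will assert a cutoff that did not happen. Consider recording the cutoff at a lower priority, after other handlers have had their chance, and only when a limit actually remains in force — how to read the possibly-updated limit depends on the analyzer's API, which is outside this hunk. The `len` parameter is unused, which is fine for an event signature but worth a one-line comment such as `# len: size of the chunk that would exceed the limit; unused here`.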
+++ b/testing/btest/Baseline/scripts.base.files.extract.limit/files.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path files
+#open 2017-01-25-06-12-45
+#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid extracted extracted_cutoff extracted_size md5 sha1 sha256
+#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string bool count string string string
+1363628702.262149 FGy9Oo9JLY8SFxMJ2 141.142.192.162 141.142.228.5 ClEkJM2Vm5giqnMf4h FTP_DATA 0 EXTRACT text/plain - 0.001059 - F 16557 - 0 0 F - 2 T 6000 - - -
+#close 2017-01-25-06-12-45
diff --git a/testing/btest/scripts/base/files/extract/limit.bro b/testing/btest/scripts/base/files/extract/limit.bro
index 1ac5f20b6d..4deecd292d 100644
--- a/testing/btest/scripts/base/files/extract/limit.bro
+++ b/testing/btest/scripts/base/files/extract/limit.bro
@@ -4,6 +4,7 @@
 # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=3000 efname=2 double_it=T
 # @TEST-EXEC: btest-diff extract_files/2
 # @TEST-EXEC: btest-diff 2.out
+# @TEST-EXEC: btest-diff files.log
 # @TEST-EXEC: bro -b -r $TRACES/ftp/retr.trace %INPUT max_extract=7000 efname=3 unlimit_it=T
 # @TEST-EXEC: btest-diff extract_files/3
 # @TEST-EXEC: btest-diff 3.out
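Review bot: The added `btest-diff files.log` checks only the `max_extract=3000 ... double_it=T` run, so the `unlimit_it=T` run on the following line — the case where a cutoff recorded early by the priority-10 handler is most likely to be wrong if the limit is lifted afterwards — never has its files.log compared. Covering it needs a second check after the `btest-diff 3.out` line, and since btest-diff appears to key baselines by file name and each bro run rewrites files.log in place, the log from one of the runs would have to be copied to a distinct name (for example `# @TEST-EXEC: cp files.log files-unlimit.log` followed by `# @TEST-EXEC: btest-diff files-unlimit.log`) so both runs keep their own baseline. The expected values for that run should then show whether extracted_cutoff really ends up T when the whole file is written.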