Fixing tests.

Part of this involves making the file-analysis tests independent of
specific hash values. I've done that only partially though.

scripts/base/protocols/ftp/main.bro

@@ -1,6 +1,6 @@
 ##! The logging this script does is primarily focused on logging FTP commands
 ##! along with metadata.  For example, if files are transferred, the argument
-##! will take on the full path that the client is at along with the requested 
+##! will take on the full path that the client is at along with the requested
 ##! file name.
 
 @load ./utils-commands
@@ -13,16 +13,16 @@ module FTP;
 export {
 	## The FTP protocol logging stream identifier.
 	redef enum Log::ID += { LOG };
-	
+
 	## List of commands that should have their command/response pairs logged.
 	const logged_commands = {
 		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT",
 		"EPSV"
 	} &redef;
-	
+
 	## This setting changes if passwords used in FTP sessions are captured or not.
 	const default_capture_password = F &redef;
-	
+
 	## User IDs that can be considered "anonymous".
 	const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
 
@@ -37,7 +37,7 @@ export {
 		## The port at which the acceptor is listening for the data connection.
 		resp_p: port &log;
 	};
-	
+
 	type Info: record {
 		## Time when the command was sent.
 		ts:               time        &log;
@@ -53,12 +53,12 @@ export {
 		command:          string      &log &optional;
 		## Argument for the command if one is given.
 		arg:              string      &log &optional;
-		
+
 		## Libmagic "sniffed" file type if the command indicates a file transfer.
 		mime_type:        string      &log &optional;
 		## Size of the file if the command indicates a file transfer.
 		file_size:        count       &log &optional;
-		
+
 		## Reply code from the server in response to the command.
 		reply_code:       count       &log &optional;
 		## Reply message from the server in response to the command.
@@ -74,31 +74,31 @@ export {
 		## more concrete is discovered that the existing but unknown
 		## directory is ok to use.
 		cwd:                string  &default=".";
-		
+
 		## Command that is currently waiting for a response.
 		cmdarg:             CmdArg  &optional;
-		## Queue for commands that have been sent but not yet responded to 
+		## Queue for commands that have been sent but not yet responded to
 		## are tracked here.
 		pending_commands:   PendingCmds;
-		
+
 		## Indicates if the session is in active or passive mode.
 		passive:            bool &default=F;
-		
+
 		## Determines if the password will be captured for this request.
 		capture_password:   bool &default=default_capture_password;
 	};
 
-	## This record is to hold a parsed FTP reply code.  For example, for the 
+	## This record is to hold a parsed FTP reply code.  For example, for the
 	## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
 	type ReplyCode: record {
 		x: count;
 		y: count;
 		z: count;
 	};
-	
+
 	## Parse FTP reply codes into the three constituent single digit values.
 	global parse_ftp_reply_code: function(code: count): ReplyCode;
-	
+
 	## Event that can be handled to access the :bro:type:`FTP::Info`
 	## record as it is sent on to the logging framework.
 	global log_ftp: event(rec: Info);
@@ -166,7 +166,7 @@ function set_ftp_session(c: connection)
 		s$uid=c$uid;
 		s$id=c$id;
 		c$ftp=s;
-		
+
 		# Add a shim command so the server can respond with some init response.
 		add_pending_cmd(c$ftp$pending_commands, "<init>", "");
 		}
@@ -178,13 +178,13 @@ function ftp_message(s: Info)
 	# or it's a deliberately logged command.
 	if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
 		{
-		if ( s?$password && 
-		     ! s$capture_password && 
+		if ( s?$password &&
+		     ! s$capture_password &&
 		     to_lower(s$user) !in guest_ids )
 			{
 			s$password = "<hidden>";
 			}
-		
+
 		local arg = s$cmdarg$arg;
 		if ( s$cmdarg$cmd in file_cmds )
 			{
@@ -194,7 +194,7 @@ function ftp_message(s: Info)
 
 			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
 			}
-		
+
 		s$ts=s$cmdarg$ts;
 		s$command=s$cmdarg$cmd;
 		if ( arg == "" )
@@ -204,9 +204,9 @@ function ftp_message(s: Info)
 
 		Log::write(FTP::LOG, s);
 		}
-	
-	# The MIME and file_size fields are specific to file transfer commands 
-	# and may not be used in all commands so they need reset to "blank" 
+
+	# The MIME and file_size fields are specific to file transfer commands
+	# and may not be used in all commands so they need reset to "blank"
 	# values after logging.
 	delete s$mime_type;
 	delete s$file_size;
@@ -237,19 +237,19 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 		remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg);
 		ftp_message(c$ftp);
 		}
-	
+
 	local id = c$id;
 	set_ftp_session(c);
-		
+
 	# Queue up the new command and argument
 	add_pending_cmd(c$ftp$pending_commands, command, arg);
-	
+
 	if ( command == "USER" )
 		c$ftp$user = arg;
-	
+
 	else if ( command == "PASS" )
 		c$ftp$password = arg;
-	
+
 	else if ( command == "PORT" || command == "EPRT" )
 		{
 		local data = (command == "PORT") ?
@@ -277,7 +277,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 
 	# TODO: figure out what to do with continued FTP response (not used much)
 	if ( cont_resp ) return;
-	
+
 	# TODO: do some sort of generic clear text login processing here.
 	local response_xyz = parse_ftp_reply_code(code);
 	#if ( response_xyz$x == 2 &&  # successful
@@ -293,18 +293,20 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       if that's given as well which would be more correct.
 		c$ftp$file_size = extract_count(msg);
 		}
-		
+
 	# PASV and EPSV processing
 	else if ( (code == 227 || code == 229) &&
 	          (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") )
 		{
 		local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg);
-		
+
 		if ( data$valid )
 			{
 			c$ftp$passive=T;
-			
+
 			if ( code == 229 && data$h == [::] )
+				data$h = c$id$resp_h;
+
 			add_expected_data_channel(c$ftp, [$passive=T, $orig_h=c$id$orig_h,
 			                          $resp_h=data$h, $resp_p=data$p]);
 			}
@@ -325,9 +327,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" )
 			c$ftp$cwd = extract_path(msg);
 		}
-	
+
 	# In case there are multiple commands queued, go ahead and remove the
-	# command here and log because we can't do the normal processing pipeline 
+	# command here and log because we can't do the normal processing pipeline
 	# to wait for a new command before logging the command/response pair.
 	if ( |c$ftp$pending_commands| > 1 )
 		{
@@ -359,7 +361,7 @@ event connection_reused(c: connection) &priority=5
 	if ( "ftp-data" in c$service )
 		c$ftp_data_reuse = T;
 	}
-	
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c$ftp_data_reuse ) return;

scripts/base/protocols/irc/dcc-send.bro

@@ -179,7 +179,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 
-event expected_connection_seen(c: connection, a: count) &priority=10
+event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in dcc_expected_transfers )