Merge remote-tracking branch 'origin/master' into topic/seth/faf-updates

Conflicts:
	scripts/base/frameworks/files/main.bro
	scripts/base/init-bare.bro
	scripts/base/protocols/ftp/file-analysis.bro
	scripts/base/protocols/http/file-analysis.bro
	scripts/base/protocols/irc/file-analysis.bro
	scripts/base/protocols/smtp/file-analysis.bro
	src/const.bif
	src/event.bif
	src/file_analysis/Analyzer.h
	src/file_analysis/file_analysis.bif

testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro

@@ -0,0 +1,14 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/var-services-std-ports.trace %INPUT
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq dns
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq ssh
+#
+
+redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_SSH };
+
+event bro_init()
+	{
+	Analyzer::disable_analyzer(Analyzer::ANALYZER_DNS);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro

@@ -0,0 +1,13 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/var-services-std-ports.trace %INPUT
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -q dns
+#
+
+redef Analyzer::disable_all = T;
+
+event bro_init()
+	{
+	Analyzer::enable_analyzer(Analyzer::ANALYZER_DNS);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro

@@ -0,0 +1,13 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/ssh-on-port-80.trace %INPUT dpd_buffer_size=0;
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -q ssh
+#
+# @TEST-EXEC: bro -r ${TRACES}/ssh-on-port-80.trace dpd_buffer_size=0;
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq ssh
+
+event bro_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 80/tcp);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro

@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b  -r ${TRACES}/rotation.trace %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+global x = 0;
+
+event new_connection(c: connection)
+	{
+	# Make sure expiration executes.
+	Analyzer::schedule_analyzer(1.2.3.4, 1.2.3.4, 8/tcp, Analyzer::ANALYZER_MODBUS, 100hrs);
+	
+	if ( x > 0 )
+		return;
+
+	x = 1;
+
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_SSH, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_HTTP, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+	Analyzer::schedule_analyzer(0.0.0.0, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_FTP, 100hrs);
+	
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 7/tcp, Analyzer::ANALYZER_SSH, 1sec);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_HTTP, 1sec);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 9/tcp, Analyzer::ANALYZER_FTP, 1sec);
+	}
+
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag)
+	{
+	print "APPLIED:", network_time(), c$id, a;
+	}
+
+
+
+
+

testing/btest/scripts/base/frameworks/file-analysis/http/get.bro

@@ -1,13 +1,15 @@
-# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
-# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out
+# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out
+# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out
 # @TEST-EXEC: btest-diff get.out
 # @TEST-EXEC: btest-diff get-gzip.out
-# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
-# @TEST-EXEC: btest-diff kg59rqyYxN-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0 &redef;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", c);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro

@@ -1,13 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff TJdltRTxco1-file
-# @TEST-EXEC: btest-diff QJO04kPdawk-file
-# @TEST-EXEC: btest-diff dDH5dHdsRH4-file
-# @TEST-EXEC: btest-diff TaUJcEIboHh-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
+# @TEST-EXEC: btest-diff 3-file
+# @TEST-EXEC: btest-diff 4-file
 
 redef test_file_analysis_source = "HTTP";
 
+global cnt: count = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	++cnt;
+	return fmt("%d-file", cnt);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro

@@ -1,16 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out
 # @TEST-EXEC: btest-diff a.out
-# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 | sed 's/^[ \t]* //g' >a.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size
 # @TEST-EXEC: btest-diff a.size
 
 # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out
 # @TEST-EXEC: btest-diff b.out
-# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 | sed 's/^[ \t]* //g' >b.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size
 # @TEST-EXEC: btest-diff b.size
 
 # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out
 # @TEST-EXEC: btest-diff c.out
-# @TEST-EXEC: wc -c uHS14uhRKGe-file0 | sed 's/^[ \t]* //g' >c.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size
 # @TEST-EXEC: btest-diff c.size
 
 global cnt: count = 0;
@@ -19,7 +19,7 @@ redef test_file_analysis_source = "HTTP";
 
 redef test_get_file_name = function(f: fa_file): string
 	{
-	local rval: string = fmt("%s-file%d", f$id, cnt);
+	local rval: string = fmt("file-%d", cnt);
 	++cnt;
 	return rval;
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro

@@ -1,14 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
-# @TEST-EXEC: btest-diff CCU3vUEr06l-file
-# @TEST-EXEC: btest-diff HCzA0dVwDPj-file
-# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
-# @TEST-EXEC: btest-diff xXlF7wFdsR-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
+# @TEST-EXEC: btest-diff 3-file
+# @TEST-EXEC: btest-diff 4-file
+# @TEST-EXEC: btest-diff 5-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", ++c);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/post.bro

@@ -1,11 +1,13 @@
 # @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
-# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", ++c);
 	};

testing/btest/scripts/base/frameworks/input/raw/executestdin.bro

@@ -0,0 +1,44 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff test.txt
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+@load base/frameworks/communication  # let network-time run. otherwise there are no heartbeats...
+
+global outfile: file;
+global try: count;
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	print outfile, description;
+	print outfile, tpe;
+	print outfile, s;
+	try = try + 1;
+	if ( try == 2 )
+		{
+		Input::remove("input2");
+		close(outfile);
+		terminate();
+		}
+	}
+
+event bro_init()
+	{
+	local config_strings: table[string] of string = {
+		["stdin"] = "hello\nthere\1\2\3\4\5\1\2\3yay"
+		#["stdin"] = "yay"
+	};
+
+	try = 0;
+	outfile = open("../out");
+	Input::add_event([$source="cat > ../test.txt |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]);
+	Input::remove("input");
+	Input::add_event([$source="cat |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input2", $fields=Val, $ev=line, $want_record=F, $config=config_strings]);
+	}

testing/btest/scripts/base/frameworks/input/raw/executestream.bro

@@ -0,0 +1,61 @@
+# @TEST-EXEC: cp input1.log input.log
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT 
+# @TEST-EXEC: sleep 3
+# @TEST-EXEC: cat input2.log >> input.log
+# @TEST-EXEC: sleep 3
+# @TEST-EXEC: cat input3.log >> input.log
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE input1.log
+sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF
+@TEST-END-FILE
+
+@TEST-START-FILE input2.log
+DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF
+q3r3057fdf
+@TEST-END-FILE
+
+@TEST-START-FILE input3.log
+sdfs\d
+
+dfsdf
+sdf
+3rw43wRRERLlL#RWERERERE.
+@TEST-END-FILE
+
+@load base/frameworks/communication  # let network-time run
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+global try: count;
+global outfile: file;
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	print outfile, description;
+	print outfile, tpe;
+	print outfile, s;
+
+	try = try + 1;
+	if ( try == 8 )
+		{
+		print outfile, "done";
+		close(outfile);
+		Input::remove("input");
+		terminate();
+		}
+	}
+
+event bro_init()
+	{
+	outfile = open("../out");
+	try = 0;
+	Input::add_event([$source="tail -f ../input.log |", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F]);
+	}

testing/btest/scripts/base/frameworks/input/raw/long.bro

@@ -0,0 +1,37 @@
+# @TEST-EXEC: dd if=/dev/zero of=input.log bs=8193 count=1
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff out
+#
+# this test should be longer than one block-size. to test behavior of input-reader if it has to re-allocate stuff.
+
+redef exit_only_after_terminate = T;
+
+global outfile: file;
+global try: count;
+
+module A;
+
+type Val: record {
+	s: string;
+};
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string)
+	{
+	print outfile, tpe;
+	print outfile, |s|;
+	try = try + 1;
+	if ( try == 1 )
+		{
+		close(outfile);
+		terminate();
+		}
+	}
+
+event bro_init()
+	{
+	try = 0;
+	outfile = open("../out");
+	Input::add_event([$source="../input.log", $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F]);
+	Input::remove("input");
+	}

testing/btest/scripts/base/frameworks/input/raw/stderr.bro

@@ -0,0 +1,66 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT 
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+
+type Val: record {
+	s: string;
+	is_stderr: bool;
+};
+
+global try: count;
+global outfile: file;
+
+event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool)
+	{
+	print outfile, tpe;
+	if ( is_stderr ) 
+		{
+		# work around localized error messages. and if some localization does not include the filename... well... that would be bad :)
+		if ( strstr(s, "nonexistant") > 0 ) 
+			{
+			print outfile, "stderr output contained nonexistant";
+			}
+		}
+	else
+		{
+		print outfile, s;
+		}
+	print outfile, is_stderr;
+
+	try = try + 1;
+	if ( try == 7 )
+		{
+		print outfile, "done";
+		Input::remove("input");
+		}
+	}
+
+event Input::end_of_data(name: string, source:string)
+	{
+	print outfile, "End of Data event";
+	print outfile, name;
+	terminate(); # due to the current design, end_of_data will be called after process_finshed and all line events.
+	# this could potentially change
+	}
+
+event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool)
+	{
+	print outfile, "Process finished event";
+	print outfile, name;
+	if ( exit_code != 0 ) 
+		print outfile, "Exit code != 0";
+	}
+
+event bro_init()
+	{
+
+	local config_strings: table[string] of string = {
+		["read_stderr"] = "1"
+	};
+
+	outfile = open("../out");
+	try = 0;
+	Input::add_event([$source="ls .. ../nonexistant ../nonexistant2 ../nonexistant3 |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]);
+	}