Merge remote-tracking branch 'origin/master' into topic/bernhard/hyperloglog

testing/btest/scripts/base/frameworks/file-analysis/bifs/remove_action.bro

@@ -11,8 +11,8 @@ redef test_get_file_name = function(f: fa_file): string
 event file_new(f: fa_file) &priority=-10
 	{
 	for ( tag in test_file_analyzers )
-		FileAnalysis::remove_analyzer(f, tag);
+		Files::remove_analyzer(f, tag);
 	local filename = test_get_file_name(f);
-	FileAnalysis::remove_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
-	                                $extract_filename=filename]);
+	Files::remove_analyzer(f, Files::ANALYZER_EXTRACT,
+	                       [$extract_filename=filename]);
 	}

testing/btest/scripts/base/frameworks/file-analysis/bifs/set_timeout_interval.bro

@@ -20,7 +20,7 @@ redef default_file_timeout_interval = 2sec;
 event file_timeout(f: fa_file)
 	{
 	if ( timeout_cnt < 1 )
-		FileAnalysis::set_timeout_interval(f, f$timeout_interval);
+		Files::set_timeout_interval(f, f$timeout_interval);
 	else
 		terminate();
 	++timeout_cnt;

testing/btest/scripts/base/frameworks/file-analysis/bifs/stop.bro

@@ -4,5 +4,5 @@
 
 event file_new(f: fa_file)
 	{
-	FileAnalysis::stop(f);
+	Files::stop(f);
 	}

testing/btest/scripts/base/frameworks/file-analysis/irc.bro

@@ -4,7 +4,17 @@
 
 redef test_file_analysis_source = "IRC_DATA";
 
-redef test_get_file_name = function(f: fa_file): string
+global first: bool = T;
+
+function myfile(f: fa_file): string
 	{
-	return "thefile";
-	};
+	if ( first )
+		{
+		first = F;
+		return "thefile";
+		}
+	else
+		return "";
+	}
+
+redef test_get_file_name = myfile;

testing/btest/scripts/base/frameworks/file-analysis/logging.bro

@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT
-# @TEST-EXEC: btest-diff file_analysis.log
+# @TEST-EXEC: btest-diff files.log
 
 redef test_file_analysis_source = "HTTP";
 

testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro

@@ -28,7 +28,7 @@ event remote_connection_handshake_done(p: event_peer)
 	# Insert the data once both workers are connected.
 	if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 )
 		{
-		Intel::insert([$host=1.2.3.4,$meta=[$source="manager"]]);
+		Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]);
 		}
 	}
 
@@ -39,7 +39,7 @@ event Intel::cluster_new_item(item: Intel::Item)
 	if ( ! is_remote_event() )
 		return;
 
-	print fmt("cluster_new_item: %s inserted by %s (from peer: %s)", item$host, item$meta$source, get_event_peer()$descr);
+	print fmt("cluster_new_item: %s inserted by %s (from peer: %s)", item$indicator, item$meta$source, get_event_peer()$descr);
 
 	if ( ! sent_data )
 		{
@@ -47,9 +47,9 @@ event Intel::cluster_new_item(item: Intel::Item)
 		# full cluster is constructed.
 		sent_data = T;
 		if ( Cluster::node == "worker-1" )
-			Intel::insert([$host=123.123.123.123,$meta=[$source="worker-1"]]);
+			Intel::insert([$indicator="123.123.123.123", $indicator_type=Intel::ADDR, $meta=[$source="worker-1"]]);
 		if ( Cluster::node == "worker-2" )
-			Intel::insert([$host=4.3.2.1,$meta=[$source="worker-2"]]);
+			Intel::insert([$indicator="4.3.2.1", $indicator_type=Intel::ADDR, $meta=[$source="worker-2"]]);
 		}
 
 	# We're forcing worker-2 to do a lookup when it has three intelligence items

testing/btest/scripts/base/frameworks/intel/input-and-match.bro

@@ -5,10 +5,10 @@
 # @TEST-EXEC: btest-diff broproc/intel.log
 
 @TEST-START-FILE intel.dat
-#fields	host	net	str	str_type	meta.source	meta.desc	meta.url
-1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
-1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
--	-	e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
 @TEST-END-FILE
 
 @load frameworks/communication/listen
@@ -18,8 +18,8 @@ redef enum Intel::Where += { SOMEWHERE };
 
 event do_it()
 	{
-	Intel::seen([$str="e@mail.com",
-	             $str_type=Intel::EMAIL,
+	Intel::seen([$indicator="e@mail.com",
+	             $indicator_type=Intel::EMAIL,
 	             $where=SOMEWHERE]);
 
 	Intel::seen([$host=1.2.3.4,

testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro

@@ -19,10 +19,10 @@ redef Cluster::nodes = {
 @TEST-END-FILE
 
 @TEST-START-FILE intel.dat
-#fields	host	net	str	str_type	meta.source	meta.desc	meta.url
-1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
-1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
--	-	e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+1.2.3.4	Intel::ADDR	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
 @TEST-END-FILE
 
 @load base/frameworks/control
@@ -41,7 +41,7 @@ redef enum Intel::Where += {
 event do_it()
 	{
 	Intel::seen([$host=1.2.3.4, $where=Intel::IN_A_TEST]);
-	Intel::seen([$str="e@mail.com", $str_type=Intel::EMAIL, $where=Intel::IN_A_TEST]);
+	Intel::seen([$indicator="e@mail.com", $indicator_type=Intel::EMAIL, $where=Intel::IN_A_TEST]);
 	}
 
 event bro_init()