FileAnalysis: separating IRC/FTP data analyzers.

It simplifies the file handle string callbacks.

scripts/base/frameworks/file-analysis/main.bro

@@ -107,28 +107,7 @@ export {
 
 	const handle_callbacks: table[AnalyzerTag] of HandleCallback = {} &redef;
 
-	const service_handle_callbacks: table[string] of HandleCallback = {} &redef;
-
 	global get_handle: function(c: connection, is_orig: bool): string &redef;
 
 	# TODO: wrapper functions for BiFs ?
 }
-
-function get_file_handle_by_service(c: connection, is_orig: bool): string
-	{
-	local handle: string = "";
-
-	for ( serv in c$service )
-		{
-		if ( serv in service_handle_callbacks )
-			{
-			handle = service_handle_callbacks[serv](c, is_orig);
-			if ( handle != "" ) return handle;
-			}
-		}
-	return handle;
-	}
-
-redef FileAnalysis::handle_callbacks += {
-	[ANALYZER_FILE] = get_file_handle_by_service,
-};

scripts/base/protocols/ftp/file-analysis.bro

@@ -2,10 +2,11 @@
 @load base/utils/conn-ids
 @load base/frameworks/file-analysis/main
 
-redef FileAnalysis::service_handle_callbacks += {
-	["ftp-data"] = function(c: connection, is_orig: bool): string
+redef FileAnalysis::handle_callbacks += {
+	[ANALYZER_FTP_DATA] = function(c: connection, is_orig: bool): string
 		{
 		if ( is_orig ) return "";
-		return fmt("%s ftp-data: %s", c$start_time, id_string(c$id));
+		return fmt("%s %s %s", ANALYZER_FTP_DATA, c$start_time,
+		           id_string(c$id));
 		},
 };

scripts/base/protocols/ftp/main.bro

@@ -228,7 +228,8 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 			{
 			c$ftp$passive=F;
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			expect_connection(id$resp_h, data$h, data$p, ANALYZER_FTP_DATA,
+			                  5mins);
 			}
 		else
 			{
@@ -281,7 +282,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 				data$h = id$resp_h;
 			
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FTP_DATA,
+			                  5mins);
 			}
 		else
 			{

scripts/base/protocols/http/file-analysis.bro

@@ -10,10 +10,10 @@ function get_file_handle(c: connection, is_orig: bool): string
 	if ( ! c?$http ) return "";
 
 	if ( c$http$range_request )
-		return fmt("http(%s): %s: %s", is_orig, c$id$orig_h,
+		return fmt("%s %s %s %s", ANALYZER_HTTP, is_orig, c$id$orig_h,
 		           build_url(c$http));
 
-	return fmt("%s http(%s, %s): %s", c$start_time, is_orig,
+	return fmt("%s %s %s %s %s", ANALYZER_HTTP, c$start_time, is_orig,
 	           c$http$trans_depth, id_string(c$id));
 	}
 

scripts/base/protocols/irc/dcc-send.bro

@@ -104,7 +104,7 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	c$irc$dcc_file_name = argument;
 	c$irc$dcc_file_size = size;
 	local p = count_to_port(dest_port, tcp);
-	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
+	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_IRC_DATA, 5 min);
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 

scripts/base/protocols/irc/file-analysis.bro

@@ -2,10 +2,11 @@
 @load base/utils/conn-ids
 @load base/frameworks/file-analysis/main
 
-redef FileAnalysis::service_handle_callbacks += {
-	["irc-dcc-data"] = function(c: connection, is_orig: bool): string
+redef FileAnalysis::handle_callbacks += {
+	[ANALYZER_IRC_DATA] = function(c: connection, is_orig: bool): string
 		{
 		if ( is_orig ) return "";
-		return fmt("%s irc-dcc-data: %s", c$start_time, id_string(c$id));
+		return fmt("%s %s %s", ANALYZER_IRC_DATA, c$start_time,
+		           id_string(c$id));
 		},
 };

scripts/base/protocols/smtp/file-analysis.bro

@@ -9,7 +9,7 @@ function get_file_handle(c: connection, is_orig: bool): string
 	{
 	if ( ! c?$smtp ) return "";
 
-	return fmt("%s smtp(%s, %s)", c$start_time, c$smtp$trans_depth,
+	return fmt("%s %s %s %s", ANALYZER_SMTP, c$start_time, c$smtp$trans_depth,
 	           c$smtp_state$mime_level);
 	}