intel/seen/file-names: Use file_over_new_connection()

The seen/file-names script relies on f$info$filename to be populated.
For HTTP and other network protocols, however, this field is only
populated during file_over_new_connection() that's running after
file_new().

Use the file_new() event only for files without connections and
file_over_new_connection() implies that f$conns is populated, anyway.

Special case SMB to avoid finding files twice, because there's a
custom implementation in seen/smb-filenames.zeek.

Fixes #2647

testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-get-response.zeek

@@ -0,0 +1,24 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+@load base/protocols/http
+
+redef Intel::read_files = { "./intel.dat" };
+
+@TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+test.json	Intel::FILE_NAME	source1	A JSON file	https://www.json.org/json-en.html
+@TEST-END-FILE
+
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	if ( /intel.dat/ in source )
+		continue_processing();
+	}

testing/btest/scripts/policy/frameworks/intel/seen/filename-in-http-post.zeek

@@ -0,0 +1,25 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/putty-upload.pcap %INPUT
+# @TEST-EXEC: btest-diff intel.log
+
+@load base/frameworks/intel
+@load frameworks/intel/seen
+@load base/protocols/http
+
+redef Intel::read_files = { "./intel.dat" };
+
+@TEST-START-FILE intel.dat
+#fields	indicator	indicator_type	meta.source	meta.desc	meta.url
+putty.exe	Intel::FILE_NAME	source1	SSH utility	https://www.putty.org
+zeek.exe	Intel::FILE_NAME	source1	A network monitor	https://zeek.org
+@TEST-END-FILE
+
+event zeek_init()
+	{
+	suspend_processing();
+	}
+
+event Input::end_of_data(name: string, source: string)
+	{
+	if ( /intel.dat/ in source )
+		continue_processing();
+	}