Added support for files to the notice framework.

scripts/base/frameworks/notice/main.bro

@@ -68,6 +68,19 @@ export {
 		## the notice policy.
 		iconn:          icmp_conn      &optional;
 
+		## A file record if the notice is relted to a file.  The
+		## reference to the actual fa_file record will be deleted after applying
+		## the notice policy.
+		f:              fa_file         &optional;
+
+		## A file unique ID if this notice is related to a file.  If the $f
+		## field is provided, this will be automatically filled out.
+		fuid:           string          &log &optional;
+
+		## A mime type if the notice is related to a file.  If the $f field
+		## is provided, this will be automatically filled out.
+		mime_type:      string          &log &optional;
+
 		## The transport protocol. Filled automatically when either conn, iconn
 		## or p is specified.
 		proto:          transport_proto &log &optional;
@@ -460,6 +473,19 @@ function apply_policy(n: Notice::Info)
 	if ( ! n?$ts )
 		n$ts = network_time();
 
+	if ( n?$f )
+		{
+		if ( ! n?$fuid )
+			n$fuid = n$f$id;
+		if ( ! n?$mime_type && n$f?$mime_type )
+			n$mime_type = n$f$mime_type;
+		if ( |n$f$conns| == 1 )
+			{
+			for ( id in n$f$conns )
+				n$conn = n$f$conns[id];
+			}
+		}
+
 	if ( n?$conn )
 		{
 		if ( ! n?$id )
@@ -513,13 +539,15 @@ function apply_policy(n: Notice::Info)
 	if ( ! n?$suppress_for )
 		n$suppress_for = default_suppression_interval;
 
-	# Delete the connection record if it's there so we aren't sending that
+	# Delete the connection and file records if they're there so we 
-	# to remote machines.  It can cause problems due to the size of the
+	# aren't sending that to remote machines.  It can cause problems 
-	# connection record.
+	# due to the size of those records.
 	if ( n?$conn )
 		delete n$conn;
 	if ( n?$iconn )
 		delete n$iconn;
+	if ( n?$f )
+		delete n$f;
 	}
 
 function internal_NOTICE(n: Notice::Info)