From 95161a920cfbcd94c9f4877b6afbeae4f5610ab2 Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 12 Aug 2013 15:31:31 -0400
Subject: [PATCH] Fixed some tests.

---
 doc/scripts/DocSourcesList.cmake                      |  3 +++
 scripts/base/files/unified2/main.bro                  | 11 ++++++++++-
 scripts/base/init-bare.bro                            |  9 ++++++---
 scripts/base/utils/paths.bro                          |  5 +++--
 .../canonified_loaded_scripts.log                     |  6 ++++--
 .../canonified_loaded_scripts.log                     |  8 ++++++--
 .../files.log                                         |  6 +++---
 7 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/doc/scripts/DocSourcesList.cmake b/doc/scripts/DocSourcesList.cmake
index bd88f5cd54..56a27b18ac 100644
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@@ -70,6 +70,8 @@ rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_TCP.functions.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Teredo.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_UDP.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Unified2.events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_Unified2.types.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/plugins/Bro_ZIP.events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/strings.bif.bro)
@@ -77,6 +79,7 @@ rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/top-k.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/scripts base/bif/types.bif.bro)
 rest_target(${psd} base/files/extract/main.bro)
 rest_target(${psd} base/files/hash/main.bro)
+rest_target(${psd} base/files/unified2/main.bro)
 rest_target(${psd} base/frameworks/analyzer/main.bro)
 rest_target(${psd} base/frameworks/cluster/main.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro
index 25eef30d72..4d540cca3b 100644
--- a/scripts/base/files/unified2/main.bro
+++ b/scripts/base/files/unified2/main.bro
@@ -16,10 +16,14 @@ export {
 	global alert: event(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet);
 
 	type Info: record {
+		## The last received IDS event.  This is primarily used 
+		## for tying together Unified2 events and packets.
 		current_event: Unified2::IDSEvent &optional;
 	};
 
 	redef record fa_file += {
+		## Add a field to store per-file state about Unified2
+		## files.
 		unified2: Info &optional;
 	};
 }
@@ -48,8 +52,13 @@ event bro_init()
 
 event file_new(f: fa_file)
 	{
+	local file_dir = "";
+	local parts = split_all(f$source, /\/[^\/]*$/);
+	if ( |parts| == 3 )
+		file_dir = parts[1];
+
 	if ( f$source in watch_file || 
-		compress_path(extract_path(f$source)) == compress_path(watch_dir) )
+		compress_path(watch_dir) == file_dir )
 		{
 		Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);
 		f$unified2 = Info();
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 6d354c90bf..ac8f13f1f6 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2704,9 +2704,12 @@ export {
 		impact_flag:        count;
 		impact:             count;
 		blocked:            count;
-		mpls_label:         count  &optional; ## Not available in "legacy" IDS events.
-		vlan_id:            count  &optional; ## Not available in "legacy" IDS events.
-		packet_action:      count  &optional; ## Only available in "legacy" IDS events.
+		## Not available in "legacy" IDS events.
+		mpls_label:         count  &optional; 
+		## Not available in "legacy" IDS events.
+		vlan_id:            count  &optional; 
+		## Only available in "legacy" IDS events.
+		packet_action:      count  &optional; 
 	};
 
 	type Unified2::Packet: record {
diff --git a/scripts/base/utils/paths.bro b/scripts/base/utils/paths.bro
index 04976c2b2b..f8ad384ea7 100644
--- a/scripts/base/utils/paths.bro
+++ b/scripts/base/utils/paths.bro
@@ -9,12 +9,13 @@ const absolute_path_pat = /(\/|[A-Za-z]:[\\\/]).*/;
 ## Returns: the first absolute path found in input string, else an empty string
 function extract_path(input: string): string
 	{
-	local dir_pattern = /([^\\\/]+)$/;
+	const dir_pattern = /(\/|[A-Za-z]:[\\\/])([^\"\ ]|(\\\ ))*/;
 	local parts = split_all(input, dir_pattern);
+
 	if ( |parts| < 3 )
 		return "";
 
-	return parts[1];
+	return parts[2];
 	}
 
 ## Compresses a given path by removing '..'s and the parent directory it
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index ca22ba568c..32bd473b63 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-08-09-16-13-58
+#open	2013-08-12-19-04-42
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -61,6 +61,8 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -94,4 +96,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/top-k.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2013-08-09-16-13-58
+#close	2013-08-12-19-04-42
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index ab30771ef3..f237ebf027 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-08-09-16-13-37
+#open	2013-08-12-19-05-30
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -61,6 +61,8 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro
     build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Unified2.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_Unified2.types.bif.bro
     build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
@@ -206,6 +208,8 @@ scripts/base/init-default.bro
     scripts/base/files/hash/main.bro
   scripts/base/files/extract/__load__.bro
     scripts/base/files/extract/main.bro
+  scripts/base/files/unified2/__load__.bro
+    scripts/base/files/unified2/main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-08-09-16-13-37
+#close	2013-08-12-19-05-30
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
index 2663184b88..1e46209d46 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log
@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2013-07-25-16-57-31
+#open	2013-08-12-19-07-37
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	table[addr]	table[addr]	table[string]	string	count	table[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009721	G75mcAsU764	192.150.187.43	141.142.228.5	UWkUyAuUGXf	HTTP	0	SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	G75mcAsU764-file
-#close	2013-07-25-16-57-31
+1362692527.009721	G75mcAsU764	192.150.187.43	141.142.228.5	UWkUyAuUGXf	HTTP	0	UNIFIED2,SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	G75mcAsU764-file
+#close	2013-08-12-19-07-37