FileAnalysis: finish switching hooks to events.

scripts/base/frameworks/file-analysis/main.bro

@@ -104,12 +104,6 @@ export {
 		sha256: string &log &optional;
 	} &redef;
 
-	## Evaluated every time a significant event occurs during the course of
-	## file analysis.  Fields of the *info* argument may be modified or
-	## other actions may be added or removed inside the body of any handlers
-	## of this hook.
-	global policy: hook(trig: Trigger, f: fa_file);
-
 	## A table that can be used to disable file analysis completely for
 	## any files transferred over given network protocol analyzers.
 	const disable: table[AnalyzerTag] of bool = table() &redef;
@@ -127,10 +121,9 @@ export {
 	const salt = "I recommend changing this." &redef;
 
 	## Postpones the timeout of file analysis for a given file.
-	## When used within a :bro:see:`FileAnalysis::policy` handler for
-	## :bro:see:`FileAnalysis::TRIGGER_TIMEOUT`, the analysis will delay
-	## timing out for the period of time indicated by the *timeout_interval*
-	## field of :bro:see:`fa_file`.
+	## When used within a :bro:see:`file_timeout` handler for, the analysis
+	## the analysis will delay timing out for the period of time indicated by
+	## the *timeout_interval* field of :bro:see:`fa_file`.
 	##
 	## f: the file.
 	##
@@ -309,10 +302,8 @@ event bro_init() &priority=5
 	                   [$columns=Info, $ev=log_file_analysis]);
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_timeout(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TIMEOUT ) return;
 	set_info(f);
 	f$info$timedout = T;
 	}

scripts/base/protocols/ftp/file-extract.bro

@@ -24,10 +24,8 @@ redef record Info += {
 	extract_file:          bool &default=F;
 };
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_new(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "FTP_DATA" ) return;
 	if ( ! f?$conns ) return;
@@ -56,10 +54,8 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
 		}
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "FTP_DATA" ) return;

scripts/base/protocols/http/file-extract.bro

@@ -18,18 +18,15 @@ export {
 		extraction_file:  string &log &optional;
 		
 		## Indicates if the response body is to be extracted or not.  Must be 
-		## set before or by the first :bro:enum:`FileAnalysis::TRIGGER_NEW`
-		## for the file content.
+		## set before or by the first :bro:see:`file_new` for the file content.
 		extract_file:     bool &default=F;
 	};
 }
 
 global extract_count: count = 0;
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "HTTP" ) return;
@@ -56,10 +53,8 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
 		}
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_new(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "HTTP" ) return;
 	if ( ! f?$conns ) return;

scripts/base/protocols/http/file-hash.bro

@@ -23,10 +23,8 @@ export {
 	                   &redef;
 }
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "HTTP" ) return;

scripts/base/protocols/http/file-ident.bro

@@ -34,10 +34,8 @@ export {
 	const ignored_incorrect_file_type_urls = /^$/ &redef;
 }
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "HTTP" ) return;
@@ -68,16 +66,14 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
 		}
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_over_new_connection(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW_CONN ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "HTTP" ) return;
 	if ( ! f?$conns ) return;
 
-	# Spread the mime around (e.g. for partial content, TRIGGER_TYPE only
+	# Spread the mime around (e.g. for partial content, file_type event only
 	# happens once for the first connection, but if there's subsequent
 	# connections to transfer the same file, they'll be lacking the mime_type
 	# field if we don't do this).

scripts/base/protocols/irc/dcc-send.bro

@@ -41,10 +41,8 @@ global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins;
 
 global extract_count: count = 0;
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_new(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "IRC_DATA" ) return;
 	if ( ! f?$conns ) return;
@@ -136,10 +134,8 @@ function log_dcc(f: fa_file)
 		}
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "IRC_DATA" ) return;
@@ -159,10 +155,8 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
 	set_dcc_extraction_file(f, fname);
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=-5
+event file_type(f: fa_file) &priority=-5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "IRC_DATA" ) return;
 

scripts/base/protocols/smtp/entities-excerpt.bro

@@ -16,10 +16,8 @@ export {
 	const default_entity_excerpt_len = 0 &redef;
 }
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_new(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "SMTP" ) return;
 
@@ -27,10 +25,8 @@ hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
 		f$bof_buffer_size = default_entity_excerpt_len;
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_bof_buffer(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_BOF_BUFFER ) return;
 	if ( ! f?$bof_buffer ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "SMTP" ) return;

scripts/base/protocols/smtp/entities.bro

@@ -95,10 +95,8 @@ event mime_begin_entity(c: connection) &priority=10
 	set_session(c, T);
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_new(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_NEW ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "SMTP" ) return;
 	if ( ! f?$conns ) return;
@@ -165,10 +163,8 @@ function check_md5_by_type(f: fa_file)
 	FileAnalysis::add_action(f, [$act=FileAnalysis::ACTION_MD5]);
 	}
 
-hook FileAnalysis::policy(trig: FileAnalysis::Trigger, f: fa_file)
-	&priority=5
+event file_type(f: fa_file) &priority=5
 	{
-	if ( trig != FileAnalysis::TRIGGER_TYPE ) return;
 	if ( ! f?$mime_type ) return;
 	if ( ! f?$source ) return;
 	if ( f$source != "SMTP" ) return;