From b12d2c768e269e2c5494c380c977358228a5c41e Mon Sep 17 00:00:00 2001
From: Seth Hall <seth@icir.org>
Date: Mon, 14 Nov 2011 15:24:15 -0500
Subject: [PATCH] Tiny bugfix for http file extraction along with test.

---
 scripts/base/protocols/http/file-extract.bro  |   2 +-
 ...64.125:56730-125.190.109.199:80_resp_1.dat | 304 ++++++++++++++++++
 .../http.log                                  |   5 +
 .../protocols/http/http-extract-files.bro     |   5 +
 4 files changed, 315 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
 create mode 100644 testing/btest/scripts/base/protocols/http/http-extract-files.bro

diff --git a/scripts/base/protocols/http/file-extract.bro b/scripts/base/protocols/http/file-extract.bro
index d36d95e475..4bf036fab8 100644
--- a/scripts/base/protocols/http/file-extract.bro
+++ b/scripts/base/protocols/http/file-extract.bro
@@ -33,7 +33,7 @@ export {
 event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
 	{
 	# Client body extraction is not currently supported in this script.
-	if ( is_orig || ! c$http$first_chunk ) return;
+	if ( is_orig ) return;
 	
 	if ( c$http$first_chunk )
 		{
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
new file mode 100644
index 0000000000..73c369dd14
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
@@ -0,0 +1,304 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+"http://www.w3.org/TR/REC-html40/loose.dtd">
+<HEAD><TITLE>ICIR</TITLE></HEAD>
+<BODY bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#b20000">
+<img src=icir.gif alt="ICIR"><br>
+<p>
+ICIR (The ICSI Center for Internet Research)
+is a 
+non-profit
+research institute at
+<a href="http://www.icsi.berkeley.edu">ICSI</a>
+in 
+<a href="http://dir.yahoo.com/Regional/U_S__States/California/Cities/Berkeley/">Berkeley</a>, 
+California.<br>
+For the three years from 1999 to 2001 we were named
+ACIRI, the AT&T Center for Internet Research at ICSI, 
+and were funded by <a href="http://www.att.com">AT&amp;T</a>.<br>
+
+The goals of ICIR are to:
+<ul>
+<li>Pursue research on the Internet architecture and related networking issues,
+<li>
+Participate actively in the research (<a href="http://www.acm.org/sigcomm/">SIGCOMM</a> and <a href="http://www.irtf.org/">IRTF</a>) and
+standards (<a href="http://www.ietf.org/">IETF</a>) communities,
+<li> Bridge the gap between the Internet research community and commercial 
+interests by providing a neutral forum where topics of mutual technical 
+interest can be addressed.
+</ul>
+<p>
+<!--
+ICIR is now 
+<a href="jobs.html">
+hiring</a> for both postdoctoral positions and summer interns.
+-->
+<hr>
+
+<DIV ALIGN="CENTER">
+
+<table width="100%" cellspacing=16 cellpadding=0>
+
+<tr>
+<td width="35%" valign=top>
+
+<h2>
+People
+</h2>
+<ul>
+<li>
+<a href="./shenker/">
+Scott Shenker</a>, Group Leader<br> 
+<li><a href="http://www.icir.org/mallman/">Mark Allman</a>
+<li>
+<a href="./floyd/">Sally Floyd</a>
+<!--
+<li><a href="http://www.isi.edu/~govindan/">Ramesh Govindan</a>
+-->
+<li>
+<a href="./karp/papers.html">
+Richard Karp</a>  
+<!-- (also with the 
+<a href="http://www.icsi.berkeley.edu/Theory/">ICSI Theory Group</a>, 
+<a href="http://www.msri.org/">MSRI</a>, and
+<a href="http://www.cs.berkeley.edu/">UC Berkeley</a>) -->
+<li>
+<a href="./vern/">
+Vern Paxson</a>  
+<li>
+<a href="http://www.icir.org/robin/">
+Robin Sommer</a>
+<li>
+<a href="http://www.cs.berkeley.edu/~nweaver/">
+Nicholas Weaver</a>
+<li>
+<a href="http://www.icsi.berkeley.edu/~zhao/">
+Jerry Zhao</a>
+<!-- </ul> &nbsp; &nbsp;<b>Group Members</b> <ul> -->
+<li><b><a href="pastvisitors.html">Past Group Members</a></b>,
+<br>including:
+<ul>
+<li>
+<a href="http://www.cs.ucl.ac.uk/staff/M.Handley/">
+Mark Handley</a> (UCL)
+<li><a href="./kohler/">Eddie Kohler</a> (UCLA)
+</ul>
+<li><b>Affiliated <a href="http://www.xorp.org/">Xorp</a>
+Researchers</b>:
+  <ul>
+  <li><a href="./jcardona/">Javier Cardona</a>
+  <li><a href="./atanu/">Atanu Ghosh</a> 
+  <li><a href="./hodson/">Orion Hodson</a>
+  <li><a href="./pavlin/">Pavlin Radoslavov</a> 
+  <li><a href="http://www.iet.unipi.it/~luigi">Luigi Rizzo</a>
+  <li><a href="http://people.freebsd.org/~bms/">Bruce Simpson</a>
+</ul>
+<li><b>Affiliated UCB Researchers</b>:
+  <ul>
+  <li><a href="http://www.cs.berkeley.edu/~christos/">Christos Papadimitriou</a>
+  <li><a href="http://www.cs.berkeley.edu/~istoica/">Ion Stoica</a>
+  </ul>
+<li><b>Visitors</b>:
+  <ul>
+  <li><a href="http://grid.sjtu.edu.cn/teachers/dengqn/dengqn.htm">Professor Quin-Ni Deng</a>
+<!--
+  from Shanghai Jiaotong University
+-->
+  <li>Teemu Koponen
+<!--
+  , Helsinki Institute for Information Technology
+-->
+  </ul>
+<!--
+<li><a href="pastvisitors.html">Other researchers</a>
+-->
+<a name=Visitors></a>
+<li><b>Interns:</b>
+<ul>
+<li>Juan Caballero
+<li><a href="http://www.stanford.edu/~casado/">Martin Casado</a>
+<li><a href="http://www.cs.rice.edu/~scrosby/">Scott Crosby</a>
+<li><a href="http://bnrg.cs.berkeley.edu/~wdc/">Weidong Cui</a>
+<li><a href="http://www.cs.berkeley.edu/~chema">Chema Gonzalez</a>
+<li>Halldor Isak Gylfason
+<li><a href="http://www.cl.cam.ac.uk/~cpk25/">Christian Kreibich</a>
+<li><a href="http://www.cs.ucsd.edu/~braghava">Barath Raghavan</a>
+<!--
+<li><a href="newinterns.html">New Interns:</a> 
+-->
+</ul>
+<li><b>Undergraduate Interns:</b>
+<ul>
+<li>Michael Hoisie
+<li>Arthur Wayne Liao
+<li>Christopher Portka
+</ul>
+<li><b><a href="pastvisitors.html">Past Visitors and Interns:</a></b>
+</ul>
+
+</td>
+<td width="30%" valign=top>
+
+<h2>
+Publications
+</h2>
+<ul>
+<li><a href="./rfcs.html">
+RFCs</a> with ICIR authors.
+<li>
+<a href="./internetdrafts.html">
+Internet drafts</a> with ICIR authors, 3/2004 
+(or <a href="http://www.rfc-editor.org/idsearch.html">search</a>
+the current list).
+<!--
+for "Shenker OR Floyd OR Allman OR Paxson".
+(or the 
+<a
+href="
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=%28Author%3A+Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler%29&caseflag=on&wordflag=off&errorflag=0&maxlineflag=50&maxresultflag=1000&descflag=on&sort=by-NML&verbose=on&maxobjflag=25">current list</a>.)
+
+http://search.ietf.org:80/search/cgi-bin/BrokerQuery.pl.cgi?broker=internet-drafts&query=(Shenker+OR+Floyd+OR+Handley+OR+Paxson+OR+Kohler)&descflag=on">current list</a>).
+-->
+<!--
+from the 
+<a href="http://search.ietf.org/search/brokers/internet-drafts/query.html">
+Internet-Drafts Search Engine</a>).
+-->
+<li>Papers by 
+<a href="./shenker/papers.html">Scott Shenker</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Scott%20w/2%20Shenker%20or%20S%20w/2%20Shenker&co=Citations">RI</a>),
+
+<a href="./mallman/papers/">Mark Allman</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Mark%20w/2%20Allman%20or%20S%20w/2%20Allman&co=Citations">RI</a>),
+
+<a href="./floyd/papers.html">Sally Floyd</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Sally%20w/2%20Floyd%20or%20S%20w/2%20Floyd&co=Citations">RI</a>),
+
+<a href="./karp/papers.html">Richard Karp</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Richard%20w/2%20Karp%20or%20R%20w/2%20Karp&co=Citations">RI</a>),
+<a href="./kohler/pubs/">Eddie Kohler</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=eddie%20w/2%20kohler%20or%20e%20w/2%20kohler&co=Citations">RI</a>),
+<a href="./vern/papers.html">Vern Paxson</a>
+(<a
+href="http://citeseer.ist.psu.edu/cs?qb=dbnum%3D1%2Cqtype%3Dcitation:&q=Vern%20w/2%20Paxson%20or%20V%20w/2%20Paxson&co=Citations">RI</a>).
+<li>The <a href="http://citeseer.ist.psu.edu/">
+ResearchIndex</a> (RI) and the 
+<a href="http://citeseer.ist.psu.edu/cs">Search</a>
+and 
+<a href="http://citeseer.ist.psu.edu/Networking/">
+Networking</a> pages. 
+</ul>
+
+<h2>
+Projects 
+</h2>
+<ul>
+<li>
+<a href="./vern/bro-info.html">Bro</a>
+(detecting network intruders). 
+<li>The <a href="http://www.isi.edu/newarch/">NewArch</a> Project:
+Future-Generation Internet Architecture.
+<LI>The <a href="http://www.isi.edu/nsnam/ns/">NS</a>
+network simulator.
+<li> <a href="./tbit/">TBIT</a>
+(TCP Behavior Identification Tool).
+<li> <a href="http://www.xorp.org/">Xorp</a>
+(Extensible Open Router Platform).
+<li>
+<a href="./funded_projects.html">
+Other Funded Projects</a>.
+<li>
+<a href="./research.html">
+Additional Research Links</a>.
+</ul>
+
+
+</td>
+
+<td width="35%" valign=top>
+    
+<h2>Research</h2>
+&nbsp; &nbsp;<b>Transport and Congestion</b>
+<ul>
+<li>
+<a href="./kohler/dcp/">DCCP</a>
+(Datagram Congestion Control Protocol).
+<li>
+<a href="./floyd/ecn.html">ECN</a>
+(Explicit Congestion Notification).
+<li>
+<a href="http://www.ietf.org/html.charters/intserv-charter.html">
+Integrated services</a>.
+<li>
+<a href="./floyd/red.html">RED</a> 
+queue management, and
+<a href="./red-pd/">RED-PD</a>.
+<li>
+<a href="./floyd/hstcp.html">HighSpeed TCP</a>.
+<li>
+<a
+href="http://www.ietf.cnri.reston.va.us/html.charters/OLD/tcpimpl-charter.html">
+TCP Implementation</a>.
+<li>
+Reordering-Robust TCP 
+(<a href="./bkarp/RR-TCP/">RR-TCP</a>).
+<li>TCP
+<a href="./floyd/sacks.html">SACK</a> 
+(Selective Acknowledgment).
+<li>
+<a href="./tfrc/">TFRC</a> 
+(TCP-Friendly Rate Control).
+</ul>
+
+&nbsp; &nbsp;<b>Traffic and Topology</b>
+<ul>
+<LI>
+<a href="http://idmaps.eecs.umich.edu/">IDMaps</a> 
+(Internet Distance Mapping).
+<LI>The <a href="http://www.acm.org/sigcomm/ITA/">
+Internet Traffic Archive</a>.
+<li>
+<a href="http://www-net.cs.umass.edu/minc/">MINC</a>
+(Multicast-based Inference of Network-internal Characteristics).
+<li>
+<a href="http://www.psc.edu/networking/nimi/">NIMI</a>
+(National Internet Measurement Infrastructure).
+</ul>
+
+<h2>
+<a href="./collaborators.html">
+Collaborators</a>
+</h2>
+
+<!--
+&nbsp; &nbsp;<b>Multicast and Multimedia</b>
+<ul>
+<LI><A href="/malloc/">MALLOC</a>
+(Multicast Address Allocation).
+<LI><a href="http://www.cs.columbia.edu/~hgs/sip/">SIP</a>
+(Session Initiation Protocol).
+<li> <a href="yoid"> Yoid</a> (host-based content distribution). 
+</ul>
+-->
+
+</td>
+
+</tr>
+</table>
+</DIV>
+
+<hr>
+<h2>Information for <a href="./abouticir.html">visitors</a> and <a href="/sysdocs/">local users</a>.</h2>
+<hr>
+Last modified: June 2004. <a href="./COPYRIGHTS">Copyright notice</a>.
+<a href="http://web.archive.org/web/*/http://www.aciri.org/">
+Older versions</a> of this web page, in its ACIRI incarnation..
+<BR>
+For more information about this server, mail <I>www@aciri.org</I>.  
+<BR>
+To report <a href="scanning.html">unusual activity</a> by any of our hosts, mail <I>abuse@aciri.org</I>.
+</BODY>
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
new file mode 100644
index 0000000000..386eaf8901
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
@@ -0,0 +1,5 @@
+#separator \x09
+#path	http
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table	string	string	table	string	string	file
+1128727435.634189	arKYeMETxOg	141.42.64.125	56730	125.190.109.199	80	1	GET	www.icir.org	/	-	Wget/1.10	0	9130	200	OK	-	-	-	-	-	-	-	text/html	-	http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
diff --git a/testing/btest/scripts/base/protocols/http/http-extract-files.bro b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
new file mode 100644
index 0000000000..4338cddb47
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-extract-files.bro
@@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -C -r $TRACES/web.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff http-item_141.42.64.125:56730-125.190.109.199:80_resp_1.dat
+
+redef HTTP::extract_file_types += /text\/html/;
\ No newline at end of file