Large overhaul in name and appearance for file analysis.

scripts/base/protocols/ftp/__load__.bro

@@ -1,5 +1,4 @@
 @load ./utils-commands
 @load ./main
 @load ./file-analysis
-@load ./file-extract
 @load ./gridftp

scripts/base/protocols/ftp/file-analysis.bro

@@ -1,6 +1,6 @@
 @load ./main
 @load base/utils/conn-ids
-@load base/frameworks/file-analysis/main
+@load base/frameworks/files
 
 module FTP;
 
@@ -9,40 +9,15 @@ export {
 	global get_file_handle: function(c: connection, is_orig: bool): string;
 }
 
-function get_handle_string(c: connection): string
-	{
-	return cat(ANALYZER_FTP_DATA, " ", c$start_time, " ", id_string(c$id));
-	}
-
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) return "";
+	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) 
+		return "";
 
-	local info: FTP::Info = ftp_data_expected[c$id$resp_h, c$id$resp_p];
-
-	if ( info$passive )
-		# FTP client initiates data channel.
-		if ( is_orig )
-			# Don't care about FTP client data.
-			return "";
-		else
-			# Do care about FTP server data.
-			return get_handle_string(c);
-	else
-		# FTP server initiates dta channel.
-		if ( is_orig )
-			# Do care about FTP server data.
-			return get_handle_string(c);
-		else
-			# Don't care about FTP client data.
-			return "";
+	return cat(ANALYZER_FTP_DATA, c$start_time, c$id, is_orig);
 	}
 
-module GLOBAL;
-
-event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
-	&priority=5
+event bro_init() &priority=5
 	{
-	if ( tag != ANALYZER_FTP_DATA ) return;
-	set_file_handle(FTP::get_file_handle(c, is_orig));
+	Files::register_protocol(ANALYZER_FTP_DATA, FTP::get_file_handle);
 	}

scripts/base/protocols/ftp/file-extract.bro

@@ -1,90 +0,0 @@
-##! File extraction support for FTP.
-
-@load ./main
-@load base/utils/files
-
-module FTP;
-
-export {
-	## Pattern of file mime types to extract from FTP transfers.
-	const extract_file_types = /NO_DEFAULT/ &redef;
-
-	## The on-disk prefix for files to be extracted from FTP-data transfers.
-	const extraction_prefix = "ftp-item" &redef;
-}
-
-redef record Info += {
-	## On disk file where it was extracted to.
-	extraction_file:       string &log &optional;
-	
-	## Indicates if the current command/response pair should attempt to 
-	## extract the file if a file was transferred.
-	extract_file:          bool &default=F;
-};
-
-function get_extraction_name(f: fa_file): string
-	{
-	local r = fmt("%s-%s.dat", extraction_prefix, f$id);
-	return r;
-	}
-
-event file_new(f: fa_file) &priority=5
-	{
-	if ( ! f?$source ) return;
-	if ( f$source != "FTP_DATA" ) return;
-
-	if ( f?$mime_type && extract_file_types in f$mime_type )
-		{
-		FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
-		                           $extract_filename=get_extraction_name(f)]);
-		return;
-		}
-
-	if ( ! f?$conns ) return;
-
-	for ( cid in f$conns )
-		{
-		local c: connection = f$conns[cid];
-
-		if ( [cid$resp_h, cid$resp_p] !in ftp_data_expected ) next;
-
-		local s = ftp_data_expected[cid$resp_h, cid$resp_p];
-
-		if ( ! s$extract_file ) next;
-
-		FileAnalysis::add_analyzer(f, [$tag=FileAnalysis::ANALYZER_EXTRACT,
-		                           $extract_filename=get_extraction_name(f)]);
-		return;
-		}
-	}
-
-event file_state_remove(f: fa_file) &priority=4
-	{
-	if ( ! f?$source ) return;
-	if ( f$source != "FTP_DATA" ) return;
-	if ( ! f?$info ) return;
-
-	for ( filename in f$info$extracted_files )
-		{
-		local s: FTP::Info;
-		s$ts = network_time();
-		s$tags = set();
-		s$user = "<ftp-data>";
-		s$extraction_file = filename;
-
-		if ( f?$conns )
-			for ( cid in f$conns )
-				{
-				s$uid = f$conns[cid]$uid;
-				s$id = cid;
-				}
-
-		Log::write(FTP::LOG, s);
-		}
-	}
-
-event log_ftp(rec: Info) &priority=-10
-	{
-	delete rec$extraction_file;
-	delete rec$extract_file;
-	}