Fix file_over_new_connection event to trigger when entire file is missed.

If a file is nothing but gaps (e.g. due to missing/dropped packets), Bro can sometimes detect a file is supposed to have been present and never saw any of its content, but failed to raise file_over_new_connection events for it. This was mostly apparent because the tx_hosts/rx_hosts fields in files.log would not be populated in such cases (but are now with this change).
2025-10-02 22:58:20 +00:00 · 2014-01-24 16:47:00 -06:00 · 2014-01-24 16:47:00 -06:00 · e09763e061
commit e09763e061
parent 6d46144c3b
1 changed files with 14 additions and 8 deletions
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -103,7 +103,6 @@ File::~File()
 	DBG_LOG(DBG_FILE_ANALYSIS, "Destroying File object %s", id.c_str());
 	Unref(val);

-	// Queue may not be empty in the case where only content gaps were seen.
 	while ( ! fonc_queue.empty() )
 		{
 		delete_vals(fonc_queue.front().second);
@ -460,20 +459,27 @@ void File::FileEvent(EventHandlerPtr h)
 	FileEvent(h, vl);
 	}

+static void flush_file_event_queue(queue<pair<EventHandlerPtr, val_list*> >& q)
+	{
+	while ( ! q.empty() )
+		{
+		pair<EventHandlerPtr, val_list*> p = q.front();
+		mgr.QueueEvent(p.first, p.second);
+		q.pop();
+		}
+	}
+
 void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	{
+	if ( h == file_state_remove )
+		flush_file_event_queue(fonc_queue);
+
 	mgr.QueueEvent(h, vl);

 	if ( h == file_new )
 		{
 		did_file_new_event = true;
-
-		while ( ! fonc_queue.empty() )
-			{
-			pair<EventHandlerPtr, val_list*> p = fonc_queue.front();
-			mgr.QueueEvent(p.first, p.second);
-			fonc_queue.pop();
-			}
+		flush_file_event_queue(fonc_queue);
 		}

 	if ( h == file_new || h == file_timeout || h == file_extraction_limit )