From ecfac31de0b5d69254b590939c3a56be4038e0d6 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 9 Jul 2013 11:51:23 -0400
Subject: [PATCH] Fixed SMTP URL extraction for the Intel framework with Files updates.
---
 .../frameworks/intel/smtp-url-extraction.bro | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/scripts/policy/frameworks/intel/smtp-url-extraction.bro b/scripts/policy/frameworks/intel/smtp-url-extraction.bro
index b4ab32a915..2478eba9f8 100644
--- a/scripts/policy/frameworks/intel/smtp-url-extraction.bro
+++ b/scripts/policy/frameworks/intel/smtp-url-extraction.bro
@@ -1,11 +1,12 @@
 @load base/frameworks/intel
-@load base/protocols/smtp/file-analysis
+@load base/protocols/smtp
 @load base/utils/urls
 @load ./where-locations
 event intel_mime_data(f: fa_file, data: string)
 {
- if ( ! f?$conns ) return;
+ if ( ! f?$conns )
+ return;
 for ( cid in f$conns )
 {
@@ -21,11 +22,8 @@ event intel_mime_data(f: fa_file, data: string)
 }
 }
-event file_new(f: fa_file) &priority=5
+event file_new(f: fa_file)
 {
- if ( ! f?$source ) return;
- if ( f$source != "SMTP" ) return;
-
- Files::add_analyzer(f, [$tag=Files::ANALYZER_DATA_EVENT,
- $stream_event=intel_mime_data]);
+ if ( f$source == "SMTP" )
+ Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
 }
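Review bot: The rewritten `file_new` handler in the second hunk reads `f$source` directly, while the removed code first checked `f?$source`. Whether `source` is still `&optional` on `fa_file` is not visible in this patch; if it is, every file without a source would raise a runtime error in this handler instead of being skipped quietly. Either confirm the field is now always set, or keep the guard in the condition: `if ( f?$source && f$source == "SMTP" )`. The handler also loses `&priority=5`, so a one-line comment such as `# Default priority is fine: attaching the data-event analyzer does not depend on other file_new handlers.` would record that the ordering change is intentional.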