FileAnalysis: add is_orig field to fa_file & Info.

Jon Siwek 2013-04-23 10:50:43 -05:00
parent cd0a8bfbdb
commit f07760ba00
7 changed files with 29 additions and 15 deletions


@ -46,6 +46,10 @@ export {
## path which was read, or some other input source.
source: string &log &optional;
## If the source of this file is is a network connection, this field
## may be set to indicate the directionality.
is_orig: bool &log &optional;
## The time at which the last activity for the file was seen.
last_active: time &log;
@ -236,6 +240,7 @@ function set_info(f: fa_file)
f$info$id = f$id;
if ( f?$parent_id ) f$info$parent_id = f$parent_id;
if ( f?$source ) f$info$source = f$source;
if ( f?$is_orig ) f$info$is_orig = f$is_orig;
f$info$last_active = f$last_active;
f$info$seen_bytes = f$seen_bytes;
if ( f?$total_bytes ) f$info$total_bytes = f$total_bytes;
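Review bot: The doc comment on the new `is_orig` field has a duplicated word, "If the source of this file is is a network connection"; it should read `## If the source of this file is a network connection, this field`. The same comment text is added to the `fa_file` record in the next file section and needs the same fix. The comment could also state which direction a value of `T` denotes, since "directionality" alone does not tell a reader of the log how to interpret the column; the meaning presumably follows the `is_orig` flag the analyzer passes in, which this page does not show.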


@ -341,6 +341,10 @@ type fa_file: record {
## path which was read, or some other input source.
source: string &optional;
## If the source of this file is is a network connection, this field
## may be set to indicate the directionality.
is_orig: bool &optional;
## The set of connections over which the file was transferred.
conns: table[conn_id] of connection &optional;


@ -37,6 +37,7 @@ static RecordVal* get_conn_id_val(const Connection* conn)
int File::id_idx = -1;
int File::parent_id_idx = -1;
int File::source_idx = -1;
int File::is_orig_idx = -1;
int File::conns_idx = -1;
int File::last_active_idx = -1;
int File::seen_bytes_idx = -1;
@ -59,6 +60,7 @@ void File::StaticInit()
id_idx = Idx("id");
parent_id_idx = Idx("parent_id");
source_idx = Idx("source");
is_orig_idx = Idx("is_orig");
conns_idx = Idx("conns");
last_active_idx = Idx("last_active");
seen_bytes_idx = Idx("seen_bytes");
@ -75,7 +77,8 @@ void File::StaticInit()
salt = BifConst::FileAnalysis::salt->CheckString();
}
File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag)
File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag,
bool is_orig)
: id(""), unique(unique), val(0), postpone_timeout(false),
first_chunk(true), missed_bof(false), need_reassembly(false), done(false),
analyzers(this)
@ -98,8 +101,9 @@ File::File(const string& unique, Connection* conn, AnalyzerTag::Tag tag)
if ( conn )
{
// add source and connection fields
// add source, connection, is_orig fields
val->Assign(source_idx, new StringVal(::Analyzer::GetTagName(tag)));
val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));
UpdateConnectionFields(conn);
}
else
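Review bot: The new `val->Assign(is_orig_idx, new Val(is_orig, TYPE_BOOL));` inside `if ( conn )` is the only place the field is written, so the value is fixed at construction and nothing in this commit updates it afterwards; a file later fed from the other direction keeps its first value. If that is intended, a comment on that line such as `// direction is fixed at creation; later data from the other side does not change it` would save a reader from looking for a setter. Files created without a connection leave the field unset, which matches the script-level doc saying it "may be set". The constructor body continues outside this hunk.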


@ -133,7 +133,7 @@ protected:
* Constructor; only file_analysis::Manager should be creating these.
*/
File(const string& unique, Connection* conn = 0,
AnalyzerTag::Tag tag = AnalyzerTag::Error);
AnalyzerTag::Tag tag = AnalyzerTag::Error, bool is_orig = false);
/**
* Updates the "conn_ids" and "conn_uids" fields in #val record with the
@ -214,6 +214,7 @@ protected:
static int id_idx;
static int parent_id_idx;
static int source_idx;
static int is_orig_idx;
static int conns_idx;
static int last_active_idx;
static int seen_bytes_idx;
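Review bot: The constructor's doc comment still reads only "Constructor; only file_analysis::Manager should be creating these." and does not describe the new `is_orig` parameter or its `false` default. A sentence in that comment stating what the flag records — that it is stored in the record's `is_orig` field only when a connection is supplied, and what a `true` value denotes — would document the contract at the declaration rather than leaving it to File.cc. The class body extends beyond both hunks.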


@ -40,7 +40,7 @@ void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
if ( IsDisabled(tag) ) return;
GetFileHandle(tag, conn, is_orig);
DataIn(data, len, offset, GetFile(current_handle, conn, tag));
DataIn(data, len, offset, GetFile(current_handle, conn, tag, is_orig));
}
void Manager::DataIn(const u_char* data, uint64 len, uint64 offset,
@ -67,7 +67,7 @@ void Manager::DataIn(const u_char* data, uint64 len, AnalyzerTag::Tag tag,
GetFileHandle(tag, conn, is_orig);
// Sequential data input shouldn't be going over multiple conns, so don't
// do the check to update connection set.
DataIn(data, len, GetFile(current_handle, conn, tag, false));
DataIn(data, len, GetFile(current_handle, conn, tag, is_orig, false));
}
void Manager::DataIn(const u_char* data, uint64 len, const string& unique)
@ -110,7 +110,7 @@ void Manager::Gap(uint64 offset, uint64 len, AnalyzerTag::Tag tag,
if ( IsDisabled(tag) ) return;
GetFileHandle(tag, conn, is_orig);
Gap(offset, len, GetFile(current_handle, conn, tag));
Gap(offset, len, GetFile(current_handle, conn, tag, is_orig));
}
void Manager::Gap(uint64 offset, uint64 len, const string& unique)
@ -131,7 +131,7 @@ void Manager::SetSize(uint64 size, AnalyzerTag::Tag tag, Connection* conn,
if ( IsDisabled(tag) ) return;
GetFileHandle(tag, conn, is_orig);
SetSize(size, GetFile(current_handle, conn, tag));
SetSize(size, GetFile(current_handle, conn, tag, is_orig));
}
void Manager::SetSize(uint64 size, const string& unique)
@ -188,7 +188,7 @@ bool Manager::RemoveAnalyzer(const FileID& file_id, const RecordVal* args) const
}
File* Manager::GetFile(const string& unique, Connection* conn,
AnalyzerTag::Tag tag, bool update_conn)
AnalyzerTag::Tag tag, bool is_orig, bool update_conn)
{
if ( unique.empty() ) return 0;
if ( IsIgnored(unique) ) return 0;
@ -197,7 +197,7 @@ File* Manager::GetFile(const string& unique, Connection* conn,
if ( ! rval )
{
rval = str_map[unique] = new File(unique, conn, tag);
rval = str_map[unique] = new File(unique, conn, tag, is_orig);
FileID id = rval->GetID();
if ( id_map[id] )
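Review bot: In the `GetFile` signature the new defaulted `bool is_orig` is inserted ahead of the existing defaulted `bool update_conn`, so any caller not shown here that passed a positional `false` as the fourth argument (the old `update_conn` position) now sets `is_orig` instead and silently gets `update_conn = true`, with no compiler diagnostic because both parameters are `bool`. The commit updates the one such call visible in the sequential `DataIn` hunk, but it is worth confirming no other caller passes a fourth argument; the matching declaration in Manager.h carries the same ordering. Separately, `is_orig` is only consumed on the creation path `new File(unique, conn, tag, is_orig)` inside `if ( ! rval )`, so later lookups passing a different value have no effect on an existing file, which fits a "direction at creation" reading but deserves a comment if intended. The `GetFile` body continues outside the hunk.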


@ -135,7 +135,7 @@ protected:
*/
File* GetFile(const string& unique, Connection* conn = 0,
AnalyzerTag::Tag tag = AnalyzerTag::Error,
bool update_conn = true);
bool is_orig = false, bool update_conn = true);
/**
* @return the File object mapped to \a file_id, or a null pointer if no


@ -3,8 +3,8 @@
#empty_field (empty)
#unset_field -
#path file_analysis
#open 2013-04-12-14-46-48
#fields id parent_id source last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size mime_type timedout conn_uids analyzers extracted_files md5 sha1 sha256
#types string string string time count count count count interval count string bool table[string] table[enum] table[string] string string string
Cx92a0ym5R8 - HTTP 1362692527.009775 4705 4705 0 0 120.000000 1024 text/plain F UWkUyAuUGXf FileAnalysis::ANALYZER_SHA1,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_DATA_EVENT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
#close 2013-04-12-14-46-48
#open 2013-04-23-15-41-01
#fields id parent_id source is_orig last_active seen_bytes total_bytes missing_bytes overflow_bytes timeout_interval bof_buffer_size mime_type timedout conn_uids analyzers extracted_files md5 sha1 sha256
#types string string string bool time count count count count interval count string bool table[string] table[enum] table[string] string string string
Cx92a0ym5R8 - HTTP F 1362692527.009775 4705 4705 0 0 120.000000 1024 text/plain F UWkUyAuUGXf FileAnalysis::ANALYZER_SHA1,FileAnalysis::ANALYZER_EXTRACT,FileAnalysis::ANALYZER_DATA_EVENT,FileAnalysis::ANALYZER_MD5,FileAnalysis::ANALYZER_SHA256 Cx92a0ym5R8-file 397168fd09991a0e712254df7bc639ac 1dd7ac0398df6cbc0696445a91ec681facf4dc47 4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18
#close 2013-04-23-15-41-01