Merge branch 'master' into topic/jsiwek/faf-cleanup

Conflicts:
	scripts/base/protocols/ftp/file-analysis.bro
	scripts/base/protocols/http/file-analysis.bro
	scripts/base/protocols/irc/file-analysis.bro
	scripts/base/protocols/smtp/file-analysis.bro
	src/file_analysis/File.cc
	src/file_analysis/File.h
	src/file_analysis/Manager.cc
	src/file_analysis/Manager.h
	testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/file_analysis.log
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-0.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-1.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-2.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-3.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7-1.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-BTsa70Ua9x7.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4-0.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-Rqjkzoroau4.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38-2.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-VLQvJybrm38.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk-3.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp-item-zrfwSs9K1yk.dat
	testing/btest/Baseline/scripts.base.protocols.ftp.ftp-extract/ftp.log
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3-0.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item-BFymS6bFgT3.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http-item.dat
	testing/btest/Baseline/scripts.base.protocols.http.http-extract-files/http.log
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb-0.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item-wqKMAamJVSb.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc-dcc-item.dat
	testing/btest/Baseline/scripts.base.protocols.irc.dcc-extract/irc.log
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-0.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-1.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3-1.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-Ltd7QO7jEv3.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb-0.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp-entity-cwR7l6Zctxb.dat
	testing/btest/Baseline/scripts.base.protocols.smtp.mime-extract/smtp_entities.log
	testing/btest/scripts/base/protocols/ftp/ftp-extract.bro
	testing/btest/scripts/base/protocols/http/http-extract-files.bro
	testing/btest/scripts/base/protocols/irc/dcc-extract.test
	testing/btest/scripts/base/protocols/smtp/mime-extract.test

testing/btest/scripts/base/frameworks/analyzer/disable-analyzer.bro

@@ -0,0 +1,14 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/var-services-std-ports.trace %INPUT
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq dns
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq ssh
+#
+
+redef Analyzer::disabled_analyzers += { Analyzer::ANALYZER_SSH };
+
+event bro_init()
+	{
+	Analyzer::disable_analyzer(Analyzer::ANALYZER_DNS);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.bro

@@ -0,0 +1,13 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/var-services-std-ports.trace %INPUT
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -q dns
+#
+
+redef Analyzer::disable_all = T;
+
+event bro_init()
+	{
+	Analyzer::enable_analyzer(Analyzer::ANALYZER_DNS);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/register-for-port.bro

@@ -0,0 +1,13 @@
+#
+# @TEST-EXEC: bro -r ${TRACES}/ssh-on-port-80.trace %INPUT dpd_buffer_size=0;
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -q ssh
+#
+# @TEST-EXEC: bro -r ${TRACES}/ssh-on-port-80.trace dpd_buffer_size=0;
+# @TEST-EXEC: cat conn.log | bro-cut service | grep -vq ssh
+
+event bro_init()
+	{
+	Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 80/tcp);
+	}
+
+

testing/btest/scripts/base/frameworks/analyzer/schedule-analyzer.bro

@@ -0,0 +1,36 @@
+#
+# @TEST-EXEC: bro -b  -r ${TRACES}/rotation.trace %INPUT | sort >output
+# @TEST-EXEC: btest-diff output
+
+global x = 0;
+
+event new_connection(c: connection)
+	{
+	# Make sure expiration executes.
+	Analyzer::schedule_analyzer(1.2.3.4, 1.2.3.4, 8/tcp, Analyzer::ANALYZER_MODBUS, 100hrs);
+	
+	if ( x > 0 )
+		return;
+
+	x = 1;
+
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_SSH, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_HTTP, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+	Analyzer::schedule_analyzer(0.0.0.0, 10.0.0.3, 6/tcp, Analyzer::ANALYZER_FTP, 100hrs);
+	
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 7/tcp, Analyzer::ANALYZER_SSH, 1sec);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_HTTP, 1sec);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 8/tcp, Analyzer::ANALYZER_DNS, 100hrs);
+	Analyzer::schedule_analyzer(10.0.0.2, 10.0.0.3, 9/tcp, Analyzer::ANALYZER_FTP, 1sec);
+	}
+
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag)
+	{
+	print "APPLIED:", network_time(), c$id, a;
+	}
+
+
+
+
+

testing/btest/scripts/base/frameworks/file-analysis/http/get.bro

@@ -1,13 +1,15 @@
-# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT >get.out
-# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT >get-gzip.out
+# @TEST-EXEC: bro -r $TRACES/http/get.trace $SCRIPTS/file-analysis-test.bro %INPUT c=1 >get.out
+# @TEST-EXEC: bro -r $TRACES/http/get-gzip.trace $SCRIPTS/file-analysis-test.bro %INPUT c=2 >get-gzip.out
 # @TEST-EXEC: btest-diff get.out
 # @TEST-EXEC: btest-diff get-gzip.out
-# @TEST-EXEC: btest-diff Cx92a0ym5R8-file
-# @TEST-EXEC: btest-diff kg59rqyYxN-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0 &redef;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", c);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/multipart.bro

@@ -1,13 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/multipart.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff TJdltRTxco1-file
-# @TEST-EXEC: btest-diff QJO04kPdawk-file
-# @TEST-EXEC: btest-diff dDH5dHdsRH4-file
-# @TEST-EXEC: btest-diff TaUJcEIboHh-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
+# @TEST-EXEC: btest-diff 3-file
+# @TEST-EXEC: btest-diff 4-file
 
 redef test_file_analysis_source = "HTTP";
 
+global cnt: count = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	++cnt;
+	return fmt("%d-file", cnt);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/partial-content.bro

@@ -1,16 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/206_example_a.pcap $SCRIPTS/file-analysis-test.bro %INPUT >a.out
 # @TEST-EXEC: btest-diff a.out
-# @TEST-EXEC: wc -c 7gZBKVUgy4l-file0 | sed 's/^[ \t]* //g' >a.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >a.size
 # @TEST-EXEC: btest-diff a.size
 
 # @TEST-EXEC: bro -r $TRACES/http/206_example_b.pcap $SCRIPTS/file-analysis-test.bro %INPUT >b.out
 # @TEST-EXEC: btest-diff b.out
-# @TEST-EXEC: wc -c oDwT1BbzjM1-file0 | sed 's/^[ \t]* //g' >b.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >b.size
 # @TEST-EXEC: btest-diff b.size
 
 # @TEST-EXEC: bro -r $TRACES/http/206_example_c.pcap $SCRIPTS/file-analysis-test.bro %INPUT >c.out
 # @TEST-EXEC: btest-diff c.out
-# @TEST-EXEC: wc -c uHS14uhRKGe-file0 | sed 's/^[ \t]* //g' >c.size
+# @TEST-EXEC: wc -c file-0 | sed 's/^[ \t]* //g' >c.size
 # @TEST-EXEC: btest-diff c.size
 
 global cnt: count = 0;
@@ -19,7 +19,7 @@ redef test_file_analysis_source = "HTTP";
 
 redef test_get_file_name = function(f: fa_file): string
 	{
-	local rval: string = fmt("%s-file%d", f$id, cnt);
+	local rval: string = fmt("file-%d", cnt);
 	++cnt;
 	return rval;
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/pipeline.bro

@@ -1,14 +1,16 @@
 # @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff aFQKI8SPOL2-file
-# @TEST-EXEC: btest-diff CCU3vUEr06l-file
-# @TEST-EXEC: btest-diff HCzA0dVwDPj-file
-# @TEST-EXEC: btest-diff a1Zu1fteVEf-file
-# @TEST-EXEC: btest-diff xXlF7wFdsR-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
+# @TEST-EXEC: btest-diff 3-file
+# @TEST-EXEC: btest-diff 4-file
+# @TEST-EXEC: btest-diff 5-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", ++c);
 	};

testing/btest/scripts/base/frameworks/file-analysis/http/post.bro

@@ -1,11 +1,13 @@
 # @TEST-EXEC: bro -r $TRACES/http/post.trace $SCRIPTS/file-analysis-test.bro %INPUT >out
 # @TEST-EXEC: btest-diff out
-# @TEST-EXEC: btest-diff v5HLI7MxPQh-file
-# @TEST-EXEC: btest-diff PZS1XGHkIf1-file
+# @TEST-EXEC: btest-diff 1-file
+# @TEST-EXEC: btest-diff 2-file
 
 redef test_file_analysis_source = "HTTP";
 
+global c = 0;
+
 redef test_get_file_name = function(f: fa_file): string
 	{
-	return fmt("%s-file", f$id);
+	return fmt("%d-file", ++c);
 	};