Fixed a problem where the Unified2 analyzer was attached to every file.

scripts/base/files/unified2/main.bro

@@ -136,7 +136,7 @@ event Unified2::read_classification_line(desc: Input::EventDescription, tpe: Inp
 		}
 	}
 
-event bro_init()
+event bro_init() &priority=5
 	{
 	Log::create_stream(Unified2::LOG, [$columns=Info, $ev=log_unified2]);
 
@@ -200,8 +200,8 @@ event file_new(f: fa_file)
 	if ( |parts| == 3 )
 		file_dir = parts[1];
 
-	if ( f$source in watch_file || 
+	if ( (watch_file != "" && f$source == watch_file) || 
-		compress_path(watch_dir) == file_dir )
+	     (watch_dir != "" && compress_path(watch_dir) == file_dir) )
 		{
 		Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);
 		f$u2_events = table();

testing/btest/Baseline/scripts.base.frameworks.file-analysis.logging/files.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	files
-#open	2013-08-12-19-07-37
+#open	2013-08-14-04-50-17
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted
 #types	time	string	table[addr]	table[addr]	table[string]	string	count	table[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string
-1362692527.009721	G75mcAsU764	192.150.187.43	141.142.228.5	UWkUyAuUGXf	HTTP	0	UNIFIED2,SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	G75mcAsU764-file
+1362692527.009721	G75mcAsU764	192.150.187.43	141.142.228.5	UWkUyAuUGXf	HTTP	0	SHA256,DATA_EVENT,MD5,EXTRACT,SHA1	text/plain	-	0.000054	-	F	4705	4705	0	0	F	-	397168fd09991a0e712254df7bc639ac	1dd7ac0398df6cbc0696445a91ec681facf4dc47	4e7c7ef0984119447e743e3ec77e1de52713e345cde03fe7df753a35849bed18	G75mcAsU764-file
-#close	2013-08-12-19-07-37
+#close	2013-08-14-04-50-17