From f97f58e9db319a6a993e1c11157ea9bf6b44e955 Mon Sep 17 00:00:00 2001
From: Jon Siwek <jsiwek@illinois.edu>
Date: Wed, 10 Sep 2014 13:20:47 -0500
Subject: [PATCH] Raise http_entity_data in line with data arrival.

As opposed to delaying until a certain-sized-buffer fills, which is
problematic because then the event becomes out of sync with the "rest of
the world".  E.g. content_gap handlers being called sooner than
expected.

Addresses BIT-1240.
---
 scripts/base/init-bare.bro                    |   3 +-
 src/analyzer/protocol/http/HTTP.cc            | 131 ++----------------
 src/analyzer/protocol/http/HTTP.h             |  13 +-
 .../out                                       |  22 +--
 .../entity_data                               |   4 +
 .../extract_files.file0                       | Bin 0 -> 4705 bytes
 testing/btest/Traces/http/entity_gap.trace    | Bin 0 -> 4805 bytes
 .../base/protocols/http/entity-gap.bro        |  24 ++++
 8 files changed, 46 insertions(+), 151 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.entity-gap/extract_files.file0
 create mode 100644 testing/btest/Traces/http/entity_gap.trace
 create mode 100644 testing/btest/scripts/base/protocols/http/entity-gap.bro

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 1199bdd7bc..efce524fc5 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2485,8 +2485,7 @@ type http_message_stat: record {
 	header_length: count;
 };
 
-## Maximum number of HTTP entity data delivered to events. The amount of data
-## can be limited for better performance, zero disables truncation.
+## Maximum number of HTTP entity data delivered to events.
 ##
 ## .. bro:see:: http_entity_data skip_http_entity_data skip_http_data
 global http_entity_data_delivery_size = 1500 &redef;
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index 02b6947b9f..744a0aac76 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -542,12 +542,9 @@ HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
 
 	current_entity = 0;
 	top_level = new HTTP_Entity(this, 0, expect_body);
+	entity_data_buffer = new char[http_entity_data_delivery_size];
 	BeginEntity(top_level);
 
-	buffer_offset = buffer_size = 0;
-	data_buffer = 0;
-	total_buffer_size = 0;
-
 	start_time = network_time;
 	body_length = 0;
 	content_gap_length = 0;
@@ -557,6 +554,7 @@ HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
 HTTP_Message::~HTTP_Message()
 	{
 	delete top_level;
+	delete [] entity_data_buffer;
 	}
 
 Val* HTTP_Message::BuildMessageStat(const int interrupted, const char* msg)
@@ -604,14 +602,6 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}
 
 	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
-
-	delete_strings(buffers);
-
-	if ( data_buffer )
-		{
-		delete data_buffer;
-		data_buffer = 0;
-		}
 	}
 
 int HTTP_Message::Undelivered(int64_t len)
@@ -652,8 +642,6 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	body_length += ((HTTP_Entity*) entity)->BodyLength();
 	header_length += ((HTTP_Entity*) entity)->HeaderLength();
 
-	DeliverEntityData();
-
 	if ( http_end_entity )
 		{
 		val_list* vl = new val_list();
@@ -720,31 +708,15 @@ void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */)
 
 void HTTP_Message::SubmitData(int len, const char* buf)
 	{
-	if ( buf != (const char*) data_buffer->Bytes() + buffer_offset ||
-	     buffer_offset + len > buffer_size )
-		{
-		reporter->AnalyzerError(MyHTTP_Analyzer(),
-		                                "HTTP message buffer misalignment");
-		return;
-		}
-
-	buffer_offset += len;
-	if ( buffer_offset >= buffer_size )
-		{
-		buffers.push_back(data_buffer);
-		data_buffer = 0;
-		}
+	if ( http_entity_data )
+		MyHTTP_Analyzer()->HTTP_EntityData(is_orig,
+		        new BroString(reinterpret_cast<const u_char*>(buf), len, 0));
 	}
 
 int HTTP_Message::RequestBuffer(int* plen, char** pbuf)
 	{
-	if ( ! data_buffer )
-		if ( ! InitBuffer(mime_segment_length) )
-			return 0;
-
-	*plen = data_buffer->Len() - buffer_offset;
-	*pbuf = (char*) data_buffer->Bytes() + buffer_offset;
-
+	*plen = http_entity_data_delivery_size;
+	*pbuf = entity_data_buffer;
 	return 1;
 	}
 
@@ -785,9 +757,6 @@ void HTTP_Message::SetPlainDelivery(int64_t length)
 
 	if ( length > 0 && BifConst::skip_http_data )
 		content_line->SkipBytesAfterThisLine(length);
-
-	if ( ! data_buffer )
-		InitBuffer(length);
 	}
 
 void HTTP_Message::SkipEntityData()
@@ -796,87 +765,6 @@ void HTTP_Message::SkipEntityData()
 		current_entity->SkipBody();
 	}
 
-void HTTP_Message::DeliverEntityData()
-	{
-	if ( http_entity_data )
-		{
-		const BroString* entity_data = 0;
-
-		if ( data_buffer && buffer_offset > 0 )
-			{
-			if ( buffer_offset < buffer_size )
-				{
-				entity_data = new BroString(data_buffer->Bytes(), buffer_offset, 0);
-				delete data_buffer;
-				}
-			else
-				entity_data = data_buffer;
-
-			data_buffer = 0;
-
-			if ( buffers.empty() )
-				MyHTTP_Analyzer()->HTTP_EntityData(is_orig,
-								entity_data);
-			else
-				buffers.push_back(entity_data);
-
-			entity_data = 0;
-			}
-
-		if ( ! buffers.empty() )
-			{
-			if ( buffers.size() == 1 )
-				{
-				entity_data = buffers[0];
-				buffers.clear();
-				}
-			else
-				{
-				entity_data = concatenate(buffers);
-				delete_strings(buffers);
-				}
-
-			MyHTTP_Analyzer()->HTTP_EntityData(is_orig, entity_data);
-			}
-		}
-	else
-		{
-		delete_strings(buffers);
-
-		if ( data_buffer )
-			delete data_buffer;
-
-		data_buffer = 0;
-		}
-
-	total_buffer_size = 0;
-	}
-
-int HTTP_Message::InitBuffer(int64_t length)
-	{
-	if ( length <= 0 )
-		return 0;
-
-	if ( total_buffer_size >= http_entity_data_delivery_size )
-		DeliverEntityData();
-
-	if ( total_buffer_size + length > http_entity_data_delivery_size )
-		{
-		length = http_entity_data_delivery_size - total_buffer_size;
-		if ( length <= 0 )
-			return 0;
-		}
-
-	u_char* b = new u_char[length];
-	data_buffer = new BroString(0, b, length);
-
-	buffer_size = length;
-	total_buffer_size += length;
-	buffer_offset = 0;
-
-	return 1;
-	}
-
 void HTTP_Message::Weird(const char* msg)
 	{
 	analyzer->Weird(msg);
@@ -1823,7 +1711,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 		}
 	}
 
-void HTTP_Analyzer::HTTP_EntityData(int is_orig, const BroString* entity_data)
+void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
 		{
@@ -1831,8 +1719,7 @@ void HTTP_Analyzer::HTTP_EntityData(int is_orig, const BroString* entity_data)
 		vl->append(BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
 		vl->append(new Val(entity_data->Len(), TYPE_COUNT));
-		// FIXME: Make sure that removing the const here is indeed ok...
-		vl->append(new StringVal(const_cast<BroString*>(entity_data)));
+		vl->append(new StringVal(entity_data));
 		ConnectionEvent(http_entity_data, vl);
 		}
 	else
diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h
index 5785d93198..876bcfe5aa 100644
--- a/src/analyzer/protocol/http/HTTP.h
+++ b/src/analyzer/protocol/http/HTTP.h
@@ -132,13 +132,7 @@ protected:
 	tcp::ContentLine_Analyzer* content_line;
 	bool is_orig;
 
-	vector<const BroString*> buffers;
-
-	// Controls the total buffer size within http_entity_data_delivery_size.
-	int total_buffer_size;
-
-	int buffer_offset, buffer_size;
-	BroString* data_buffer;
+	char* entity_data_buffer;
 
 	double start_time;
 
@@ -151,9 +145,6 @@ protected:
 
 	HTTP_Entity* current_entity;
 
-	int InitBuffer(int64_t length);
-	void DeliverEntityData();
-
 	Val* BuildMessageStat(const int interrupted, const char* msg);
 };
 
@@ -165,7 +156,7 @@ public:
 	void Undelivered(tcp::TCP_Endpoint* sender, uint64 seq, int len);
 
 	void HTTP_Header(int is_orig, mime::MIME_Header* h);
-	void HTTP_EntityData(int is_orig, const BroString* entity_data);
+	void HTTP_EntityData(int is_orig, BroString* entity_data);
 	void HTTP_MessageDone(int is_orig, HTTP_Message* message);
 	void HTTP_Event(const char* category, const char* detail);
 	void HTTP_Event(const char* category, StringVal *detail);
diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
index bc0ccff221..d1cc77944c 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.actions.data_event/out
@@ -7,22 +7,12 @@ text/plain
 FILE_OVER_NEW_CONNECTION
 file_stream, file #0, 1146, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
 file_chunk, file #0, 1146, 0, ^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
-file_stream, file #0, 354,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
-file_chunk, file #0, 354, 1146,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-relea
-file_stream, file #0, 1024, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
-file_chunk, file #0, 1024, 1500, se script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices f
-file_stream, file #0, 70, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
-file_chunk, file #0, 70, 2524, ormat for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
-file_stream, file #0, 406, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
-file_chunk, file #0, 406, 2594, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the 
-file_stream, file #0, 1024, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
-file_chunk, file #0, 1024, 3000, copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP
-file_stream, file #0, 18,  now links against
-file_chunk, file #0, 18, 4024,  now links against
-file_stream, file #0, 458,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
-file_chunk, file #0, 458, 4042,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J
-file_stream, file #0, 205, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
-file_chunk, file #0, 205, 4500, ^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
+file_stream, file #0, 1448,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-release script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices format for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
+file_chunk, file #0, 1448, 1146,    rather than all. (Robin Sommer)^J^J  * Fix parallel make portability. (Jon Siwek)^J^J0.21-9 | 2011-11-07 05:44:14 -0800^J^J  * Fixing compiler warnings. Addresses #388. (Jon Siwek)^J^J0.21-2 | 2011-11-02 18:12:13 -0700^J^J  * Fix for misnaming temp file in update-changes script. (Robin Sommer)^J^J0.21-1 | 2011-11-02 18:10:39 -0700^J^J  * Little fix for make-release script, which could pick out the wrong^J    tag. (Robin Sommer)^J^J0.21 | 2011-10-27 17:40:45 -0700^J^J  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)^J^J  * Bugfix in update-changes script. (Robin Sommer)^J^J  * update-changes now ignores commits it did itself. (Robin Sommer)^J^J  * Fix a bug in the update-changes script. (Robin Sommer)^J^J  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)^J^J  * Options to adjust time format for bro-cut. (Robin Sommer)^J^J    The default with -d is now ISO format. The new option "-D <fmt>"^J    specifies a custom strftime()-style format string. Alternatively,^J    the environment variable BRO_CUT_TIMEFMT can set the format as^J    well.^J^J  * bro-cut now understands the field separator header. (Robin Sommer)^J^J  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.^J^J0.2 | 2011-10-25 19:53:57 -0700^J^J  * Adding support for replacing version string in a setup.py. (Robin^J    Sommer)^J^J  * Change generated root cert DN indices format for RFC2253^J    compliance. (Jon Siwek)^J^J  * New tool devel-tool
+file_stream, file #0, 1448, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+file_chunk, file #0, 1448, 2594, s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+file_stream, file #0, 663,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
+file_chunk, file #0, 663, 4042,  thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
 FILE_STATE_REMOVE
 file #0, 4705, 0
 [orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data b/testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data
new file mode 100644
index 0000000000..37d10fb294
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.entity-gap/entity_data
@@ -0,0 +1,4 @@
+^J0.26 | 2012-08-24 15:10:04 -0700^J^J  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)^J^J  * Fixing GPG signing script. (Robin Sommer)^J^J0.25 | 2012-08-01 13:55:46 -0500^J^J  * Fix configure script to exit with non-zero status on error (Jon Siwek)^J^J0.24 | 2012-07-05 12:50:43 -0700^J^J  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)^J^J  * Adding script to delete old fully-merged branches. (Robin Sommer)^J^J0.23-2 | 2012-01-25 13:24:01 -0800^J^J  * Fix a bro-cut error message. (Daniel Thayer)^J^J0.23 | 2012-01-11 12:16:11 -0800^J^J  * Tweaks to release scripts, plus a new one for signing files.^J    (Robin Sommer)^J^J0.22 | 2012-01-10 16:45:19 -0800^J^J  * Tweaks for OpenBSD support. (Jon Siwek)^J^J  * bro-cut extensions and fixes.  (Robin Sommer)^J    ^J    - If no field names are given on the command line, we now pass through^J      all fields. Adresses #657.^J^J    - Removing some GNUism from awk script. Addresses #653.^J^J    - Added option for time output in UTC. Addresses #668.^J^J    - Added output field separator option -F. Addresses #649.^J^J    - Fixing option -c: only some header lines were passed through^J   
+<1448 byte gap>
+s/check-release to run before making releases.^J    (Robin Sommer)^J^J  * devel-tools/update-changes gets a new option -a to amend to^J    previous commit if possible. Default is now not to (used to be the^J    opposite). (Robin Sommer)^J^J  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)^J^J  * Change distclean to only remove build dir. (Jon Siwek)^J^J  * Make dist now cleans the copied source (Jon Siwek)^J^J  * Small tweak to make-release for forced git-clean. (Jon Siwek)^J^J  * Fix to not let updates scripts loose their executable permissions.^J    (Robin Sommer)^J^J  * devel-tools/update-changes now looks for a 'release' tag to^J    idenfify the stable version, and 'beta' for the beta versions.^J    (Robin Sommer).^J^J  * Distribution cleanup. (Robin Sommer)^J^J  * New script devel-tools/make-release to create source tar balls.^J    (Robin Sommer)^J^J  * Removing bdcat. With the new log format, this isn't very useful^J    anymore. (Robin Sommer)^J^J  * Adding script that shows all pending git fastpath commits. (Robin^J    Sommer)^J^J  * Script to measure CPU time by loading an increasing set of^J    scripts. (Robin Sommer)^J^J  * extract-conn script now deals wit *.gz files. (Robin Sommer)^J^J  * Tiny update to output a valid CA list file for SSL cert^J    validation. (Seth Hall)^J^J  * Adding "install-aux" target. Addresses #622. (Jon Siwek)^J^J  * Distribution cleanup. (Jon Siwek and Robin Sommer)^J^J  * FindPCAP now links against
+ thread library when necessary (e.g.^J    PF_RING's libpcap) (Jon Siwek)^J^J  * Install binaries with an RPATH (Jon Siwek)^J^J  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)^J^J  * Rewrite of the update-changes script. (Robin Sommer)^J^J0.1-1 | 2011-06-14 21:12:41 -0700^J^J  * Add a script for generating Mozilla's CA list for the SSL analyzer.^J    (Seth Hall)^J^J0.1 | 2011-04-01 16:28:22 -0700^J^J  * Converting build process to CMake. (Jon Siwek)^J^J  * Removing cf/hf/ca-* from distribution. The README has a note where^J    to find them now. (Robin Sommer)^J^J  * General cleanup. (Robin Sommer)^J^J  * Initial import of bro/aux from SVN r7088. (Jon Siwek)^J
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.entity-gap/extract_files.file0 b/testing/btest/Baseline/scripts.base.protocols.http.entity-gap/extract_files.file0
new file mode 100644
index 0000000000000000000000000000000000000000..f032ec61d39be7a16daf2850074151dcf7597cd8
GIT binary patch
literal 4705
zcmeHL!BQJX5Y5?N(d8V#lvhYX2&@}{fJw!KLO4FAM!T)mgx#6V%q#*|K0dE!S8EB$
z$u$RDMHR?1-94}0Ouwf${oZg)f77r(7$*JGWH_S1@nq1S^hcERPx}2gZ-@@)Qa@>v
zQ(a{$aFQ;R$=ScB<wB<mN^M<aRO$4A!h&h(ES9F$1ZNAH>w<f<e`jaf(A1VCyLTHg
zuWql%>)c3upE_NI?d2%)c&*6(fCfjC<KxL_j3STMij=f-o!5@rSQISrlMb}hVL`^4
z<SRQ%KB!Q8vWD0>>uCQM{5sW3en4@^HtMpSAOQ`AljHtmbhHl1ozkAE)JB(eNsj-j
zwd0J=KdA?%M|NH#B(e{C<KEF`0zvdF%f6jh)@599V6uR6UKho40;F;ToH=FE1^b<-
z93{i9(m?`{fXi?+0YGTxIxY%vY?9WYJ#fk1t6VyBp^WB&?icDgwg#s^T8lXV*2BqQ
zJi#w(G4GeG9=z1;P`3gSP47U8ssOTz3@?E%(;V=w`YUAcJur&47=g6wM;Y`9IY*%4
zhaG7p=5H07pQab&>#DL&NVDEUfw(*IQ(z<QKv@Rp>L)?-Wd%}HtSq7HIhcZVj9wT8
zs7QfOxqf6Llo67rV6p@&v|-!>#)c(T$^(*xvvt0Rp@>u=R{(*K@ho#d9npRqAD{H(
z5)dVH$EAIYRInw})y-$^OPV`dl3G4=Hv)9|w)v>rjE_MPTLmGTpb|8K*g90`G%nod
z`*X?rZSVN><=$p(b6C%naw;HB8#1}v+&=oyZEv51)xvZFXo_d@a*743j9moB0~~-S
z(4f*aaDI6G_lm$P0<Q?XBJjUPz#l?=qz}nz&dbQJ4b2$i2Kq-m$n0wW^E<O$hH=J^
zTqMET!XIwRNXj{Mf}xpYi4tXj$%_daY#fx8<40|wEM)RR&*?c;)_Xk@d3nKeRTucs
z$2n|lkp260961)X%FK>oEX0D>f!}S*DXH>2DqH$wzv`ku5w7-uoJG8x4P!L6qE4HP
zpD1OA%4ZmQ_3Teh16|zgkRff%O#6^RDn(HkN2Qa=&orwwbVjD#j=fP#%FcMMxLp*6
z=#NTco_brml((hNv=reHM5GB4=n{7g6q$gZ6x(whk{EPHYRq@pDp*38w$k6PWF8gP
zLiC{&?I5rj%2J^fRIw{H+5)k)Tj%`;7eq!OG^C}Jsc5fd)*c0wuehKyhRUBmM<gKS
zC2^~`-$#kJH{+o88bJiG<ge9&on=K)b3hjW+UZ#xyBu+;tKB@gfw*l1?*_3qa0Ym(
zWB8?2mx6LMLtl25(0HOw49>DtLDPN_*CPEEHC@<Tj#R4f9-o2h+MB%~2YV(^9j+l#
zT$$$*S95paFKov`1@a5K#Qg(bps1rM0WD~*e5e$%H}|cxA2G#-kDEr*7HI|}AlB>r
z_H!ddaWx97VodN}8^OaztqVrkd5qQihTY}zQ*bH;Nv$y}z=a|is{+arbsqHcuhC?7
z6>hrBdu@PD^sQ22D~&-1RcN@iGl*2&E-@yNF4O6+@mj~y;+lBpQQedQ#z(-^+SeAz
zx7vV#MUklb=`BbK&xXFOOYY$iyI*>f?@+B<7HPcGG@I=9{OmTq2QVMFC@NP{11JG>
z#gV`<f)UFF+=}5;j2`~n=U(32$lJ?5?yhgH_Pi{uQdPa%F7LWI6v4DBr(s#5eMS%O
zZqM#NZm<7h-GhSf5qpJud+C_Pn>A)w>=}$QUIk2wjAu1yT&Ub{hq>dW!{ZEUMAE;Q
z6Ae?giPG;4l0jox2T6aN3`R5@OyF8aVp+TIFwhe`DDAD4DpyZBs%js6VA3%H3*_Pn
zA(T<YGrl)yU$k{5Aa|E}l*kto<H_)J0x!Fk`P>>@(jdog9{b8!>5C9DLbQV*-Aj<p
z4;S;pR3!(EE0k%ldZc==?M!z+pIv<VnHDNeQ49Rgd)Lf6WSC=E$x%w-%r<)RAYaAd
lR?xq`dDlh<tqRg*Y$$pJgMA3vH+4;azae+hKRw+%%s)TI0u2BF

literal 0
HcmV?d00001

diff --git a/testing/btest/Traces/http/entity_gap.trace b/testing/btest/Traces/http/entity_gap.trace
new file mode 100644
index 0000000000000000000000000000000000000000..e4c5e2624d55a6e2e9832e944b4c3c0c326c210a
GIT binary patch
literal 4805
zcmai2U2Ggz6`r_G8x}dF2%$ce(?E&ic=pfhpR602jsKF=c8$GG#0&K9%-!9KXJ>|)
zS+8v&)sG-Tiv(1Hm!ySAJfH+2-pE6w6e)s`{s0dVpb`nGDiT8K18)$%b7yz6e+iaW
z+FjrK-E+V5o$s94Ki>M~n?uI1(fWJvz%UNr!?jPG{PN%CMvPUw=a+Hh&)<6gU$<}E
ze&hWshl~ZoIQ_wEr;XE3*8cF_*ZzL+<{Q60@zJ}++JB$R=6Ufih8{eay=fRj!v}wL
z;E5-O4;(m@`0V+=68~>_C`Ml{9yZS7GrwZo_zaEy0uC@zPkyz`$b5pa_R+gnuiyO=
zPME#&>6z~(*JAYHp+kw(x6gcq(Q(pK9CxsJ*f;}Je)YwjyK|Z2-oM)u_bkv~+&@Am
z>a$=Vj<?LnjQG@r!^Up`#;-oa8|Qz_h(pT*5uc$G!~5NcOAAFx*<QnSJYlEi&K6de
z7B-Tlz%xaCCmHQTbhcPrOJ$Ook;G;w1G7+(Zj`5s6&dljIU2P^&`@qBo6IKD$43$c
z%aT4;jHSj#5@)>-ZvmI|g33r@&U0O9MapyY^pcdmS#Z?097&8MuH$B>o{M>6uKKc&
zyL5%K@ZRrxvhX6ZaBKgFvG;>#<C}q}%g8{P5l5dljDH-AU%iM2|8nU~M!fTdM<M?6
zJKcyaCMcUu)5|Z7B<4jV^Hi+X$0<EcD<Z&uG82@|<Z}~we6zGt97$}*U|R-xD)_>x
z%2YO)OHR<}qO`q0fUac`M&^oVtFn?dc$M}zWlvI}USY5-Whe5vllg2DY@sMBc{-ZO
zPG!uTH8Y)_n4A$)Wh;HOMZCE#+=>iA`femcO?iZjnak3xMAbayrqh!niHGFpDN;4*
z)uU6B<5Uwnr!wjEqZ5S$YP906kDEtwCrbH_Q0^>QRS|?TI<;9`G-o)YiF7hMMc>r7
zFw-+;Hb<Gsd?uYw=g3S?r_+f9(HJeN9pzT2?%N>K1PVt#PK~Ovs$_X}$0lD{TNG6#
zH3APyEyNIb4waQ7lQg>Sm6S^xUacmB<6W3bYfBWWip%(+6(~RIUydLrJAzDSC^M0t
zoXqE@5aeV>kbG=eRqBCkVo~Ig+))uVR8%F`bIm;&coaq=s)yvcB!j>UX!JbZZm5Rb
zLU1@O*FJ3;2T&%PpG-q8os_H#6-ufpSJmn@3gkEHDv&nKt%xm2&{Bx{;nTCpDV9>_
z0nBK@wjbV@*V)pMkt7dPmg|nQYl5i?084>zA<1wcD-&k69cjh{N#G@$%Yz^!vy&IW
z<!xH^sCnU<3`0@j%*+c{NeA^Ic6DlS`-u+B47kqbGgEoI>A);Dq}U2M?f`KMFcIet
zqVOFsE69}%@GGeddRzHrF@#Adiux3RV>_>sNfXY@L5e2_9Ltz5`_etLF;8LL_q~8c
z(@Syt#yhA6P6xtr!LHh2HhUxBpmby=ohw5rSSOJSSAZ%K5L5*w=(1#3<QA07V2*Mn
z>Of*cgM1N!l4{`9D^(3eBpfaQ0O7=f9e{P9eST_kI>|*qWYW5<dD~hFUQN={>ZS^7
zR1UlviN;pDA|RKCn<v_v@iipk`E1sjX|@T1Px#0*3U0GF$LBuWJ2lh0H(ncGHk7^y
zL<Dx5kmh3d_T0(#_NFDY7Fu~w<Lpw%x2Q^C%RrM8f*g>?)F9Fha@hHw|Kekv|0mk{
zk9Ir%z1Lg4WdHl!&L5^wC)SqPQY4GB?ovrYE~r$o#Vj}f`3MzqW!iFEI%ec~PMGR8
zJVHBdOFQP=6kG$)2(%D+I;DOfx0Qz)V2!|eRGEA)3{{DZa9);0-NBckR*dUKynnQ=
z$?*^?t4qUpkaegcdAz^yIm$Wh!L;J-DaSz&K|PEp@PLQbFOkHi{V3O#J7mcKk(ZF3
zdg<%v?KHnSpkSJqwhAK)MXl{iCpBP=N-EVAD#BL5fW6xGc&EOX-p;kamExmkLKpSG
zlKn-xQR5Pc*iM)UWJ$IY$YqX~h3yp;nHqG!(NH39WiDZ%%_bGL42c}igFPV>6`&PJ
zc%VQk$d^G)AuX_l!H)EQw7>-qXqX^}Dd<>JS;r_6m6jHiEzyt4yP63!9X`0(8^*O6
z9V^L59E(dAWbvogf`MV_@*AUh5FMyeU1wSIQuhbzWED0XTXUDNyLbk9Rv^*YTUm-Q
zB$betfg!}*yKP$~+Y)f!i`-v1-|YL2SK%wwL^O`?pmi0x$0EMiE<x((Z(8EQ-L0WC
z2M6BMAgdyxu<A8Xf6xoOU$;-lg36f9e1X&BdTTdIeMHy9v7yHcEi<$%9unr(HuYr1
zrNOf`I|OvET;?Oxt_($aWsTMBaD&6ekQE3EBE|6BBAg{+OX0u+5$9O4vZu$Pc7)yY
zP*J&HM^9KBV$;MS2jM8p6$RKSs*78wmdnP*vMy^KnqH%89?@+`kZ~3?H3zLGlSh>c
z1v(BtGaQ9TF<l^Uoy{Se#qQoN`Ut7DmuVRf9PeCvZLYAU{Qzweg(4~#Lc@riKLzK%
zHx$2mXa1qzUHU0I|2x@k=l@_@JO4Ar-qq1==ZDCUFYd;emY}gl6`dN-Fg)bo<ETtl
z;u>FD{M!1t)um%0FZC_qAMd~LxtJ!xz$yZTcCAN8sA7GsP(0he{-PIb3G{p(E#L%;
zfs{O##DgG@CKwXoGf<W-OL$-?JE9Wy!>r3j0K13SbQ$$@o>+VR(n}{ZW+oojGG=<p
z#G@V_Y%sCqcwB4G@5nMNs_6q9WvfXbs%8rTCvA;k0hcmMOt`|?#mwCF$WCqH?Doky
zlZW!De0C;}Ij-YmJd2?0BffszKK#Jrys*SIMFS+)_7<z0s+LohFvsGFi2F;+_L3M`
zC9N+M=2sS|Ds*4=z#noS#2pkTl+ph9Dm7MNKYMKPOS)Y;^jH@?=c-5vhg3}`6gk3h
znL;7Oacx{!rC>TeGt+$;7W%6YIzKA&tM7+^+`oUrKLlL(S<epvx2|5l_xk>k&uyzq
zvC#3T{BwR}X2i>nMf}tqMm+UaKjQtn`$wMrSiIMdxR`ugj5GHb@iRXhi1;)auiR`S
zUTej8WA;G%*1hFz<St#+KN8&TF7NwyQQmLwKW*&2`k!`re~6o3<6AGk@DQ<|$HI>|
c#!vpKC&st0Ucdhiexfm6nP|uOF=G7ie+z~P4*&oF

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/http/entity-gap.bro b/testing/btest/scripts/base/protocols/http/entity-gap.bro
new file mode 100644
index 0000000000..95d3e52759
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/entity-gap.bro
@@ -0,0 +1,24 @@
+# @TEST-EXEC: bro -r $TRACES/http/entity_gap.trace %INPUT
+# @TEST-EXEC: btest-diff entity_data
+# @TEST-EXEC: btest-diff extract_files/file0
+
+global f = open("entity_data");
+global fn = 0;
+
+event http_entity_data(c: connection, is_orig: bool, length: count,
+                       data: string)
+	{
+	print f, data;
+	}
+
+event content_gap(c: connection, is_orig: bool, seq: count, length: count)
+	{
+	print f, fmt("<%d byte gap>", length);
+	}
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
+					   [$extract_filename=fmt("file%d", fn)]);
+	++fn;
+	}