:tocdepth: 3

base/frameworks/files/main.bro
==============================
.. bro:namespace:: Files

An interface for driving the analysis of files, possibly independent of
any network protocol over which they're transported.

:Namespace: Files
:Imports: :doc:`base/bif/file_analysis.bif.bro </scripts/base/bif/file_analysis.bif.bro>`, :doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`, :doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`, :doc:`base/utils/site.bro </scripts/base/utils/site.bro>`
:Source File: :download:`/scripts/base/frameworks/files/main.bro`

Summary
~~~~~~~
Options
#######
============================================================== ================================================================
:bro:id:`Files::disable`: :bro:type:`table` :bro:attr:`&redef` A table that can be used to disable file analysis completely for
                                                               any files transferred over given network protocol analyzers.
:bro:id:`Files::salt`: :bro:type:`string` :bro:attr:`&redef`   The salt concatenated to unique file handle strings generated by
                                                               :bro:see:`get_file_handle` before hashing them into a file id
                                                               (the *id* field of :bro:see:`fa_file`).
============================================================== ================================================================

Types
#####
====================================================================== ==============================================================
:bro:type:`Files::AnalyzerArgs`: :bro:type:`record` :bro:attr:`&redef` A structure which parameterizes a type of file analysis.
:bro:type:`Files::Info`: :bro:type:`record` :bro:attr:`&redef`         Contains all metadata related to the analysis of a given file.
:bro:type:`Files::ProtoRegistration`: :bro:type:`record`               
====================================================================== ==============================================================

Redefinitions
#############
========================================================== =
:bro:type:`Log::ID`: :bro:type:`enum`                      
:bro:type:`fa_file`: :bro:type:`record` :bro:attr:`&redef` 
========================================================== =

Events
######
============================================= ====================================================================
:bro:id:`Files::log_files`: :bro:type:`event` Event that can be handled to access the Info record as it is sent on
                                              to the logging framework.
============================================= ====================================================================

Functions
#########
===================================================================== =====================================================================
:bro:id:`Files::add_analyzer`: :bro:type:`function`                   Adds an analyzer to the analysis of a given file.
:bro:id:`Files::analyzer_name`: :bro:type:`function`                  Translates a file analyzer enum value to a string with the
                                                                      analyzer's name.
:bro:id:`Files::describe`: :bro:type:`function`                       Provides a text description regarding metadata of the file.
:bro:id:`Files::register_analyzer_add_callback`: :bro:type:`function` Register a callback for file analyzers to use if they need to do some
                                                                      manipulation when they are being added to a file before the core code
                                                                      takes over.
:bro:id:`Files::register_protocol`: :bro:type:`function`              Register callbacks for protocols that work with the Files framework.
:bro:id:`Files::remove_analyzer`: :bro:type:`function`                Removes an analyzer from the analysis of a given file.
:bro:id:`Files::set_timeout_interval`: :bro:type:`function`           Sets the *timeout_interval* field of :bro:see:`fa_file`, which is
                                                                      used to determine the length of inactivity that is allowed for a file
                                                                      before internal state related to it is cleaned up.
:bro:id:`Files::stop`: :bro:type:`function`                           Stops/ignores any further analysis of a given file.
===================================================================== =====================================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: Files::disable

   :Type: :bro:type:`table` [:bro:type:`Files::Tag`] of :bro:type:`bool`
   :Attributes: :bro:attr:`&redef`
   :Default: ``{}``

   A table that can be used to disable file analysis completely for
   any files transferred over given network protocol analyzers.

.. bro:id:: Files::salt

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``"I recommend changing this."``

   The salt concatenated to unique file handle strings generated by
   :bro:see:`get_file_handle` before hashing them into a file id
   (the *id* field of :bro:see:`fa_file`).
   Provided to help mitigate the possibility of manipulating parts of
   network connections that factor into the file handle in order to
   generate two handles that would hash to the same file id.
   The default value is public, so the mitigation only applies once
   the salt is redefined to a site-specific value.

Types
#####
.. bro:type:: Files::AnalyzerArgs

   :Type: :bro:type:`record`

      chunk_event: :bro:type:`event` (f: :bro:type:`fa_file`, data: :bro:type:`string`, off: :bro:type:`count`) :bro:attr:`&optional`
         An event which will be generated for all new file contents,
         chunk-wise.  Used when *tag* (in the
         :bro:see:`Files::add_analyzer` function) is
         :bro:see:`Files::ANALYZER_DATA_EVENT`.

      stream_event: :bro:type:`event` (f: :bro:type:`fa_file`, data: :bro:type:`string`) :bro:attr:`&optional`
         An event which will be generated for all new file contents,
         stream-wise.  Used when *tag* is
         :bro:see:`Files::ANALYZER_DATA_EVENT`.

      extract_filename: :bro:type:`string` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/extract/main.bro` is loaded)

         The local filename to which to write an extracted file.
         This field is used in the core by the extraction plugin
         to know where to write the file to.  If not specified, then
         a filename in the format "extract-<source>-<id>" is
         automatically assigned (using the *source* and *id*
         fields of :bro:see:`fa_file`).

      extract_limit: :bro:type:`count` :bro:attr:`&default` = :bro:see:`FileExtract::default_limit` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/extract/main.bro` is loaded)

         The maximum allowed file size in bytes of *extract_filename*.
         Once reached, a :bro:see:`file_extraction_limit` event is
         raised and the analyzer will be removed unless
         :bro:see:`FileExtract::set_limit` is called to increase the
         limit.  A value of zero means "no limit".
   :Attributes: :bro:attr:`&redef`

   A structure which parameterizes a type of file analysis.

.. bro:type:: Files::Info

   :Type: :bro:type:`record`

      ts: :bro:type:`time` :bro:attr:`&log`
         The time when the file was first seen.

      fuid: :bro:type:`string` :bro:attr:`&log`
         An identifier associated with a single file.

      tx_hosts: :bro:type:`set` [:bro:type:`addr`] :bro:attr:`&default` = ``set()`` :bro:attr:`&optional` :bro:attr:`&log`
         If this file was transferred over a network
         connection this should show the host or hosts that
         the data sourced from.

      rx_hosts: :bro:type:`set` [:bro:type:`addr`] :bro:attr:`&default` = ``set()`` :bro:attr:`&optional` :bro:attr:`&log`
         If this file was transferred over a network
         connection this should show the host or hosts that
         the data traveled to.

      conn_uids: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&default` = ``set()`` :bro:attr:`&optional` :bro:attr:`&log`
         Connection UIDs over which the file was transferred.

      source: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         An identification of the source of the file data.  E.g. it
         may be a network protocol over which it was transferred, or a
         local file path which was read, or some other input source.

      depth: :bro:type:`count` :bro:attr:`&default` = ``0`` :bro:attr:`&optional` :bro:attr:`&log`
         A value to represent the depth of this file in relation 
         to its source.  In SMTP, it is the depth of the MIME
         attachment on the message.  In HTTP, it is the depth of the
         request within the TCP connection.

      analyzers: :bro:type:`set` [:bro:type:`string`] :bro:attr:`&default` = ``set()`` :bro:attr:`&optional` :bro:attr:`&log`
         A set of analysis types done during the file analysis.

      mime_type: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         A mime type provided by the strongest file magic signature
         match against the *bof_buffer* field of :bro:see:`fa_file`,
         or in the cases where no buffering of the beginning of file
         occurs, an initial guess of the mime type based on the first
         data seen.

      filename: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         A filename for the file if one is available from the source
         for the file.  These will frequently come from 
         "Content-Disposition" headers in network protocols.

      duration: :bro:type:`interval` :bro:attr:`&log` :bro:attr:`&default` = ``0 secs`` :bro:attr:`&optional`
         The duration the file was analyzed for.

      local_orig: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
         If the source of this file is a network connection, this field
         indicates if the data originated from the local network or not as
         determined by the configured :bro:see:`Site::local_nets`.

      is_orig: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&optional`
         If the source of this file is a network connection, this field
         indicates if the file is being sent by the originator of the
         connection or the responder.

      seen_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
         Number of bytes provided to the file analysis engine for the file.

      total_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&optional`
         Total number of bytes that are supposed to comprise the full file.

      missing_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
         The number of bytes in the file stream that were completely missed
         during analysis, e.g. due to dropped packets.

      overflow_bytes: :bro:type:`count` :bro:attr:`&log` :bro:attr:`&default` = ``0`` :bro:attr:`&optional`
         The number of bytes in the file stream that were delivered to
         file analyzers out of sequence due to reassembly buffer overflow.

      timedout: :bro:type:`bool` :bro:attr:`&log` :bro:attr:`&default` = ``F`` :bro:attr:`&optional`
         Whether the file analysis timed out at least once for the file.

      parent_fuid: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         Identifier associated with a container file from which this one was
         extracted as part of the file analysis.

      md5: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/hash/main.bro` is loaded)

         An MD5 digest of the file contents.

      sha1: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/hash/main.bro` is loaded)

         A SHA1 digest of the file contents.

      sha256: :bro:type:`string` :bro:attr:`&log` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/hash/main.bro` is loaded)

         A SHA256 digest of the file contents.

      x509: :bro:type:`X509::Info` :bro:attr:`&optional`
         (present if :doc:`/scripts/base/files/x509/main.bro` is loaded)

         Information about X509 certificates. This is used to keep
         certificate information until all events have been received.

      extracted: :bro:type:`string` :bro:attr:`&optional` :bro:attr:`&log`
         (present if :doc:`/scripts/base/files/extract/main.bro` is loaded)

         Local filename of extracted file.
   :Attributes: :bro:attr:`&redef`

   Contains all metadata related to the analysis of a given file.
   For the most part, fields here are derived from ones of the same name
   in :bro:see:`fa_file`.

.. bro:type:: Files::ProtoRegistration

   :Type: :bro:type:`record`

      get_file_handle: :bro:type:`function` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`) : :bro:type:`string`
         A callback to generate a file handle on demand when
         one is needed by the core.

      describe: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string` :bro:attr:`&default` = :bro:type:`function` :bro:attr:`&optional`
         A callback to "describe" a file.  In the case of an HTTP
         transfer the most obvious description would be the URL.
         It's like an extremely compressed version of the normal log.


Events
######
.. bro:id:: Files::log_files

   :Type: :bro:type:`event` (rec: :bro:type:`Files::Info`)

   Event that can be handled to access the Info record as it is sent on
   to the logging framework.
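
The following script is an added example, not part of ``base/frameworks/files/main.bro``. It redefines :bro:see:`Files::salt`, attaches a hash analyzer with :bro:see:`Files::add_analyzer`, and handles :bro:see:`Files::log_files` to flag records whose content reached the analyzers incompletely. The salt string is a constructed placeholder; the ``file_new`` event and ``Files::ANALYZER_SHA256`` come from the Bro core and the hash script rather than from this page.

```bro
# Added example: not code from the Bro distribution.
@load base/frameworks/files
@load base/files/hash

# Constructed placeholder; use a value private to the site.
redef Files::salt = "REPLACE-WITH-SITE-SPECIFIC-SECRET";

event file_new(f: fa_file)
	{
	# Request a SHA256 digest for every file the framework sees.
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

event Files::log_files(rec: Files::Info)
	{
	# Content-derived fields (digests, an extracted copy) describe the
	# whole file only if every byte was delivered, in order, before any
	# inactivity timeout fired.
	local incomplete = rec$missing_bytes > 0 ||
	                   rec$overflow_bytes > 0 ||
	                   rec$timedout;

	# total_bytes is optional: it is only set when the source announced
	# a length (for example via a protocol header).
	if ( rec?$total_bytes && rec$seen_bytes < rec$total_bytes )
		incomplete = T;

	if ( ! incomplete )
		return;

	print fmt("incomplete file %s source=%s sha256=%s seen=%d missing=%d overflow=%d timedout=%s",
	          rec$fuid,
	          rec?$source ? rec$source : "-",
	          rec?$sha256 ? rec$sha256 : "-",
	          rec$seen_bytes, rec$missing_bytes, rec$overflow_bytes,
	          rec$timedout);
	}
```

Records reported by this handler should not be treated as a clean miss when their digest is absent or fails to match a known-file hash list.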

Functions
#########
.. bro:id:: Files::add_analyzer

   :Type: :bro:type:`function` (f: :bro:type:`fa_file`, tag: :bro:type:`Files::Tag`, args: :bro:type:`Files::AnalyzerArgs` :bro:attr:`&default` = ``(coerce [] to record { ...``
email:vector of string; ip:vector of addr; other_fields:bool; }; basic_constraints:record { ca:bool; path_len:count; }; logcert:bool; }; extracted:string; }; u2_events:table[count] of record { sensor_id:count; event_id:count; ts:time; signature_id:count; generator_id:count; signature_revision:count; classification_id:count; priority_id:count; src_ip:addr; dst_ip:addr; src_p:port; dst_p:port; impact_flag:count; impact:count; blocked:count; mpls_label:count; vlan_id:count; packet_action:count; }; logcert:bool; }; data:string;); extract_filename:string; extract_limit:count; })`` :bro:attr:`&optional`) : :bro:type:`bool`

   Adds an analyzer to the analysis of a given file.
   

   :f: the file.
   

   :tag: the analyzer type.
   

   :args: any parameters the analyzer takes.
   

   :returns: true if the analyzer will be added, or false if analysis
            for the file isn't currently active or the *args*
            were invalid for the analyzer type.

.. bro:id:: Files::analyzer_name

   :Type: :bro:type:`function` (tag: :bro:type:`Files::Tag`) : :bro:type:`string`

   Translates a file analyzer enum value to a string with the
   analyzer's name.
   

   :tag: The analyzer tag.
   

   :returns: The analyzer name corresponding to the tag.

.. bro:id:: Files::describe

   :Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`string`

   Provides a text description regarding metadata of the file.
   For example, with HTTP it would return a URL.
   

   :f: The file to be described.
   

   :returns: a text description regarding metadata of the file.

.. bro:id:: Files::register_analyzer_add_callback

   :Type: :bro:type:`function` (tag: :bro:type:`Files::Tag`, callback: :bro:type:`function` (f: :bro:type:`fa_file`, args: :bro:type:`Files::AnalyzerArgs`) : :bro:type:`void`) : :bro:type:`void`

   Registers a callback that a file analyzer can use to perform some
   manipulation when it is being added to a file, before the core code
   takes over.  This is unlikely to be of interest to users; it is
   intended only for file analyzer authors, and even for them it is
   *not required*.
   

   :tag: Tag for the file analyzer.
   

   :callback: Function to execute when the given file analyzer is being added.

.. bro:id:: Files::register_protocol

   :Type: :bro:type:`function` (tag: :bro:type:`Analyzer::Tag`, reg: :bro:type:`Files::ProtoRegistration`) : :bro:type:`bool`

   Register callbacks for protocols that work with the Files framework.
   The callbacks must uniquely identify a file and each protocol can 
   only have a single callback registered for it.
   

   :tag: Tag for the protocol analyzer having a callback being registered.
   

   :reg: A :bro:see:`Files::ProtoRegistration` record.
   

   :returns: true if the protocol being registered was not previously registered.

.. bro:id:: Files::remove_analyzer

   :Type: :bro:type:`function` (f: :bro:type:`fa_file`, tag: :bro:type:`Files::Tag`, args: :bro:type:`Files::AnalyzerArgs` :bro:attr:`&default` = ``(coerce [] to Files::AnalyzerArgs)`` :bro:attr:`&optional`) : :bro:type:`bool`

   Removes an analyzer from the analysis of a given file.
   

   :f: the file.
   

   :tag: the analyzer type.
   

   :args: the analyzer (type and args) to remove.
   

   :returns: true if the analyzer will be removed, or false if analysis
            for the file isn't currently active.

.. bro:id:: Files::set_timeout_interval

   :Type: :bro:type:`function` (f: :bro:type:`fa_file`, t: :bro:type:`interval`) : :bro:type:`bool`

   Sets the *timeout_interval* field of :bro:see:`fa_file`, which is
   used to determine the length of inactivity that is allowed for a file
   before internal state related to it is cleaned up.  When used within
   a :bro:see:`file_timeout` handler, the analysis will delay timing out
   again for the period specified by *t*.
   

   :f: the file.
   

   :t: the amount of time the file can remain inactive before discarding.
   

   :returns: true if the timeout interval was set, or false if analysis
            for the file isn't currently active.

.. bro:id:: Files::stop

   :Type: :bro:type:`function` (f: :bro:type:`fa_file`) : :bro:type:`bool`

   Stops/ignores any further analysis of a given file.
   

   :f: the file.
   

   :returns: true if analysis for the given file will be ignored for the
            rest of its contents, or false if analysis for the file
            isn't currently active.
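
The following script is an added example, not part of ``main.bro``. It shows how ``Files::add_analyzer``, ``Files::stop``, ``Files::set_timeout_interval`` and ``Files::describe`` fit together in a detection policy. The MIME-type sets, the byte cap and the ``extended`` table are assumptions made for illustration, and the script assumes ``f$mime_type`` is already populated when ``file_new`` fires.

```bro
# Added example: hash and extract selected file types, skip bulky ones,
# and give slow transfers one timeout extension.

# Assumed policy: MIME types worth hashing and extracting.
const watch_mime_types: set[string] = {
	"application/x-dosexec",
	"application/pdf",
} &redef;

# Assumed policy: MIME types not worth any further analysis.
const skip_mime_types: set[string] = {
	"video/mp4",
	"video/x-flv",
} &redef;

# Hypothetical cap on bytes written to disk per extracted file (10 MiB).
const max_extract_bytes: count = 10485760 &redef;

# File ids whose inactivity timeout has already been extended once.
global extended: set[string];

event file_new(f: fa_file)
	{
	if ( ! f?$mime_type )
		return;

	if ( f$mime_type in skip_mime_types )
		{
		# Files::stop returns F if analysis is no longer active.
		Files::stop(f);
		return;
		}

	if ( f$mime_type !in watch_mime_types )
		return;

	# No args needed for the hash analyzer; the default AnalyzerArgs is used.
	if ( ! Files::add_analyzer(f, Files::ANALYZER_SHA256) )
		print fmt("could not attach SHA256 to %s", f$id);

	# The extraction analyzer is parameterized through AnalyzerArgs.
	# Capping extract_limit bounds disk use for oversized transfers.
	local args: Files::AnalyzerArgs = [$extract_filename=fmt("%s.bin", f$id),
	                                   $extract_limit=max_extract_bytes];

	if ( ! Files::add_analyzer(f, Files::ANALYZER_EXTRACT, args) )
		print fmt("could not attach EXTRACT to %s", f$id);
	}

event file_timeout(f: fa_file)
	{
	# Extend only once so that stalled transfers are still cleaned up.
	if ( f$id in extended )
		return;

	add extended[f$id];

	if ( Files::set_timeout_interval(f, 2 min) )
		print fmt("extended timeout for %s (%s)", f$id, Files::describe(f));
	}

event file_state_remove(f: fa_file)
	{
	# Drop bookkeeping when the framework discards the file's state.
	delete extended[f$id];
	}
```

Checking the boolean return values matters here: a ``false`` from ``Files::add_analyzer`` means the file will be logged without the hash or extracted copy that downstream detection expects.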


