Merge pull request #1708 in SNORT/snort3 from ~KATHARVE/snort3:file_event to master

Squashed commit of the following:

commit ae5ed70fc70d303bea716effcd6d4a66fb6d05a8
Author: Katura Harvey <katharve@cisco.com>
Date:   Fri Aug 2 13:46:19 2019 -0400

    file_api: generate events each time file is seen, not just first time

diff --git a/src/file_api/file_cache.cc b/src/file_api/file_cache.cc
index 3d7a018452b08afa73efc4ce5ed261bd0b8e0044..ea25c488f8b8a231531f8c56273d75e842e2c7cd 100644 (file)
--- a/src/file_api/file_cache.cc
+++ b/src/file_api/file_cache.cc
@@ -350,7 +350,10 @@ bool FileCache::apply_verdict(Packet* p, FileContext* file_ctx, FileVerdict verd
     }
 
     if (resume)
+    {
+        file_ctx->log_file_event(flow, policy);
         policy->log_file_action(flow, file_ctx, FILE_RESUME_BLOCK);
+    }
     else
         store_verdict(flow, file_ctx, block_timeout);
 
@@ -375,6 +378,8 @@ FileVerdict FileCache::cached_verdict_lookup(Packet* p, FileInfo* file,
         /*Query the file policy in case verdict has been changed*/
         verdict = check_verdict(p, file_found, policy);
         apply_verdict(p, file_found, verdict, true, policy);
+        // Update the current file context from cached context
+        *file = *(FileInfo*)file_found;
     }
 
     return verdict;