Remove the Stepping Stone analyzer

This commit removes the stepping stone analyzer. It has been deactivated
by default since at least Zeek 2.0, is dysfunctional in cluster settings
and has a bunch of other issued.

Relates to GH-1573

scripts/base/frameworks/analyzer/main.zeek

@@ -124,7 +124,6 @@ export {
 	## A set of analyzers to disable by default at startup. The default set
 	## contains legacy analyzers that are no longer supported.
 	global disabled_analyzers: set[Analyzer::Tag] = {
-		ANALYZER_STEPPINGSTONE,
 		ANALYZER_TCPSTATS,
 	} &redef;
 }

scripts/base/init-bare.zeek

@@ -4118,15 +4118,6 @@ type PE::SectionHeader: record {
 }
 module GLOBAL;
 
-## Internal to the stepping stone detector.
-const stp_delta: interval &redef;
-
-## Internal to the stepping stone detector.
-const stp_idle_min: interval &redef;
-
-## Internal to the stepping stone detector.
-global stp_skip_src: set[addr] &redef;
-
 ## Description of a signature match.
 ##
 ## .. zeek:see:: signature_match

src/NetVar.cc

@@ -157,9 +157,6 @@ int dns_skip_all_auth;
 int dns_skip_all_addl;
 int dns_max_queries;
 
-double stp_delta;
-double stp_idle_min;
-
 double table_expire_interval;
 double table_expire_delay;
 int table_incremental_step;
@@ -312,11 +309,6 @@ void init_net_var()
 	dns_skip_all_addl = id::find_val("dns_skip_all_addl")->AsBool();
 	dns_max_queries = id::find_val("dns_max_queries")->AsCount();
 
-	stp_delta = 0.0;
-	if ( const auto& v = id::find_val("stp_delta") ) stp_delta = v->AsInterval();
-	stp_idle_min = 0.0;
-	if ( const auto& v = id::find_val("stp_idle_min") ) stp_delta = v->AsInterval();
-
 	orig_addr_anonymization = 0;
 	if ( const auto& id = id::find("orig_addr_anonymization") )
 		if ( const auto& v = id->GetVal() )

src/NetVar.h

@@ -59,8 +59,6 @@ extern int dns_skip_all_auth;
 extern int dns_skip_all_addl;
 extern int dns_max_queries;
 
-extern double stp_delta;
-extern double stp_idle_min;
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;

src/RunState.cc

@@ -37,7 +37,6 @@ extern "C" {
 #include "zeek/plugin/Manager.h"
 #include "zeek/broker/Manager.h"
 #include "zeek/packet_analysis/Manager.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
 
 extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
@@ -46,8 +45,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
 static double last_watchdog_proc_time = 0.0;	// value of above during last watchdog
 extern int signal_val;
 
-using namespace zeek::analyzer::stepping_stone;
-
 namespace zeek::run_state {
 namespace detail {
 
@@ -197,9 +194,6 @@ void init_run(const std::optional<std::string>& interface,
 
 	session_mgr = new session::Manager();
 
-	// Initialize the stepping stone manager. We intentionally throw away the result here.
-	SteppingStoneManager::Get();
-
 	if ( do_watchdog )
 		{
 		// Set up the watchdog to make sure we don't wedge.
@@ -414,7 +408,6 @@ void delete_run()
 	util::detail::set_processing_status("TERMINATING", "delete_run");
 
 	delete session_mgr;
-	delete SteppingStoneManager::Get();
 
 	for ( int i = 0; i < zeek::detail::NUM_ADDR_ANONYMIZATION_METHODS; ++i )
 		delete zeek::detail::ip_anonymizer[i];

src/analyzer/Manager.cc

@@ -9,7 +9,6 @@
 
 #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
 #include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
 #include "zeek/analyzer/protocol/tcp/TCP.h"
 #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
 #include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"

src/analyzer/protocol/CMakeLists.txt

@@ -40,7 +40,6 @@ add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)
-add_subdirectory(stepping-stone)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)

src/analyzer/protocol/stepping-stone/CMakeLists.txt

@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek SteppingStone)
-zeek_plugin_cc(SteppingStone.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()

src/analyzer/protocol/stepping-stone/Plugin.cc

@@ -1,22 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
-
-namespace zeek::plugin::detail::Zeek_SteppingStone {
-
-class Plugin : public zeek::plugin::Plugin {
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::SteppingStone";
-		config.description = "Stepping stone analyzer";
-		return config;
-		}
-} plugin;
-
-} // namespace zeek::plugin::detail::Zeek_SteppingStone

src/analyzer/protocol/stepping-stone/SteppingStone.cc

@@ -1,227 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/zeek-config.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
-
-#include <stdlib.h>
-
-#include "zeek/Event.h"
-#include "zeek/RunState.h"
-#include "zeek/NetVar.h"
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-#include "zeek/util.h"
-
-#include "zeek/analyzer/protocol/stepping-stone/events.bif.h"
-
-namespace zeek::analyzer::stepping_stone {
-
-SteppingStoneManager* SteppingStoneManager::instance = nullptr;
-
-SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m)
-	{
-	endp = e;
-	stp_max_top_seq = 0;
-	stp_last_time = stp_resume_time = 0.0;
-	stp_manager = m;
-	stp_id = stp_manager->NextID();
-
-	CreateEndpEvent(e->IsOrig());
-
-	// Make sure the connection does not get deleted.
-	Ref(endp->TCP()->Conn());
-	}
-
-SteppingStoneEndpoint::~SteppingStoneEndpoint()
-	{
-	Unref(endp->TCP()->Conn());
-	}
-
-void SteppingStoneEndpoint::Done()
-	{
-	if ( RefCnt() > 1 )
-		return;
-
-	SteppingStoneEndpoint* ep;
-
-	for ( const auto& entry : stp_inbound_endps )
-		{
-		ep = entry.second;
-		ep->stp_outbound_endps.erase(stp_id);
-		Event(stp_remove_pair, ep->stp_id, stp_id);
-		Unref(ep);
-		}
-
-	for ( const auto& entry : stp_outbound_endps )
-		{
-		ep = entry.second;
-		ep->stp_inbound_endps.erase(stp_id);
-		Event(stp_remove_pair, stp_id, ep->stp_id);
-		Unref(ep);
-		}
-
-	Event(stp_remove_endp, stp_id);
-	}
-
-bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen,
-                                     const u_char* data, const IP_Hdr* /* ip */,
-                                     const struct tcphdr* tp)
-	{
-	if ( caplen < len )
-		len = caplen;
-
-	if ( len <= 0 )
-		return false;
-
-	double tmin = t - zeek::detail::stp_delta;
-
-	while ( ! stp_manager->OrderedEndpoints().empty() )
-		{
-	    auto e = stp_manager->OrderedEndpoints().front();
-
-		if ( e->stp_resume_time < tmin )
-			{
-			stp_manager->OrderedEndpoints().pop_front();
-			e->Done();
-			Unref(e);
-			}
-		else
-			break;
-		}
-
-	uint64_t ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
-	uint64_t top_seq = seq + len;
-
-	if ( top_seq <= ack || top_seq <= stp_max_top_seq )
-		// There is no new data in this packet
-		return false;
-
-	stp_max_top_seq = top_seq;
-
-	if ( stp_last_time && t <= stp_last_time + zeek::detail::stp_idle_min )
-		{
-		stp_last_time = t;
-		return true;
-		}
-
-	// Either just starts, or resumes from an idle period.
-	stp_last_time = stp_resume_time = t;
-
-	Event(stp_resume_endp, stp_id);
-	for ( auto ep : stp_manager->OrderedEndpoints() )
-		{
-		if ( ep->endp->TCP() != endp->TCP() )
-			{
-			Ref(ep);
-			Ref(this);
-
-			stp_inbound_endps[ep->stp_id] = ep;
-			ep->stp_outbound_endps[stp_id] = this;
-
-			Event(stp_correlate_pair, ep->stp_id, stp_id);
-			}
-
-		else
-			{ // ep and this belong to same connection
-			}
-		}
-
-	stp_manager->OrderedEndpoints().push_back(this);
-	Ref(this);
-
-	return true;
-	}
-
-void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
-	{
-	if ( ! f )
-		return;
-
-	if ( id2 >= 0 )
-		endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1), val_mgr->Int(id2));
-	else
-		endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1));
-	}
-
-void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
-	{
-	if ( ! stp_create_endp )
-		return;
-
-	endp->TCP()->EnqueueConnEvent(stp_create_endp,
-		endp->TCP()->ConnVal(),
-		val_mgr->Int(stp_id),
-		val_mgr->Bool(is_orig)
-	);
-	}
-
-SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
-	: analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
-	{
-	stp_manager = SteppingStoneManager::Get();
-
-	orig_endp = resp_endp = nullptr;
-	orig_stream_pos = resp_stream_pos = 1;
-	}
-
-void SteppingStone_Analyzer::Init()
-	{
-	analyzer::tcp::TCP_ApplicationAnalyzer::Init();
-
-	assert(TCP());
-	orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager);
-	resp_endp = new SteppingStoneEndpoint(TCP()->Resp(), stp_manager);
-	}
-
-void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
-                                           bool is_orig, uint64_t seq,
-                                           const IP_Hdr* ip, int caplen)
-	{
-	analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
-	                                                            ip, caplen);
-
-	if ( is_orig )
-		orig_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr);
-	else
-		resp_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr);
-	}
-
-void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
-                                           bool is_orig)
-	{
-	analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
-
-	if ( is_orig )
-		{
-		orig_endp->DataSent(run_state::network_time, orig_stream_pos, len, len,
-		                    data, nullptr, nullptr);
-		orig_stream_pos += len;
-		}
-
-	else
-		{
-		resp_endp->DataSent(run_state::network_time, resp_stream_pos, len, len,
-		                    data, nullptr, nullptr);
-		resp_stream_pos += len;
-		}
-	}
-
-void SteppingStone_Analyzer::Done()
-	{
-	analyzer::tcp::TCP_ApplicationAnalyzer::Done();
-
-	orig_endp->Done();
-	resp_endp->Done();
-
-	Unref(orig_endp);
-	Unref(resp_endp);
-	}
-
-SteppingStoneManager* SteppingStoneManager::Get()
-	{
-	if ( ! instance && stp_correlate_pair )
-		instance = new SteppingStoneManager();
-
-	return instance;
-	}
-
-} // namespace zeek::analyzer::stepping_stone

src/analyzer/protocol/stepping-stone/SteppingStone.h

@@ -1,91 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include <deque>
-
-#include "zeek/analyzer/protocol/tcp/TCP.h"
-
-namespace zeek {
-
-namespace analyzer::stepping_stone {
-
-class SteppingStoneEndpoint;
-class SteppingStoneManager;
-
-class SteppingStoneEndpoint : public Obj {
-public:
-	SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m);
-	~SteppingStoneEndpoint() override;
-	void Done();
-
-	bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
-	              const IP_Hdr* ip, const struct tcphdr* tp);
-
-protected:
-	void Event(EventHandlerPtr f, int id1, int id2 = -1);
-	void CreateEndpEvent(bool is_orig);
-
-	analyzer::tcp::TCP_Endpoint* endp;
-	uint64_t stp_max_top_seq;
-	double stp_last_time;
-	double stp_resume_time;
-	SteppingStoneManager* stp_manager;
-
-	// Hashes for inbound/outbound endpoints that are correlated
-	// at least once with this endpoint.  They are necessary for
-	// removing correlated endpoint pairs in Bro, since there is
-	// no LOOP in Bro language.
-	int stp_id;
-	std::map<int, SteppingStoneEndpoint*> stp_inbound_endps;
-	std::map<int, SteppingStoneEndpoint*> stp_outbound_endps;
-};
-
-class SteppingStone_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
-public:
-	explicit SteppingStone_Analyzer(Connection* c);
-	~SteppingStone_Analyzer() override {};
-
-	void Init() override;
-	void Done() override;
-
-	static analyzer::Analyzer* Instantiate(Connection* conn)
-		{ return new SteppingStone_Analyzer(conn); }
-
-protected:
-	// We support both packet and stream input and can be put in place even
-	// if the TCP analyzer is not yet reassebmling.
-	void DeliverPacket(int len, const u_char* data, bool is_orig,
-	                   uint64_t seq, const IP_Hdr* ip, int caplen) override;
-	void DeliverStream(int len, const u_char* data, bool is_orig) override;
-
-	int orig_stream_pos;
-	int resp_stream_pos;
-
-	SteppingStoneManager* stp_manager;
-	SteppingStoneEndpoint* orig_endp;
-	SteppingStoneEndpoint* resp_endp;
-};
-
-// Manages ids for the possible stepping stone connections.
-class SteppingStoneManager {
-public:
-
-	using EndpointQueue = std::deque<SteppingStoneEndpoint*>;
-
-	EndpointQueue& OrderedEndpoints()	{ return ordered_endps; }
-
-	// Use postfix ++, since the first ID needs to be even.
-	int NextID()	{ return endp_cnt++; }
-
-	static SteppingStoneManager* Get();
-
-protected:
-	EndpointQueue ordered_endps;
-	int endp_cnt = 0;
-
-	static SteppingStoneManager* instance;
-};
-
-} // namespace analyzer::stepping_stone
-} // namespace zeek

src/analyzer/protocol/stepping-stone/events.bif

@@ -1,17 +0,0 @@
-## Deprecated. Will be removed.
-event stp_create_endp%(c: connection, e: int, is_orig: bool%);
-
-# ##### Internal events. Not further documented.
-
-## Event internal to the stepping stone detector.
-event stp_resume_endp%(e: int%);
-
-## Event internal to the stepping stone detector.
-event stp_correlate_pair%(e1: int, e2: int%);
-
-## Event internal to the stepping stone detector.
-event stp_remove_pair%(e1: int, e2: int%);
-
-## Event internal to the stepping stone detector.
-event stp_remove_endp%(e: int%);
-

src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc

@@ -10,7 +10,6 @@
 #include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
 #include "zeek/analyzer/protocol/pia/PIA.h"
-#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
 #include "zeek/analyzer/protocol/conn-size/ConnSize.h"
 #include "zeek/packet_analysis/protocol/tcp/TCP.h"
 
@@ -1604,7 +1603,6 @@ bool TCPSessionAdapter::IsReuse(double t, const u_char* pkt)
 void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 	{
 	static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
-	static analyzer::Tag analyzer_stepping = analyzer_mgr->GetComponentTag("STEPPINGSTONE");
 	static analyzer::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS");
 
 	// We have to decide whether to reassamble the stream.
@@ -1634,24 +1632,6 @@ void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 	if ( reass )
 		EnableReassembly();
 
-	if ( analyzer_mgr->IsEnabled(analyzer_stepping) )
-		{
-		// Add a SteppingStone analyzer if requested.  The port
-		// should really not be hardcoded here, but as it can
-		// handle non-reassembled data, it doesn't really fit into
-		// our general framing ...  Better would be to turn it
-		// on *after* we discover we have interactive traffic.
-		uint16_t resp_port = ntohs(Conn()->RespPort());
-		if ( resp_port == 22 || resp_port == 23 || resp_port == 513 )
-			{
-			static auto stp_skip_src = id::find_val<TableVal>("stp_skip_src");
-			auto src = make_intrusive<AddrVal>(Conn()->OrigAddr());
-
-			if ( ! stp_skip_src->FindOrDefault(src) )
-				AddChildAnalyzer(new analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
-			}
-		}
-
 	if ( analyzer_mgr->IsEnabled(analyzer_tcpstats) )
 		// Add TCPStats analyzer. This needs to see packets so
 		// we cannot add it as a normal child.

src/session/Manager.cc

@@ -26,8 +26,6 @@
 #include "zeek/iosource/IOSource.h"
 #include "zeek/packet_analysis/Manager.h"
 
-#include "zeek/analyzer/protocol/stepping-stone/events.bif.h"
-
 zeek::session::Manager* zeek::session_mgr = nullptr;
 zeek::session::Manager*& zeek::sessions = zeek::session_mgr;
 

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -1,5 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
@@ -66,7 +65,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
@@ -776,7 +774,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
@@ -1032,7 +1029,6 @@
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
-0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
@@ -1099,7 +1095,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
@@ -1809,7 +1804,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
@@ -2065,7 +2059,6 @@
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
@@ -2132,7 +2125,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
@@ -2841,7 +2833,6 @@
 0.000000 | HookLoadFile  ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SteppingStone.events.bif.zeek <...>/Zeek_SteppingStone.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek