diff --git a/CHANGES b/CHANGES
index e04b3b91d9..15d1ab96b3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,10 @@
+2.6-164 | 2019-03-15 19:45:48 -0700
+
+ * Migrate table-based for-loops to key-value iteration (Jon Siwek, Corelight)
+
+ * GH-154: Extend for-loops to allow iteration over a table's key-value pairs (Zeke Medley)
+
2.6-161 | 2019-03-15 12:59:31 -0700
* Fix SSH remote_location geo-data not being logged for successful authNs. (Michael Dopheide)
diff --git a/NEWS b/NEWS
index e11423109e..e28c17b7dc 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,17 @@ New Functionality
- Support for decapsulating VXLAN tunnels.
+- The for-loop syntax now allows for iterating over key-value pairs of tables.
+ Previously, a separate lookup within the loop was required to obtain the
+ value at a given index/key, but now this works::
+
+ local t: table[count] of string = table();
+ t[1] = "hello";
+ t[55] = "goodbye";
+
+ for ( key, value in t )
+ print key, value;
+
Changed Functionality
---------------------
diff --git a/VERSION b/VERSION
index b7ffe7a8c7..241ffcb800 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.6-161
+2.6-164
diff --git a/scripts/base/files/unified2/main.bro b/scripts/base/files/unified2/main.bro
index 9d9ef15d79..4670ff35c1 100644
--- a/scripts/base/files/unified2/main.bro
+++ b/scripts/base/files/unified2/main.bro
@@ -289,9 +289,9 @@ event file_state_remove(f: fa_file)
{
# In case any events never had matching packets, flush
# the extras to the log.
- for ( i in f$u2_events )
+ for ( i, ev in f$u2_events )
{
- Log::write(LOG, create_info(f$u2_events[i]));
+ Log::write(LOG, create_info(ev));
}
}
}
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro
index c23a123cfd..2d492454d4 100644
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@@ -340,10 +340,8 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=
event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=10
{
- for ( node_name in nodes )
+ for ( node_name, n in nodes )
{
- local n = nodes[node_name];
-
if ( n?$id && n$id == endpoint$id )
{
Cluster::log(fmt("node down: %s", node_name));
diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro
index a027fac818..8f4e92b922 100644
--- a/scripts/base/frameworks/cluster/pools.bro
+++ b/scripts/base/frameworks/cluster/pools.bro
@@ -246,10 +246,8 @@ event Cluster::node_down(name: string, id: string) &priority=10
function site_id_in_pool(pool: Pool, site_id: count): bool
{
- for ( i in pool$nodes )
+ for ( i, pn in pool$nodes )
{
- local pn = pool$nodes[i];
-
if ( pn$site_id == site_id )
return T;
}
@@ -395,10 +393,8 @@ event bro_init() &priority=-5
pet$excluded += pool$spec$max_nodes;
}
- for ( nt in pool_eligibility )
+ for ( nt, pet in pool_eligibility )
{
- pet = pool_eligibility[nt];
-
if ( pet$excluded > |pet$eligible_nodes| )
Reporter::fatal(fmt("not enough %s nodes to satisfy pool exclusivity requirements: need %d nodes", nt, pet$excluded));
}
diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro
index dc7e71ecdf..2f9dbfc720 100644
--- a/scripts/base/frameworks/config/main.bro
+++ b/scripts/base/frameworks/config/main.bro
@@ -159,9 +159,9 @@ event bro_init() &priority=10
# Iterate over all existing options and add ourselves as change handlers
# with a low priority so that we can log the changes.
local gids = global_ids();
- for ( i in gids )
+ for ( i, gid in gids )
{
- if ( ! gids[i]$option_value )
+ if ( ! gid$option_value )
next;
Option::set_change_handler(i, config_option_changed, -100);
diff --git a/scripts/base/frameworks/intel/files.bro b/scripts/base/frameworks/intel/files.bro
index 74fd156520..d292693d66 100644
--- a/scripts/base/frameworks/intel/files.bro
+++ b/scripts/base/frameworks/intel/files.bro
@@ -53,8 +53,8 @@ hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=6
if ( s$f?$conns && |s$f$conns| == 1 )
{
- for ( cid in s$f$conns )
- s$conn = s$f$conns[cid];
+ for ( cid, c in s$f$conns )
+ s$conn = c;
}
if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro
index 1f4f7afe23..592d2b1027 100644
--- a/scripts/base/frameworks/intel/main.bro
+++ b/scripts/base/frameworks/intel/main.bro
@@ -235,8 +235,8 @@ function expire_host_data(data: table[addr] of MetaDataTable, idx: addr): interv
{
local meta_tbl: MetaDataTable = data[idx];
local metas: set[MetaData];
- for ( src in meta_tbl )
- add metas[meta_tbl[src]];
+ for ( src, md in meta_tbl )
+ add metas[md];
return expire_item(cat(idx), ADDR, metas);
}
@@ -245,8 +245,8 @@ function expire_subnet_data(data: table[subnet] of MetaDataTable, idx: subnet):
{
local meta_tbl: MetaDataTable = data[idx];
local metas: set[MetaData];
- for ( src in meta_tbl )
- add metas[meta_tbl[src]];
+ for ( src, md in meta_tbl )
+ add metas[md];
return expire_item(cat(idx), SUBNET, metas);
}
@@ -259,8 +259,8 @@ function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any
local meta_tbl: MetaDataTable = data[indicator, indicator_type];
local metas: set[MetaData];
- for ( src in meta_tbl )
- add metas[meta_tbl[src]];
+ for ( src, md in meta_tbl )
+ add metas[md];
return expire_item(indicator, indicator_type, metas);
}
@@ -306,20 +306,19 @@ function get_items(s: Seen): set[Item]
if ( s$host in data_store$host_data )
{
mt = data_store$host_data[s$host];
- for ( m in mt )
+ for ( m, md in mt )
{
- add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=mt[m])];
+ add return_data[Item($indicator=cat(s$host), $indicator_type=ADDR, $meta=md)];
}
}
# See if the host is part of a known subnet, which has meta values
local nets: table[subnet] of MetaDataTable;
nets = filter_subnet_table(addr_to_subnet(s$host), data_store$subnet_data);
- for ( n in nets )
+ for ( n, mt in nets )
{
- mt = nets[n];
- for ( m in mt )
+ for ( m, md in mt )
{
- add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=mt[m])];
+ add return_data[Item($indicator=cat(n), $indicator_type=SUBNET, $meta=md)];
}
}
}
@@ -330,9 +329,9 @@ function get_items(s: Seen): set[Item]
if ( [lower_indicator, s$indicator_type] in data_store$string_data )
{
mt = data_store$string_data[lower_indicator, s$indicator_type];
- for ( m in mt )
+ for ( m, md in mt )
{
- add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=mt[m])];
+ add return_data[Item($indicator=s$indicator, $indicator_type=s$indicator_type, $meta=md)];
}
}
}
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro
index f4c3f64b42..881e5d7467 100644
--- a/scripts/base/frameworks/notice/main.bro
+++ b/scripts/base/frameworks/notice/main.bro
@@ -569,10 +569,10 @@ function create_file_info(f: fa_file): Notice::FileInfo
fi$mime = f$info$mime_type;
if ( f?$conns && |f$conns| == 1 )
- for ( id in f$conns )
+ for ( id, c in f$conns )
{
fi$cid = id;
- fi$cuid = f$conns[id]$uid;
+ fi$cuid = c$uid;
}
return fi;
diff --git a/scripts/base/frameworks/packet-filter/main.bro b/scripts/base/frameworks/packet-filter/main.bro
index 8a9cb4eb98..9657f14c44 100644
--- a/scripts/base/frameworks/packet-filter/main.bro
+++ b/scripts/base/frameworks/packet-filter/main.bro
@@ -162,16 +162,16 @@ event bro_init() &priority=5
Log::create_stream(PacketFilter::LOG, [$columns=Info, $path="packet_filter"]);
# Preverify the capture and restrict filters to give more granular failure messages.
- for ( id in capture_filters )
+ for ( id, cf in capture_filters )
{
- if ( ! test_filter(capture_filters[id]) )
- Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, capture_filters[id]));
+ if ( ! test_filter(cf) )
+ Reporter::fatal(fmt("Invalid capture_filter named '%s' - '%s'", id, cf));
}
- for ( id in restrict_filters )
+ for ( id, rf in restrict_filters )
{
if ( ! test_filter(restrict_filters[id]) )
- Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, restrict_filters[id]));
+ Reporter::fatal(fmt("Invalid restrict filter named '%s' - '%s'", id, rf));
}
}
@@ -234,20 +234,20 @@ function build(): string
if ( |capture_filters| == 0 && ! enable_auto_protocol_capture_filters )
cfilter = default_capture_filter;
- for ( id in capture_filters )
- cfilter = combine_filters(cfilter, "or", capture_filters[id]);
+ for ( id, cf in capture_filters )
+ cfilter = combine_filters(cfilter, "or", cf);
if ( enable_auto_protocol_capture_filters )
cfilter = combine_filters(cfilter, "or", Analyzer::get_bpf());
# Apply the restriction filters.
local rfilter = "";
- for ( id in restrict_filters )
- rfilter = combine_filters(rfilter, "and", restrict_filters[id]);
+ for ( id, rf in restrict_filters )
+ rfilter = combine_filters(rfilter, "and", rf);
# Apply the dynamic restriction filters.
- for ( filt in dynamic_restrict_filters )
- rfilter = combine_filters(rfilter, "and", string_cat("not (", dynamic_restrict_filters[filt], ")"));
+ for ( filt, drf in dynamic_restrict_filters )
+ rfilter = combine_filters(rfilter, "and", string_cat("not (", drf, ")"));
# Finally, join them into one filter.
local filter = combine_filters(cfilter, "and", rfilter);
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro
index 69a853fd5a..a37877f7e8 100644
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@@ -300,17 +300,17 @@ function compose_results(r1: Result, r2: Result): Result
{
local result: Result = table();
- for ( id in r1 )
+ for ( id, rv in r1 )
{
- result[id] = r1[id];
+ result[id] = rv;
}
- for ( id in r2 )
+ for ( id, rv in r2 )
{
if ( id in r1 )
- result[id] = compose_resultvals(r1[id], r2[id]);
+ result[id] = compose_resultvals(r1[id], rv);
else
- result[id] = r2[id];
+ result[id] = rv;
}
return result;
diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro
index 100e8dad4a..b4292431c5 100644
--- a/scripts/base/frameworks/sumstats/non-cluster.bro
+++ b/scripts/base/frameworks/sumstats/non-cluster.bro
@@ -8,9 +8,9 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable)
local i = 50;
local keys_to_delete: vector of SumStats::Key = vector();
- for ( key in data )
+ for ( key, res in data )
{
- ss$epoch_result(now, key, data[key]);
+ ss$epoch_result(now, key, res);
keys_to_delete += key;
if ( --i == 0 )
@@ -37,8 +37,8 @@ event SumStats::finish_epoch(ss: SumStat)
local now = network_time();
if ( bro_is_terminating() )
{
- for ( key in data )
- ss$epoch_result(now, key, data[key]);
+ for ( key, val in data )
+ ss$epoch_result(now, key, val);
if ( ss?$epoch_finished )
ss$epoch_finished(now);
diff --git a/scripts/base/protocols/dce-rpc/main.bro b/scripts/base/protocols/dce-rpc/main.bro
index e73bfa4b2b..7013ae15e9 100644
--- a/scripts/base/protocols/dce-rpc/main.bro
+++ b/scripts/base/protocols/dce-rpc/main.bro
@@ -215,9 +215,8 @@ event connection_state_remove(c: connection)
return;
# TODO: Go through any remaining dce_rpc requests that haven't been processed with replies.
- for ( i in c$dce_rpc_backing )
+ for ( i, x in c$dce_rpc_backing )
{
- local x = c$dce_rpc_backing[i];
set_state(c, x);
# In the event that the binding wasn't seen, but the pipe
diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro
index 2a49e332d7..f8e655d826 100644
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@@ -184,9 +184,9 @@ function log_unmatched_msgs_queue(q: Queue::Queue)
function log_unmatched_msgs(msgs: PendingMessages)
{
- for ( trans_id in msgs )
+ for ( trans_id, q in msgs )
{
- log_unmatched_msgs_queue(msgs[trans_id]);
+ log_unmatched_msgs_queue(q);
}
clear_table(msgs);
@@ -285,8 +285,8 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5
else
{
# Just pick an arbitrary, unpaired query.
- for ( trans_id in c$dns_state$pending_queries )
- if ( Queue::len(c$dns_state$pending_queries[trans_id]) > 0 )
+ for ( trans_id, q in c$dns_state$pending_queries )
+ if ( Queue::len(q) > 0 )
{
c$dns_state$pending_query = pop_msg(c$dns_state$pending_queries, trans_id);
break;
diff --git a/scripts/base/protocols/ftp/files.bro b/scripts/base/protocols/ftp/files.bro
index c114f11c8d..e84eda7a5a 100644
--- a/scripts/base/protocols/ftp/files.bro
+++ b/scripts/base/protocols/ftp/files.bro
@@ -37,10 +37,10 @@ function describe_file(f: fa_file): string
if ( f$source != "FTP" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$ftp )
- return FTP::describe(f$conns[cid]$ftp);
+ if ( c?$ftp )
+ return FTP::describe(c$ftp);
}
return "";
}
diff --git a/scripts/base/protocols/ftp/main.bro b/scripts/base/protocols/ftp/main.bro
index b3eaf79370..9b64345a12 100644
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@@ -295,9 +295,9 @@ event connection_state_remove(c: connection) &priority=-5
{
if ( ! c?$ftp ) return;
- for ( ca in c$ftp$pending_commands )
+ for ( ca, cmdarg in c$ftp$pending_commands )
{
- c$ftp$cmdarg = c$ftp$pending_commands[ca];
+ c$ftp$cmdarg = cmdarg;
ftp_message(c$ftp);
}
}
diff --git a/scripts/base/protocols/ftp/utils-commands.bro b/scripts/base/protocols/ftp/utils-commands.bro
index 0ee1635b4a..67c52e62e4 100644
--- a/scripts/base/protocols/ftp/utils-commands.bro
+++ b/scripts/base/protocols/ftp/utils-commands.bro
@@ -91,9 +91,8 @@ function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string):
local best_seq = 0;
local best_score: int = -1;
- for ( cmd_seq in pc )
+ for ( cmd_seq, cmd in pc )
{
- local cmd = pc[cmd_seq];
local score: int = 0;
# if the command is compatible with the reply code
diff --git a/scripts/base/protocols/http/files.bro b/scripts/base/protocols/http/files.bro
index 840b5a2372..078c6d2e66 100644
--- a/scripts/base/protocols/http/files.bro
+++ b/scripts/base/protocols/http/files.bro
@@ -40,10 +40,10 @@ function describe_file(f: fa_file): string
if ( f$source != "HTTP" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$http )
- return build_url_http(f$conns[cid]$http);
+ if ( c?$http )
+ return build_url_http(c$http);
}
return "";
}
diff --git a/scripts/base/protocols/http/main.bro b/scripts/base/protocols/http/main.bro
index 215ad61fc3..ea86367bb1 100644
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@@ -326,11 +326,11 @@ event connection_state_remove(c: connection) &priority=-5
# Flush all pending but incomplete request/response pairs.
if ( c?$http_state )
{
- for ( r in c$http_state$pending )
+ for ( r, info in c$http_state$pending )
{
# We don't use pending elements at index 0.
if ( r == 0 ) next;
- Log::write(HTTP::LOG, c$http_state$pending[r]);
+ Log::write(HTTP::LOG, info);
}
}
}
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro
index 44d939209e..bf5094a4f2 100644
--- a/scripts/base/protocols/irc/dcc-send.bro
+++ b/scripts/base/protocols/irc/dcc-send.bro
@@ -65,10 +65,8 @@ function log_dcc(f: fa_file)
{
if ( ! f?$conns ) return;
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local c: connection = f$conns[cid];
-
if ( [cid$resp_h, cid$resp_p] !in dcc_expected_transfers ) next;
local irc = dcc_expected_transfers[cid$resp_h, cid$resp_p];
diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro
index 5a155d9184..18ee4da83f 100644
--- a/scripts/base/protocols/krb/files.bro
+++ b/scripts/base/protocols/krb/files.bro
@@ -48,11 +48,10 @@ function describe_file(f: fa_file): string
# are already populated).
#
# Just return a bit of our connection information and hope that that is good enough.
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$krb )
+ if ( c?$krb )
{
- local c = f$conns[cid];
return cat(c$id$resp_h, ":", c$id$resp_p);
}
}
diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro
index 1089f0c1a4..68ebb9b222 100644
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@@ -149,13 +149,13 @@ function flush_pending(c: connection)
# Flush all pending but incomplete request/response pairs.
if ( c?$sip_state )
{
- for ( r in c$sip_state$pending )
+ for ( r, info in c$sip_state$pending )
{
# We don't use pending elements at index 0.
if ( r == 0 )
next;
- Log::write(SIP::LOG, c$sip_state$pending[r]);
+ Log::write(SIP::LOG, info);
}
}
}
@@ -293,9 +293,9 @@ event connection_state_remove(c: connection) &priority=-5
{
if ( c?$sip_state )
{
- for ( r in c$sip_state$pending )
+ for ( r, info in c$sip_state$pending )
{
- Log::write(SIP::LOG, c$sip_state$pending[r]);
+ Log::write(SIP::LOG, info);
}
}
}
diff --git a/scripts/base/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro
index d01aa815a5..0ee4d0a873 100644
--- a/scripts/base/protocols/smb/files.bro
+++ b/scripts/base/protocols/smb/files.bro
@@ -38,11 +38,10 @@ function describe_file(f: fa_file): string
if ( f$source != "SMB" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local info = f$conns[cid];
- if ( info?$smb_state && info$smb_state?$current_file && info$smb_state$current_file?$name )
- return info$smb_state$current_file$name;
+ if ( c?$smb_state && c$smb_state?$current_file && c$smb_state$current_file?$name )
+ return c$smb_state$current_file$name;
}
return "";
}
diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro
index 14ecbecf46..07225548be 100644
--- a/scripts/base/protocols/smb/main.bro
+++ b/scripts/base/protocols/smb/main.bro
@@ -238,9 +238,8 @@ event file_state_remove(f: fa_file) &priority=-5
if ( f$source != "SMB" )
return;
- for ( id in f$conns )
+ for ( id, c in f$conns )
{
- local c = f$conns[id];
if ( c?$smb_state && c$smb_state?$current_file)
{
write_file_log(c$smb_state);
diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro
index a65b90b528..bf410fa201 100644
--- a/scripts/base/protocols/smtp/files.bro
+++ b/scripts/base/protocols/smtp/files.bro
@@ -31,9 +31,8 @@ function describe_file(f: fa_file): string
if ( f$source != "SMTP" )
return "";
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local c = f$conns[cid];
return SMTP::describe(c$smtp);
}
return "";
diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro
index d0d89561e3..ae13147d8e 100644
--- a/scripts/base/protocols/ssl/files.bro
+++ b/scripts/base/protocols/ssl/files.bro
@@ -66,11 +66,10 @@ function describe_file(f: fa_file): string
# are already populated).
#
# Just return a bit of our connection information and hope that that is good enough.
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- if ( f$conns[cid]?$ssl )
+ if ( c?$ssl )
{
- local c = f$conns[cid];
return cat(c$id$resp_h, ":", c$id$resp_p);
}
}
@@ -103,12 +102,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
|| f$info$mime_type == "application/pkix-cert" ) )
return;
- for ( cid in f$conns )
- {
- if ( ! f$conns[cid]?$ssl )
- return;
+ local c: connection;
- local c = f$conns[cid];
+ for ( cid, c in f$conns )
+ {
+ if ( ! c?$ssl )
+ return;
}
if ( ! c$ssl?$cert_chain )
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro
index 45248e3ea2..ead214f93e 100644
--- a/scripts/base/utils/json.bro
+++ b/scripts/base/utils/json.bro
@@ -57,9 +57,8 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p
local rec_parts: string_vec = vector();
local ft = record_fields(v);
- for ( field in ft )
+ for ( field, field_desc in ft )
{
- local field_desc = ft[field];
# replace the escape pattern in the field.
if( field_escape_pattern in field )
field = cat(sub(field, field_escape_pattern, ""));
@@ -87,11 +86,11 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p
{
local tab_parts: vector of string = vector();
local ta: table[bool] of any = v;
- for ( ti in ta )
+ for ( ti, tv in ta )
{
local ts = to_json(ti);
local if_quotes = (ts[0] == "\"") ? "" : "\"";
- tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable));
+ tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(tv, only_loggable));
}
return cat("{", join_string_vec(tab_parts, ", "), "}");
}
diff --git a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
index aa9c322bcf..343beb277e 100644
--- a/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
+++ b/scripts/policy/frameworks/intel/seen/smtp-url-extraction.bro
@@ -8,9 +8,8 @@ event intel_mime_data(f: fa_file, data: string)
if ( ! f?$conns )
return;
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local c: connection = f$conns[cid];
local urls = find_all_urls_without_scheme(data);
for ( url in urls )
{
diff --git a/scripts/policy/frameworks/software/vulnerable.bro b/scripts/policy/frameworks/software/vulnerable.bro
index 13de1c9cf8..92a6698af3 100644
--- a/scripts/policy/frameworks/software/vulnerable.bro
+++ b/scripts/policy/frameworks/software/vulnerable.bro
@@ -111,8 +111,8 @@ function update_vulnerable_sw()
internal_vulnerable_versions = table();
# Copy the const vulnerable versions into the global modifiable one.
- for ( sw in vulnerable_versions )
- internal_vulnerable_versions[sw] = vulnerable_versions[sw];
+ for ( sw, vuln_range_set in vulnerable_versions )
+ internal_vulnerable_versions[sw] = vuln_range_set;
event grab_vulnerable_versions(1);
}
diff --git a/scripts/policy/misc/weird-stats.bro b/scripts/policy/misc/weird-stats.bro
index d08ce9381d..50e29dd010 100644
--- a/scripts/policy/misc/weird-stats.bro
+++ b/scripts/policy/misc/weird-stats.bro
@@ -33,14 +33,14 @@ function weird_epoch_results(ts: time, key: SumStats::Key, result: SumStats::Res
function weird_epoch_finished(ts: time)
{
- for ( n in this_epoch_weirds )
+ for ( n, v in this_epoch_weirds )
{
local last_count: double = 0.0;
if ( n in last_epoch_weirds )
last_count = last_epoch_weirds[n];
- local num_seen: double = this_epoch_weirds[n] - last_count;
+ local num_seen: double = v - last_count;
if ( num_seen > 0.0 )
Log::write(LOG, Info($ts = ts, $name = n,
@@ -70,9 +70,9 @@ function observe_weird_stats()
{
local rs = get_reporter_stats();
- for ( n in rs$weirds_by_type )
+ for ( n, v in rs$weirds_by_type )
SumStats::observe("weirds.encountered", SumStats::Key($str = n),
- SumStats::Observation($dbl=rs$weirds_by_type[n]+0.0));
+ SumStats::Observation($dbl=(v + 0.0)));
}
@if ( Cluster::is_enabled() )
diff --git a/scripts/policy/protocols/smtp/entities-excerpt.bro b/scripts/policy/protocols/smtp/entities-excerpt.bro
index a3c35507ca..f4ee2b07d5 100644
--- a/scripts/policy/protocols/smtp/entities-excerpt.bro
+++ b/scripts/policy/protocols/smtp/entities-excerpt.bro
@@ -24,10 +24,8 @@ event file_new(f: fa_file) &priority=5
if ( ! f?$bof_buffer ) return;
if ( ! f?$conns ) return;
- for ( cid in f$conns )
+ for ( cid, c in f$conns )
{
- local c: connection = f$conns[cid];
-
if ( ! c?$smtp ) next;
if ( default_entity_excerpt_len > 0 )
diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
index 7f07c2b069..258820664f 100644
--- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro
+++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro
@@ -51,12 +51,12 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
|| f$info$mime_type == "application/pkix-cert" ) )
return;
- for ( cid in f$conns )
- {
- if ( ! f$conns[cid]?$ssl )
- return;
+ local c: connection;
- local c = f$conns[cid];
+ for ( cid, c in f$conns )
+ {
+ if ( ! c?$ssl )
+ return;
}
local chain: vector of string;
diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro
index 0ce11b63ff..4d79bfd7ad 100644
--- a/scripts/policy/protocols/ssl/validate-sct.bro
+++ b/scripts/policy/protocols/ssl/validate-sct.bro
@@ -95,12 +95,12 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log
if ( |f$conns| != 1 )
return;
- for ( cid in f$conns )
- {
- if ( ! f$conns[cid]?$ssl )
- return;
+ local c: connection;
- local c = f$conns[cid];
+ for ( cid, c in f$conns )
+ {
+ if ( ! c?$ssl )
+ return;
}
c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src);
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 594d814175..7799ecbcee 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -176,15 +176,15 @@
0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) ->
0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) ->
0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])) ->
0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) ->
-0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])) ->
+0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) ->
@@ -277,7 +277,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) ->
@@ -462,7 +462,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -1077,15 +1077,15 @@
0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert))
0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert))
0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec}))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}]))
0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
-0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}]))
+0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]))
@@ -1178,7 +1178,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG))
@@ -1363,7 +1363,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1977,15 +1977,15 @@
0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert)
0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert)
0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec})
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::f$conns[HTTP::cid]?$http) return (HTTP::build_url_http(HTTP::f$conns[HTTP::cid]$http))}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid, FTP::c{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::c?$ftp) return (FTP::describe(FTP::c$ftp))}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_HTTP, [get_file_handle=HTTP::get_file_handle{ if (!HTTP::c?$http) return ()if (HTTP::c$http$range_request && !HTTP::is_orig) { return (cat(Analyzer::ANALYZER_HTTP, HTTP::is_orig, HTTP::c$id$orig_h, HTTP::build_url(HTTP::c$http)))}else{ HTTP::mime_depth = HTTP::is_orig ? HTTP::c$http$orig_mime_depth : HTTP::c$http$resp_mime_depthreturn (cat(Analyzer::ANALYZER_HTTP, HTTP::c$start_time, HTTP::is_orig, HTTP::c$http$trans_depth, HTTP::mime_depth, id_string(HTTP::c$id)))}}, describe=HTTP::describe_file{ HTTP::cid, HTTP::c{ if (HTTP::f$source != HTTP) return ()for ([HTTP::cid] in HTTP::f$conns) { if (HTTP::c?$http) return (HTTP::build_url_http(HTTP::c$http))}return ()}}])
0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid, KRB::c{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::c?$krb) { return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid, SMB::c{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { if (SMB::c?$smb_state && SMB::c$smb_state?$current_file && SMB::c$smb_state$current_file?$name) return (SMB::c$smb_state$current_file$name)}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid, SMTP::c{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { return (SMTP::describe(SMTP::c$smtp))}return ()}}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid, SSL::c{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::c?$ssl) { return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])
0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])
@@ -2078,7 +2078,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2263,7 +2263,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552582539.91497, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()
@@ -2696,7 +2696,7 @@
0.000000 | HookLoadFile base<...>/x509
0.000000 | HookLoadFile base<...>/xmpp
0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1552582539.914970, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1552701731.192609, node=bro, filter=ip or not ip, init=T, success=T]
0.000000 | HookQueueEvent NetControl::init()
0.000000 | HookQueueEvent bro_init()
0.000000 | HookQueueEvent filter_change_tracking()
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
index fd0420cc79..dca63f379e 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output
@@ -6,6 +6,6 @@
#open 2018-02-27-17-25-30
#fields ts level message location
#types time enum string string
-0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 553-554
+0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 552-553
0.000000 Reporter::INFO received termination signal (empty)
#close 2018-02-27-17-25-30