Provide infrastructure to migrate legacy analyzers to Spicy.

As initial examples, this branch ports the Syslog and Finger analyzers
over. We leave the old analyzers in place for now and activate them
iff we compile without any Spicy.

Needs `zeek-spicy-infra` branches in `spicy/`, `spicy-plugin/`,
`CMake/`, and `zeek/zeek-testing-private`.

Note that the analyzer events remain associated with the Spicy plugin
for now: that's where they will show up with `-NN`, and also inside
the Zeekygen documentation.

We switch CMake over to linking the runtime library into the plugin,
vs. at the top-level through object libraries.

CMakeLists.txt

@@ -547,14 +547,17 @@ else ()
 endif ()
 
 if ( NOT DISABLE_SPICY )
+    set(USE_SPICY_ANALYZERS yes)
+
     if ( NOT SPICY_ROOT_DIR )
+        set(HAVE_SPICY yes) # evaluated by Spicy plugin build
+
         add_subdirectory(auxil/spicy)
 
         # Set variables used by the spicy-plugin build since we are building Spicy
         # as part of Zeek so spicy-plugin cannot use `spicy-config` at configure
         # time to set these.
         set(SPICY_CONFIG "<builtin>")
-        set(HAVE_SPICY "YES")
         set(SPICY_HAVE_TOOLCHAIN "YES")
         set(SPICY_INCLUDE_DIRS_RUNTIME
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/runtime/include
@@ -564,6 +567,10 @@ if ( NOT DISABLE_SPICY )
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/hilti/toolchain/include
             ${PROJECT_SOURCE_DIR}/auxil/spicy/spicy/spicy/toolchain/include)
         set(SPICY_LIBRARY spicy)
+        set(HILTI_LIBRARY_RT hilti-rt)
+        set(HILTI_LIBRARY_RT_DEBUG hilti-rt-debug)
+        set(SPICY_LIBRARY_RT spicy-rt)
+        set(SPICY_LIBRARY_RT_DEBUG spicy-rt-debug)
 
         # Needed only for logging from CMake configure phase.
         get_directory_property(
@@ -586,12 +593,20 @@ if ( NOT DISABLE_SPICY )
     endif ()
 
     if ( NOT SPICY_PLUGIN_PATH )
+        set(_spicy_plugin "included")
         set(SPICY_PLUGIN_PATH ${CMAKE_SOURCE_DIR}/auxil/spicy-plugin)
     endif ()
 
+    set(SPICY_PLUGIN_BINARY_PATH ${CMAKE_BINARY_DIR}/src/builtin-plugins/spicy-plugin)
     string(APPEND ZEEK_INCLUDE_PLUGINS ";${SPICY_PLUGIN_PATH}")
+else ()
+    set(HAVE_SPICY no) # evaluated by Spicy plugin build
+    set(USE_SPICY_ANALYZERS no)
 endif ()
 
+set(USE_SPICY_ANALYZERS "${USE_SPICY_ANALYZERS}" CACHE BOOL "Use built-in Spicy analyzers")
+include(BuiltInSpicyAnalyzer)
+
 include_directories(BEFORE
                     ${PCAP_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
@@ -866,26 +881,6 @@ if ( NOT DISABLE_SPICY )
     add_dependencies(zeek spicyz)
 
     if ( NOT SPICY_ROOT_DIR )
-        list(APPEND _spicy_rt_libs spicy-rt hilti-rt)
-
-        # Use the debug runtime libraries if we are building a debug Zeek.
-        if ( SPICY_BUILD_MODE STREQUAL "Debug" )
-            list(TRANSFORM _spicy_rt_libs APPEND "-debug")
-        endif ()
-
-        # If we build spicy-plugin into Zeek we also need to build the Spicy
-        # runtime dependencies into Zeek. Since no matter how Spicy itself was
-        # linked this is always a static library, link the object files so we
-        # get all symbols and can resolve all potential dependencies of
-        # HLTO files at runtime.
-        #
-        # TODO(bbannier): Conceptually cleaner would be linking the runtime
-        # objects into spicy-plugin and then inherit that up to zeek, but it
-        # seems this does not work reliable (due incomplete support for object
-        # libraries in CMake?).
-        list(TRANSFORM _spicy_rt_libs APPEND "-objects")
-        target_link_libraries(zeek ${_spicy_rt_libs})
-
         # Make sure we build targets of spicy-plugin after the `spicy` target.
         add_dependencies(plugin-Zeek-Spicy spicy)
         add_dependencies(spicyz spicy)
@@ -959,6 +954,33 @@ if ( GEN_ZAM_EXE_PATH )
     set(_gen_zam_exe_path ${GEN_ZAM_EXE_PATH})
 endif ()
 
+set(_spicy "included")
+if ( DISABLE_SPICY )
+    set(_spicy "disabled")
+elseif ( SPICY_ROOT_DIR )
+    set(_spicy "external (${SPICY_ROOT_DIR})")
+endif ()
+
+if ( DISABLE_SPICY )
+    set(_spicy_plugin "disabled")
+elseif ( "${_spicy_plugin}" STREQUAL "" )
+    set(_spicy_plugin "external (${SPICY_PLUGIN_PATH})")
+endif ()
+
+if ( ZEEK_LEGACY_ANALYZERS )
+    list(JOIN ZEEK_LEGACY_ANALYZERS ", " _legacy_analyzers)
+    set(_legacy_analyzers  "\n          - Using unmaintained legacy analyzers for: ${_legacy_analyzers}")
+endif ()
+
+if ( ZEEK_SKIPPED_ANALYZERS )
+    list(JOIN ZEEK_SKIPPED_ANALYZERS ", " _skipped_analyzers)
+    set(_skipped_analyzers "\n          - Skipping analyzers: ${_skipped_analyzers}")
+endif ()
+
+if ( ZEEK_LEGACY_ANALYZERS OR ZEEK_SKIPPED_ANALYZERS )
+    set(_analyzer_warning "\n\n[Warning] Some analyzers are not available due to lack of Spicy:${_legacy_analyzers}${_skipped_analyzers}")
+endif ()
+
 message(
     "\n====================|  Zeek Build Summary  |===================="
     "\n"
@@ -993,6 +1015,9 @@ message(
     "\nBTest tooling:     ${_install_btest_tools_msg}"
     "\nGen-ZAM:           ${_gen_zam_exe_path}"
     "\nzkg:               ${INSTALL_ZKG}"
+    "\nSpicy:             ${_spicy}"
+    "\nSpicy plugin:      ${_spicy_plugin}"
+    "\nSpicy analyzers:   ${USE_SPICY_ANALYZERS}"
     "\n"
     "\nlibmaxminddb:      ${USE_GEOIP}"
     "\nKerberos:          ${USE_KRB5}"
@@ -1003,6 +1028,7 @@ message(
     "\n"
     "\nFuzz Targets:      ${ZEEK_ENABLE_FUZZERS}"
     "\nFuzz Engine:       ${ZEEK_FUZZING_ENGINE}"
+    "${_analyzer_warning}"
     "\n"
     "\n================================================================\n"
 )

auxil/spicy-plugin

@@ -1 +1 @@
-Subproject commit 9480a7dc8f9049c46f42069b415e1c18a44aa51b
+Subproject commit bd5a32f5c78e1cc1d60b8f010797fe3fb5a6c3aa

auxil/spicy/spicy

@@ -1 +1 @@
-Subproject commit 8c5f9466c5f87a237451438af82dbb8dcf743d5d
+Subproject commit 1e074f8db5f2ccc4a946f66634410bcc7d94dcef

cmake

@@ -1 +1 @@
-Subproject commit f69e08247ed4d7e36258157df6328bad3c81269d
+Subproject commit 9f05362a5c33ed11dab37d2dedf74206d59d8f6d

scripts/base/init-default.zeek

@@ -49,6 +49,7 @@
 @load base/protocols/dhcp
 @load base/protocols/dnp3
 @load base/protocols/dns
+@load base/protocols/finger
 @load base/protocols/ftp
 @load base/protocols/http
 @load base/protocols/imap

scripts/base/protocols/finger/__load__.zeek

@@ -0,0 +1,2 @@
+@load ./spicy-events
+@load ./main

scripts/base/protocols/finger/main.zeek

@@ -0,0 +1,14 @@
+##! Implements base functionality for Finger analysis. We currently do not generate
+##! a log file, but just configure the analyzer.
+
+module Finger;
+
+export {
+	const ports = { 79/tcp };
+	redef likely_server_ports += { ports };
+}
+
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, ports);
+	}

scripts/base/protocols/finger/spicy-events.zeek

@@ -0,0 +1,33 @@
+##! Events generated by the Finger analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for Finger requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. zeek:see:: finger_reply
+global finger_request: event(c: connection, full: bool, username: string, hostname: string);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. zeek:see:: finger_request
+global finger_reply: event(c: connection, reply_line: string);
+
+@endif

scripts/base/protocols/syslog/__load__.zeek

@@ -1,2 +1,3 @@
+@load ./spicy-events
 @load ./consts
 @load ./main

scripts/base/protocols/syslog/spicy-events.zeek

@@ -0,0 +1,21 @@
+##! Events generated by the Syslog analyzer.
+
+@ifdef ( Spicy::available ) # must not be used with legacy analyzer
+
+## Generated for monitored Syslog messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Syslog>`__ for more
+## information about the Syslog protocol.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## facility: The "facility" included in the message.
+##
+## severity: The "severity" included in the message.
+##
+## msg: The message logged.
+##
+## .. note:: Zeek currently parses only UDP syslog traffic.
+global syslog_message: event(c: connection, facility: count, severity: count, msg: string);
+
+@endif

src/analyzer/protocol/finger/CMakeLists.txt

@@ -1,9 +1,9 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Finger)
-zeek_plugin_cc(Finger.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
+spicy_add_analyzer(
+  NAME
+    Finger
+  SOURCES
+    finger.spicy
+    finger.evt
+  LEGACY
+    legacy
+)

src/analyzer/protocol/finger/finger.evt

@@ -0,0 +1,10 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer Finger over TCP:
+    parse originator with Finger::Request,
+    parse responder with Finger::Reply;
+
+import Finger;
+
+on Finger::Request -> event finger_request($conn, self.whois, self.user, self.host);
+on Finger::ReplyLine if ( |self.data| != 0 ) -> event finger_reply($conn, self.data);

src/analyzer/protocol/finger/finger.spicy

@@ -0,0 +1,54 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+#
+# Giving the rare number of instances of this protocol these days, we err on the side of
+# rejecting sessions if they don't parse well.
+
+module Finger;
+
+import spicy;
+
+const OptionalWhiteSpace = /[ \t]*/;
+const NewLine    = /\r?\n/;
+
+public type Request  = unit {
+    : OptionalWhiteSpace;
+
+    switch {
+        -> : /\/W/ { self.whois = True; }
+        -> void;
+    };
+
+    : OptionalWhiteSpace;
+
+    arg: /[^\r\n]*/ &convert=$$.strip().split1(b"@") {
+        # We require valid UTF-8 to weed out binary data.
+        self.user = self.arg[0].decode();
+
+        if ( |self.arg[1]| > 0 )
+            self.host = self.arg[1].decode();
+    }
+
+    on %done  {
+        if ( |self.arg[0]| > 0 || self.whois )
+            spicy::accept_input();
+    }
+
+    var user: string;
+    var host: string;
+    var whois: bool = False;
+};
+
+type ReplyLine = unit {
+    data: /[^\r\n]*/ &convert=$$.decode(); # Require valid UTF-8 here as well.
+    : NewLine;
+
+    on %done {
+        if ( |self.data| > 10 )
+            # Require some non-trivial output to accept.
+            spicy::accept_input();
+    }
+};
+
+public type Reply  = unit {
+    : ReplyLine[];
+};

src/analyzer/protocol/finger/legacy/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Finger)
+zeek_plugin_cc(Finger.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()

src/analyzer/protocol/finger/legacy/Finger.cc

@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/analyzer/protocol/finger/Finger.h"
+#include "zeek/analyzer/protocol/finger/legacy/Finger.h"
 
 #include "zeek/zeek-config.h"
 
@@ -8,7 +8,7 @@
 
 #include "zeek/Event.h"
 #include "zeek/NetVar.h"
-#include "zeek/analyzer/protocol/finger/events.bif.h"
+#include "zeek/analyzer/protocol/finger/legacy/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/ContentLine.h"
 
 namespace zeek::analyzer::finger

src/analyzer/protocol/finger/legacy/Plugin.cc

@@ -3,7 +3,7 @@
 #include "zeek/plugin/Plugin.h"
 
 #include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/finger/Finger.h"
+#include "zeek/analyzer/protocol/finger/legacy/Finger.h"
 
 namespace zeek::plugin::detail::Zeek_Finger
 	{

src/analyzer/protocol/syslog/CMakeLists.txt

@@ -1,10 +1,9 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Syslog)
-zeek_plugin_cc(Syslog.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
-zeek_plugin_end()
+spicy_add_analyzer(
+  NAME
+    Syslog
+  SOURCES
+    syslog.spicy
+    syslog.evt
+  LEGACY
+    legacy
+)

src/analyzer/protocol/syslog/legacy/CMakeLists.txt

@@ -0,0 +1,10 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek Syslog)
+zeek_plugin_cc(Syslog.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_pac(syslog.pac syslog-analyzer.pac syslog-protocol.pac)
+zeek_plugin_end()

src/analyzer/protocol/syslog/legacy/Plugin.cc

@@ -3,7 +3,7 @@
 #include "zeek/plugin/Plugin.h"
 
 #include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/syslog/Syslog.h"
+#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h"
 
 namespace zeek::plugin::detail::Zeek_Syslog
 	{

src/analyzer/protocol/syslog/legacy/Syslog.cc

@@ -1,6 +1,6 @@
-#include "zeek/analyzer/protocol/syslog/Syslog.h"
+#include "zeek/analyzer/protocol/syslog/legacy/Syslog.h"
 
-#include "zeek/analyzer/protocol/syslog/events.bif.h"
+#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
 
 namespace zeek::analyzer::syslog

src/analyzer/protocol/syslog/legacy/Syslog.h

@@ -2,7 +2,7 @@
 
 #include "zeek/analyzer/protocol/tcp/TCP.h"
 
-#include "analyzer/protocol/syslog/syslog_pac.h"
+#include "analyzer/protocol/syslog/legacy/syslog_pac.h"
 
 namespace zeek::analyzer::syslog
 	{

src/analyzer/protocol/syslog/legacy/syslog.pac

@@ -3,7 +3,7 @@
 %include zeek.pac
 
 %extern{
-#include "zeek/analyzer/protocol/syslog/events.bif.h"
+#include "zeek/analyzer/protocol/syslog/legacy/events.bif.h"
 %}
 
 analyzer Syslog withcontext {

src/analyzer/protocol/syslog/syslog.evt

@@ -0,0 +1,8 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+protocol analyzer Syslog over UDP:
+    parse with Syslog::Message;
+
+import Syslog;
+
+on Syslog::Message -> event syslog_message($conn, self.facility, self.severity, self.msg);

src/analyzer/protocol/syslog/syslog.spicy

@@ -0,0 +1,32 @@
+# Copyright (c) 2022 by the Zeek Project. See LICENSE for details.
+
+module Syslog;
+
+import spicy;
+
+public type Message = unit {
+    switch {
+        -> prio: Priority;
+        -> void;
+    };
+
+    msg: bytes &eod;
+
+    on %done {
+        spicy::accept_input();
+
+        if ( self?.prio ) {
+            self.severity = (self.prio.value & 0x07);
+            self.facility = (self.prio.value & 0x03f8) >> 3;
+        }
+    }
+
+    var severity: uint64 = 999; # default per legacy analyzer
+    var facility: uint64 = 999; # default per legacy analyzer
+};
+
+type Priority = unit {
+    : b"<";
+    value: /[[:digit:]]+/ &convert=$$.to_uint();
+    : b">";
+};

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -48,6 +48,7 @@
 1 6669
 1 67
 1 68
+1 79
 1 80
 1 8000
 1 8080
@@ -59,8 +60,8 @@
 1 992
 1 993
 1 995
-66 and
-65 or
-66 port
-43 tcp
+67 and
+66 or
+67 port
+44 tcp
 23 udp

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
@@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -151,7 +151,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_File.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
@@ -227,7 +226,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
@@ -359,6 +357,9 @@ scripts/base/init-default.zeek
   scripts/base/protocols/dns/__load__.zeek
     scripts/base/protocols/dns/consts.zeek
     scripts/base/protocols/dns/main.zeek
+  scripts/base/protocols/finger/__load__.zeek
+    scripts/base/protocols/finger/spicy-events.zeek
+    scripts/base/protocols/finger/main.zeek
   scripts/base/protocols/ftp/__load__.zeek
     scripts/base/protocols/ftp/utils-commands.zeek
     scripts/base/protocols/ftp/info.zeek
@@ -438,6 +439,7 @@ scripts/base/init-default.zeek
   scripts/base/protocols/ssh/__load__.zeek
     scripts/base/protocols/ssh/main.zeek
   scripts/base/protocols/syslog/__load__.zeek
+    scripts/base/protocols/syslog/spicy-events.zeek
     scripts/base/protocols/syslog/consts.zeek
     scripts/base/protocols/syslog/main.zeek
   scripts/base/protocols/tunnels/__load__.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -12,6 +12,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -73,6 +74,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -126,6 +128,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FINGER, {79/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
@@ -807,7 +810,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
@@ -895,7 +897,6 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
@@ -977,6 +978,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./site, <...>/site.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./spicy-events, <...>/spicy-events.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./std-dev, <...>/std-dev.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./store, <...>/store.zeek) -> -1
@@ -1058,6 +1060,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/files, <...>/files.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/finger, <...>/finger) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ftp, <...>/ftp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
@@ -1194,7 +1197,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
@@ -1282,7 +1284,6 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek) -> (-1, <no content>)
-0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
@@ -1364,6 +1365,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, <no content>)
@@ -1445,6 +1447,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/finger, <...>/finger) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
@@ -1573,6 +1576,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1634,6 +1638,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FINGER, 79/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1687,6 +1692,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FINGER, {79/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
@@ -2368,7 +2374,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
@@ -2456,7 +2461,6 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2538,6 +2542,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./site, <...>/site.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./spicy-events, <...>/spicy-events.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./store, <...>/store.zeek)
@@ -2619,6 +2624,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/files, <...>/files.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/finger, <...>/finger)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ftp, <...>/ftp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
@@ -2755,7 +2761,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
@@ -2843,7 +2848,6 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.consts.bif.zeek, <...>/Zeek_Spicy.consts.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.events.bif.zeek, <...>/Zeek_Spicy.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Spicy.functions.bif.zeek, <...>/Zeek_Spicy.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
@@ -2925,6 +2929,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./site, <...>/site.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./spicy-events, <...>/spicy-events.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./store, <...>/store.zeek)
@@ -3006,6 +3011,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/finger, <...>/finger)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ftp, <...>/ftp)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
@@ -3134,6 +3140,7 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -3195,6 +3202,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FINGER, 79/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -3248,6 +3256,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FINGER, {79/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
@@ -3928,7 +3937,6 @@
 0.000000 | HookLoadFile  ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
@@ -4016,7 +4024,6 @@
 0.000000 | HookLoadFile  ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4109,6 +4116,7 @@
 0.000000 | HookLoadFile  ./site <...>/site.zeek
 0.000000 | HookLoadFile  ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFile  ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFile  ./spicy-events <...>/spicy-events.zeek
 0.000000 | HookLoadFile  ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFile  ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFile  ./store <...>/store.zeek
@@ -4191,6 +4199,7 @@
 0.000000 | HookLoadFile  base<...>/files <...>/files.zeek
 0.000000 | HookLoadFile  base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFile  base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFile  base<...>/finger <...>/finger
 0.000000 | HookLoadFile  base<...>/ftp <...>/ftp
 0.000000 | HookLoadFile  base<...>/geneve <...>/geneve
 0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
@@ -4315,7 +4324,6 @@
 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
@@ -4403,7 +4411,6 @@
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.consts.bif.zeek <...>/Zeek_Spicy.consts.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.events.bif.zeek <...>/Zeek_Spicy.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Spicy.functions.bif.zeek <...>/Zeek_Spicy.functions.bif.zeek
-0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
@@ -4496,6 +4503,7 @@
 0.000000 | HookLoadFileExtended ./site <...>/site.zeek
 0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek
 0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFileExtended ./spicy-events <...>/spicy-events.zeek
 0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek
 0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek
 0.000000 | HookLoadFileExtended ./store <...>/store.zeek
@@ -4578,6 +4586,7 @@
 0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek
 0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFileExtended base<...>/finger <...>/finger
 0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp
 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek

testing/btest/Baseline/scripts.base.protocols.finger.events/output

@@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+request, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], F, julien, 
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Login: julien\x09\x09\x09\x09Name: 
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Directory: /home/julien\x09\x09\x09Shell: /bin/sh
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Logged: no
+response, [orig_h=192.168.7.216, orig_p=56149/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Project:
+request, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], T, julien, 
+response, [orig_h=192.168.7.216, orig_p=56750/tcp, resp_h=95.179.238.241, resp_p=79/tcp], Are you lost?

testing/btest/Baseline/spicy.spicyz-jit/output

@@ -1,5 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-8, [$data=[b"POST /post HTTP/1.1", b"User-Agent: curl/7.29.0", b"Host: httpbin.org", b"Accept: */*", b"Content-Length: 11", b"Content-Type: application/x-www-form-urlencoded", b"", b"hello world"]]
-Event:, [POST /post HTTP/1.1, User-Agent: curl/7.29.0, Host: httpbin.org, Accept: */*, Content-Length: 11, Content-Type: application/x-www-form-urlencoded, , hello world]
-8, [$data=[b"HTTP/1.1 200 OK", b"Server: gunicorn/0.16.1", b"Date: Tue, 19 Mar 2013 16:05:11 GMT", b"Content-Type: application/json", b"Content-Length: 366", b"Connection: close", b"", b"{\x0a  \"origin\": \"10.142.133.148\",\x0a  \"files\": {},\x0a  \"form\": null,\x0a  \"url\": \"http://httpbin.org/post\",\x0a  \"args\": {},\x0a  \"headers\": {\x0a    \"Content-Length\": \"11\",\x0a    \"Connection\": \"close\",\x0a    \"Accept\": \"*/*\",\x0a    \"User-Agent\": \"curl/7.29.0\",\x0a    \"Host\": \"httpbin.org\",\x0a    \"Content-Type\": \"application/x-www-form-urlencoded\"\x0a  },\x0a  \"json\": null,\x0a  \"data\": \"hello world\"\x0a}"]]
-Event:, [HTTP/1.1 200 OK, Server: gunicorn/0.16.1, Date: Tue, 19 Mar 2013 16:05:11 GMT, Content-Type: application/json, Content-Length: 366, Connection: close, , {\x0a  "origin": "10.142.133.148",\x0a  "files": {},\x0a  "form": null,\x0a  "url": "http://httpbin.org/post",\x0a  "args": {},\x0a  "headers": {\x0a    "Content-Length": "11",\x0a    "Connection": "close",\x0a    "Accept": "*/*",\x0a    "User-Agent": "curl/7.29.0",\x0a    "Host": "httpbin.org",\x0a    "Content-Type": "application/x-www-form-urlencoded"\x0a  },\x0a  "json": null,\x0a  "data": "hello world"\x0a}]

testing/btest/coverage/default-load-baseline.test

@@ -7,7 +7,7 @@
 # prefix to make the test work everywhere. That's what the sed magic
 # below does. Don't ask. :-)
 
-# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
 # @TEST-EXEC: zeek misc/loaded-scripts
 # @TEST-EXEC: test -e loaded_scripts.log
 # @TEST-EXEC: cat loaded_scripts.log | grep -E -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix

testing/btest/scripts/base/frameworks/logging/field-extension-invalid.zeek

@@ -1,4 +1,4 @@
-# @TEST-REQUIRES: test -x ${BUILD}/auxil/spicy/spicy/bin/spicy-config
+# @TEST-REQUIRES: $SCRIPTS/have-spicy
 # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff .stderr

testing/btest/scripts/base/protocols/finger/events.zeek

@@ -0,0 +1,18 @@
+# @TEST-EXEC: zeek -r $TRACES/finger/standard.pcap %INPUT >>output
+# @TEST-EXEC: zeek -r $TRACES/finger/verbose.pcap %INPUT >>output
+# @TEST-EXEC: btest-diff output
+
+global resp_lines = 0;
+
+event finger_request(c: connection, full: bool, username: string, hostname: string)
+	{
+	print "request", c$id, full, username, hostname;
+	}
+
+event finger_reply(c: connection, reply_line: string)
+	{
+	if ( ++resp_lines >= 5 )
+		return;
+
+	print "response", c$id, reply_line;
+	}

testing/btest/spicy/spicyz-jit.test

@@ -1,39 +0,0 @@
-# @TEST-DOC: Smoke test for a custom Spicy analyzer hooked into Zeek with JIT via Zeek itself.
-#
-# @TEST-REQUIRES: $SCRIPTS/have-spicy
-
-# Use a script here to prevent spicy from outputting warnings during compilation. If the build is
-# failing, the script can be modified to not redirect the output.
-# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -NN test.zeek test.spicy test.evt | grep -q ANALYZER_SPICY_TEST
-# @TEST-EXEC: HILTI_CXX=$SCRIPTS/hilti-ignore-cxx-errors zeek -r ${TRACES}/http/post.trace test.spicy test.evt test.zeek "Spicy::enable_print = T;" >>output 2>&1
-# @TEST-EXEC: btest-diff output
-
-# @TEST-START-FILE test.spicy
-module test;
-
-import zeek;
-
-public type Dummy = unit {
-    # Consume all data. We split data into lines and log the number of lines and the lines when done.
-    data: bytes &eod &convert=$$.split(b"\r\n");
-
-    on %done { print |self.data|, self; }
-};
-# @TEST-END-FILE
-
-# @TEST-START-FILE test.evt
-protocol analyzer spicy::Test over TCP:
-    parse with test::Dummy,
-    port 80/tcp;
-
-on test::Dummy -> event test::dummy(self.data);
-# @TEST-END-FILE
-
-# @TEST-START-FILE test.zeek
-module test;
-
-event test::dummy(data: vector of string)
-{
-	print "Event:", data;
-}
-# @TEST-END-FILE

testing/external/commit-hash.zeek-testing-private

@@ -1 +1 @@
-c901e5a69c1d8496973e18d6475b7af7ca5e9fcc
+7bbcd06c50dc5bcae3533842c302c617ac5f1852

testing/scripts/diff-canonifier-external

@@ -25,5 +25,6 @@ $(dirname $0)/diff-remove-timestamps |
     $(dirname $0)/diff-remove-x509-names |
     $(dirname $0)/diff-sort-conn-service |
     $(dirname $0)/diff-sort-set-elements |
+    $(dirname $0)/diff-remove-spicy-abspath |
     $(dirname $0)/diff-sort |
     eval $addl

testing/scripts/diff-remove-spicy-abspath

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+#
+# Replace absolute paths in Spicy error message with the basename. This is more
+# restrictive than diff-remove-abspath to avoid catching other stuff.
+
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+$sed 's#/([^:/]{1,}/){1,}([^:/]{1,}\.spicy[:,])#<...>/\2#g'

testing/scripts/have-spicy

@@ -1,6 +1,2 @@
 #!/bin/sh
-if grep -q "DISABLE_SPICY:BOOL=true" "${BUILD}"/CMakeCache.txt; then
-    return 1
-else
-    true
-fi
+"${BUILD}/zeek-config" --have-spicy-analyzers >/dev/null

zeek-config.in

@@ -6,6 +6,7 @@ btest_tools_dir=@ZEEK_CONFIG_BTEST_TOOLS_DIR@
 build_type=@CMAKE_BUILD_TYPE_LOWER@
 cmake_dir=@CMAKE_INSTALL_PREFIX@/share/zeek/cmake
 config_dir=@ZEEK_ETC_INSTALL_DIR@
+have_spicy=@USE_SPICY_ANALYZERS@
 include_dir=@CMAKE_INSTALL_PREFIX@/include
 lib_dir=@CMAKE_INSTALL_FULL_LIBDIR@
 plugin_dir=@BRO_PLUGIN_INSTALL_PATH@
@@ -64,6 +65,10 @@ Toplevel installation directories for third-party components:
 
   --binpac_root         BinPAC compiler
   --broker_root         Broker communication framework
+
+Feature tests:
+
+  --have-spicy-analyzers  Prints 'yes' if built-in Spicy analyzers are available; exit code reflects result
 "
 }
 
@@ -103,6 +108,15 @@ while [ $# -ne 0 ]; do
         --config_dir)
             echo $config_dir
             ;;
+        --have-spicy-analyzers)
+            if [ "$have_spicy" = "yes" ]; then
+                echo "yes"
+                exit 0
+            else
+                echo "no"
+                exit 1
+            fi
+            ;;
         --include_dir)
             echo $include_dir
             ;;