Merge remote-tracking branch 'origin/master' into topic/johanna/spicy-tls

* origin/master: (82 commits)
  Update doc submodule [nomail] [skip ci]
  Update zeekjs submodule
  Update broker submodule
  telemetry: Disable metrics centralization by default
  GSSAPI: basic support for MIC/WRAP tokens
  CI: Force rebuild of tumbleweed VM to pick up newer version of python
  formatters/JSON: Make JSON::NullDoubleWriter use zeek::json::detail version
  formatters/JSON: Remove surrounding_braces
  formatters/JSON: Prepare to remove rapidjson from installed Zeek headers
  Stmt/Assert: Use std::move() for backtrace element
  Update cmake submodule [nomail]
  Update external testing hashes for 6.1 deprecation changes
  Remove leftover baseline files from 6.1 deprecation removal
  Update doc submodule [nomail] [skip ci]
  Update external testing repo hashes to current master commits
  Update dce-rpc constants
  -O gen-C++ refinements for BiF failures, negative vector indices, boolean vector operations
  Update docs submodule [nomail] [skip ci]
  Force -std=c++17 mode for plugin targets, remove use of RequireCXX17.cmake
  Add Spicy updates to NEWS for 6.0.
  ...

scripts/base/frameworks/cluster/main.zeek

@@ -211,12 +211,6 @@ export {
 	## Returns: The :zeek:type:`Cluster::NodeType` the calling node acts as.
 	global local_node_type: function(): NodeType;
 
-	## This gives the value for the number of workers currently connected to,
-	## and it's maintained internally by the cluster framework.  It's
-	## primarily intended for use by managers to find out how many workers
-	## should be responding to requests.
-	global worker_count: count = 0 &deprecated="Remove in v6.1. Active worker count can be obtained via get_active_node_count(Cluster::WORKER)";
-
 	## The cluster layout definition.  This should be placed into a filter
 	## named cluster-layout.zeek somewhere in the ZEEKPATH.  It will be
 	## automatically loaded if the CLUSTER_NODE environment variable is set.
@@ -347,8 +341,6 @@ function nodeid_topic(id: string): string
 	return nodeid_topic_prefix + id + "/";
 	}
 
-@if ( Cluster::is_enabled() )
-
 event Cluster::hello(name: string, id: string) &priority=10
 	{
 	if ( name !in nodes )
@@ -374,11 +366,6 @@ event Cluster::hello(name: string, id: string) &priority=10
 	if ( n$node_type !in active_node_ids )
 		active_node_ids[n$node_type] = set();
 	add active_node_ids[n$node_type][id];
-
-@pragma push ignore-deprecations
-	if ( n$node_type == WORKER )
-		worker_count = get_active_node_count(WORKER);
-@pragma pop ignore-deprecations
 	}
 
 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=10
@@ -400,11 +387,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1
 			delete n$id;
 			delete active_node_ids[n$node_type][endpoint$id];
 
-@pragma push ignore-deprecations
-			if ( n$node_type == WORKER )
-				worker_count = get_active_node_count(WORKER);
-@pragma pop ignore-deprecations
-
 			event Cluster::node_down(node_name, endpoint$id);
 			break;
 			}
@@ -423,8 +405,6 @@ event zeek_init() &priority=5
 	Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster", $policy=log_policy]);
 	}
 
-@endif
-
 function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo
 	{
 	local info = stores[name];

scripts/base/frameworks/cluster/nodes/logger.zeek

@@ -22,18 +22,26 @@ redef Log::default_rotation_interval = 1 hrs;
 ## Alarm summary mail interval.
 redef Log::default_mail_alarms_interval = 24 hrs;
 
-## Generic log metadata rendered into the filename that zeek-archiver may interpret.
-## This is populated with a log_suffix entry within zeek_init() when multiple
-## logger nodes are defined in cluster-layout.zeek.
-global log_metadata: table[string] of string;
+## Generic log metadata rendered into filename that zeek-archiver may interpret.
+global archiver_log_metadata: table[string] of string &redef;
+
+# Populate archiver_log_metadata with a "log_suffix" entry when multiple
+# loggers are configured in Cluster::nodes. Need to evaluate at script
+# loading time as leftover-log-rotation functionality is invoking
+# archiver_rotation_format_func early on during InitPostScript().
+@if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
+redef archiver_log_metadata += {
+	["log_suffix"] = Cluster::node,
+};
+@endif
 
 ## Encode the given table as zeek-archiver understood metadata part.
-function encode_log_metadata(tbl: table[string] of string): string
+function archiver_encode_log_metadata(tbl: table[string] of string): string
 	{
 	local metadata_vec: vector of string;
-	for ( k, v in log_metadata )
+	for ( k, v in tbl )
 		{
-		if ( |v| == 0 )  # Assume concious decision to skip this entry.
+		if ( |v| == 0 )  # Assume conscious decision to skip this entry.
 			next;
 
 		if ( /[,=]/ in k || /[,=]/ in v )
@@ -57,8 +65,8 @@ function archiver_rotation_format_func(ri: Log::RotationFmtInfo): Log::RotationP
 	local close_str = strftime(Log::default_rotation_date_format, ri$close);
 	local base = fmt("%s__%s__%s__", ri$path, open_str, close_str);
 
-	if ( |log_metadata| > 0 )
-		base = fmt("%s%s__", base, encode_log_metadata(log_metadata));
+	if ( |archiver_log_metadata| > 0 )
+		base = fmt("%s%s__", base, archiver_encode_log_metadata(archiver_log_metadata));
 
 	local rval = Log::RotationPath($file_basename=base);
 	return rval;
@@ -71,15 +79,6 @@ redef Log::default_rotation_dir = "log-queue";
 redef Log::rotation_format_func = archiver_rotation_format_func;
 
 redef LogAscii::enable_leftover_log_rotation = T;
-
-event zeek_init()
-	{
-	if ( "log_suffix" in log_metadata )
-		return;
-
-	if ( Cluster::get_node_count(Cluster::LOGGER) > 1 )
-		log_metadata["log_suffix"] = Cluster::node;
-	}
 @else
 
 ## Use the cluster's archive logging script.

scripts/base/frameworks/dpd/__load__.zeek

@@ -1,3 +0,0 @@
-@deprecated "Remove in v6.1 - now loaded automatically";
-
-@load base/frameworks/analyzer

scripts/base/frameworks/logging/writers/ascii.zeek

@@ -54,14 +54,6 @@ export {
 	## This option is also available as a per-filter ``$config`` option.
 	const gzip_file_extension = "gz" &redef;
 
-	## Define the default logging directory. If empty, logs are written
-	## to the current working directory.
-	##
-	## This setting is superseded by :zeek:see:`Log::default_logdir`. The
-	## latter applies to all file writers and also interacts better with
-	## log rotation.
-	const logdir = "" &redef &deprecated="Remove in v6.1. Use 'Log::default_logdir'.";
-
 	## Format of timestamps when writing out JSON. By default, the JSON
 	## formatter will use double values for timestamps which represent the
 	## number of seconds from the UNIX epoch.

scripts/base/frameworks/netcontrol/main.zeek

@@ -167,7 +167,7 @@ export {
 	##
 	## For example, a search for 192.168.17.0/8 will reveal a rule that exists for
 	## 192.168.0.0/16, since this rule affects the subnet. However, it will not reveal
-	## a more specific rule for 192.168.17.1/32, which does not directy affect the whole
+	## a more specific rule for 192.168.17.1/32, which does not directly affect the whole
 	## subnet.
 	##
 	## This function works on both the manager and workers of a cluster. Note that on

scripts/base/frameworks/notice/main.zeek

@@ -584,15 +584,6 @@ function is_being_suppressed(n: Notice::Info): bool
 		return F;
 	}
 
-# Executes a script with all of the notice fields put into the
-# new process' environment as "ZEEK_ARG_<field>" variables.
-function execute_with_notice(cmd: string, n: Notice::Info) &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	# TODO: fix system calls
-	#local tgs = tags(n);
-	#system_env(cmd, tags);
-	}
-
 function create_file_info(f: fa_file): Notice::FileInfo
 	{
 	local fi: Notice::FileInfo = Notice::FileInfo($fuid = f$id,

scripts/base/frameworks/signatures/main.zeek

@@ -148,13 +148,6 @@ event zeek_init() &priority=5
 	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
 	}
 
-# Returns true if the given signature has already been triggered for the given
-# [orig, resp] pair.
-function has_signature_matched(id: string, orig: addr, resp: addr): bool &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	return [orig, resp] in vert_table ? id in vert_table[orig, resp] : F;
-	}
-
 event sig_summary(orig: addr, id: string, msg: string)
 	{
 	NOTICE([$note=Signature_Summary, $src=orig,

scripts/base/frameworks/software/main.zeek

@@ -454,11 +454,6 @@ function cmp_versions(v1: Version, v2: Version): int
 	return 0;
 	}
 
-function software_endpoint_name(id: conn_id, host: addr): string &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	return fmt("%s %s", host, (host == id$orig_h ? "client" : "server"));
-	}
-
 # Convert a version into a string "a.b.c-x".  Marked "&is_used" because
 # while the base scripts don't call it, the optional policy/ scripts do.
 function software_fmt_version(v: Version): string &is_used

scripts/base/frameworks/sumstats/non-cluster.zeek

@@ -71,18 +71,6 @@ function data_added(ss: SumStat, key: Key, result: Result)
 		threshold_crossed(ss, key, result);
 	}
 
-function request(ss_name: string): ResultTable &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	# This only needs to be implemented this way for cluster compatibility.
-	return when [ss_name] ( T )
-		{
-		if ( ss_name in result_store )
-			return result_store[ss_name];
-		else
-			return table();
-		}
-	}
-
 function request_key(ss_name: string, key: Key): Result
 	{
 	# This only needs to be implemented this way for cluster compatibility.

scripts/base/frameworks/sumstats/plugins/hll_unique.zeek

@@ -26,7 +26,7 @@ export {
 }
 
 redef record ResultVal += {
-	# Internal use only.  This is not meant to be publically available
+	# Internal use only.  This is not meant to be publicly available
 	# because probabilistic data structures have to be examined using
 	# specialized bifs.
 	card: opaque of cardinality &optional;

scripts/base/frameworks/sumstats/plugins/sample.zeek

@@ -26,7 +26,7 @@ export {
 }
 
 redef record ResultVal += {
-	# Internal use only.  This is not meant to be publically available
+	# Internal use only.  This is not meant to be publicly available
 	# and just a copy of num_samples from the Reducer. Needed for
 	# availability in the compose hook.
 	num_samples: count &default=0;

scripts/base/frameworks/sumstats/plugins/std-dev.zeek

@@ -23,11 +23,6 @@ function calc_std_dev(rv: ResultVal)
 		rv$std_dev = sqrt(rv$variance);
 	}
 
-hook std_dev_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	calc_std_dev(rv);
-	}
-
 hook register_observe_plugins() &priority=-10
 	{
 	register_observe_plugin(STD_DEV, function(r: Reducer, val: double, obs: Observation, rv: ResultVal)

scripts/base/frameworks/sumstats/plugins/unique.zeek

@@ -28,7 +28,7 @@ redef record ResultVal += {
 	# set in the reducer.
 	unique_max: count &optional;
 
-	# Internal use only.  This is not meant to be publically available
+	# Internal use only.  This is not meant to be publicly available
 	# because we don't want to trust that we can inspect the values
 	# since we will likely move to a probabilistic data structure in the future.
 	# TODO: in the future this will optionally be a hyperloglog structure

scripts/base/frameworks/supervisor/api.zeek

@@ -56,9 +56,6 @@ export {
 		## Additional script filenames/paths that the node should load
 		## after any user-specified scripts.
 		addl_user_scripts: vector of string &default = vector();
-		## The former name of addl_user_scripts.
-		scripts: vector of string &default = vector()
-		    &deprecated="Remove in 6.1. Use the addl_user_scripts field instead.";
 		## Environment variables to define in the supervised node.
 		env: table[string] of string &default=table();
 		## A cpu/core number to which the node will try to pin itself.

scripts/base/frameworks/telemetry/__load__.zeek

@@ -1,7 +1,3 @@
 @load ./main
 
 @load base/frameworks/cluster
-
-@if ( Cluster::is_enabled() )
-@load ./cluster
-@endif

scripts/base/frameworks/telemetry/cluster.zeek

@@ -1,21 +0,0 @@
-##! In a cluster configuration, open port 9911 on the manager for
-##! Prometheus exposition and import all metrics from
-##! `zeek/cluster/metrics/...` topic.
-##!
-##! For customization or disabling, redef the involved Broker options again.
-##! Specifically, to disable listening on port 9911, set
-##! :zeek:see:`Broker::metrics_port` to `0/unknown` again.
-
-@load base/frameworks/cluster
-
-# Use Cluster::node as "endpoint" label
-redef Broker::metrics_export_endpoint_name = Cluster::node;
-
-# The manager opens port 9911 and imports metrics from all nodes by default.
-@if ( Cluster::local_node_type() == Cluster::MANAGER )
-redef Broker::metrics_port = 9911/tcp;
-redef Broker::metrics_import_topics = vector("zeek/cluster/metrics/");
-
-@else
-redef Broker::metrics_export_topic = "zeek/cluster/metrics/";
-@endif

scripts/base/init-bare.zeek

@@ -623,10 +623,6 @@ type fa_metadata: record {
 	inferred: bool &default=T;
 };
 
-## Same as :zeek:see:`Analyzer::disabling_analyzer`, but deprecated due
-## to living in the global namespace.
-type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef &deprecated="Remove in v6.1. Use Analyzer::disabling_analyzer() instead.";
-
 module Analyzer;
 export {
 	## A hook taking a connection, analyzer tag and analyzer id that can be
@@ -942,6 +938,45 @@ type BacktraceElement: record {
 ## .. zeek:see:: backtrace print_backtrace
 type Backtrace: vector of BacktraceElement;
 
+## A hook that is invoked when an assert statement fails.
+##
+## By default, a reporter error message is logged describing the failing
+## assert similarly to how scripting errors are reported after invoking
+## this hook. Using the :zeek:see:`break` statement in an assertion_failure
+## hook handler allows to suppress this message.
+##
+## cond: The string representation of the condition.
+##
+## msg: Evaluated message as string given to the assert statement.
+##
+## bt: Backtrace of the assertion error. The top element will contain
+##     the location of the assert statement that failed.
+##
+## .. zeek:see:: assertion_result
+type assertion_failure: hook(cond: string, msg: string, bt: Backtrace);
+
+## A hook that is invoked with the result of every assert statement.
+##
+## This is a potentially expensive hook meant to be used by testing
+## frameworks to summarize assert results. In a production setup,
+## this hook is likely detrimental to performance.
+##
+## Using the :zeek:see:`break` statement within an assertion_failure hook
+## handler allows to suppress the reporter error message generated for
+## failing assert statements.
+##
+## result: The result of evaluating **cond**.
+##
+## cond: The string representation of the condition.
+##
+## msg: Evaluated message as string given to the assert statement.
+##
+## bt: Backtrace of the assertion error. The top element will contain
+##     the location of the assert statement that failed.
+##
+## .. zeek:see:: assertion_failure
+type assertion_result: hook(result: bool, cond: string, msg: string, bt: Backtrace);
+
 # todo:: Do we still need these here? Can they move into the packet filter
 # framework?
 #
@@ -1097,7 +1132,7 @@ type entropy_test_result: record {
 ## Return type for from_json BIF.
 ##
 ## .. zeek:see:: from_json
-type from_json_result: record { 
+type from_json_result: record {
 	v: any &optional;	##< Parsed value.
 	valid: bool;	##< True if parsing was successful.
 };
@@ -4741,7 +4776,6 @@ export {
 	type SNMP::BulkPDU: record {
 		request_id:      int;
 		non_repeaters:   count;
-		max_repititions: count &deprecated="Remove in v6.1. Use max_repetitions instead";
 		max_repetitions: count;
 		bindings:        SNMP::Bindings;
 	};
@@ -5162,31 +5196,16 @@ export {
 	## Setting this to zero will disable all types of tunnel decapsulation.
 	const max_depth: count = 2 &redef;
 
-	## Toggle whether to do IPv{4,6}-in-IPv{4,6} decapsulation.
-	const enable_ip = T &redef &deprecated="Remove in v6.1. Tunnel analyzers can be toggled with enable_analyzer()/disable_analyzer() or disabled through Analyzer::disabled_analyzers";
-
-	## Toggle whether to do IPv{4,6}-in-AYIYA decapsulation.
-	const enable_ayiya = T &redef &deprecated="Remove in v6.1. Tunnel analyzers can be toggled with enable_analyzer()/disable_analyzer() or disabled through Analyzer::disabled_analyzers";
-
-	## Toggle whether to do IPv6-in-Teredo decapsulation.
-	const enable_teredo = T &redef &deprecated="Remove in v6.1. Tunnel analyzers can be toggled with enable_analyzer()/disable_analyzer() or disabled through Analyzer::disabled_analyzers";
-
-	## Toggle whether to do GTPv1 decapsulation.
-	const enable_gtpv1 = T &redef &deprecated="Remove in v6.1. Tunnel analyzers can be toggled with enable_analyzer()/disable_analyzer() or disabled through Analyzer::disabled_analyzers";
-
-	## Toggle whether to do GRE decapsulation.
-	const enable_gre = T &redef &deprecated="Remove in v6.1. Tunnel analyzers can be toggled with enable_analyzer()/disable_analyzer() or disabled through Analyzer::disabled_analyzers";
-
 	## With this set, the Teredo analyzer waits until it sees both sides
 	## of a connection using a valid Teredo encapsulation before issuing
-	## a :zeek:see:`analyzer_confirmation`.  If it's false, the first
+	## a :zeek:see:`analyzer_confirmation_info`.  If it's false, the first
 	## occurrence of a packet with valid Teredo encapsulation causes a
 	## confirmation.
 	const delay_teredo_confirmation = T &redef;
 
 	## With this set, the GTP analyzer waits until the most-recent upflow
 	## and downflow packets are a valid GTPv1 encapsulation before
-	## issuing :zeek:see:`analyzer_confirmation`.  If it's false, the
+	## issuing :zeek:see:`analyzer_confirmation_info`.  If it's false, the
 	## first occurrence of a packet with valid GTPv1 encapsulation causes
 	## confirmation.  Since the same inner connection can be carried
 	## differing outer upflow/downflow connections, setting to false

scripts/base/protocols/dce-rpc/consts.zeek

@@ -283,6 +283,8 @@ export {
 		["86d35949-83c9-4044-b424-db363231fd0c",0x0f] = "SchRpcScheduledRuntimes",
 		["86d35949-83c9-4044-b424-db363231fd0c",0x10] = "SchRpcGetLastRunInfo",
 		["86d35949-83c9-4044-b424-db363231fd0c",0x11] = "SchRpcGetTaskInfo",
+		["86d35949-83c9-4044-b424-db363231fd0c",0x12] = "SchRpcGetNumberOfMissedRuns",
+		["86d35949-83c9-4044-b424-db363231fd0c",0x13] = "SchRpcEnableTask",
 
 		# IObjectExporter
 		["99fcfec4-5260-101b-bbcb-00aa0021347a",0x00] = "ResolveOxid",
@@ -306,6 +308,16 @@ export {
 		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x07] = "NspiDNToEph",
 		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x08] = "NspiGetPropList",
 		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x09] = "NspiGetProps",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x0a] = "NspiCompareMIds",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x0b] = "NspiModProps",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x0c] = "NspiGetSpecialTable",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x0d] = "NspiGetTemplateInfo",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x0e] = "NspiModLinkAtt",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x10] = "NspiQueryColumns",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x11] = "NspiGetNamesFromIDs",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x12] = "NspiGetIDsFromNames",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x13] = "NspiResolveNames",
+		["f5cc5a18-4264-101a-8c59-08002b2f8426",0x14] = "NspiResolveNamesW",
 
 		# IWbemServices
 		["9556dc99-828c-11cf-a37e-00aa003240c7",0x03] = "OpenNamespace",
@@ -611,6 +623,12 @@ export {
 		["12345678-1234-abcd-ef00-0123456789ab",0x66] = "RpcCorePrinterDriverInstalled",
 		["12345678-1234-abcd-ef00-0123456789ab",0x67] = "RpcGetPrinterDriverPackagePath",
 		["12345678-1234-abcd-ef00-0123456789ab",0x68] = "RpcReportJobProcessingProgress",
+		["12345678-1234-abcd-ef00-0123456789ab",0x6e] = "RpcGetJobNamedPropertyValue",
+		["12345678-1234-abcd-ef00-0123456789ab",0x6f] = "RpcSetJobNamedProperty",
+		["12345678-1234-abcd-ef00-0123456789ab",0x70] = "RpcDeleteJobNamedProperty",
+		["12345678-1234-abcd-ef00-0123456789ab",0x71] = "RpcEnumJobNamedProperties",
+		["12345678-1234-abcd-ef00-0123456789ab",0x74] = "RpcLogJobInfoForBranchOffice",
+
 
 		["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x00] = "NetrCharDevEnum",
 		["4b324fc8-1670-01d3-1278-5a47bf6ee188",0x01] = "NetrCharDevGetInfo",
@@ -740,6 +758,7 @@ export {
 		["12345778-1234-abcd-ef00-0123456789ac",0x43] = "SamrValidatePassword",
 		["12345778-1234-abcd-ef00-0123456789ac",0x44] = "SamrQueryLocalizableAccountsInDomain",
 		["12345778-1234-abcd-ef00-0123456789ac",0x45] = "SamrPerformGenericOperation",
+		["12345778-1234-abcd-ef00-0123456789ac",0x49] = "SamrUnicodeChangePasswordUser4",
 
 		["338cd001-2244-31f1-aaaa-900038001003",0x00] = "OpenClassesRoot",
 		["338cd001-2244-31f1-aaaa-900038001003",0x01] = "OpenCurrentUser",
@@ -847,6 +866,9 @@ export {
 		["367abb81-9844-35f1-ad32-98f038001003",0x34] = "ScSendPnPMessage",
 		["367abb81-9844-35f1-ad32-98f038001003",0x35] = "ScValidatePnPService",
 		["367abb81-9844-35f1-ad32-98f038001003",0x36] = "ScOpenServiceStatusHandle",
+		["367abb81-9844-35f1-ad32-98f038001003",0x38] = "QueryServiceConfigEx",
+		["367abb81-9844-35f1-ad32-98f038001003",0x3c] = "CreateWowService",
+		["367abb81-9844-35f1-ad32-98f038001003",0x40] = "OpenSCManager2",
 
 		# browser
 		["6bffd098-a112-3610-9833-012892020162",0x00] = "BrowserrServerEnum",
@@ -1132,6 +1154,8 @@ export {
 		["82273fdc-e32a-18c3-3f78-827929dc23ea",0x16] = "ElfrGetLogInformation",
 		["82273fdc-e32a-18c3-3f78-827929dc23ea",0x17] = "ElfrFlushEL",
 		["82273fdc-e32a-18c3-3f78-827929dc23ea",0x18] = "ElfrReportEventAndSourceW",
+		["82273fdc-e32a-18c3-3f78-827929dc23ea",0x19] = "ElfrReportEventExW",
+		["82273fdc-e32a-18c3-3f78-827929dc23ea",0x1a] = "ElfrReportEventExA",
 
 		# ISeclogon
 		["12b81e99-f207-4a4c-85d3-77b42f76fd14",0x00] = "SeclCreateProcessWithLogonW",
@@ -1265,7 +1289,9 @@ export {
 		["12345778-1234-abcd-ef00-0123456789ab",0x5c] = "CredReadByTokenHandle",
 		["12345778-1234-abcd-ef00-0123456789ab",0x5d] = "CredrRestoreCredentials",
 		["12345778-1234-abcd-ef00-0123456789ab",0x5e] = "CredrBackupCredentials",
-
+		["12345778-1234-abcd-ef00-0123456789ab",0x81] = "LsarCreateTrustedDomainEx3",
+		["12345778-1234-abcd-ef00-0123456789ab",0x82] = "LsarOpenPolicy3",
+		["12345778-1234-abcd-ef00-0123456789ab",0x85] = "LsarSetForestTrustInformation2",
 		# msgsvc
 		["17fdd703-1827-4e34-79d4-24a55c53bb37",0x00] = "NetrMessageNameAdd",
 		["17fdd703-1827-4e34-79d4-24a55c53bb37",0x01] = "NetrMessageNameEnum",
@@ -1363,6 +1389,15 @@ export {
 		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x07] = "DnssrvComplexOperation2",
 		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x08] = "DnssrvEnumRecords2",
 		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x09] = "DnssrvUpdateRecord2",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0a] = "DnssrvUpdateRecord3",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0b] = "DnssrvEnumRecords3",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0c] = "DnssrvOperation3",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0d] = "DnssrvQuery3",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0e] = "DnssrvComplexOperation3",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x0f] = "DnssrvOperation4",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x10] = "DnssrvQuery4",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x11] = "DnssrvUpdateRecord4",
+		["50abc2a4-574d-40b3-9d66-ee4fd5fba076",0x12] = "DnssrvEnumRecords4",
 
 		# lls_license
 		["57674cd0-5200-11ce-a897-08002b2e9c6d",0x00] = "LlsrLicenseRequestW",
@@ -1487,6 +1522,9 @@ export {
 		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x14] = "NetrDfsRemove2",
 		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x15] = "NetrDfsEnumEx",
 		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x16] = "NetrDfsSetInfo2",
+		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x17] = "NetrDfsAddRootTarget",
+		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x18] = "NetrDfsRemoveRootTarget",
+		["4fc742e0-4a10-11cf-8273-00aa004ae673",0x19] = "NetrDfsGetSupportedNamespaceVersion",
 
 		# sfcapi
 		["83da7c00-e84f-11d2-9807-00c04f8ec850",0x00] = "SfcSrv_GetNextProtectedFile",
@@ -1609,6 +1647,12 @@ export {
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x16] = "DRSReplicaVerifyObjects",
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x17] = "DRSGetObjectExistence",
 		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x18] = "DRSQuerySitesByCost",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x19] = "IDL_DRSInitDemotion",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x1a] = "IDL_DRSReplicaDemotion",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x1b] = "IDL_DRSFinishDemotion",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x1c] = "IDL_DRSAddCloneDC",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x1d] = "IDL_DRSWriteNgcKey",
+		["e3514235-4b06-11d1-ab04-00c04fc2dcd2",0x1e] = "IDL_DRSReadNgcKey",
 
 		# winspipe
 		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x00] = "R_WinsRecordAction",
@@ -1628,9 +1672,12 @@ export {
 		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0e] = "R_WinsGetBrowserNames_Old",
 		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x0f] = "R_WinsDeleteWins",
 		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x10] = "R_WinsSetFlags",
-		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x11] = "R_WinsGetDbRecsByName",
-		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x12] = "R_WinsStatusWHdl",
-		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x13] = "R_WinsDoScavengingNew",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x11] = "R_WinsGetBrowserNames",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x12] = "R_WinsGetDbRecsByName",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x13] = "R_WinsStatusNew",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x14] = "R_WinsStatusWHdl",
+		["45f52c28-7f9f-101a-b52b-08002b2efabe",0x15] = "R_WinsDoScavengingNew",
+
 
 		# mgmt
 		["afa8bd80-7d8a-11c9-bef4-08002b102989",0x00] = "inq_if_ids",
@@ -1761,6 +1808,64 @@ export {
 		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x6A] = "ApiClusterControl",
 		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x6B] = "ApiUnblockGetNotifyCall",
 		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x6C] = "ApiSetServiceAccountPassword",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x6D] = "ApiSetResourceDependencyExpression",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x6E] = "ApiGetResourceDependencyExpression",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x70] = "ApiGetResourceNetworkName",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x71] = "ApiExecuteBatch",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x72] = "ApiCreateBatchPort",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x73] = "ApiGetBatchNotification",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x74] = "ApiCloseBatchPort",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x75] = "ApiOpenClusterEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x76] = "ApiOpenNodeEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x77] = "ApiOpenGroupEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x78] = "ApiOpenResourceEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x79] = "ApiOpenNetworkEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7A] = "ApiOpenNetInterfaceEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7B] = "ApiChangeCsvState",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7C] = "ApiCreateNodeEnumEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7D] = "ApiCreateEnumEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7E] = "ApiPauseNodeEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x7F] = "ApiPauseNodeWithDrainTarget",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x80] = "ApiResumeNodeEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x81] = "ApiCreateGroupEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x82] = "ApiOnlineGroupEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x83] = "ApiOfflineGroupEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x84] = "ApiMoveGroupEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x85] = "ApiMoveGroupToNodeEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x86] = "ApiCancelClusterGroupOperation",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x87] = "ApiOnlineResourceEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x88] = "ApiOfflineResourceEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x89] = "ApiCreateNotifyV2",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x8A] = "ApiAddNotifyV2",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x8B] = "ApiGetNotifyV2",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x8F] = "ApiCreateGroupEnum",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x90] = "ApiCreateResourceEnum",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x91] = "ApiExecuteReadBatch",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x92] = "ApiRestartResource",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x93] = "ApiGetNotifyAsync",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x9B] = "ApiAddNotifyResourceTypeV2",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0x9D] = "ApiExecuteReadBatchEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA3] = "ApiCreateGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA4] = "ApiOpenGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA5] = "ApiCloseGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA6] = "ApiDeleteGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA7] = "ApiAddGroupToGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA8] = "ApiRemoveGroupFromGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xA9] = "ApiMoveGroupToGroupSet",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xAB] = "ApiAddGroupSetDependency",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xAC] = "ApiAddGroupToGroupSetDependency",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xAD] = "ApiNodeGroupSetControl",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xAE] = "ApiGroupSetControl",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xAF] = "ApiSetGroupDependencyExpression",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB0] = "ApiRemoveClusterGroupDependency",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB1] = "ApiSetGroupSetDependencyExpression",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB2] = "ApiRemoveGroupSetDependency",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB3] = "ApiRemoveClusterGroupToGroupSetDependency",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB4] = "ApiCreateGroupSetEnum",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB5] = "ApiCreateNetInterfaceEnum",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB6] = "ApiChangeCsvStateEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB7] = "ApiAddGroupToGroupSetEx",
+		["b97db8b2-4c63-11cf-bff6-08002be23f2f",0xB8] = "ApiChangeResourceGroupEx",
 
 		# dhcpsrv - MSDN Ref: DHCP Server Mgmt Protocol [ms-dhcpm]
 		["6bffd098-a112-3610-9833-46c3f874532d",0x00] = "R_DhcpCreateSubnet",
@@ -2219,7 +2324,7 @@ export {
 		["00020401-0000-0000-c000-000000000046",0x12] = "GetContainingTypeLib",
 
 		# IDMNotify - MSDN Ref: Disk Mgmt Remote Protocol [ms-dmrp]
-		["d2d79df7-3400-11d0-b40b-00aa005ff586",0x00] = "ObjectsChanged",
+		["d2d79df7-3400-11d0-b40b-00aa005ff586",0x03] = "ObjectsChanged",
 
 		# IDMRemoteServer - MSDN Ref: Disk Mgmt Remote Protocol [ms-dmrp]
 		["3a410f21-553f-11d1-8e5e-00a0c92c9d5d",0x03] = "CreateRemoteObject",

scripts/base/protocols/ftp/utils-commands.zeek

@@ -135,10 +135,3 @@ function remove_pending_cmd(pc: PendingCmds, ca: CmdArg): bool
 	else
 		return F;
 	}
-
-function pop_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): CmdArg &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	local ca = get_pending_cmd(pc, reply_code, reply_msg);
-	remove_pending_cmd(pc, ca);
-	return ca;
-	}

scripts/base/protocols/radius/consts.zeek

@@ -182,7 +182,7 @@ const attr_types: table[count] of string = {
 	[171] = "Delegated-IPv6-Prefix-Pool",
 	[172] = "Stateful-IPv6-Address-Pool",
 	[173] = "IPv6-6rd-Configuration"
-} &default=function(i: count): string { return fmt("unknown-%d", i); } &deprecated="Remove in v6.1.  Usage testing indicates this function is unused.";
+} &default=function(i: count): string { return fmt("unknown-%d", i); } &is_used;
 
 const nas_port_types: table[count] of string = {
 	[0] = "Async",
@@ -205,7 +205,7 @@ const nas_port_types: table[count] of string = {
 	[17] = "Cable",
 	[18] = "Wireless - Other",
 	[19] = "Wireless - IEEE 802.11"
-} &default=function(i: count): string { return fmt("unknown-%d", i); } &deprecated="Remove in v6.1.  Usage testing indicates this function is unused.";
+} &default=function(i: count): string { return fmt("unknown-%d", i); } &is_used;
 
 const service_types: table[count] of string = {
 	[1] = "Login",
@@ -219,7 +219,7 @@ const service_types: table[count] of string = {
 	[9] = "Callback NAS Prompt",
 	[10] = "Call Check",
 	[11] = "Callback Administrative",
-} &default=function(i: count): string { return fmt("unknown-%d", i); } &deprecated="Remove in v6.1.  Usage testing indicates this function is unused.";
+} &default=function(i: count): string { return fmt("unknown-%d", i); } &is_used;
 
 const framed_protocol_types: table[count] of string = {
 	[1] = "PPP",
@@ -228,4 +228,4 @@ const framed_protocol_types: table[count] of string = {
 	[4] = "Gandalf proprietary SingleLink/MultiLink protocol",
 	[5] = "Xylogics proprietary IPX/SLIP",
 	[6] = "X.75 Synchronous"
-} &default=function(i: count): string { return fmt("unknown-%d", i); } &deprecated="Remove in v6.1.  Usage testing indicates this function is unused.";
+} &default=function(i: count): string { return fmt("unknown-%d", i); } &is_used;

scripts/base/protocols/smb/smb1-main.zeek

@@ -274,50 +274,3 @@ event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count,
 
 	c$smb_state$pipe_map[file_id] = c$smb_state$current_file$uuid;
 	}
-
-event smb_pipe_bind_ack_response(c: connection, hdr: SMB1::Header) &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	if ( ! c$smb_state?$current_file || ! c$smb_state$current_file?$uuid )
-		{
-		# TODO: figure out why the uuid isn't getting set sometimes.
-		return;
-		}
-
-	c$smb_state$current_cmd$sub_command = "RPC_BIND_ACK";
-	c$smb_state$current_cmd$argument = SMB::rpc_uuids[c$smb_state$current_file$uuid];
-	}
-
-event smb_pipe_bind_request(c: connection, hdr: SMB1::Header, uuid: string, version: string) &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	if ( ! c$smb_state?$current_file || ! c$smb_state$current_file?$uuid )
-		{
-		# TODO: figure out why the current_file isn't getting set sometimes.
-		return;
-		}
-
-	c$smb_state$current_cmd$sub_command = "RPC_BIND";
-	c$smb_state$current_file$uuid = uuid;
-	c$smb_state$current_cmd$argument = fmt("%s v%s", SMB::rpc_uuids[uuid], version);
-	}
-
-event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count) &deprecated="Remove in v6.1.  Usage testing indicates this function is unused."
-	{
-	if ( ! c$smb_state?$current_file )
-		{
-		# TODO: figure out why the current file isn't being set sometimes.
-		return;
-		}
-
-	local f = c$smb_state$current_file;
-	if ( ! f?$uuid )
-		{
-		# TODO: figure out why this is happening.
-		Reporter::conn_weird("smb_pipe_request_missing_uuid", c, "");
-		return;
-		}
-	local arg = fmt("%s: %s",
-	                SMB::rpc_uuids[f$uuid],
-	                SMB::rpc_sub_cmds[f$uuid][op_num]);
-
-	c$smb_state$current_cmd$argument = arg;
-	}

scripts/base/protocols/socks/dpd.sig

@@ -31,7 +31,7 @@ signature dpd_socks4_reverse_server {
 signature dpd_socks5_client {
 	ip-proto == tcp
 	# Watch for a few authentication methods to reduce false positives.
-	payload /^\x05.[\x00\x01\x02]/
+	payload /^\x05.[\x00\x01\x02\x03\x05\x06\x07\x08\x09]/
 	tcp-state originator
 }
 
@@ -40,9 +40,23 @@ signature dpd_socks5_server {
 	requires-reverse-signature dpd_socks5_client
 	# Watch for a single authentication method to be chosen by the server or
 	# the server to indicate the no authentication is required.
-	payload /^\x05(\x00|\x01[\x00\x01\x02])/
+	# From wikipedia:
+	# 0x00: No authentication
+	# 0x01: GSSAPI (RFC 1961)
+	# 0x02: Username/password (RFC 1929)
+	# 0x03–0x7F: methods assigned by IANA[11]
+	# 0x03: Challenge-Handshake Authentication Protocol
+	# 0x04: Unassigned
+	# 0x05: Challenge-Response Authentication Method
+	# 0x06: Secure Sockets Layer
+	# 0x07: NDS Authentication
+	# 0x08: Multi-Authentication Framework
+	# 0x09: JSON Parameter Block
+	# 0x0A–0x7F: Unassigned
+	# 0x80–0xFE: methods reserved for private use
+	#
+	# Keep in sync with dpd_socks5_client, 0xff is "no acceptable methods"
+	payload /^\x05[\x00\x01\x02\x03\x05\x06\x07\x08\x09\xff]/
 	tcp-state responder
 	enable "socks"
 }
-
-

scripts/base/utils/site.zeek

@@ -167,7 +167,7 @@ export {
 	global get_emails: function(a: addr): string;
 }
 
-# Please ignore, this is an interally used variable.
+# Please ignore, this is an internally used variable.
 global local_dns_suffix_regex: pattern = /MATCH_NOTHING/;
 global local_dns_neighbor_suffix_regex: pattern = /MATCH_NOTHING/;