Merge remote-tracking branch 'origin/master' into topic/seth/metrics-merge

Conflicts:
	testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
	testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log
	testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log

CHANGES

@@ -1,4 +1,67 @@
 
+2.1-357 | 2013-03-08 09:18:35 -0800
+
+  * Fix race-condition in table-event test. (Bernhard Amann)
+
+  * s/bro-ids.org/bro.org/g. (Robin Sommer)
+
+2.1-353 | 2013-03-07 13:31:37 -0800
+
+  * Fix function type-equivalence requiring same parameter names.
+    Addresses #957. (Jon Siwek)
+
+2.1-351 | 2013-03-07 13:27:29 -0800
+
+  * Fix new/delete mismatch. Addresses #958. (Jacob Baines)
+    
+  * Fix compiler warnings. (Jon Siwek)
+    
+2.1-347 | 2013-03-06 16:48:44 -0800
+
+  * Remove unused parameter from vector assignment method. (Bernhard Amann)
+
+  * Remove the byte_len() and length() bifs. (Bernhard Amann)
+
+2.1-342 | 2013-03-06 15:42:52 -0800
+
+  * Moved the Notice::notice event and Notice::policy table to both be
+    hooks. See documentation and NEWS for information. (Seth Hall).
+
+2.1-338 | 2013-03-06 15:10:43 -0800
+
+  * Fix init of local sets/vectors via curly brace initializer lists.
+    (Jon Siwek)
+
+2.1-336 | 2013-03-06 15:08:06 -0800
+
+  * Fix memory leaks resulting from 'when' and 'return when'
+    statements. Addresses #946. (Jon Siwek)
+
+  * Fix three bugs with 'when' and 'return when' statements. Addresses
+    #946. (Jon Siwek)
+
+2.1-333 | 2013-03-06 14:59:47 -0800
+
+  * Add parsing for GTPv1 extension headers and control messages.  (Jon Siwek)
+
+    This includes:
+
+      - A new generic gtpv1_message() event generated for any GTP
+        message type.
+
+      - Specific events for the create/update/delete PDP context
+        request/response messages.
+
+    Addresses #934.
+
+2.1-331 | 2013-03-06 14:54:33 -0800
+
+  * Fix possible null pointer dereference in identify_data BIF. Also
+    centralized libmagic calls for consistent error handling/output.
+    (Jon Siwek)
+
+  * Fix build on OpenBSD 5.2. (Jon Siwek)
+
 2.1-328 | 2013-02-05 01:34:29 -0500
 
   * New script to query the ICSI Certificate Notary 

INSTALL

@@ -4,7 +4,7 @@
 .. _MacPorts: http://www.macports.org
 .. _Fink: http://www.finkproject.org
 .. _Homebrew: http://mxcl.github.com/homebrew
-.. _bro downloads page: http://bro-ids.org/download/index.html
+.. _bro downloads page: http://bro.org/download/index.html
 
 ==============
 Installing Bro
@@ -189,15 +189,15 @@ Bro releases are bundled into source packages for convenience and
 available from the `bro downloads page`_.
 
 Alternatively, the latest Bro development version can be obtained through git
-repositories hosted at `git.bro-ids.org <http://git.bro-ids.org>`_.  See
+repositories hosted at `git.bro.org <http://git.bro.org>`_.  See
 our `git development documentation
-<http://bro-ids.org/development/process.html>`_ for comprehensive
+<http://bro.org/development/process.html>`_ for comprehensive
 information on Bro's use of git revision control, but the short story
 for downloading the full source code experience for Bro via git is:
 
 .. console::
 
-    git clone --recursive git://git.bro-ids.org/bro
+    git clone --recursive git://git.bro.org/bro
 
 .. note:: If you choose to clone the ``bro`` repository non-recursively for
    a "minimal Bro experience", be aware that compiling it depends on
@@ -230,7 +230,7 @@ automatically.  Finally, use ``make install-aux`` to install some of
 the other programs that are in the ``aux/bro-aux`` directory.
 
 OpenBSD users, please see our FAQ at
-http://www.bro-ids.org/documentation/faq.html if you are having
+http://www.bro.org/documentation/faq.html if you are having
 problems installing Bro.
 
 
@@ -298,7 +298,7 @@ Running Bro
 
 Bro is a complex program and it takes a bit of time to get familiar
 with it.  A good place for newcomers to start is the Quick Start Guide
-at http://www.bro-ids.org/documentation/quickstart.html.
+at http://www.bro.org/documentation/quickstart.html.
 
 For developers that wish to run Bro directly from the ``build/``
 directory (i.e., without performing ``make install``), they will have

NEWS

@@ -67,6 +67,7 @@ Changed Functionality
         - md5_*, sha1_*, sha256_*, and entropy_* have all changed
         their signatures to work with opaque types (see above).
 
+
 - Removed a now unused argument from "do_split" helper function.
 
 - "this" is no longer a reserved keyword.
@@ -81,6 +82,50 @@ Changed Functionality
   value can now be set with the new broctl.cfg option
   "MailAlarmsInterval".
 
+- We have completely reworded the "notice_policy" mechanism. It now no
+  linger uses a record of policy items but a "hook", a new language
+  element that's roughly equivalent to a function with multiple
+  bodies. The documentation [TODO: insert link] describes how to use
+  the new notice policy. For existing code, the two main changes are:
+
+    - What used to be a "redef" of "Notice::policy" now becomes a hook
+      implementation. Example:
+
+      Old:
+
+        redef Notice::policy += {
+            [$pred(n: Notice::Info) = {
+                return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+                },
+            $action = Notice::ACTION_EMAIL]
+            };
+
+      New:
+
+        hook Notice::policy(n: Notice::Info)
+            {
+            if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
+                add n$actions[Notice::ACTION_EMAIL];
+            }
+
+    - notice() is now likewise a hook, no longer an event. If you have
+      handlers for that event, you'll likely just need to change the
+      type accordingly. Example:
+
+      Old:
+
+        event notice(n: Notice::Info) { ... }
+
+      New:
+
+        hook notice(n: Notice::Info) { ... }
+
+- The notice_policy.log is gone. That's a result of the new notice
+  policy setup.
+
+- Removed the byte_len() and length() bif functions. Use the "|...|"
+  operator instead.
+
 Bro 2.1
 -------
 
@@ -247,7 +292,7 @@ Bro 2.0
 As the version number jump suggests, Bro 2.0 is a major upgrade and
 lots of things have changed. We have assembled a separate upgrade
 guide with the most important changes compared to Bro 1.5 at
-http://www.bro-ids.org/documentation/upgrade.html. You can find
+http://www.bro.org/documentation/upgrade.html. You can find
 the offline version of that document in ``doc/upgrade.rst.``.
 
 Compared to the earlier 2.0 Beta version, the major changes in the
@@ -255,7 +300,7 @@ final release are:
 
     * The default scripts now come with complete reference
       documentation. See
-      http://www.bro-ids.org/documentation/index.html.
+      http://www.bro.org/documentation/index.html.
 
     * libz and libmagic are now required dependencies.
 

README

@@ -11,7 +11,7 @@ Please see COPYING for licensing information.
 For more documentation, research publications, and community contact
 information, please see Bro's home page:
 
-    http://www.bro-ids.org
+    http://www.bro.org
 
 On behalf of the Bro Development Team,
 

VERSION

@@ -1 +1 @@
-2.1-328
+2.1-357

aux/binpac

@@ -1 +1 @@
-Subproject commit 2fd9086c9dc0e76f6ff1ae04a60cbbce60507aab
+Subproject commit 72d121ade5a37df83d3252646de51cb77ce69a89

aux/bro-aux

@@ -1 +1 @@
-Subproject commit bea556198b69d30d64c0cf1b594e6de71176df6f
+Subproject commit ae14da422bfb252c8a53bd00d3e5fd7da8bc112e

aux/broccoli

@@ -1 +1 @@
-Subproject commit c1ba9b44c4815c61c54c968f462ec5b0865e5990
+Subproject commit e64204fec55759c614a276c1933bbff2069a63db

aux/broctl

@@ -1 +1 @@
-Subproject commit 2bf6b37177b895329173acac2bb98f38a8783bc1
+Subproject commit 3d2172a60aa503745c92cef8ab3020d1dfc13f0d

aux/btest

@@ -1 +1 @@
-Subproject commit ba0700fe448895b654b90d50f389f6f1341234cb
+Subproject commit d5b8df42cb9c398142e02d4bf8ede835fd0227f4

cmake

@@ -1 +1 @@
-Subproject commit 14537f56d66b18ab9d5024f798caf4d1f356fc67
+Subproject commit 94e72a3075bb0b9550ad05758963afda394bfb2c

doc/_templates/layout.html

@@ -10,7 +10,7 @@
 {% endblock %}
 
 {% block header %}
-<iframe src="http://www.bro-ids.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
+<iframe src="http://www.bro.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
 </iframe>
 {% endblock %}
 
@@ -108,6 +108,6 @@
 {% endblock %}
 
 {% block footer %}
-<iframe src="http://www.bro-ids.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
+<iframe src="http://www.bro.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
 </iframe>
 {% endblock %}

doc/index.rst

@@ -53,7 +53,7 @@ Other Bro Components
 The following are snapshots of documentation for components that come
 with this version of Bro (|version|). Since they can also be used
 independently, see the `download page
-<http://bro-ids.org/download/index.html>`_ for documentation of any
+<http://bro.org/download/index.html>`_ for documentation of any
 current, independent component releases.
 
 .. toctree::

doc/notice.rst

@@ -6,7 +6,7 @@ Notice Framework
 
     One of the easiest ways to customize Bro is writing a local notice
     policy. Bro can detect a large number of potentially interesting
-    situations, and the notice policy tells which of them the user wants to be
+    situations, and the notice policy hook which of them the user wants to be
     acted upon in some manner. In particular, the notice policy can specify
     actions to be taken, such as sending an email or compiling regular
     alarm emails.  This page gives an introduction into writing such a notice
@@ -24,8 +24,8 @@ of interest for the user. However, none of these scripts determines the
 importance of what it finds itself. Instead, the scripts only flag situations
 as *potentially* interesting, leaving it to the local configuration to define
 which of them are in fact actionable. This decoupling of detection and
-reporting allows Bro to address the different needs that sites have:
+reporting allows Bro to address the different needs that sites have.
-definitions of what constitutes an attack or even a compromise differ quite a
+Definitions of what constitutes an attack or even a compromise differ quite a
 bit between environments, and activity deemed malicious at one site might be
 fully acceptable at another.
 
@@ -40,7 +40,7 @@ More information about raising notices can be found in the `Raising Notices`_
 section.
 
 Once a notice is raised, it can have any number of actions applied to it by
-the :bro:see:`Notice::policy` set which is described in the `Notice Policy`_
+writing :bro:see:`Notice::policy` hooks which is described in the `Notice Policy`_
 section below. Such actions can be to send a mail to the configured
 address(es) or to simply ignore the notice. Currently, the following actions
 are defined:
@@ -68,12 +68,6 @@ are defined:
       - Send an email to the email address or addresses given in the
         :bro:see:`Notice::mail_page_dest` variable.
 
-    * - Notice::ACTION_NO_SUPPRESS
-      - This action will disable the built in notice suppression for the
-        notice. Keep in mind that this action will need to be applied to
-        every notice that shouldn't be suppressed including each of the future
-        notices that would have normally been suppressed.
-
 How these notice actions are applied to notices is discussed in the
 `Notice Policy`_ and `Notice Policy Shortcuts`_ sections.
 
@@ -83,26 +77,24 @@ Processing Notices
 Notice Policy
 *************
 
-The predefined set :bro:see:`Notice::policy` provides the mechanism for
+The hook :bro:see:`Notice::policy` provides the mechanism for applying
-applying actions and other behavior modifications to notices. Each entry
+actions and generally modifying the notice before it's sent onward to
-of :bro:see:`Notice::policy` is a record of the type
+the action plugins.  Hooks can be thought of as multi-bodied functions
-:bro:see:`Notice::PolicyItem` which defines a condition to be matched
+and using them looks very similar to handling events.  The difference
-against all raised notices and one or more of a variety of behavior
+is that they don't go through the event queue like events.  Users should
-modifiers. The notice policy is defined by adding any number of
+directly make modifications to the :bro:see:`Notice::Info` record
-:bro:see:`Notice::PolicyItem` records to the :bro:see:`Notice::policy`
+given as the argument to the hook.
-set.
 
 Here's a simple example which tells Bro to send an email for all notices of
 type :bro:see:`SSH::Login` if the server is 10.0.0.1:
 
 .. code:: bro
 
-    redef Notice::policy += {
+    hook Notice::policy(n: Notice::Info)
-      [$pred(n: Notice::Info) = {
+      {
-         return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+      if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
-       },
+        add n$actions[Notice::ACTION_EMAIL];
-       $action = Notice::ACTION_EMAIL]
+      }
-      };
 
 .. note::
 
@@ -110,78 +102,21 @@ type :bro:see:`SSH::Login` if the server is 10.0.0.1:
     such that it is only raised when Bro heuristically detects a successful
     login. No apparently failed logins will raise this notice.
 
-While the syntax might look a bit convoluted at first, it provides a lot of
+Hooks can also have priorities applied to order their execution like events
-flexibility due to having access to Bro's full programming language.
+with a default priority of 0.  Greater values are executed first.  Setting
-
+a hook body to run before default hook bodies might look like this:
-Predicate Field
-^^^^^^^^^^^^^^^
-
-The :bro:see:`Notice::PolicyItem` record type has a field name ``$pred``
-which defines the entry's condition in the form of a predicate written
-as a Bro function. The function is passed the notice as a
-:bro:see:`Notice::Info` record and it returns a boolean value indicating
-if the entry is applicable to that particular notice.
-
-.. note::
-
-    The lack of a predicate in a ``Notice::PolicyItem`` is implicitly true
-    (``T``) since an implicit false (``F``) value would never be used.
-
-Bro evaluates the predicates of each entry in the order defined by the
-``$priority`` field in :bro:see:`Notice::PolicyItem` records. The valid
-values are 0-10 with 10 being earliest evaluated. If ``$priority`` is
-omitted, the default priority is 5.
-
-Behavior Modification Fields
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-There are a set of fields in the :bro:see:`Notice::PolicyItem` record type that
-indicate ways that either the notice or notice processing should be modified
-if the predicate field (``$pred``) evaluated to true (``T``). Those fields are
-explained in more detail in the following table.
-
-.. list-table::
-    :widths: 20 30 20
-    :header-rows: 1
-
-    * - Field
-      - Description
-      - Example
-
-    * - ``$action=<Notice::Action>``
-      - Each :bro:see:`Notice::PolicyItem` can have a single action
-        applied to the notice with this field.
-      - ``$action = Notice::ACTION_EMAIL``
-
-    * - ``$suppress_for=<interval>`` 
-      - This field makes it possible for a user to modify the behavior of the
-        notice framework's automated suppression of intrinsically similar
-        notices. More information about the notice framework's automated
-        suppression can be found in the `Automated Suppression`_ section of
-        this document.
-      - ``$suppress_for = 10mins``
-
-    * - ``$halt=<bool>``
-      - This field can be used for modification of the notice policy
-        evaluation. To stop processing of notice policy items before
-        evaluating all of them, set this field to ``T`` and make the ``$pred``
-        field return ``T``. :bro:see:`Notice::PolicyItem` records defined at
-        a higher priority as defined by the ``$priority`` field will still be
-        evaluated but those at a lower priority won't.
-      - ``$halt = T``
-
-
 
 .. code:: bro
 
-    redef Notice::policy += {
+    hook Notice::policy(n: Notice::Info) &priority=5
-      [$pred(n: Notice::Info) = {
+      {
-         return n$note == SSH::Login && n$id$resp_h == 10.0.0.1;
+      if ( n$note == SSH::Login && n$id$resp_h == 10.0.0.1 )
-       },
+        add n$actions[Notice::ACTION_EMAIL];
-       $action = Notice::ACTION_EMAIL,
+      }
-       $priority=5]
-      };
 
+Hooks can also abort later hook bodies with the ``break`` keyword. This
+is primarily useful if one wants to completely preempt processing by
+lower priority :bro:see:`Notice::policy` hooks.
 
 Notice Policy Shortcuts
 ***********************
@@ -189,7 +124,7 @@ Notice Policy Shortcuts
 Although the notice framework provides a great deal of flexibility and
 configurability there are many times that the full expressiveness isn't needed
 and actually becomes a hindrance to achieving results. The framework provides
-a default :bro:see:`Notice::policy` suite as a way of giving users the
+a default :bro:see:`Notice::policy` hook body as a way of giving users the
 shortcuts to easily apply many common actions to notices.
 
 These are implemented as sets and tables indexed with a
@@ -377,19 +312,45 @@ Setting the ``$identifier`` field is left to those raising notices because
 it's assumed that the script author who is raising the notice understands the
 full problem set and edge cases of the notice which may not be readily
 apparent to users. If users don't want the suppression to take place or simply
-want a different interval, they can always modify it with the
+want a different interval, they can set a notice's suppression
-:bro:see:`Notice::policy`.
+interval to ``0secs`` or delete the value from the ``$identifier`` field in
+a :bro:see:`Notice::policy` hook.
 
 
 Extending Notice Framework
 --------------------------
 
-Adding Custom Notice Actions
+There are a couple of mechanism currently for extending the notice framework
-****************************
+and adding new capability.
 
 Extending Notice Emails
 ***********************
 
+If there is extra information that you would like to add to emails, that is
+possible to add by writing :bro:see:`Notice::policy` hooks.
+
+There is a field in the :bro:see:`Notice::Info` record named
+``$email_body_sections`` which will be included verbatim when email is being
+sent. An example of including some information from an HTTP request is
+included below.
+
+.. code:: bro
+
+    hook Notice::policy(n: Notice::Info)
+      {
+      if ( n?$conn && n$conn?$http && n$conn$http?$host )
+        n$email_body_sections[|email_body_sections|] = fmt("HTTP host header: %s", n$conn$http$host);
+      }
+
+
 Cluster Considerations
 ----------------------
 
+As a user/developer of Bro, the main cluster concern with the notice framework
+is understanding what runs where. When a notice is generated on a worker, the
+worker checks to see if the notice shoudl be suppressed based on information
+locally maintained in the worker process. If it's not being
+suppressed, the worker forwards the notice directly to the manager and does no more
+local processing. The manager then runs the :bro:see:`Notice::policy` hook and
+executes all of the actions determined to be run.
+

doc/quickstart.rst

@@ -111,7 +111,7 @@ protocol-dependent activity that's occurring.  E.g. ``http.log``'s next few
 columns (shortened for brevity) show a request to the root of Bro website::
 
     # method   host         uri  referrer  user_agent
-    GET        bro-ids.org  /    -         <...>Chrome/12.0.742.122<...>
+    GET        bro.org  /    -         <...>Chrome/12.0.742.122<...>
 
 Some logs are worth explicit mention:
 

doc/reporting-problems.rst

@@ -19,7 +19,7 @@ Reporting Problems
 
 Generally, when you encounter a problem with Bro, the best thing to do
 is opening a new ticket in `Bro's issue tracker
-<http://tracker.bro-ids.org/>`__ and include information on how to
+<http://tracker.bro.org/>`__ and include information on how to
 reproduce the issue. Ideally, your ticket should come with the
 following:
 

doc/scripts/DocSourcesList.cmake

@@ -57,6 +57,7 @@ rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
 rest_target(${psd} base/frameworks/notice/cluster.bro)
 rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
 rest_target(${psd} base/frameworks/notice/main.bro)
+rest_target(${psd} base/frameworks/notice/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/weird.bro)
 rest_target(${psd} base/frameworks/packet-filter/main.bro)
 rest_target(${psd} base/frameworks/packet-filter/netstats.bro)

doc/upgrade.rst

@@ -254,7 +254,7 @@ Variable Naming
 
 - Identifiers may have been renamed to conform to new `scripting
   conventions
-  <http://www.bro-ids.org/development/script-conventions.html>`_
+  <http://www.bro.org/development/script-conventions.html>`_
 
 
 BroControl
@@ -296,7 +296,7 @@ Development Infrastructure
 Bro development has moved from using SVN to Git for revision control.
 Users that want to use the latest Bro development snapshot by checking it out
 from the source repositories should see the `development process
-<http://www.bro-ids.org/development/process.html>`_. Note that all the various
+<http://www.bro.org/development/process.html>`_. Note that all the various
 sub-components now reside in their own repositories. However, the
 top-level Bro repository includes them as git submodules so it's easy
 to check them all out simultaneously.

scripts/base/frameworks/cluster/main.bro

@@ -39,7 +39,7 @@ export {
 		## The node type doing all the actual traffic analysis.
 		WORKER,
 		## A node acting as a traffic recorder using the
-		## `Time Machine <http://tracker.bro-ids.org/time-machine>`_ software.
+		## `Time Machine <http://tracker.bro.org/time-machine>`_ software.
 		TIME_MACHINE,
 	};
 	

scripts/base/frameworks/notice/__load__.bro

@@ -17,6 +17,8 @@
 
 @if ( Cluster::is_enabled() )
 @load ./cluster
+@else
+@load ./non-cluster
 @endif
 
 # Load here so that it can check whether clustering is enabled.

scripts/base/frameworks/notice/actions/add-geodata.bro

@@ -27,18 +27,17 @@ export {
 	## Notice types which should have the "remote" location looked up.
 	## If GeoIP support is not built in, this does nothing.
 	const lookup_location_types: set[Notice::Type] = {} &redef;
-	
-	## Add a helper to the notice policy for looking up GeoIP data.
-	redef Notice::policy += {
-		[$pred(n: Notice::Info) = { return (n$note in Notice::lookup_location_types); },
-		 $action = ACTION_ADD_GEODATA,
-		 $priority = 10],
-	};
 }
 
+hook policy(n: Notice::Info) &priority=10
+	{
+	if ( n$note in Notice::lookup_location_types )
+		add n$actions[ACTION_ADD_GEODATA];
+	}
+
 # This is handled at a high priority in case other notice handlers 
 # want to use the data.
-event notice(n: Notice::Info) &priority=10
+hook notice(n: Notice::Info) &priority=10
 	{
 	if ( ACTION_ADD_GEODATA in n$actions &&
 	     |Site::local_nets| > 0 &&

scripts/base/frameworks/notice/actions/drop.bro

@@ -17,20 +17,13 @@ export {
 	};
 }
 
-# This is a little awkward because we want to inject drop along with the
+hook notice(n: Notice::Info)
-# synchronous functions.
-event bro_init()
 	{
-	local drop_func = function(n: Notice::Info)
+	if ( ACTION_DROP in n$actions )
 		{
-		if ( ACTION_DROP in n$actions )
+		#local drop = React::drop_address(n$src, "");
-			{
+		#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
-			#local drop = React::drop_address(n$src, "");
+		#n$dropped = drop$note != Drop::AddressDropIgnored;
-			#local addl = drop?$sub ? fmt(" %s", drop$sub) : "";
+		#n$msg += fmt(" [%s%s]", drop$note, addl);
-			#n$dropped = drop$note != Drop::AddressDropIgnored;
+		}
-			#n$msg += fmt(" [%s%s]", drop$note, addl);
-			}
-		};
-
-	add Notice::sync_functions[drop_func];
 	}

scripts/base/frameworks/notice/actions/email_admin.bro

@@ -18,7 +18,7 @@ export {
 	};
 }
 
-event notice(n: Notice::Info) &priority=-5
+hook notice(n: Notice::Info) &priority=-5
 	{
 	if ( |Site::local_admins| > 0 &&
 	     ACTION_EMAIL_ADMIN in n$actions )

scripts/base/frameworks/notice/actions/page.bro

@@ -15,7 +15,7 @@ export {
 	const mail_page_dest = "" &redef;
 }
 
-event notice(n: Notice::Info) &priority=-5
+hook notice(n: Notice::Info) &priority=-5
 	{
 	if ( ACTION_PAGE in n$actions )
 		email_notice_to(n, mail_page_dest, F);

scripts/base/frameworks/notice/actions/pp-alarms.bro

@@ -105,7 +105,7 @@ event bro_init()
 			 $postprocessor=pp_postprocessor]);
 	}
 
-event notice(n: Notice::Info) &priority=-5
+hook notice(n: Notice::Info) &priority=-5
 	{
 	if ( ! want_pp() )
 		return;

scripts/base/frameworks/notice/cluster.bro

@@ -21,30 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/;
 redef Cluster::worker2manager_events += /Notice::cluster_notice/;
 
 @if ( Cluster::local_node_type() != Cluster::MANAGER )
-
-# The notice policy is completely handled by the manager and shouldn't be 
-# done by workers or proxies to save time for packet processing.
-redef Notice::policy = table();
-
 event Notice::begin_suppression(n: Notice::Info)
 	{
 	suppressing[n$note, n$identifier] = n;
 	}
-
-event Notice::notice(n: Notice::Info)
-	{
-	# Send the locally generated notice on to the manager.
-	event Notice::cluster_notice(n);
-	}
-
-event bro_init() &priority=-3
-	{
-	# Workers and proxies need to disable the notice streams because notice
-	# events are forwarded directly instead of being logged remotely.
-	Log::disable_stream(Notice::LOG);
-	Log::disable_stream(Notice::POLICY_LOG);
-	Log::disable_stream(Notice::ALARM_LOG);
-	}
 @endif
 
 @if ( Cluster::local_node_type() == Cluster::MANAGER )
@@ -54,3 +34,19 @@ event Notice::cluster_notice(n: Notice::Info)
 	NOTICE(n);
 	}
 @endif
+
+module GLOBAL;
+
+## This is the entry point in the global namespace for the notice framework.
+function NOTICE(n: Notice::Info)
+	{
+	# Suppress this notice if necessary.
+	if ( Notice::is_being_suppressed(n) )
+		return;
+
+	if ( Cluster::local_node_type() == Cluster::MANAGER )
+		Notice::internal_NOTICE(n);
+	else
+		# For non-managers, send the notice on to the manager.
+		event Notice::cluster_notice(n);
+	}

scripts/base/frameworks/notice/extend-email/hostnames.bro

@@ -13,7 +13,7 @@ module Notice;
 # reference to the original notice)
 global tmp_notice_storage: table[string] of Notice::Info &create_expire=max_email_delay+10secs;
 
-event Notice::notice(n: Notice::Info) &priority=10
+hook notice(n: Notice::Info) &priority=10
 	{
 	if ( ! n?$src && ! n?$dst )
 		return;

scripts/base/frameworks/notice/main.bro

@@ -10,9 +10,6 @@ export {
 	redef enum Log::ID += {
 		## This is the primary logging stream for notices.
 		LOG,
-		## This is the notice policy auditing log.  It records what the current
-		## notice policy is at Bro init time.
-		POLICY_LOG,
 		## This is the alarm stream.
 		ALARM_LOG,
 	};
@@ -42,9 +39,6 @@ export {
 		## version of the alarm log is emailed in bulk to the address(es)
 		## configured in :bro:id:`Notice::mail_dest`.
 		ACTION_ALARM,
-		## Indicates that the notice should not be supressed by the normal
-		## duplicate notice suppression that the notice framework does.
-		ACTION_NO_SUPPRESS,
 	};
 
 	## The notice framework is able to do automatic notice supression by
@@ -102,10 +96,6 @@ export {
 		## The actions which have been applied to this notice.
 		actions:        set[Notice::Action] &log &optional;
 
-		## These are policy items that returned T and applied their action
-		## to the notice.
-		policy_items:   set[count]     &log &optional;
-
 		## By adding chunks of text into this element, other scripts can
 		## expand on notices that are being emailed.  The normal way to add text
 		## is to extend the vector by handling the :bro:id:`Notice::notice`
@@ -142,9 +132,8 @@ export {
 		identifier:          string         &optional;
 
 		## This field indicates the length of time that this
-		## unique notice should be suppressed.  This field is automatically
+		## unique notice should be suppressed.
-		## filled out and should not be written to by any other script.
+		suppress_for:        interval       &log &default=default_suppression_interval;
-		suppress_for:        interval       &log &optional;
 	};
 
 	## Ignored notice types.
@@ -159,58 +148,8 @@ export {
 	## intervals for entire notice types.
 	const type_suppression_intervals: table[Notice::Type] of interval = {} &redef;
 
-	## This is the record that defines the items that make up the notice policy.
+	## The hook to modify notice handling.
-	type PolicyItem: record {
+	global policy: hook(n: Notice::Info);
-		## This is the exact positional order in which the
-		## :bro:type:`Notice::PolicyItem` records are checked.
-		## This is set internally by the notice framework.
-		position: count                            &log &optional;
-		## Define the priority for this check.  Items are checked in ordered
-		## from highest value (10) to lowest value (0).
-		priority: count                            &log &default=5;
-		## An action given to the notice if the predicate return true.
-		action:   Notice::Action                   &log &default=ACTION_NONE;
-		## The pred (predicate) field is a function that returns a boolean T
-		## or F value.  If the predicate function return true, the action in
-		## this record is applied to the notice that is given as an argument
-		## to the predicate function.  If no predicate is supplied, it's
-		## assumed that the PolicyItem always applies.
-		pred:     function(n: Notice::Info): bool  &log &optional;
-		## Indicates this item should terminate policy processing if the
-		## predicate returns T.
-		halt:     bool                             &log &default=F;
-		## This defines the length of time that this particular notice should
-		## be supressed.
-		suppress_for: interval                     &log &optional;
-	};
-	
-	## Defines a notice policy that is extensible on a per-site basis.
-	## All notice processing is done through this variable.
-	const policy: set[PolicyItem] = {
-		[$pred(n: Notice::Info) = { return (n$note in Notice::ignored_types); },
-		 $halt=T, $priority = 9],
-		[$pred(n: Notice::Info) = { return (n$note in Notice::not_suppressed_types); },
-		 $action = ACTION_NO_SUPPRESS,
-		 $priority = 9],
-		[$pred(n: Notice::Info) = { return (n$note in Notice::alarmed_types); },
-		 $action = ACTION_ALARM,
-		 $priority = 8],
-		[$pred(n: Notice::Info) = { return (n$note in Notice::emailed_types); },
-		 $action = ACTION_EMAIL,
-		 $priority = 8],
-		[$pred(n: Notice::Info) = {
-			if (n$note in Notice::type_suppression_intervals)
-				{
-				n$suppress_for=Notice::type_suppression_intervals[n$note];
-				return T;
-				}
-			return F;
-		 },
-		 $action = ACTION_NONE,
-		 $priority = 8],
-		[$action = ACTION_LOG,
-		 $priority = 0],
-	} &redef;
 
 	## Local system sendmail program.
 	const sendmail            = "/usr/sbin/sendmail" &redef;
@@ -240,25 +179,11 @@ export {
 	## This is the event that is called as the entry point to the
 	## notice framework by the global :bro:id:`NOTICE` function.  By the time
 	## this event is generated, default values have already been filled out in
-	## the :bro:type:`Notice::Info` record and synchronous functions in the 
+	## the :bro:type:`Notice::Info` record and the notice
-	## :bro:id:`Notice::sync_functions` have already been called.  The notice
 	## policy has also been applied.
 	##
 	## n: The record containing notice data.
-	global notice: event(n: Info);
+	global notice: hook(n: Info);
-
-	## This is a set of functions that provide a synchronous way for scripts
-	## extending the notice framework to run before the normal event based
-	## notice pathway that most of the notice framework takes.  This is helpful
-	## in cases where an action against a notice needs to happen immediately
-	## and can't wait the short time for the event to bubble up to the top of
-	## the event queue.  An example is the IP address dropping script that
-	## can block IP addresses that have notices generated because it
-	## needs to operate closer to real time than the event queue allows it to.
-	## Normally the event based extension model using the
-	## :bro:id:`Notice::notice` event will work fine if there aren't harder
-	## real time constraints.
-	const sync_functions: set[function(n: Notice::Info)] = set() &redef;
 
 	## This event is generated when a notice begins to be suppressed.
 	##
@@ -266,6 +191,11 @@ export {
 	##    about to be suppressed.
 	global begin_suppression: event(n: Notice::Info);
 
+	## A function to determine if an event is supposed to be suppressed.
+	##
+	## n: The record containing the notice in question.
+	global is_being_suppressed: function(n: Notice::Info): bool;
+
 	## This event is generated on each occurence of an event being suppressed.
 	##
 	## n: The record containing notice data regarding the notice type
@@ -338,10 +268,6 @@ global suppressing: table[Type, string] of Notice::Info = {}
 		&create_expire=0secs
 		&expire_func=per_notice_suppression_interval;
 
-# This is an internal variable used to store the notice policy ordered by
-# priority.
-global ordered_policy: vector of PolicyItem = vector();
-
 function log_mailing_postprocessor(info: Log::RotationInfo): bool
 	{
 	if ( ! reading_traces() && mail_dest != "" )
@@ -424,9 +350,7 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
 				}
 			else
 				{
-				event reporter_info(network_time(),
+				Reporter::info(fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens));
-					fmt("Notice email delay tokens weren't released in time (%s).", n$email_delay_tokens),
-					"");
 				}
 			}
 		}
@@ -468,7 +392,26 @@ function email_notice_to(n: Notice::Info, dest: string, extend: bool)
 	piped_exec(fmt("%s -t -oi", sendmail), email_text);
 	}
 
-event notice(n: Notice::Info) &priority=-5
+hook Notice::policy(n: Notice::Info) &priority=10
+	{
+	if ( n$note in Notice::ignored_types )
+		break;
+
+	if ( n$note in Notice::not_suppressed_types )
+		n$suppress_for=0secs;
+	if ( n$note in Notice::alarmed_types )
+		add n$actions[ACTION_ALARM];
+	if ( n$note in Notice::emailed_types )
+		add n$actions[ACTION_EMAIL];
+
+	if ( n$note in Notice::type_suppression_intervals )
+		n$suppress_for=Notice::type_suppression_intervals[n$note];
+
+	# Logging is a default action.  It can be removed in a later hook if desired.
+	add n$actions[ACTION_LOG];
+	}
+
+hook Notice::notice(n: Notice::Info) &priority=-5
 	{
 	if ( ACTION_EMAIL in n$actions )
 		email_notice_to(n, mail_dest, T);
@@ -480,7 +423,6 @@ event notice(n: Notice::Info) &priority=-5
 	# Normally suppress further notices like this one unless directed not to.
 	#  n$identifier *must* be specified for suppression to function at all.
 	if ( n?$identifier &&
-	     ACTION_NO_SUPPRESS !in n$actions &&
 	     [n$note, n$identifier] !in suppressing &&
 	     n$suppress_for != 0secs )
 		{
@@ -565,27 +507,8 @@ function apply_policy(n: Notice::Info)
 	if ( ! n?$email_delay_tokens )
 		n$email_delay_tokens = set();
 
-	if ( ! n?$policy_items )
+	# Apply the hook based policy.
-		n$policy_items = set();
+	hook Notice::policy(n);
-
-	for ( i in ordered_policy )
-		{
-		# If there's no predicate or the predicate returns F.
-		if ( ! ordered_policy[i]?$pred || ordered_policy[i]$pred(n) )
-			{
-			add n$actions[ordered_policy[i]$action];
-			add n$policy_items[int_to_count(i)];
-
-			# If the predicate matched and there was a suppression interval,
-			# apply it to the notice now.
-			if ( ordered_policy[i]?$suppress_for )
-				n$suppress_for = ordered_policy[i]$suppress_for;
-
-			# If the policy item wants to halt policy processing, do it now!
-			if ( ordered_policy[i]$halt )
-				break;
-			}
-		}
 
 	# Apply the suppression time after applying the policy so that policy
 	# items can give custom suppression intervals.  If there is no
@@ -602,61 +525,15 @@ function apply_policy(n: Notice::Info)
 		delete n$iconn;
 	}
 
-# Create the ordered notice policy automatically which will be used at runtime
-# for prioritized matching of the notice policy.
-event bro_init() &priority=10
-	{
-	# Create the policy log here because it's only written to in this handler.
-	Log::create_stream(Notice::POLICY_LOG, [$columns=PolicyItem]);
-
-	local tmp: table[count] of set[PolicyItem] = table();
-	for ( pi in policy )
-		{
-		if ( pi$priority < 0 || pi$priority > 10 )
-			Reporter::fatal("All Notice::PolicyItem priorities must be within 0 and 10");
-
-		if ( pi$priority !in tmp )
-			tmp[pi$priority] = set();
-		add tmp[pi$priority][pi];
-		}
-
-	local rev_count = vector(10,9,8,7,6,5,4,3,2,1,0);
-	for ( i in rev_count )
-		{
-		local j = rev_count[i];
-		if ( j in tmp )
-			{
-			for ( pi in tmp[j] )
-				{
-				pi$position = |ordered_policy|;
-				ordered_policy[|ordered_policy|] = pi;
-				Log::write(Notice::POLICY_LOG, pi);
-				}
-			}
-		}
-	}
-
 function internal_NOTICE(n: Notice::Info)
 	{
-	# Suppress this notice if necessary.
-	if ( is_being_suppressed(n) )
-		return;
-
 	# Fill out fields that might be empty and do the policy processing.
 	apply_policy(n);
 
-	# Run the synchronous functions with the notice.
-	for ( func in sync_functions )
-		func(n);
-
 	# Generate the notice event with the notice.
-	event Notice::notice(n);
+	hook Notice::notice(n);
 	}
 
 module GLOBAL;
 
-## This is the entry point in the global namespace for notice framework.
+global NOTICE: function(n: Notice::Info);
-function NOTICE(n: Notice::Info)
-	{
-	Notice::internal_NOTICE(n);
-	}

scripts/base/frameworks/notice/non-cluster.bro

@@ -0,0 +1,14 @@
+
+@load ./main
+
+module GLOBAL;
+
+## This is the entry point in the global namespace for notice framework.
+function NOTICE(n: Notice::Info)
+	{
+	# Suppress this notice if necessary.
+	if ( Notice::is_being_suppressed(n) )
+		return;
+
+	Notice::internal_NOTICE(n);
+	}

scripts/base/frameworks/signatures/main.bro

@@ -161,7 +161,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 		return;
 
 	# Trim the matched data down to something reasonable
-	if ( byte_len(data) > 140 )
+	if ( |data| > 140 )
 		data = fmt("%s...", sub_bytes(data, 0, 140));
 		
 	local src_addr: addr;
@@ -259,8 +259,8 @@ event signature_match(state: signature_state, msg: string, data: string)
 
 	add vert_table[orig, resp][sig_id];
 
-	local hcount = length(horiz_table[orig, sig_id]);
+	local hcount = |horiz_table[orig, sig_id]|;
-	local vcount = length(vert_table[orig, resp]);
+	local vcount = |vert_table[orig, resp]|;
 
 	if ( hcount in horiz_scan_thresholds && hcount != last_hthresh[orig] )
 		{

scripts/base/frameworks/tunnels/main.bro

@@ -88,10 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
 
-const gtpv1u_ports = { 2152/udp };
+const gtpv1_ports = { 2152/udp, 2123/udp };
-redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
+redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
 
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
 
 event bro_init() &priority=5
 	{

scripts/base/init-bare.bro

@@ -1488,6 +1488,146 @@ type gtpv1_hdr: record {
 	next_type: count &optional;
 };
 
+type gtp_cause: count;
+type gtp_imsi: count;
+type gtp_teardown_ind: bool;
+type gtp_nsapi: count;
+type gtp_recovery: count;
+type gtp_teid1: count;
+type gtp_teid_control_plane: count;
+type gtp_charging_id: count;
+type gtp_charging_gateway_addr: addr;
+type gtp_trace_reference: count;
+type gtp_trace_type: count;
+type gtp_tft: string;
+type gtp_trigger_id: string;
+type gtp_omc_id: string;
+type gtp_reordering_required: bool;
+type gtp_proto_config_options: string;
+type gtp_charging_characteristics: count;
+type gtp_selection_mode: count;
+type gtp_access_point_name: string;
+type gtp_msisdn: string;
+
+type gtp_gsn_addr: record {
+	## If the GSN Address information element has length 4 or 16, then this
+	## field is set to be the informational element's value interpreted as
+	## an IPv4 or IPv6 address, respectively.
+	ip: addr &optional;
+	## This field is set if it's not an IPv4 or IPv6 address.
+	other: string &optional;
+};
+
+type gtp_end_user_addr: record {
+	pdp_type_org: count;
+	pdp_type_num: count;
+	## Set if the End User Address information element is IPv4/IPv6.
+	pdp_ip: addr &optional;
+	## Set if the End User Address information element isn't IPv4/IPv6.
+	pdp_other_addr: string &optional;
+};
+
+type gtp_rai: record {
+	mcc: count;
+	mnc: count;
+	lac: count;
+	rac: count;
+};
+
+type gtp_qos_profile: record {
+	priority: count;
+	data: string;
+};
+
+type gtp_private_extension: record {
+	id: count;
+	value: string;
+};
+
+type gtp_create_pdp_ctx_request_elements: record {
+	imsi:             gtp_imsi &optional;
+	rai:              gtp_rai &optional;
+	recovery:         gtp_recovery &optional;
+	select_mode:      gtp_selection_mode &optional;
+	data1:            gtp_teid1;
+	cp:               gtp_teid_control_plane &optional;
+	nsapi:            gtp_nsapi;
+	linked_nsapi:     gtp_nsapi &optional;
+	charge_character: gtp_charging_characteristics &optional;
+	trace_ref:        gtp_trace_reference &optional;
+	trace_type:       gtp_trace_type &optional;
+	end_user_addr:    gtp_end_user_addr &optional;
+	ap_name:          gtp_access_point_name &optional;
+	opts:             gtp_proto_config_options &optional;
+	signal_addr:      gtp_gsn_addr;
+	user_addr:        gtp_gsn_addr;
+	msisdn:           gtp_msisdn &optional;
+	qos_prof:         gtp_qos_profile;
+	tft:              gtp_tft &optional;
+	trigger_id:       gtp_trigger_id &optional;
+	omc_id:           gtp_omc_id &optional;
+	ext:              gtp_private_extension &optional;
+};
+
+type gtp_create_pdp_ctx_response_elements: record {
+	cause:          gtp_cause;
+	reorder_req:    gtp_reordering_required &optional;
+	recovery:       gtp_recovery &optional;
+	data1:          gtp_teid1 &optional;
+	cp:             gtp_teid_control_plane &optional;
+	charging_id:    gtp_charging_id &optional;
+	end_user_addr:  gtp_end_user_addr &optional;
+	opts:           gtp_proto_config_options &optional;
+	cp_addr:        gtp_gsn_addr &optional;
+	user_addr:      gtp_gsn_addr &optional;
+	qos_prof:       gtp_qos_profile &optional;
+	charge_gateway: gtp_charging_gateway_addr &optional;
+	ext:            gtp_private_extension &optional;
+};
+
+type gtp_update_pdp_ctx_request_elements: record {
+	imsi:          gtp_imsi &optional;
+	rai:           gtp_rai &optional;
+	recovery:      gtp_recovery &optional;
+	data1:         gtp_teid1;
+	cp:            gtp_teid_control_plane &optional;
+	nsapi:         gtp_nsapi;
+	trace_ref:     gtp_trace_reference &optional;
+	trace_type:    gtp_trace_type &optional;
+	cp_addr:       gtp_gsn_addr;
+	user_addr:     gtp_gsn_addr;
+	qos_prof:      gtp_qos_profile;
+	tft:           gtp_tft &optional;
+	trigger_id:    gtp_trigger_id &optional;
+	omc_id:        gtp_omc_id &optional;
+	ext:           gtp_private_extension &optional;
+	end_user_addr: gtp_end_user_addr &optional;
+};
+
+type gtp_update_pdp_ctx_response_elements: record {
+	cause:          gtp_cause;
+	recovery:       gtp_recovery &optional;
+	data1:          gtp_teid1 &optional;
+	cp:             gtp_teid_control_plane &optional;
+	charging_id:    gtp_charging_id &optional;
+	cp_addr:        gtp_gsn_addr &optional;
+	user_addr:      gtp_gsn_addr &optional;
+	qos_prof:       gtp_qos_profile &optional;
+	charge_gateway: gtp_charging_gateway_addr &optional;
+	ext:            gtp_private_extension &optional;
+};
+
+type gtp_delete_pdp_ctx_request_elements: record {
+	teardown_ind: gtp_teardown_ind &optional;
+	nsapi:        gtp_nsapi;
+	ext:          gtp_private_extension &optional;
+};
+
+type gtp_delete_pdp_ctx_response_elements: record {
+	cause: gtp_cause;
+	ext:   gtp_private_extension &optional;
+};
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given as
 ## index in this table. For each such filter, the corresponding event is raised for
 ## all matching packets.

scripts/base/utils/paths.bro

@@ -27,7 +27,7 @@ function compress_path(dir: string): string
 	const cdup_sep = /((\/)*([^\/]|\\\/)+)?((\/)+\.\.(\/)*)/;
 
 	local parts = split_n(dir, cdup_sep, T, 1);
-	if ( length(parts) > 1 )
+	if ( |parts| > 1 )
 		{
 		# reaching a point with two parent dir references back-to-back means
 		# we don't know about anything higher in the tree to pop off

scripts/base/utils/strings.bro

@@ -6,7 +6,7 @@
 ## characters.
 function is_string_binary(s: string): bool
 	{
-	return byte_len(gsub(s, /[\x00-\x7f]/, "")) * 100 / |s| >= 25;
+	return |gsub(s, /[\x00-\x7f]/, "")| * 100 / |s| >= 25;
 	}
 
 ## Joins a set of string together, with elements delimited by a constant string.

scripts/policy/protocols/http/detect-MHR.bro

@@ -32,7 +32,7 @@ event log_http(rec: HTTP::Info)
 			{
 			# Data is returned as "<dateFirstDetected> <detectionRate>"
 			local MHR_answer = split1(MHR_result, / /);
-			if ( length(MHR_answer) == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
+			if ( |MHR_answer| == 2 && to_count(MHR_answer[2]) >= MHR_threshold )
 				{
 				local url = HTTP::build_url_http(rec);
 				local message = fmt("%s %s %s", rec$id$orig_h, rec$md5, url);

src/BroString.cc

@@ -369,7 +369,7 @@ VectorVal* BroString:: VecToPolicy(Vec* vec)
 		BroString* string = (*vec)[i];
 		StringVal* val = new StringVal(string->Len(),
 						(const char*) string->Bytes());
-		result->Assign(i+1, val, 0);
+		result->Assign(i+1, val);
 		}
 
 	return result;

src/CompHash.cc

@@ -856,7 +856,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0,
 				if ( have_val )
 					kp1 = RecoverOneVal(k, kp1, k_end, vt->YieldType(), value,
 					                    false);
-				vv->Assign(index, value, 0);
+				vv->Assign(index, value);
 				}
 
 			pval = vv;

src/Debug.cc

@@ -763,7 +763,7 @@ int dbg_handle_debug_input()
 	Frame* curr_frame = g_frame_stack.back();
 	const BroFunc* func = curr_frame->GetFunction();
 	if ( func )
-		current_module = func->GetID()->ModuleName();
+		current_module = extract_module_name(func->Name());
 	else
 		current_module = GLOBAL_MODULE_NAME;
 

src/Expr.cc

@@ -485,7 +485,7 @@ Val* UnaryExpr::Eval(Frame* f) const
 		for ( unsigned int i = 0; i < v_op->Size(); ++i )
 			{
 			Val* v_i = v_op->Lookup(i);
-			result->Assign(i, v_i ? Fold(v_i) : 0, this);
+			result->Assign(i, v_i ? Fold(v_i) : 0);
 			}
 
 		Unref(v);
@@ -625,10 +625,9 @@ Val* BinaryExpr::Eval(Frame* f) const
 			if ( v_op1->Lookup(i) && v_op2->Lookup(i) )
 				v_result->Assign(i,
 						 Fold(v_op1->Lookup(i),
-						      v_op2->Lookup(i)),
+						      v_op2->Lookup(i)));
-						 this);
 			else
-				v_result->Assign(i, 0, this);
+				v_result->Assign(i, 0);
 			// SetError("undefined element in vector operation");
 			}
 
@@ -648,10 +647,9 @@ Val* BinaryExpr::Eval(Frame* f) const
 			if ( vv_i )
 				v_result->Assign(i,
 					 is_vec1 ?
-						 Fold(vv_i, v2) : Fold(v1, vv_i),
+						 Fold(vv_i, v2) : Fold(v1, vv_i));
-					 this);
 			else
-				v_result->Assign(i, 0, this);
+				v_result->Assign(i, 0);
 
 			// SetError("Undefined element in vector operation");
 			}
@@ -1049,10 +1047,10 @@ Val* IncrExpr::Eval(Frame* f) const
 			if ( elt )
 				{
 				Val* new_elt = DoSingleEval(f, elt);
-				v_vec->Assign(i, new_elt, this, OP_INCR);
+				v_vec->Assign(i, new_elt, OP_INCR);
 				}
 			else
-				v_vec->Assign(i, 0, this, OP_INCR);
+				v_vec->Assign(i, 0, OP_INCR);
 			}
 		op->Assign(f, v_vec, OP_INCR);
 		}
@@ -1919,7 +1917,7 @@ Val* BoolExpr::Eval(Frame* f) const
 			result = new VectorVal(Type()->AsVectorType());
 			result->Resize(vector_v->Size());
 			result->AssignRepeat(0, result->Size(),
-						scalar_v, this);
+						scalar_v);
 			}
 		else
 			result = vector_v->Ref()->AsVectorVal();
@@ -1957,10 +1955,10 @@ Val* BoolExpr::Eval(Frame* f) const
 				(! op1->IsZero() && ! op2->IsZero()) :
 				(! op1->IsZero() || ! op2->IsZero());
 
-			result->Assign(i, new Val(local_result, TYPE_BOOL), this);
+			result->Assign(i, new Val(local_result, TYPE_BOOL));
 			}
 		else
-			result->Assign(i, 0, this);
+			result->Assign(i, 0);
 		}
 
 	Unref(v1);
@@ -2334,10 +2332,9 @@ Val* CondExpr::Eval(Frame* f) const
 		if ( local_cond )
 			result->Assign(i,
 				       local_cond->IsZero() ?
-					       b->Lookup(i) : a->Lookup(i),
+					       b->Lookup(i) : a->Lookup(i));
-				       this);
 		else
-			result->Assign(i, 0, this);
+			result->Assign(i, 0);
 		}
 
 	return result;
@@ -2507,15 +2504,27 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 				attr_copy->append((*attrs)[i]);
 			}
 
-		op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
+		if ( op1->Type()->IsSet() )
+			op2 = new SetConstructorExpr(op2->AsListExpr(), attr_copy);
+		else
+			op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
+
 		return true;
 		}
 
-	if ( bt1 == TYPE_VECTOR && bt2 == bt1 &&
+	if ( bt1 == TYPE_VECTOR )
-	     op2->Type()->AsVectorType()->IsUnspecifiedVector() )
 		{
-		op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
+		if ( bt2 == bt1 && op2->Type()->AsVectorType()->IsUnspecifiedVector() )
-		return true;
+			{
+			op2 = new VectorCoerceExpr(op2, op1->Type()->AsVectorType());
+			return true;
+			}
+
+		if ( op2->Tag() == EXPR_LIST )
+			{
+			op2 = new VectorConstructorExpr(op2->AsListExpr());
+			return true;
+			}
 		}
 
 	if ( op1->Type()->Tag() == TYPE_RECORD &&
@@ -2961,7 +2970,7 @@ Val* IndexExpr::Eval(Frame* f) const
 			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
 				{
 				if ( v_v2->Lookup(i)->AsBool() )
-					v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i), this);
+					v_result->Assign(v_result->Size() + 1, v_v1->Lookup(i));
 				}
 			}
 		else
@@ -2971,7 +2980,7 @@ Val* IndexExpr::Eval(Frame* f) const
 			// Probably only do this if *all* are negative.
 			v_result->Resize(v_v2->Size());
 			for ( unsigned int i = 0; i < v_v2->Size(); ++i )
-				v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()), this);
+				v_result->Assign(i, v_v1->Lookup(v_v2->Lookup(i)->CoerceToInt()));
 			}
 		}
 	else
@@ -3048,7 +3057,7 @@ void IndexExpr::Assign(Frame* f, Val* v, Opcode op)
 
 	switch ( v1->Type()->Tag() ) {
 	case TYPE_VECTOR:
-		if ( ! v1->AsVectorVal()->Assign(v2, v, this, op) )
+		if ( ! v1->AsVectorVal()->Assign(v2, v, op) )
 			Internal("assignment failed");
 		break;
 
@@ -3620,7 +3629,7 @@ Val* VectorConstructorExpr::Eval(Frame* f) const
 		{
 		Expr* e = exprs[i];
 		Val* v = e->Eval(f);
-		if ( ! vec->Assign(i, v, e) )
+		if ( ! vec->Assign(i, v) )
 			{
 			Error(fmt("type mismatch at index %d", i), e);
 			return 0;
@@ -3644,7 +3653,7 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 		Expr* e = exprs[i];
 		Val* v = check_and_promote(e->Eval(0), t->YieldType(), 1);
 
-		if ( ! v || ! vec->Assign(i, v, e) )
+		if ( ! v || ! vec->Assign(i, v) )
 			{
 			Error(fmt("initialization type mismatch at index %d", i), e);
 			return 0;
@@ -3865,9 +3874,9 @@ Val* ArithCoerceExpr::Fold(Val* v) const
 		{
 		Val* elt = vv->Lookup(i);
 		if ( elt )
-			result->Assign(i, FoldSingleVal(elt, t), this);
+			result->Assign(i, FoldSingleVal(elt, t));
 		else
-			result->Assign(i, 0, this);
+			result->Assign(i, 0);
 		}
 
 	return result;
@@ -4639,12 +4648,16 @@ Val* CallExpr::Eval(Frame* f) const
 		{
 		const ::Func* func = func_val->AsFunc();
 		calling_expr = this;
+		const CallExpr* current_call = f ? f->GetCall() : 0;
 
 		if ( f )
 			f->SetCall(this);
+
 		ret = func->Call(v, f); // No try/catch here; we pass exceptions upstream.
+
 		if ( f )
-			f->ClearCall();
+			f->SetCall(current_call);
+
 		// Don't Unref() the arguments, as Func::Call already did that.
 		delete v;
 
@@ -5042,7 +5055,7 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const
 			Expr* e = exprs[i];
 			check_and_promote_expr(e, vec->Type()->AsVectorType()->YieldType());
 			Val* v = e->Eval(0);
-			if ( ! vec->Assign(i, v, e) )
+			if ( ! vec->Assign(i, v) )
 				{
 				e->Error(fmt("type mismatch at index %d", i));
 				return 0;

src/FileAnalyzer.cc

@@ -2,6 +2,7 @@
 
 #include "FileAnalyzer.h"
 #include "Reporter.h"
+#include "util.h"
 
 magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
@@ -11,11 +12,8 @@ File_Analyzer::File_Analyzer(Connection* conn)
 	{
 	buffer_len = 0;
 
-	if ( ! magic )
+	bro_init_magic(&magic, MAGIC_NONE);
-		{
+	bro_init_magic(&magic_mime, MAGIC_MIME);
-		InitMagic(&magic, MAGIC_NONE);
-		InitMagic(&magic_mime, MAGIC_MIME);
-		}
 	}
 
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
@@ -49,10 +47,10 @@ void File_Analyzer::Identify()
 	const char* mime = 0;
 
 	if ( magic )
-		descr = magic_buffer(magic, buffer, buffer_len);
+		descr = bro_magic_buffer(magic, buffer, buffer_len);
 
 	if ( magic_mime )
-		mime = magic_buffer(magic_mime, buffer, buffer_len);
+		mime = bro_magic_buffer(magic_mime, buffer, buffer_len);
 
 	val_list* vl = new val_list;
 	vl->append(BuildConnVal());
@@ -61,18 +59,3 @@ void File_Analyzer::Identify()
 	vl->append(new StringVal(mime ? mime : "<unknown>"));
 	ConnectionEvent(file_transferred, vl);
 	}
-
-void File_Analyzer::InitMagic(magic_t* magic, int flags)
-	{
-	*magic = magic_open(flags);
-
-	if ( ! *magic )
-		reporter->Error("can't init libmagic: %s", magic_error(*magic));
-
-	else if ( magic_load(*magic, 0) < 0 )
-		{
-		reporter->Error("can't load magic file: %s", magic_error(*magic));
-		magic_close(*magic);
-		*magic = 0;
-		}
-	}

src/FileAnalyzer.h

@@ -29,8 +29,6 @@ protected:
 	char buffer[BUFFER_SIZE];
 	int buffer_len;
 
-	static void InitMagic(magic_t* magic, int flags);
-
 	static magic_t magic;
 	static magic_t magic_mime;
 };

src/Frame.cc

@@ -87,8 +87,11 @@ Frame* Frame::Clone()
 
 void Frame::SetTrigger(Trigger* arg_trigger)
 	{
+	ClearTrigger();
+
 	if ( arg_trigger )
 		Ref(arg_trigger);
+
 	trigger = arg_trigger;
 	}
 

src/Func.cc

@@ -54,13 +54,13 @@ bool did_builtin_init = false;
 
 vector<Func*> Func::unique_ids;
 
-Func::Func() : scope(0), id(0), return_value(0)
+Func::Func() : scope(0), type(0)
 	{
 	unique_id = unique_ids.size();
 	unique_ids.push_back(this);
 	}
 
-Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), id(0), return_value(0)
+Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), type(0)
 	{
 	unique_id = unique_ids.size();
 	unique_ids.push_back(this);
@@ -68,6 +68,7 @@ Func::Func(Kind arg_kind) : scope(0), kind(arg_kind), id(0), return_value(0)
 
 Func::~Func()
 	{
+	Unref(type);
 	}
 
 void Func::AddBody(Stmt* /* new_body */, id_list* /* new_inits */,
@@ -129,6 +130,12 @@ bool Func::DoSerialize(SerialInfo* info) const
 	if ( ! SERIALIZE(char(kind) ) )
 		return false;
 
+	if ( ! type->Serialize(info) )
+		return false;
+
+	if ( ! SERIALIZE(Name()) )
+		return false;
+
 	// We don't serialize scope as only global functions are considered here
 	// anyway.
 	return true;
@@ -160,12 +167,25 @@ bool Func::DoUnserialize(UnserialInfo* info)
 		return false;
 
 	kind = (Kind) c;
+
+	type = BroType::Unserialize(info);
+	if ( ! type )
+		return false;
+
+	const char* n;
+	if ( ! UNSERIALIZE_STR(&n, 0) )
+		return false;
+
+	name = n;
+	delete [] n;
+
 	return true;
 	}
 
 void Func::DescribeDebug(ODesc* d, const val_list* args) const
 	{
-	id->Describe(d);
+	d->Add(Name());
+
 	RecordType* func_args = FType()->Args();
 
 	if ( args )
@@ -196,21 +216,6 @@ void Func::DescribeDebug(ODesc* d, const val_list* args) const
 		}
 	}
 
-void Func::SetID(ID *arg_id)
-	{
-	id = arg_id;
-
-	return_value =
-		new ID(string(string(id->Name()) + "_returnvalue").c_str(),
-			SCOPE_FUNCTION, false);
-	return_value->SetType(FType()->YieldType()->Ref());
-	}
-
-ID* Func::GetReturnValueID() const
-	{
-	return return_value;
-	}
-
 TraversalCode Func::Traverse(TraversalCallback* cb) const
 	{
 	// FIXME: Make a fake scope for builtins?
@@ -226,12 +231,6 @@ TraversalCode Func::Traverse(TraversalCallback* cb) const
 		tc = scope->Traverse(cb);
 		HANDLE_TC_STMT_PRE(tc);
 
-		if ( GetReturnValueID() )
-			{
-			tc = GetReturnValueID()->Traverse(cb);
-			HANDLE_TC_STMT_PRE(tc);
-			}
-
 		for ( unsigned int i = 0; i < bodies.size(); ++i )
 			{
 			tc = bodies[i].stmts->Traverse(cb);
@@ -249,7 +248,8 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
 		int arg_frame_size, int priority)
 : Func(BRO_FUNC)
 	{
-	id = arg_id;
+	name = arg_id->Name();
+	type = arg_id->Type()->Ref();
 	frame_size = arg_frame_size;
 
 	if ( arg_body )
@@ -263,7 +263,6 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits,
 
 BroFunc::~BroFunc()
 	{
-	Unref(id);
 	for ( unsigned int i = 0; i < bodies.size(); ++i )
 		Unref(bodies[i].stmts);
 	}
@@ -378,7 +377,8 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 	     (flow != FLOW_RETURN /* we fell off the end */ ||
 	      ! result /* explicit return with no result */) &&
 	     ! f->HasDelayed() )
-		reporter->Warning("non-void function returns without a value: %s", id->Name());
+		reporter->Warning("non-void function returns without a value: %s",
+		                  Name());
 
 	if ( result && g_trace_state.DoTrace() )
 		{
@@ -421,8 +421,7 @@ void BroFunc::AddBody(Stmt* new_body, id_list* new_inits, int new_frame_size,
 
 void BroFunc::Describe(ODesc* d) const
 	{
-	if ( id )
+	d->Add(Name());
-		id->Describe(d);
 
 	d->NL();
 	d->AddCount(frame_size);
@@ -450,14 +449,14 @@ IMPLEMENT_SERIAL(BroFunc, SER_BRO_FUNC);
 bool BroFunc::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_BRO_FUNC, Func);
-	return id->Serialize(info) && SERIALIZE(frame_size);
+	return SERIALIZE(frame_size);
 	}
 
 bool BroFunc::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(Func);
-	id = ID::Unserialize(info);
+
-	return id && UNSERIALIZE(&frame_size);
+	return UNSERIALIZE(&frame_size);
 	}
 
 BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
@@ -465,15 +464,16 @@ BuiltinFunc::BuiltinFunc(built_in_func arg_func, const char* arg_name,
 : Func(BUILTIN_FUNC)
 	{
 	func = arg_func;
-	name = copy_string(make_full_var_name(GLOBAL_MODULE_NAME, arg_name).c_str());
+	name = make_full_var_name(GLOBAL_MODULE_NAME, arg_name);
 	is_pure = arg_is_pure;
 
-	id = lookup_ID(name, GLOBAL_MODULE_NAME, false);
+	ID* id = lookup_ID(Name(), GLOBAL_MODULE_NAME, false);
 	if ( ! id )
-		reporter->InternalError("built-in function %s missing", name);
+		reporter->InternalError("built-in function %s missing", Name());
 	if ( id->HasVal() )
-		reporter->InternalError("built-in function %s multiply defined", name);
+		reporter->InternalError("built-in function %s multiply defined", Name());
 
+	type = id->Type()->Ref();
 	id->SetVal(new Val(this));
 	}
 
@@ -491,7 +491,7 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", Name());
 #endif
-	SegmentProfiler(segment_logger, name);
+	SegmentProfiler(segment_logger, Name());
 
 	if ( sample_logger )
 		sample_logger->FunctionSeen(this);
@@ -522,8 +522,7 @@ Val* BuiltinFunc::Call(val_list* args, Frame* parent) const
 
 void BuiltinFunc::Describe(ODesc* d) const
 	{
-	if ( id )
+	d->Add(Name());
-	id->Describe(d);
 	d->AddCount(is_pure);
 	}
 
@@ -532,16 +531,13 @@ IMPLEMENT_SERIAL(BuiltinFunc, SER_BUILTIN_FUNC);
 bool BuiltinFunc::DoSerialize(SerialInfo* info) const
 	{
 	DO_SERIALIZE(SER_BUILTIN_FUNC, Func);
-
+	return true;
-	// We ignore the ID. Func::Serialize() will rebind us anyway.
-	return SERIALIZE(name);
 	}
 
 bool BuiltinFunc::DoUnserialize(UnserialInfo* info)
 	{
 	DO_UNSERIALIZE(Func);
-	id = 0;
+	return true;
-	return UNSERIALIZE_STR(&name, 0);
 	}
 
 void builtin_error(const char* msg, BroObj* arg)

src/Func.h

@@ -47,15 +47,11 @@ public:
 	virtual void SetScope(Scope* newscope)	{ scope = newscope; }
 	virtual Scope* GetScope() const		{ return scope; }
 
-	virtual FuncType* FType() const
+	virtual FuncType* FType() const { return type->AsFuncType(); }
-		{
-		return (FuncType*) id->Type()->AsFuncType();
-		}
 
 	Kind GetKind() const	{ return kind; }
 
-	const ID* GetID() const { return id; }
+	const char* Name() const { return name.c_str(); }
-	void SetID(ID *arg_id);
 
 	virtual void Describe(ODesc* d) const = 0;
 	virtual void DescribeDebug(ODesc* d, const val_list* args) const;
@@ -64,7 +60,6 @@ public:
 	bool Serialize(SerialInfo* info) const;
 	static Func* Unserialize(UnserialInfo* info);
 
-	ID* GetReturnValueID() const;
 	virtual TraversalCode Traverse(TraversalCallback* cb) const;
 
 	uint32 GetUniqueFuncID() const { return unique_id; }
@@ -79,8 +74,8 @@ protected:
 	vector<Body> bodies;
 	Scope* scope;
 	Kind kind;
-	ID* id;
+	BroType* type;
-	ID* return_value;
+	string name;
 	uint32 unique_id;
 	static vector<Func*> unique_ids;
 };
@@ -119,18 +114,16 @@ public:
 
 	int IsPure() const;
 	Val* Call(val_list* args, Frame* parent) const;
-	const char* Name() const	{ return name; }
 	built_in_func TheFunc() const	{ return func; }
 
 	void Describe(ODesc* d) const;
 
 protected:
-	BuiltinFunc()	{ func = 0; name = 0; is_pure = 0; }
+	BuiltinFunc()	{ func = 0; is_pure = 0; }
 
 	DECLARE_SERIAL(BuiltinFunc);
 
 	built_in_func func;
-	const char* name;
 	int is_pure;
 };
 

src/ICMP.cc

@@ -829,7 +829,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
 		data += length;
 		caplen -= length;
 
-		vv->Assign(vv->Size(), rv, 0);
+		vv->Assign(vv->Size(), rv);
 		}
 
 	return vv;

src/IP.cc

@@ -63,7 +63,7 @@ static VectorVal* BuildOptionsVal(const u_char* data, int len)
 			len -= opt->ip6o_len + off;
 			}
 
-		vv->Assign(vv->Size(), rv, 0);
+		vv->Assign(vv->Size(), rv);
 		}
 
 	return vv;
@@ -626,7 +626,7 @@ VectorVal* IPv6_Hdr_Chain::BuildVal() const
 			reporter->InternalError("IPv6_Hdr_Chain bad header %d", type);
 			break;
 		}
-		rval->Assign(rval->Size(), ext_hdr, 0);
+		rval->Assign(rval->Size(), ext_hdr);
 		}
 
 	return rval;

src/NFS.cc

@@ -599,7 +599,7 @@ RecordVal* NFS_Interp::nfs3_readdir_reply(bool isplus, const u_char*& buf,
 				entry->Assign(4, nfs3_post_op_fh(buf,n));
 				}
 
-			entries->Assign(pos, entry, 0);
+			entries->Assign(pos, entry);
 			pos++;
 			}
 

src/NetVar.cc

@@ -5,7 +5,6 @@
 #include "Var.h"
 #include "NetVar.h"
 
-RecordType* gtpv1_hdr_type;
 RecordType* conn_id;
 RecordType* endpoint;
 RecordType* endpoint_stats;
@@ -309,7 +308,6 @@ void init_net_var()
 #include "input.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 
-	gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();
 	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();

src/NetVar.h

@@ -8,7 +8,6 @@
 #include "EventRegistry.h"
 #include "Stats.h"
 
-extern RecordType* gtpv1_hdr_type;
 extern RecordType* conn_id;
 extern RecordType* endpoint;
 extern RecordType* endpoint_stats;

src/RE.cc

@@ -496,7 +496,7 @@ static RE_Matcher* matcher_merge(const RE_Matcher* re1, const RE_Matcher* re2,
 	safe_snprintf(merge_text, n, "(%s)%s(%s)", text1, merge_op, text2);
 
 	RE_Matcher* merge = new RE_Matcher(merge_text);
-	delete merge_text;
+	delete [] merge_text;
 
 	merge->Compile();
 

src/SerialObj.cc

@@ -155,7 +155,7 @@ SerialObj* SerialObj::Unserialize(UnserialInfo* info, SerialType type)
 	else
 		{
 		// Broccoli compatibility mode with 32bit pids.
-		uint32 tmp;
+		uint32 tmp = 0;
 		result = UNSERIALIZE(&full_obj) && UNSERIALIZE(&tmp);
 		pid = tmp;
 		}

src/SmithWaterman.cc

@@ -96,12 +96,12 @@ VectorVal* BroSubstring::VecToPolicy(Vec* vec)
 				align_val->Assign(0, new StringVal(new BroString(*align.string)));
 				align_val->Assign(1, new Val(align.index, TYPE_COUNT));
 
-				aligns->Assign(j+1, align_val, 0);
+				aligns->Assign(j+1, align_val);
 				}
 
 			st_val->Assign(1, aligns);
 			st_val->Assign(2, new Val(bst->IsNewAlignment(), TYPE_BOOL));
-			result->Assign(i+1, st_val, 0);
+			result->Assign(i+1, st_val);
 			}
 		}
 

src/StateAccess.cc

@@ -371,7 +371,7 @@ void StateAccess::Replay()
 
 			CheckOld("index assign", target.id, op1.val, op3,
 					v->AsVectorVal()->Lookup(index));
-			v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0, 0);
+			v->AsVectorVal()->Assign(index, op2 ? op2->Ref() : 0);
 			}
 
 		else
@@ -421,7 +421,7 @@ void StateAccess::Replay()
 			Val* lookup_op1 = v->AsVectorVal()->Lookup(index);
 			int delta = lookup_op1->CoerceToInt() + amount;
 			Val* new_val = new Val(delta, t);
-			v->AsVectorVal()->Assign(index, new_val, 0);
+			v->AsVectorVal()->Assign(index, new_val);
 			}
 
 		else
@@ -926,17 +926,22 @@ void NotifierRegistry::Register(ID* id, NotifierRegistry::Notifier* notifier)
 	DBG_LOG(DBG_NOTIFIERS, "registering ID %s for notifier %s",
 		id->Name(), notifier->Name());
 
+	Attr* attr = new Attr(ATTR_TRACKED);
+
 	if ( id->Attrs() )
-		id->Attrs()->AddAttr(new Attr(ATTR_TRACKED));
+		{
+		if ( ! id->Attrs()->FindAttr(ATTR_TRACKED) )
+			id->Attrs()->AddAttr(attr);
+		}
 	else
 		{
 		attr_list* a = new attr_list;
-		Attr* attr = new Attr(ATTR_TRACKED);
 		a->append(attr);
 		id->SetAttrs(new Attributes(a, id->Type(), false));
-		Unref(attr);
 		}
 
+	Unref(attr);
+
 	NotifierMap::iterator i = ids.find(id->Name());
 
 	if ( i != ids.end() )
@@ -967,7 +972,9 @@ void NotifierRegistry::Unregister(ID* id, NotifierRegistry::Notifier* notifier)
 	if ( i == ids.end() )
 		return;
 
+	Attr* attr = id->Attrs()->FindAttr(ATTR_TRACKED);
 	id->Attrs()->RemoveAttr(ATTR_TRACKED);
+	Unref(attr);
 
 	NotifierSet* s = i->second;
 	s->erase(notifier);

src/Stats.cc

@@ -338,7 +338,7 @@ SampleLogger::~SampleLogger()
 
 void SampleLogger::FunctionSeen(const Func* func)
 	{
-	load_samples->Assign(new StringVal(func->GetID()->Name()), 0);
+	load_samples->Assign(new StringVal(func->Name()), 0);
 	}
 
 void SampleLogger::LocationSeen(const Location* loc)

src/Trigger.cc

@@ -242,6 +242,7 @@ bool Trigger::Eval()
 
 		trigger->Cache(frame->GetCall(), v);
 		trigger->Release();
+		frame->ClearTrigger();
 		}
 
 	Unref(v);
@@ -330,6 +331,7 @@ void Trigger::Timeout()
 #endif
 			trigger->Cache(frame->GetCall(), v);
 			trigger->Release();
+			frame->ClearTrigger();
 			}
 
 		Unref(v);
@@ -424,6 +426,12 @@ Val* Trigger::Lookup(const CallExpr* expr)
 	return (i != cache.end()) ? i->second : 0;
 	}
 
+void Trigger::Disable()
+	{
+	UnregisterAll();
+	disabled = true;
+	}
+
 const char* Trigger::Name() const
 	{
 	assert(location);

src/Trigger.h

@@ -49,7 +49,7 @@ public:
 
 	// Disable this trigger completely. Needed because Unref'ing the trigger
 	// may not immediately delete it as other references may still exist.
-	void Disable()	{ disabled = true; }
+	void Disable();
 
 	virtual void Describe(ODesc* d) const { d->Add("<trigger>"); }
 
@@ -79,7 +79,6 @@ private:
 	friend class TriggerTimer;
 
 	void Init();
-	void DeleteTrigger();
 	void Register(ID* id);
 	void Register(Val* val);
 	void UnregisterAll();

src/TunnelEncapsulation.h

@@ -186,7 +186,7 @@ public:
 		if ( conns )
 			{
 			for ( size_t i = 0; i < conns->size(); ++i )
-				vv->Assign(i, (*conns)[i].GetRecordVal(), 0);
+				vv->Assign(i, (*conns)[i].GetRecordVal());
 			}
 
 		return vv;

src/Type.cc

@@ -696,7 +696,9 @@ string FuncType::FlavorString() const
 
 FuncType::~FuncType()
 	{
+	Unref(args);
 	Unref(arg_types);
+	Unref(yield);
 	}
 
 BroType* FuncType::YieldType()
@@ -710,7 +712,7 @@ int FuncType::MatchesIndex(ListExpr*& index) const
 			MATCHES_INDEX_SCALAR : DOES_NOT_MATCH_INDEX;
 	}
 
-int FuncType::CheckArgs(const type_list* args) const
+int FuncType::CheckArgs(const type_list* args, bool is_init) const
 	{
 	const type_list* my_args = arg_types->Types();
 
@@ -718,7 +720,7 @@ int FuncType::CheckArgs(const type_list* args) const
 		return 0;
 
 	for ( int i = 0; i < my_args->length(); ++i )
-		if ( ! same_type((*args)[i], (*my_args)[i]) )
+		if ( ! same_type((*args)[i], (*my_args)[i], is_init) )
 			return 0;
 
 	return 1;
@@ -1720,7 +1722,7 @@ int same_type(const BroType* t1, const BroType* t2, int is_init)
 				return 0;
 			}
 
-		return same_type(ft1->Args(), ft2->Args(), is_init);
+		return ft1->CheckArgs(ft2->ArgTypes()->Types(), is_init);
 		}
 
 	case TYPE_RECORD:

src/Type.h

@@ -370,11 +370,9 @@ public:
 		{ Unref(yield); yield = 0; flavor = arg_flav; }
 
 	int MatchesIndex(ListExpr*& index) const;
-	int CheckArgs(const type_list* args) const;
+	int CheckArgs(const type_list* args, bool is_init = false) const;
 
-	TypeList* ArgTypes()	{ return arg_types; }
+	TypeList* ArgTypes() const	{ return arg_types; }
-
-	ID* GetReturnValueID() const;
 
 	void Describe(ODesc* d) const;
 	void DescribeReST(ODesc* d) const;

src/Val.cc

@@ -2921,8 +2921,7 @@ VectorVal::~VectorVal()
 	delete val.vector_val;
 	}
 
-bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
+bool VectorVal::Assign(unsigned int index, Val* element, Opcode op)
-			Opcode op)
 	{
 	if ( element &&
 	     ! same_type(element->Type(), vector_type->YieldType(), 0) )
@@ -2983,12 +2982,12 @@ bool VectorVal::Assign(unsigned int index, Val* element, const Expr* assigner,
 	}
 
 bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many,
-				Val* element, const Expr* assigner)
+				Val* element)
 	{
 	ResizeAtLeast(index + how_many);
 
 	for ( unsigned int i = index; i < index + how_many; ++i )
-		if ( ! Assign(i, element, assigner) )
+		if ( ! Assign(i, element ) )
 			return false;
 
 	return true;
@@ -3089,7 +3088,7 @@ bool VectorVal::DoUnserialize(UnserialInfo* info)
 		{
 		Val* v;
 		UNSERIALIZE_OPTIONAL(v, Val::Unserialize(info, TYPE_ANY));
-		Assign(i, v, 0);
+		Assign(i, v);
 		}
 
 	return true;

src/Val.h

@@ -968,18 +968,16 @@ public:
 	// Note: does NOT Ref() the element! Remember to do so unless
 	//       the element was just created and thus has refcount 1.
 	//
-	bool Assign(unsigned int index, Val* element, const Expr* assigner,
+	bool Assign(unsigned int index, Val* element, Opcode op = OP_ASSIGN);
-			Opcode op = OP_ASSIGN);
+	bool Assign(Val* index, Val* element, Opcode op = OP_ASSIGN)
-	bool Assign(Val* index, Val* element, const Expr* assigner,
-			Opcode op = OP_ASSIGN)
 		{
 		return Assign(index->AsListVal()->Index(0)->CoerceToUnsigned(),
-				element, assigner, op);
+				element, op);
 		}
 
 	// Assigns the value to how_many locations starting at index.
 	bool AssignRepeat(unsigned int index, unsigned int how_many,
-			  Val* element, const Expr* assigner);
+			  Val* element);
 
 	// Returns nil if no element was at that value.
 	// Lookup does NOT grow the vector to this size.

src/bro.bif

@@ -16,6 +16,7 @@
 #include "digest.h"
 #include "Reporter.h"
 #include "IPAddr.h"
+#include "util.h"
 
 using namespace std;
 
@@ -844,38 +845,21 @@ extern "C" {
 ## return_mime: If true, the function returns a short MIME type string (e.g.,
 ##              ``text/plain`` instead of a more elaborate textual description).
 ##
-## Returns: The MIME type of *data*.
+## Returns: The MIME type of *data*, or "<unknown>" if there was an error.
 function identify_data%(data: string, return_mime: bool%): string
 	%{
-	const char* descr = "";
-
 	static magic_t magic_mime = 0;
 	static magic_t magic_descr = 0;
 
 	magic_t* magic = return_mime ? &magic_mime : &magic_descr;
+	bro_init_magic(magic, return_mime ? MAGIC_MIME : MAGIC_NONE);
 
 	if( ! *magic )
-		{
+		return new StringVal("<unknown>");
-		*magic = magic_open(return_mime ? MAGIC_MIME : MAGIC_NONE);
 
-		if ( ! *magic )
+	const char* desc = bro_magic_buffer(*magic, data->Bytes(), data->Len());
-			{
-			reporter->Error("can't init libmagic: %s", magic_error(*magic));
-			return new StringVal("");
-			}
 
-		if ( magic_load(*magic, 0) < 0 )
+	return new StringVal(desc ? desc : "<unknown>");
-			{
-			reporter->Error("can't load magic file: %s", magic_error(*magic));
-			magic_close(*magic);
-			*magic = 0;
-			return new StringVal("");
-			}
-		}
-
-	descr = magic_buffer(*magic, data->Bytes(), data->Len());
-
-	return new StringVal(descr);
 	%}
 
 ## Performs an entropy test on the given data.
@@ -1033,29 +1017,6 @@ function clear_table%(v: any%): any
 	return 0;
 	%}
 
-## Returns the number of elements in a container. This function works with all
-## container types, i.e., sets, tables, and vectors.
-##
-## v: The container whose elements are counted.
-##
-## Returns: The number of elements in *v*.
-function length%(v: any%): count
-	%{
-	TableVal* tv = v->Type()->Tag() == TYPE_TABLE ? v->AsTableVal() : 0;
-
-	if ( tv )
-		return new Val(tv->Size(), TYPE_COUNT);
-
-	else if ( v->Type()->Tag() == TYPE_VECTOR )
-		return new Val(v->AsVectorVal()->Size(), TYPE_COUNT);
-
-	else
-		{
-		builtin_error("length() requires a table/set/vector argument");
-		return new Val(0, TYPE_COUNT);
-		}
-	%}
-
 ## Checks whether two objects reference the same internal object. This function
 ## uses equality comparison of C++ raw pointer values to determine if the two
 ## objects are the same.
@@ -1349,7 +1310,7 @@ function order%(v: any, ...%) : index_vec
 	for ( i = 0; i < n; ++i )
 		{
 		int ind = ind_vv[i];
-		result_v->Assign(i, new Val(ind, TYPE_COUNT), 0);
+		result_v->Assign(i, new Val(ind, TYPE_COUNT));
 		}
 
 	return result_v;
@@ -1633,7 +1594,7 @@ function record_type_to_vector%(rt: string%): string_vec
 		for ( int i = 0; i < type->NumFields(); ++i )
 			{
 			StringVal* val = new StringVal(type->FieldName(i));
-			result->Assign(i+1, val, 0);
+			result->Assign(i+1, val);
 			}
 		}
 
@@ -2139,7 +2100,7 @@ function routing0_data_to_addrs%(s: string%): addr_vec
 	while ( len > 0 )
 		{
 		IPAddr a(IPv6, (const uint32*) bytes, IPAddr::Network);
-		rval->Assign(rval->Size(), new AddrVal(a), 0);
+		rval->Assign(rval->Size(), new AddrVal(a));
 		bytes += 16;
 		len -= 16;
 		}
@@ -2162,7 +2123,7 @@ function addr_to_counts%(a: addr%): index_vec
 	int len = a->AsAddr().GetBytes(&bytes);
 
 	for ( int i = 0; i < len; ++i )
-		rval->Assign(i, new Val(ntohl(bytes[i]), TYPE_COUNT), 0);
+		rval->Assign(i, new Val(ntohl(bytes[i]), TYPE_COUNT));
 
 	return rval;
 	%}
@@ -3574,7 +3535,7 @@ function lookup_addr%(host: addr%) : string
 
 ## Issues an asynchronous TEXT DNS lookup and delays the function result.
 ## This function can therefore only be called inside a ``when`` condition,
-## e.g., ``when ( local h = lookup_hostname_txt("www.bro-ids.org") ) { f(h); }``.
+## e.g., ``when ( local h = lookup_hostname_txt("www.bro.org") ) { f(h); }``.
 ##
 ## host: The hostname to lookup.
 ##
@@ -3603,7 +3564,7 @@ function lookup_hostname_txt%(host: string%) : string
 
 ## Issues an asynchronous DNS lookup and delays the function result.
 ## This function can therefore only be called inside a ``when`` condition,
-## e.g., ``when ( local h = lookup_hostname("www.bro-ids.org") ) { f(h); }``.
+## e.g., ``when ( local h = lookup_hostname("www.bro.org") ) { f(h); }``.
 ##
 ## host: The hostname to lookup.
 ##

src/bro_inet_ntop.h

@@ -5,6 +5,7 @@
 extern "C" {
 #endif
 
+#include <sys/types.h>
 #include <sys/socket.h>
 
 const char * 

src/event.bif

@@ -577,6 +577,13 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 ##    it may become particularly expensive for real-time analysis.
 event teredo_bubble%(outer: connection, inner: teredo_hdr%);
 
+## Generated for any GTP message with a GTPv1 header.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
+
 ## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
 ## that includes a GTP header followed by an IPv4 or IPv6 packet.
 ##
@@ -590,6 +597,60 @@ event teredo_bubble%(outer: connection, inner: teredo_hdr%);
 ##    it may become particularly expensive for real-time analysis.
 event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
 
+## Generated for GTPv1-C Create PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Create PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Update PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Update PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
+
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible.  It's usually infeasible to handle when processing even

src/gtpv1-analyzer.pac

@@ -1,4 +1,607 @@
 
+%code{
+RecordVal* BuildGTPv1Hdr(const GTPv1_Header* pdu)
+	{
+	RecordVal* rv = new RecordVal(BifType::Record::gtpv1_hdr);
+
+	rv->Assign(0, new Val(pdu->version(), TYPE_COUNT));
+	rv->Assign(1, new Val(pdu->pt_flag(), TYPE_BOOL));
+	rv->Assign(2, new Val(pdu->rsv(), TYPE_BOOL));
+	rv->Assign(3, new Val(pdu->e_flag(), TYPE_BOOL));
+	rv->Assign(4, new Val(pdu->s_flag(), TYPE_BOOL));
+	rv->Assign(5, new Val(pdu->pn_flag(), TYPE_BOOL));
+	rv->Assign(6, new Val(pdu->msg_type(), TYPE_COUNT));
+	rv->Assign(7, new Val(pdu->length(), TYPE_COUNT));
+	rv->Assign(8, new Val(pdu->teid(), TYPE_COUNT));
+
+	if ( pdu->has_opt() )
+		{
+		rv->Assign(9, new Val(pdu->opt_hdr()->seq(), TYPE_COUNT));
+		rv->Assign(10, new Val(pdu->opt_hdr()->n_pdu(), TYPE_COUNT));
+		rv->Assign(11, new Val(pdu->opt_hdr()->next_type(), TYPE_COUNT));
+		}
+
+	return rv;
+	}
+
+Val* BuildIMSI(const InformationElement* ie)
+	{
+	return new Val(ie->imsi()->value(), TYPE_COUNT);
+	}
+
+Val* BuildRAI(const InformationElement* ie)
+	{
+	RecordVal* ev = new RecordVal(BifType::Record::gtp_rai);
+	ev->Assign(0, new Val(ie->rai()->mcc(), TYPE_COUNT));
+	ev->Assign(1, new Val(ie->rai()->mnc(), TYPE_COUNT));
+	ev->Assign(2, new Val(ie->rai()->lac(), TYPE_COUNT));
+	ev->Assign(3, new Val(ie->rai()->rac(), TYPE_COUNT));
+	return ev;
+	}
+
+Val* BuildRecovery(const InformationElement* ie)
+	{
+	return new Val(ie->recovery()->restart_counter(), TYPE_COUNT);
+	}
+
+Val* BuildSelectionMode(const InformationElement* ie)
+	{
+	return new Val(ie->selection_mode()->mode(), TYPE_COUNT);
+	}
+
+Val* BuildTEID1(const InformationElement* ie)
+	{
+	return new Val(ie->teid1()->value(), TYPE_COUNT);
+	}
+
+Val* BuildTEID_ControlPlane(const InformationElement* ie)
+	{
+	return new Val(ie->teidcp()->value(), TYPE_COUNT);
+	}
+
+Val* BuildNSAPI(const InformationElement* ie)
+	{
+	return new Val(ie->nsapi()->nsapi(), TYPE_COUNT);
+	}
+
+Val* BuildChargingCharacteristics(const InformationElement* ie)
+	{
+	return new Val(ie->charging_characteristics()->value(), TYPE_COUNT);
+	}
+
+Val* BuildTraceReference(const InformationElement* ie)
+	{
+	return new Val(ie->trace_reference()->value(), TYPE_COUNT);
+	}
+
+Val* BuildTraceType(const InformationElement* ie)
+	{
+	return new Val(ie->trace_type()->value(), TYPE_COUNT);
+	}
+
+Val* BuildEndUserAddr(const InformationElement* ie)
+	{
+	RecordVal* ev = new RecordVal(BifType::Record::gtp_end_user_addr);
+	ev->Assign(0, new Val(ie->end_user_addr()->pdp_type_org(), TYPE_COUNT));
+	ev->Assign(1, new Val(ie->end_user_addr()->pdp_type_num(), TYPE_COUNT));
+
+	int len = ie->end_user_addr()->pdp_addr().length();
+
+	if ( len > 0 )
+		{
+		const uint8* d = ie->end_user_addr()->pdp_addr().data();
+
+		switch ( ie->end_user_addr()->pdp_type_num() ) {
+		case 0x21:
+			ev->Assign(2, new AddrVal(
+			  IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+			break;
+		case 0x57:
+			ev->Assign(2, new AddrVal(
+			  IPAddr(IPv6, (const uint32*) d, IPAddr::Network)));
+			break;
+		default:
+			ev->Assign(3, new StringVal(
+			  new BroString((const u_char*) d, len, 0)));
+			break;
+		}
+		}
+
+	return ev;
+	}
+
+Val* BuildAccessPointName(const InformationElement* ie)
+	{
+	BroString* bs = new BroString((const u_char*) ie->ap_name()->value().data(),
+	                              ie->ap_name()->value().length(), 0);
+	return new StringVal(bs);
+	}
+
+Val* BuildProtoConfigOptions(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
+	int len = ie->proto_config_opts()->value().length();
+	return new StringVal(new BroString(d, len, 0));
+	}
+
+Val* BuildGSN_Addr(const InformationElement* ie)
+	{
+	RecordVal* ev = new RecordVal(BifType::Record::gtp_gsn_addr);
+
+	int len = ie->gsn_addr()->value().length();
+	const uint8* d = ie->gsn_addr()->value().data();
+
+	if ( len == 4 )
+		ev->Assign(0, new AddrVal(
+		  IPAddr(IPv4, (const uint32*) d, IPAddr::Network)));
+	else if ( len == 16 )
+		ev->Assign(0, new AddrVal(
+		  IPAddr(IPv6, (const uint32*) d, IPAddr::Network)));
+	else
+		ev->Assign(1, new StringVal(new BroString((const u_char*) d, len, 0)));
+
+	return ev;
+	}
+
+Val* BuildMSISDN(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->msisdn()->value().data();
+	int len = ie->msisdn()->value().length();
+	return new StringVal(new BroString(d, len, 0));
+	}
+
+Val* BuildQoS_Profile(const InformationElement* ie)
+	{
+	RecordVal* ev = new RecordVal(BifType::Record::gtp_qos_profile);
+
+	const u_char* d = (const u_char*) ie->qos_profile()->data().data();
+	int len = ie->qos_profile()->data().length();
+
+	ev->Assign(0, new Val(ie->qos_profile()->alloc_retention_priority(),
+	                      TYPE_COUNT));
+	ev->Assign(1, new StringVal(new BroString(d, len, 0)));
+
+	return ev;
+	}
+
+Val* BuildTrafficFlowTemplate(const InformationElement* ie)
+	{
+	const uint8* d = ie->traffic_flow_template()->value().data();
+	int len = ie->traffic_flow_template()->value().length();
+	return new StringVal(new BroString((const u_char*) d, len, 0));
+	}
+
+Val* BuildTriggerID(const InformationElement* ie)
+	{
+	const uint8* d = ie->trigger_id()->value().data();
+	int len = ie->trigger_id()->value().length();
+	return new StringVal(new BroString((const u_char*) d, len, 0));
+	}
+
+Val* BuildOMC_ID(const InformationElement* ie)
+	{
+	const uint8* d = ie->omc_id()->value().data();
+	int len = ie->omc_id()->value().length();
+	return new StringVal(new BroString((const u_char*) d, len, 0));
+	}
+
+Val* BuildPrivateExt(const InformationElement* ie)
+	{
+	RecordVal* ev = new RecordVal(BifType::Record::gtp_private_extension);
+
+	const uint8* d = ie->private_ext()->value().data();
+	int len = ie->private_ext()->value().length();
+
+	ev->Assign(0, new Val(ie->private_ext()->id(), TYPE_COUNT));
+	ev->Assign(1, new StringVal(new BroString((const u_char*) d, len, 0)));
+
+	return ev;
+	}
+
+Val* BuildCause(const InformationElement* ie)
+	{
+	return new Val(ie->cause()->value(), TYPE_COUNT);
+	}
+
+Val* BuildReorderReq(const InformationElement* ie)
+	{
+	return new Val(ie->reorder_req()->req(), TYPE_BOOL);
+	}
+
+Val* BuildChargingID(const InformationElement* ie)
+	{
+	return new Val(ie->charging_id()->value(), TYPE_COUNT);;
+	}
+
+Val* BuildChargingGatewayAddr(const InformationElement* ie)
+	{
+	const uint8* d = ie->charging_gateway_addr()->value().data();
+	int len = ie->charging_gateway_addr()->value().length();
+	if ( len == 4 )
+		return new AddrVal(IPAddr(IPv4, (const uint32*) d, IPAddr::Network));
+	else if ( len == 16 )
+		return new AddrVal(IPAddr(IPv6, (const uint32*) d, IPAddr::Network));
+	else
+		return 0;
+	}
+
+Val* BuildTeardownInd(const InformationElement* ie)
+	{
+	return new Val(ie->teardown_ind()->ind(), TYPE_BOOL);
+	}
+
+void CreatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_request ) return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_create_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
+
+	bool second_nsapi = false;
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_SELECTION_MODE:
+			rv->Assign(3, BuildSelectionMode(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(4, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(5, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			if ( second_nsapi )
+				rv->Assign(7, BuildNSAPI(ie));
+			else
+				{
+				second_nsapi = true;
+				rv->Assign(6, BuildNSAPI(ie));
+				}
+			break;
+		case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
+			rv->Assign(8, BuildChargingCharacteristics(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(9, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(10, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(11, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_ACCESS_POINT_NAME:
+			rv->Assign(12, BuildAccessPointName(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(13, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(15, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(14, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_MSISDN:
+			rv->Assign(16, BuildMSISDN(ie));
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(17, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(18, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(19, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(20, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(21, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_create_pdp_ctx_request(a, a->Conn(),
+	                                                BuildGTPv1Hdr(pdu), rv);
+	}
+
+void CreatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_response )
+	    return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_create_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_REORDER_REQ:
+			rv->Assign(1, BuildReorderReq(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(5, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(6, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(7, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(11, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(12, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_create_pdp_ctx_response(a, a->Conn(),
+	                                                 BuildGTPv1Hdr(pdu), rv);
+	}
+
+void UpdatePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_request )
+	    return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_update_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(5, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(6, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(7, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(11, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(12, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(13, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(14, BuildPrivateExt(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(15, BuildEndUserAddr(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_update_pdp_ctx_request(a, a->Conn(),
+	                                                BuildGTPv1Hdr(pdu), rv);
+	}
+
+void UpdatePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_response )
+	    return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_update_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(1, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(2, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(3, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(4, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(6, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(5, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(7, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(8, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(9, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_update_pdp_ctx_response(a, a->Conn(),
+	                                                 BuildGTPv1Hdr(pdu), rv);
+	}
+
+void DeletePDP_Request(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_request )
+	    return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_delete_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_TEARDOWN_IND:
+			rv->Assign(0, BuildTeardownInd(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(1, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(2, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
+	                                                BuildGTPv1Hdr(pdu), rv);
+	}
+
+void DeletePDP_Response(const BroAnalyzer& a, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_response )
+	    return;
+
+	RecordVal* rv = new RecordVal(
+	  BifType::Record::gtp_delete_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(1, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird(fmt("gtp_invalid_info_element_%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	BifEvent::generate_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
+	                                                 BuildGTPv1Hdr(pdu), rv);
+	}
+%}
+
 connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
 	{
 	upflow = GTPv1_Flow(true);
@@ -27,17 +630,17 @@ connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
 		%}
 	}
 
-%code{
-inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
-	{
-	a->ProtocolViolation(r, (const char*) p.data(), p.length());
-	}
-%}
-
 flow GTPv1_Flow(is_orig: bool)
 	{
 	datagram = GTPv1_Header withcontext(connection, this);
 
+	function violate(r: string, pdu: GTPv1_Header): void
+		%{
+		BroAnalyzer a = connection()->bro_analyzer();
+		const_bytestring b = ${pdu.sourcedata};
+		a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
+		%}
+
 	function process_gtpv1(pdu: GTPv1_Header): bool
 		%{
 		BroAnalyzer a = connection()->bro_analyzer();
@@ -55,14 +658,14 @@ flow GTPv1_Flow(is_orig: bool)
 		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
 			{
 			// GTP is never tunneled in GTP so, this must be a regular packet
-			violate("GTP-in-GTP", a, ${pdu.packet});
+			violate("GTP-in-GTP", pdu);
 			return false;
 			}
 
 		if ( ${pdu.version} != 1 )
 			{
 			// Only know of GTPv1 with Version == 1
-			violate("GTPv1 bad Version", a, ${pdu.packet});
+			violate("GTPv1 bad Version", pdu);
 			return false;
 			}
 
@@ -72,21 +675,46 @@ flow GTPv1_Flow(is_orig: bool)
 			return false;
 			}
 
-		if ( ${pdu.e_flag} )
+		if ( ::gtpv1_message )
-			{
+			BifEvent::generate_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
-			// TODO: can't currently parse past extension headers
-			return false;
-			}
 
-		if ( ${pdu.msg_type} != 0xff )
+		switch ( ${pdu.msg_type} ) {
-			{
+		case 16:
-			// Only interested in decapsulating user plane data beyond here.
+			CreatePDP_Request(a, pdu);
+			return true;
+		case 17:
+			CreatePDP_Response(a, pdu);
+			return true;
+		case 18:
+			UpdatePDP_Request(a, pdu);
+			return true;
+		case 19:
+			UpdatePDP_Response(a, pdu);
+			return true;
+		case 20:
+			DeletePDP_Request(a, pdu);
+			return true;
+		case 21:
+			DeletePDP_Response(a, pdu);
+			return true;
+		case 255:
+			return process_g_pdu(pdu);
+		default:
 			return false;
-			}
+		}
+
+		return false;
+		%}
+
+	function process_g_pdu(pdu: GTPv1_Header): bool
+		%{
+		BroAnalyzer a = connection()->bro_analyzer();
+		Connection *c = a->Conn();
+		const EncapsulationStack* e = c->GetEncapsulation();
 
 		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
 			{
-			violate("Truncated GTPv1", a, ${pdu.packet});
+			violate("Truncated GTPv1", pdu);
 			return false;
 			}
 
@@ -94,7 +722,7 @@ flow GTPv1_Flow(is_orig: bool)
 
 		if ( ip->ip_v != 4 && ip->ip_v != 6 )
 			{
-			violate("non-IP packet in GTPv1", a, ${pdu.packet});
+			violate("non-IP packet in GTPv1", pdu);
 			return false;
 			}
 
@@ -113,10 +741,10 @@ flow GTPv1_Flow(is_orig: bool)
 			}
 
 		else if ( result < 0 )
-			violate("Truncated GTPv1", a, ${pdu.packet});
+			violate("Truncated GTPv1", pdu);
 
 		else
-			violate("GTPv1 payload length", a, ${pdu.packet});
+			violate("GTPv1 payload length", pdu);
 
 		if ( result != 0 )
 			{
@@ -125,37 +753,16 @@ flow GTPv1_Flow(is_orig: bool)
 			}
 
 		if ( ::gtpv1_g_pdu_packet )
-			{
+			BifEvent::generate_gtpv1_g_pdu_packet(a, c, BuildGTPv1Hdr(pdu),
-			RecordVal* rv = new RecordVal(gtpv1_hdr_type);
-
-			rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
-			rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
-			rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
-			rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
-			rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
-			rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
-			rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
-			rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
-			rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
-
-			if ( ${pdu.has_opt} )
-				{
-				rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
-				rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
-				rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
-				}
-
-			BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
 			                                      inner->BuildPktHdrVal());
-			}
 
 		EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
 
 		sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
 
-		return (result == 0) ? true : false;
+		return true;
 		%}
-
 	};
 
 refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
+

src/gtpv1-protocol.pac

@@ -4,11 +4,27 @@ type GTPv1_Header = record {
 	msg_type:  uint8;
 	length:    uint16;
 	teid:      uint32;
+
 	opt:       case has_opt of {
 		true  -> opt_hdr: GTPv1_Opt_Header;
 		false -> no_opt:  empty;
-	} &requires(has_opt);
+	};
-	packet:    bytestring &restofdata;
+
+	ext:       case e_flag of {
+		true  -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
+		false -> no_ext:   empty;
+	};
+
+	msg:       case msg_type of {
+		16      -> create_pdp_ctx_request:  InformationElement[];
+		17      -> create_pdp_ctx_response: InformationElement[];
+		18      -> update_pdp_ctx_request:  InformationElement[];
+		19      -> update_pdp_ctx_response: InformationElement[];
+		20      -> delete_pdp_ctx_request:  InformationElement[];
+		21      -> delete_pdp_ctx_response: InformationElement[];
+		255     -> packet:  bytestring &restofdata;
+		default -> unknown: bytestring &restofdata;
+	};
 
 } &let {
 	version:  uint8 = (flags & 0xE0) >> 5;
@@ -18,10 +34,463 @@ type GTPv1_Header = record {
 	s_flag:   bool  = flags & 0x02;
 	pn_flag:  bool  = flags & 0x01;
 	has_opt:  bool  = flags & 0x07;
-} &byteorder = littleendian;
+} &byteorder = bigendian, &exportsourcedata;
 
 type GTPv1_Opt_Header = record {
 	seq:       uint16;
 	n_pdu:     uint8;
 	next_type: uint8;
-}
+};
+
+type GTPv1_Ext_Header = record {
+	length:    uint8;
+	contents:  bytestring &length=(length * 4 - 2);
+	next_type: uint8;
+};
+
+enum InfoElementType {
+	TYPE_CAUSE                       = 1,
+	TYPE_IMSI                        = 2,
+	TYPE_RAI                         = 3,
+	TYPE_TLLI                        = 4,
+	TYPE_P_TMSI                      = 5,
+	TYPE_REORDER_REQ                 = 8,
+	TYPE_AUTHN_TRIPLET               = 9,
+	TYPE_MAP_CAUSE                   = 11,
+	TYPE_P_TMSI_SIG                  = 12,
+	TYPE_MS_VALID                    = 13,
+	TYPE_RECOVERY                    = 14,
+	TYPE_SELECTION_MODE              = 15,
+	TYPE_TEID1                       = 16,
+	TYPE_TEID_CONTROL_PLANE          = 17,
+	TYPE_TEID2                       = 18,
+	TYPE_TEARDOWN_IND                = 19,
+	TYPE_NSAPI                       = 20,
+	TYPE_RANAP_CAUSE                 = 21,
+	TYPE_RAB_CTX                     = 22,
+	TYPE_RADIO_PRIORITY_SMS          = 23,
+	TYPE_RADIO_PRIORITY              = 24,
+	TYPE_PACKET_FLOW_ID              = 25,
+	TYPE_CHARGING_CHARACTERISTICS    = 26,
+	TYPE_TRACE_REFERENCE             = 27,
+	TYPE_TRACE_TYPE                  = 28,
+	TYPE_MS_NOT_REACHABLE_REASON     = 29,
+	TYPE_CHARGING_ID                 = 127,
+	TYPE_END_USER_ADDR               = 128,
+	TYPE_MM_CTX                      = 129,
+	TYPE_PDP_CTX                     = 130,
+	TYPE_ACCESS_POINT_NAME           = 131,
+	TYPE_PROTO_CONFIG_OPTIONS        = 132,
+	TYPE_GSN_ADDR                    = 133,
+	TYPE_MSISDN                      = 134,
+	TYPE_QOS_PROFILE                 = 135,
+	TYPE_AUTHN_QUINTUPLET            = 136,
+	TYPE_TRAFFIC_FLOW_TEMPLATE       = 137,
+	TYPE_TARGET_ID                   = 138,
+	TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
+	TYPE_RAB_SETUP_INFO              = 140,
+	TYPE_EXT_HEADER_TYPE_LIST        = 141,
+	TYPE_TRIGGER_ID                  = 142,
+	TYPE_OMC_ID                      = 143,
+	TYPE_CHARGING_GATEWAY_ADDR       = 251,
+	TYPE_PRIVATE_EXT                 = 255,
+};
+
+type InformationElement = record {
+	type: uint8;
+
+	len: case is_tlv of {
+		true  -> tlv_len: uint16;
+		false -> no_len:  empty;
+	};
+
+	value: case type of {
+		TYPE_CAUSE -> cause: Cause;
+		TYPE_IMSI -> imsi: IMSI;
+		TYPE_RAI -> rai: RAI;
+		TYPE_TLLI -> tlli: TLLI;
+		TYPE_P_TMSI -> p_tmsi: P_TMSI;
+		TYPE_REORDER_REQ -> reorder_req: ReorderReq;
+		TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
+		TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
+		TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
+		TYPE_MS_VALID -> ms_valid: MS_Valid;
+		TYPE_RECOVERY -> recovery: Recovery;
+		TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
+		TYPE_TEID1 -> teid1: TEID1;
+		TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
+		TYPE_TEID2 -> teid2: TEID2;
+		TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
+		TYPE_NSAPI -> nsapi: NSAPI;
+		TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
+		TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
+		TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
+		TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
+		TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
+		TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
+		TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
+		TYPE_TRACE_TYPE -> trace_type: TraceType;
+		TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
+		TYPE_CHARGING_ID -> charging_id: ChargingID;
+		TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
+		TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
+		TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
+		TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
+		TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
+		TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
+		TYPE_MSISDN -> msisdn: MSISDN(length);
+		TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
+		TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
+		TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
+		TYPE_TARGET_ID -> target_id: TargetID(length);
+		TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
+		TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
+		TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
+		TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
+		TYPE_OMC_ID -> omc_id: OMC_ID(length);
+		TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
+		TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
+		default -> unknown: bytestring &length=length;
+	} &requires(length);
+
+} &let {
+	is_tlv: bool = (type & 0x80);
+	length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
+};
+
+type Cause = record {
+	value: uint8;
+};
+
+function decode_imsi(v: uint8[8]): uint64
+	%{
+	uint64 rval = 0;
+	uint8 digits[16];
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
+		digits[2 * i] = (*v)[i] & 0x0f;
+		}
+	int power = 0;
+	for ( int i = 15; i >= 0; --i )
+		{
+		if ( digits[i] == 0x0f ) continue;
+		rval += digits[i] * pow(10, power);
+		++power;
+		}
+	return rval;
+	%}
+
+type IMSI = record {
+	tbcd_encoded_value: uint8[8];
+} &let {
+	value: uint64 = decode_imsi(tbcd_encoded_value);
+};
+
+type RAI = record {
+	mcc2_mcc1: uint8;
+	mnc3_mcc3: uint8;
+	mnc2_mnc1: uint8;
+	lac: uint16;
+	rac: uint8;
+} &let {
+	mcc1: uint8 = (mcc2_mcc1 & 0x0f);
+	mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
+	mcc3: uint8 = (mnc3_mcc3 & 0x0f);
+	mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
+	mnc1: uint8 = (mnc2_mnc1 & 0x0f);
+	mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
+	mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
+	mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
+};
+
+type TLLI = record {
+	value: uint32;
+};
+
+type P_TMSI = record {
+	value: uint32;
+};
+
+type ReorderReq = record {
+	value: uint8;
+} &let {
+	req: bool = value & 0x01;
+};
+
+type AuthN_Triplet = record {
+	rand: bytestring &length=16;
+	sres: uint32;
+	kc: uint64;
+};
+
+type MAP_Cause = record {
+	value: uint8;
+};
+
+type P_TMSI_Sig = record {
+	value: bytestring &length=3;
+};
+
+type MS_Valid = record {
+	value: uint8;
+};
+
+type Recovery = record {
+	restart_counter: uint8;
+};
+
+type SelectionMode = record {
+	value: uint8;
+} &let {
+	mode: uint8 = value & 0x01;
+};
+
+type TEID1 = record {
+	value: uint32;
+};
+
+type TEID_ControlPlane = record {
+	value: uint32;
+};
+
+type TEID2 = record {
+	spare_nsapi: uint8;
+	teid2: uint32;
+};
+
+type TeardownInd = record {
+	value: uint8;
+} &let {
+	ind: bool = value & 0x01;
+};
+
+type NSAPI = record {
+	xxxx_nsapi: uint8;
+} &let {
+	nsapi: uint8 = xxxx_nsapi & 0x0f;
+};
+
+type RANAP_Cause = record {
+	value: uint8;
+};
+
+type RAB_Ctx = record {
+	spare_nsapi: uint8;
+	dl_gtpu_seq_num: uint16;
+	ul_gtpu_seq_num: uint16;
+	dl_pdcp_seq_num: uint16;
+	ul_pdcp_seq_num: uint16;
+};
+
+type RadioPrioritySMS = record {
+	value: uint8;
+};
+
+type RadioPriority = record {
+	nsapi_radio_priority: uint8;
+};
+
+type PacketFlowID = record {
+	rsv_nsapi: uint8;
+	packet_flow_id: uint8;
+};
+
+type ChargingCharacteristics = record {
+	value: uint16;
+};
+
+type TraceReference = record {
+	value: uint16;
+};
+
+type TraceType = record {
+	value: uint16;
+};
+
+type MS_Not_Reachable_Reason = record {
+	value: uint8;
+};
+
+type ChargingID = record {
+	value: uint32;
+};
+
+type EndUserAddr(n: uint16) = record {
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr: bytestring &length=(n-2);
+} &let {
+	pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
+};
+
+type MM_Ctx(n: uint16) = record {
+	spare_cksn_ksi: uint8;
+	security_params: uint8;
+
+	keys: case gsm_keys of {
+		true  -> kc: uint64;
+		false -> ck_ik: bytestring &length=32;
+	};
+
+	vector_len: case have_triplets of {
+		true  -> no_quint_len: empty;
+		false -> quint_len: uint16;
+	};
+
+	vectors: case have_triplets of {
+		true  -> triplets: AuthN_Triplet[num_vectors];
+		false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
+	} &requires(num_vectors);
+
+	drx_param: uint16;
+	ms_net_capability_len: uint8;
+	ms_net_capability: bytestring &length=ms_net_capability_len;
+	container_len: uint16;
+	container: bytestring &length=container_len;
+
+} &let {
+	security_mode: uint8 = security_params >> 6;
+	gsm_keys: bool = security_mode & 0x01;
+	have_triplets: bool = (security_mode == 1);
+	num_vectors: uint8 = (security_params & 0x38) >> 3;
+};
+
+type PDP_Ctx(n: uint16) = record {
+	rsv_nsapi:	uint8;
+	xxxx_sapi: uint8;
+	qos_sub_len: uint8;
+	qos_sub: QoS_Profile(qos_sub_len);
+	qos_req_len: uint8;
+	qos_req: QoS_Profile(qos_req_len);
+	qos_neg_len: uint8;
+	qos_neg: QoS_Profile(qos_neg_len);
+	snd: uint16;
+	snu: uint16;
+	send_npdu_num: uint8;
+	recv_npdu_num: uint8;
+	ul_teid_cp: TEID_ControlPlane;
+	ul_teid_data1: TEID1;
+	pdp_ctx_id: uint8;
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr_len: uint8;
+	pdp_addr: bytestring &length=pdp_addr_len;
+	ggsn_addr_control_plane_len: uint8;
+	ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
+	ggsn_addr_user_traffic_len: uint8;
+	ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
+	apn_len: uint8;
+	apn: AP_Name(apn_len);
+	spare_transaction_id: uint8;
+	transaction_id: uint8;
+};
+
+type AP_Name(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ProtoConfigOpts(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type GSN_Addr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type MSISDN(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type QoS_Profile(n: uint16) = record {
+	alloc_retention_priority: uint8;
+	data: bytestring &length=n-1;
+};
+
+type AuthN_Quintuplet(n: uint16) = record {
+	rand: bytestring &length=16;
+	xres_len: uint8;
+	xres: bytestring &length=xres_len;
+	ck: bytestring &length=16;
+	ik: bytestring &length=16;
+	autn_len: uint8;
+	autn: bytestring &length=autn_len;
+};
+
+type TrafficFlowTemplate(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type TargetID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type UTRAN_TransparentContainer(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type RAB_SetupInfo(n: uint16) = record {
+	xxxx_nsapi: uint8;
+
+	have_teid: case n of {
+		1 -> no_teid: empty;
+		default -> teid: TEID1;
+	};
+
+	have_addr: case n of {
+		1 -> no_addr: empty;
+		default -> rnc_addr: bytestring &length=n-5;
+	};
+};
+
+type ExtHdrTypeList(n: uint16) = record {
+	value: uint8[n];
+};
+
+type TriggerID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type OMC_ID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ChargingGatewayAddr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type PrivateExt(n: uint16) = record {
+	id: uint16;
+	value: bytestring &length=n-2;
+};
+
+function Get_IE_Len(t: uint8): uint16 =
+	case t of {
+	TYPE_CAUSE -> 1;
+	TYPE_IMSI -> 8;
+	TYPE_RAI -> 6;
+	TYPE_TLLI -> 4;
+	TYPE_P_TMSI -> 4;
+	TYPE_REORDER_REQ -> 1;
+	TYPE_AUTHN_TRIPLET -> 28;
+	TYPE_MAP_CAUSE -> 1;
+	TYPE_P_TMSI_SIG -> 3;
+	TYPE_MS_VALID -> 1;
+	TYPE_RECOVERY -> 1;
+	TYPE_SELECTION_MODE -> 1;
+	TYPE_TEID1 -> 4;
+	TYPE_TEID_CONTROL_PLANE -> 4;
+	TYPE_TEID2 -> 5;
+	TYPE_TEARDOWN_IND -> 1;
+	TYPE_NSAPI -> 1;
+	TYPE_RANAP_CAUSE -> 1;
+	TYPE_RAB_CTX -> 9;
+	TYPE_RADIO_PRIORITY_SMS -> 1;
+	TYPE_RADIO_PRIORITY -> 1;
+	TYPE_PACKET_FLOW_ID -> 2;
+	TYPE_CHARGING_CHARACTERISTICS -> 2;
+	TYPE_TRACE_REFERENCE -> 2;
+	TYPE_TRACE_TYPE -> 2;
+	TYPE_MS_NOT_REACHABLE_REASON -> 1;
+	TYPE_CHARGING_ID -> 4;
+	};

src/input/Manager.cc

@@ -483,7 +483,7 @@ bool Manager::CreateEventStream(RecordVal* fval)
 	Unref(fields); // ref'd by lookupwithdefault
 	stream->num_fields = fieldsV.size();
 	stream->fields = fields->Ref()->AsRecordType();
-	stream->event = event_registry->Lookup(event->GetID()->Name());
+	stream->event = event_registry->Lookup(event->Name());
 	stream->want_record = ( want_record->InternalInt() == 1 );
 	Unref(want_record); // ref'd by lookupwithdefault
 
@@ -644,7 +644,7 @@ bool Manager::CreateTableStream(RecordVal* fval)
 	stream->tab = dst->AsTableVal();
 	stream->rtype = val ? val->AsRecordType() : 0;
 	stream->itype = idx->AsRecordType();
-	stream->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
+	stream->event = event ? event_registry->Lookup(event->Name()) : 0;
 	stream->currDict = new PDict(InputHash);
 	stream->currDict->SetDeleteFunc(input_hash_delete_func);
 	stream->lastDict = new PDict(InputHash);
@@ -2107,7 +2107,7 @@ Val* Manager::ValueToVal(const Value* val, BroType* request_type)
 		VectorType* vt = new VectorType(type->Ref());
 		VectorVal* v = new VectorVal(vt);
 		for (  int i = 0; i < val->val.vector_val.size; i++ )
-			v->Assign(i, ValueToVal( val->val.set_val.vals[i], type ), 0);
+			v->Assign(i, ValueToVal( val->val.set_val.vals[i], type ));
 
 		Unref(vt);
 		return v;

src/logging/Manager.cc

@@ -365,7 +365,7 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
 	streams[idx]->id = id->Ref()->AsEnumVal();
 	streams[idx]->enabled = true;
 	streams[idx]->name = id->Type()->AsEnumType()->Lookup(idx);
-	streams[idx]->event = event ? event_registry->Lookup(event->GetID()->Name()) : 0;
+	streams[idx]->event = event ? event_registry->Lookup(event->Name()) : 0;
 	streams[idx]->columns = columns->Ref()->AsRecordType();
 
 	DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s",

src/logging/writers/DataSeries.cc

@@ -167,7 +167,7 @@ string DataSeries::BuildDSSchemaFromFieldTypes(const vector<SchemaValue>& vals,
 
 	string xmlschema = "<ExtentType name=\""
 		+ sTitle
-		+ "\" version=\"1.0\" namespace=\"bro-ids.org\">\n";
+		+ "\" version=\"1.0\" namespace=\"bro.org\">\n";
 
 	for( size_t i = 0; i < vals.size(); ++i )
 		{

src/modbus-analyzer.pac

@@ -149,7 +149,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i=0; i < ${message.registers}->size(); ++i )
 				{
 				Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 			BifEvent::generate_modbus_read_holding_registers_response(connection()->bro_analyzer(),
@@ -192,7 +192,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i=0; i < (${message.registers})->size(); ++i )
 				{
 				Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 			BifEvent::generate_modbus_read_input_registers_response(connection()->bro_analyzer(),
@@ -335,7 +335,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i = 0; i < (${message.registers}->size()); ++i )
 				{
 				Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 				BifEvent::generate_modbus_write_multiple_registers_request(connection()->bro_analyzer(),
@@ -371,13 +371,13 @@ refine flow ModbusTCP_Flow += {
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
-			//	t->Assign(i, r, 0, OP_ASSIGN);
+			//	t->Assign(i, r);
 			//
 			//	Val* k = new Val((${message.references[i].file_num}), TYPE_COUNT);
-			//	t->Assign(i, k, 0, OP_ASSIGN);
+			//	t->Assign(i, k);
 			//
 			//	Val* l = new Val((${message.references[i].record_num}), TYPE_COUNT);
-			//	t->Assign(i, l, 0, OP_ASSIGN);
+			//	t->Assign(i, l);
 			//	}
 
 			BifEvent::generate_modbus_read_file_record_request(connection()->bro_analyzer(),
@@ -398,7 +398,7 @@ refine flow ModbusTCP_Flow += {
 			//	{
 			//	//TODO: work the reference type in here somewhere
 			//	Val* r = new Val(${message.references[i].record_data}), TYPE_COUNT);
-			//	t->Assign(i, r, 0, OP_ASSIGN);
+			//	t->Assign(i, r);
 			//	}
 
 			BifEvent::generate_modbus_read_file_record_response(connection()->bro_analyzer(),
@@ -418,18 +418,18 @@ refine flow ModbusTCP_Flow += {
 			//for ( unsigned int i = 0; i < (${message.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
-			//	t->Assign(i, r, 0, OP_ASSIGN);
+			//	t->Assign(i, r);
 			//
 			//	Val* k = new Val((${message.references[i].file_num}), TYPE_COUNT);
-			//	t->Assign(i, k, 0, OP_ASSIGN);
+			//	t->Assign(i, k);
 			//
 			//	Val* n = new Val((${message.references[i].record_num}), TYPE_COUNT);
-			//	t->Assign(i, n, 0, OP_ASSIGN);
+			//	t->Assign(i, n);
 			//
 			//	for ( unsigned int j = 0; j < (${message.references[i].register_value}->size()); ++j )
 			//		{
 			//		k = new Val((${message.references[i].register_value[j]}), TYPE_COUNT);
-			//		t->Assign(i, k, 0, OP_ASSIGN);
+			//		t->Assign(i, k);
 			//		}
 			//	}
 
@@ -451,18 +451,18 @@ refine flow ModbusTCP_Flow += {
 			//for ( unsigned int i = 0; i < (${messages.references}->size()); ++i )
 			//	{
 			//	Val* r = new Val((${message.references[i].ref_type}), TYPE_COUNT);
-			//	t->Assign(i, r, 0, OP_ASSIGN);
+			//	t->Assign(i, r);
 			//
 			//	Val* f = new Val((${message.references[i].file_num}), TYPE_COUNT);
-			//	t->Assign(i, f, 0, OP_ASSIGN);
+			//	t->Assign(i, f);
 			//
 			//	Val* rn = new Val((${message.references[i].record_num}), TYPE_COUNT);
-			//	t->Assign(i, rn, 0, OP_ASSIGN);
+			//	t->Assign(i, rn);
 			//
 			//	for ( unsigned int j = 0; j<(${message.references[i].register_value}->size()); ++j )
 			//		{
 			//		Val* k = new Val((${message.references[i].register_value[j]}), TYPE_COUNT);
-			//		t->Assign(i, k, 0, OP_ASSIGN);
+			//		t->Assign(i, k);
 			//		}
 
 			BifEvent::generate_modbus_write_file_record_response(connection()->bro_analyzer(),
@@ -519,7 +519,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i = 0; i < ${message.write_register_values}->size(); ++i )
 				{
 				Val* r = new Val(${message.write_register_values[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 			BifEvent::generate_modbus_read_write_multiple_registers_request(connection()->bro_analyzer(),
@@ -550,7 +550,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i = 0; i < ${message.registers}->size(); ++i )
 				{
 				Val* r = new Val(${message.registers[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 			BifEvent::generate_modbus_read_write_multiple_registers_response(connection()->bro_analyzer(),
@@ -593,7 +593,7 @@ refine flow ModbusTCP_Flow += {
 			for ( unsigned int i = 0; i < (${message.register_data})->size(); ++i )
 				{
 				Val* r = new Val(${message.register_data[i]}, TYPE_COUNT);
-				t->Assign(i, r, 0, OP_ASSIGN);
+				t->Assign(i, r);
 				}
 
 			BifEvent::generate_modbus_read_fifo_queue_response(connection()->bro_analyzer(),

src/netflow-analyzer.pac

@@ -38,7 +38,7 @@ flow NetFlow_Flow {
 	# %cleanup does not only put the cleanup code into the destructor,
 	# but also at the end of the catch clause in NewData().  This is
 	# different from the documentation at
-	# http://www.bro-ids.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
+	# http://www.bro.org/wiki/index.php/BinPAC_Userguide#.25cleanup.7B....25.7D
 	#
 	# Unfortunately this means that we cannot clean up the identifier
 	# string.  Note that IOSource destructors seemingly are never

src/patricia.c

@@ -336,7 +336,7 @@ ascii2prefix (int family, char *string)
 		memcpy (save, string, cp - string);
 		save[cp - string] = '\0';
 		string = save;
-		if (bitlen < 0 || bitlen > maxbitlen)
+		if (bitlen > maxbitlen)
 			bitlen = maxbitlen;
 		}
 		else {

src/strings.bif

@@ -265,19 +265,6 @@ function edit%(arg_s: string, arg_edit_char: string%): string
 	return new StringVal(new BroString(1, byte_vec(new_s), ind));
 	%}
 
-## Returns the number of characters (bytes) in the given string. The
-## length computation includes any embedded NULs, and also a trailing NUL,
-## if any (which is why the function isn't called ``strlen``; to remind
-## the user that Bro strings can include NULs).
-##
-## s: The string to compute the length for.
-##
-## Returns: The number of characters in *s*.
-function byte_len%(s: string%): count
-	%{
-	return new Val(s->Len(), TYPE_COUNT);
-	%}
-
 ## Get a substring from a string, given a starting position and length.
 ##
 ## s: The string to obtain a substring from.
@@ -866,7 +853,7 @@ function str_split%(s: string, idx: index_vec%): string_vec
 
 		for ( BroString::VecIt it = result->begin();
 		      it != result->end(); ++it, ++i )
-			result_v->Assign(i, new StringVal(*it), 0);
+			result_v->Assign(i, new StringVal(*it));
 			// StringVal now possesses string.
 
 		delete result;

src/threading/SerialTypes.h

@@ -2,6 +2,7 @@
 #ifndef THREADING_SERIALIZATIONTYPES_H
 #define THREADING_SERIALIZATIONTYPES_H
 
+#include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>

src/types.bif

@@ -211,3 +211,17 @@ enum Mode %{
 %}
 
 module GLOBAL;
+
+type gtpv1_hdr: record;
+type gtp_create_pdp_ctx_request_elements: record;
+type gtp_create_pdp_ctx_response_elements: record;
+type gtp_update_pdp_ctx_request_elements: record;
+type gtp_update_pdp_ctx_response_elements: record;
+type gtp_delete_pdp_ctx_request_elements: record;
+type gtp_delete_pdp_ctx_response_elements: record;
+
+type gtp_end_user_addr: record;
+type gtp_rai: record;
+type gtp_qos_profile: record;
+type gtp_private_extension: record;
+type gtp_gsn_addr: record;

src/util.cc

@@ -1527,3 +1527,37 @@ void operator delete[](void* v)
 	}
 
 #endif
+
+void bro_init_magic(magic_t* cookie_ptr, int flags)
+	{
+	if ( ! cookie_ptr || *cookie_ptr )
+		return;
+
+	*cookie_ptr = magic_open(flags);
+
+	if ( ! *cookie_ptr )
+		{
+		const char* err = magic_error(*cookie_ptr);
+		reporter->Error("can't init libmagic: %s", err ? err : "unknown");
+		}
+
+	else if ( magic_load(*cookie_ptr, 0) < 0 )
+		{
+		const char* err = magic_error(*cookie_ptr);
+		reporter->Error("can't load magic file: %s", err ? err : "unknown");
+		magic_close(*cookie_ptr);
+		*cookie_ptr = 0;
+		}
+	}
+
+const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length)
+	{
+	const char* rval = magic_buffer(cookie, buffer, length);
+	if ( ! rval )
+		{
+		const char* err = magic_error(cookie);
+		reporter->Error("magic_buffer error: %s", err ? err : "unknown");
+		}
+
+	return rval;
+	}

src/util.h

@@ -15,6 +15,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
+#include <magic.h>
 #include "config.h"
 
 #if __STDC__
@@ -75,7 +76,7 @@ typedef int32 ptr_compat_int;
 #define PRI_PTR_COMPAT_INT PRId32
 #define PRI_PTR_COMPAT_UINT PRIu32
 #else
-# error "Unusual pointer size. Please report to bro@bro-ids.org."
+# error "Unusual pointer size. Please report to bro@bro.org."
 #endif
 
 extern "C"
@@ -364,4 +365,7 @@ struct CompareString
 		}
 	};
 
+void bro_init_magic(magic_t* cookie_ptr, int flags);
+const char* bro_magic_buffer(magic_t cookie, const void* buffer, size_t length);
+
 #endif

testing/btest/Baseline/bifs.byte_len/out

@@ -1 +0,0 @@
-11

testing/btest/Baseline/bifs.length/out

@@ -1,6 +0,0 @@
-1
-4
-2
-0
-0
-0

testing/btest/Baseline/core.tunnels.gtp.ext_header/out

@@ -0,0 +1,2 @@
+gtpv1_message, [orig_h=10.155.148.149, orig_p=9000/udp, resp_h=10.155.148.157, resp_p=2152/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=T, s_flag=T, pn_flag=F, msg_type=255, length=1508, teid=1050199, seq=5, n_pdu=0, next_type=192]

testing/btest/Baseline/core.tunnels.gtp.non_recursive/out

@@ -1 +1 @@
-protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]
+protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...]

testing/btest/Baseline/core.tunnels.gtp.pdp_ctx_messages/out

@@ -0,0 +1,24 @@
+gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
+gtp create request, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=137, teid=0, seq=4875, n_pdu=0, next_type=0]
+[imsi=460004100000101, rai=[mcc=460, mnc=6, lac=65534, rac=255], recovery=176, select_mode=1, data1=854600697, cp=854600697, nsapi=5, linked_nsapi=<uninitialized>, charge_character=<uninitialized>, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Feetest, opts=\x80\x80!^V^A^A\0^V^C^F\0\0\0\0\x81^F\0\0\0\0\x83^F\0\0\0\0, signal_addr=[ip=192.169.100.1, other=<uninitialized>], user_addr=[ip=192.169.100.1, other=<uninitialized>], msisdn=\x91hQ"^A\0^A\xf1, qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=[id=10923, value=^B^A^C]]
+gtpv1_message, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
+gtp create response, [orig_h=192.169.100.1, orig_p=34273/udp, resp_h=10.100.200.33, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=101, teid=854600697, seq=4875, n_pdu=0, next_type=0]
+[cause=128, reorder_req=F, recovery=24, data1=268435589, cp=268435584, charging_id=103000009, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.252.130, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^D^A\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0\x80!^J^C^A\0^J^C^F\xc0\xa8\xfc\x82, cp_addr=[ip=10.100.200.34, other=<uninitialized>], user_addr=[ip=10.100.200.49, other=<uninitialized>], qos_prof=[priority=2, data=\x1bB\x1fs\x8c@@tK@@], charge_gateway=<uninitialized>, ext=<uninitialized>]
+gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=1, length=4, teid=0, seq=3072, n_pdu=0, next_type=0]
+gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=2, length=6, teid=0, seq=3072, n_pdu=0, next_type=0]
+gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
+gtp create request, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=16, length=104, teid=0, seq=3073, n_pdu=0, next_type=0]
+[imsi=240010123456789, rai=<uninitialized>, recovery=3, select_mode=1, data1=1, cp=1, nsapi=0, linked_nsapi=<uninitialized>, charge_character=2048, trace_ref=<uninitialized>, trace_type=<uninitialized>, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=<uninitialized>, pdp_other_addr=<uninitialized>], ap_name=^Hinternet, opts=\x80\xc0#^Q^A^A\0^Q^Cmig^Hhemmelig, signal_addr=[ip=127.0.0.2, other=<uninitialized>], user_addr=[ip=127.0.0.2, other=<uninitialized>], msisdn=\x91d^G^R2T\xf6, qos_prof=[priority=0, data=^K\x92\x1f], tft=<uninitialized>, trigger_id=<uninitialized>, omc_id=<uninitialized>, ext=<uninitialized>]
+gtpv1_message, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
+gtp create response, [orig_h=127.0.0.2, orig_p=2123/udp, resp_h=127.0.0.1, resp_p=2123/udp]
+[version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=17, length=78, teid=1, seq=3073, n_pdu=0, next_type=0]
+[cause=128, reorder_req=F, recovery=1, data1=1, cp=1, charging_id=1, end_user_addr=[pdp_type_org=1, pdp_type_num=33, pdp_ip=192.168.0.2, pdp_other_addr=<uninitialized>], opts=\x80\x80!^P^B\0\0^P\x81^F\0\0\0\0\x83^F\0\0\0\0, cp_addr=[ip=127.0.0.1, other=<uninitialized>], user_addr=[ip=127.0.0.1, other=<uninitialized>], qos_prof=[priority=0, data=^K\x92\x1f], charge_gateway=<uninitialized>, ext=<uninitialized>]

testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dpd
-#open	2012-10-19-17-38-54
+#open	2013-01-25-21-49-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
 #types	time	string	addr	port	addr	port	enum	string	string
-1333458853.075889	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
+1333458853.075889	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1 [0\xff\x00\xac\x98\x13\x01LE\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eV...]
-#close	2012-10-19-17-38-54
+#close	2013-01-25-21-49-19

testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	tunnel
-#open	2012-10-19-17-38-54
+#open	2013-01-25-21-49-19
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
 #types	time	string	addr	port	addr	port	enum	enum
 1333458853.034734	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::DISCOVER
 1333458853.108391	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::CLOSE
-#close	2012-10-19-17-38-54
+#close	2013-01-25-21-49-19

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2012-11-20-06-11-08
+#open	2013-02-11-18-44-43
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -54,6 +54,7 @@ scripts/base/init-default.bro
       scripts/base/frameworks/cluster/./main.bro
         scripts/base/frameworks/control/__load__.bro
           scripts/base/frameworks/control/./main.bro
+    scripts/base/frameworks/notice/./non-cluster.bro
     scripts/base/frameworks/notice/./actions/pp-alarms.bro
   scripts/base/frameworks/dpd/__load__.bro
     scripts/base/frameworks/dpd/./main.bro
@@ -119,4 +120,4 @@ scripts/base/init-default.bro
     scripts/base/protocols/syslog/./main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2012-11-20-06-11-08
+#close	2013-02-11-18-44-43

testing/btest/Baseline/language.container-ctor-scope/out

@@ -0,0 +1,44 @@
+{
+[2/tcp] = 2,
+[1/tcp] = 1,
+[3/tcp] = 3
+}
+{
+[2/tcp] = 2,
+[1/tcp] = 1,
+[3/tcp] = 3
+}
+{
+2/tcp,
+1/tcp,
+3/tcp
+}
+{
+2/tcp,
+1/tcp,
+3/tcp
+}
+[1/tcp, 2/tcp, 3/tcp, 1/tcp]
+[1/tcp, 2/tcp, 3/tcp, 1/tcp]
+{
+[2/tcp] = 2,
+[1/tcp] = 1,
+[3/tcp] = 3
+}
+{
+[2/tcp] = 2,
+[1/tcp] = 1,
+[3/tcp] = 3
+}
+{
+2/tcp,
+1/tcp,
+3/tcp
+}
+{
+2/tcp,
+1/tcp,
+3/tcp
+}
+[1/tcp, 2/tcp, 3/tcp, 1/tcp]
+[1/tcp, 2/tcp, 3/tcp, 1/tcp]

testing/btest/Baseline/language.func-assignment/out

@@ -0,0 +1,4 @@
+Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
+Brogrammers, like bowties, are cool. Brogrammers, like bowties, are cool.
+BROGRAMMERS, LIKE BOWTIES, ARE COOL.
+BROGRAMMERS, LIKE BOWTIES, ARE COOL.

testing/btest/Baseline/language.returnwhen/bro..stdout

@@ -0,0 +1,12 @@
+dummy from async_func() from bro_init()
+async_func() return result in bro_init(), flag in my_set
+dummy from bro_init() when block
+hi!
+dummy from async_func() from do_another()
+async_func() return result in do_another(), flag in my_set
+dummy from do_another() when block
+hi!
+dummy from async_func() from do_another()
+async_func() return result in do_another(), timeout
+dummy from do_another() when block
+hi!

testing/btest/Baseline/scripts.base.frameworks.input.tableevent/out

@@ -1,189 +1,21 @@
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=1]
 T
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=2]
 T
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=3]
 F
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=4]
 F
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=5]
 F
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=6]
 F
-[source=../input.log, reader=Input::READER_ASCII, mode=Input::MANUAL, name=input, destination={
-[2] = T,
-[4] = F,
-[6] = F,
-[7] = T,
-[1] = T,
-[5] = F,
-[3] = F
-}, idx=<no value description>, val=<no value description>, want_record=F, ev=line
-{ 
-print outfile, description;
-print outfile, tpe;
-print outfile, left;
-print outfile, right;
-try = try + 1;
-if (7 == try) 
-{ 
-close(outfile);
-terminate();
-}
-
-}, pred=<uninitialized>, config={
-
-}]
 Input::EVENT_NEW
 [i=7]
 T

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.options/ssh.ds.xml

@@ -1,4 +1,4 @@
-<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
+<ExtentType name="ssh" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.rotate/out

@@ -19,7 +19,7 @@ test.2011-03-07-12-00-05.ds test 11-03-07_12.00.05 11-03-07_12.59.55 1 dataserie
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -47,7 +47,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -75,7 +75,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -103,7 +103,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -131,7 +131,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -159,7 +159,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -187,7 +187,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -215,7 +215,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -243,7 +243,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />
@@ -271,7 +271,7 @@ t id.orig_h id.orig_p id.resp_h id.resp_p
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="test" version="1.0" namespace="bro-ids.org">
+<ExtentType name="test" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.test-logging/ssh.ds.txt

@@ -8,7 +8,7 @@
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="ssh" version="1.0" namespace="bro-ids.org">
+<ExtentType name="ssh" version="1.0" namespace="bro.org">
 	<field type="double" name="t" pack_relative="t" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>
 	<field type="int64" name="id.orig_p" />

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.time-as-int/conn.ds.txt

@@ -8,7 +8,7 @@
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
+<ExtentType name="conn" version="1.0" namespace="bro.org">
 	<field type="int64" name="ts" pack_relative="ts" units="microseconds" epoch="unix"/>
 	<field type="variable32" name="uid" pack_unique="yes"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/conn.ds.txt

@@ -8,7 +8,7 @@
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="conn" version="1.0" namespace="bro-ids.org">
+<ExtentType name="conn" version="1.0" namespace="bro.org">
 	<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="uid" pack_unique="yes"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>

testing/btest/Baseline/scripts.base.frameworks.logging.dataseries.wikipedia/http.ds.txt

@@ -8,7 +8,7 @@
   <field type="variable32" name="xmltype" />
 </ExtentType>
 
-<ExtentType name="http" version="1.0" namespace="bro-ids.org">
+<ExtentType name="http" version="1.0" namespace="bro.org">
 	<field type="double" name="ts" pack_relative="ts" pack_scale="1e-6" print_format="%.6f" pack_scale_warn="no"/>
 	<field type="variable32" name="uid" pack_unique="yes"/>
 	<field type="variable32" name="id.orig_h" pack_unique="yes"/>

testing/btest/Baseline/scripts.base.frameworks.metrics.cluster-intermediate-update/manager-1.notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-07-20-01-50-59
+#open	2013-02-11-18-41-03
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
-1342749059.978651	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 100/100	-	1.2.3.4	-	-	100	manager-1	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
+1360608063.517719	-	-	-	-	-	-	Test_Notice	Threshold crossed by metric_index(host=1.2.3.4) 100/100	-	1.2.3.4	-	-	100	manager-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	1.2.3.4	-	-
-#close	2012-07-20-01-51-08
+#close	2013-02-11-18-41-03

testing/btest/Baseline/scripts.base.frameworks.notice.cluster/manager-1.notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-11-20-06-46-22
+#open	2013-02-11-18-45-43
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
-1353393982.260495	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-
+1360608343.088948	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-1	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
-#close	2012-11-20-06-46-22
+#close	2013-02-11-18-45-43

testing/btest/Baseline/scripts.base.frameworks.notice.suppression-cluster/manager-1.notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-11-20-06-45-52
+#open	2013-02-11-18-45-14
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
-1353393952.489496	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-
+1360608314.794257	-	-	-	-	-	-	Test_Notice	test notice!	-	-	-	-	-	worker-2	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
-#close	2012-11-20-06-45-56
+#close	2013-02-11-18-45-17

testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-07-20-01-49-23
+#open	2013-02-11-18-32-39
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double
-1342748963.685754	-	-	-	-	-	-	Test_Notice	test	-	-	-	-	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-
+1360607559.193954	-	-	-	-	-	-	Test_Notice	test	-	-	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
-#close	2012-07-20-01-49-23
+#close	2013-02-11-18-32-39

testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	notice
-#open	2012-11-20-06-09-07
+#open	2013-02-11-18-33-41
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
-#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double
+#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	interval	bool	string	string	string	double	double	addr	string	subnet
-1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	6	3600.000000	F	-	-	-	-	-
+1348168976.558309	arKYeMETxOg	192.168.57.103	35391	192.168.57.101	55968	tcp	GridFTP::Data_Channel	GridFTP data channel over threshold 2 bytes	-	192.168.57.103	192.168.57.101	55968	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-	-	-	-
-#close	2012-11-20-06-09-07
+#close	2013-02-11-18-33-41