From 1efaf8d7a4321ba06e967142d71dd398ccc7e01a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 7 Oct 2021 09:59:15 +0200 Subject: [PATCH 1/3] Move logic to execute `HookLoadFile` for signatures into rule matcher code. This (1) fixes an issue where signature files supplied on the command line wouldn't pass through the hooks, and (2) prepares for allowing hooks to supply the content of a signature file directly. --- src/RuleMatcher.cc | 47 +++++++++++++++++-- src/RuleMatcher.h | 3 +- src/ScannedFile.cc | 12 ++++- src/ScannedFile.h | 13 ++++- src/scan.l | 28 +---------- src/zeek-setup.cc | 10 ++-- testing/btest/Baseline/plugins.hooks/output | 6 +++ .../Baseline/signatures.udp-state/reject | 2 +- testing/btest/plugins/hooks.zeek | 13 ++++- 9 files changed, 94 insertions(+), 40 deletions(-) diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index 4cf0c15214..cd2455c074 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -24,6 +24,7 @@ #include "zeek/ZeekString.h" #include "zeek/analyzer/Analyzer.h" #include "zeek/module_util.h" +#include "zeek/plugin/Manager.h" using namespace std; @@ -248,7 +249,7 @@ void RuleMatcher::Delete(RuleHdrTest* node) delete node; } -bool RuleMatcher::ReadFiles(const std::vector& files) +bool RuleMatcher::ReadFiles(const std::vector& files) { #ifdef USE_PERFTOOLS_DEBUG HeapLeakChecker::Disabler disabler; 
@@ -256,18 +257,54 @@ bool RuleMatcher::ReadFiles(const std::vector& files) parse_error = false; - for ( const auto& f : files ) + for ( auto f : files ) { - rules_in = util::open_file(util::find_file(f, util::zeek_path(), ".sig")); + if ( ! f.full_path ) + f.full_path = util::find_file(f.file, util::zeek_path(), ".sig"); + + int rc = PLUGIN_HOOK_WITH_RESULT( + HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path), + -1); + + switch ( rc ) + { + case -1: + // No plugin in charge of this file. + if ( f.full_path->empty() ) + { + zeek::reporter->Error("failed to find file associated with @load-sigs %s", + f.file.c_str()); + continue; + } + break; + + case 0: + if ( ! zeek::reporter->Errors() ) + zeek::reporter->Error("Plugin reported error loading signatures %s", + f.file.c_str()); + + exit(1); + break; + + case 1: + // A plugin took care of it, just skip. + continue; + + default: + assert(false); + break; + } + + rules_in = util::open_file(*f.full_path); if ( ! rules_in ) { - reporter->Error("Can't open signature file %s", f.data()); + reporter->Error("Can't open signature file %s", f.file.c_str()); return false; } rules_line_number = 0; - current_rule_file = f.data(); + current_rule_file = f.full_path->c_str(); rules_parse(); fclose(rules_in); } diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index 9a89d39efd..f64a7bc97e 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -11,6 +11,7 @@ #include "zeek/CCL.h" #include "zeek/RE.h" #include "zeek/Rule.h" +#include "zeek/ScannedFile.h" //#define MATCHER_PRINT_STATS @@ -259,7 +260,7 @@ public: ~RuleMatcher(); // Parse the given files and built up data structures. - bool ReadFiles(const std::vector& files); + bool ReadFiles(const std::vector& files); /** * Inititialize a state object for matching file magic signatures. diff --git a/src/ScannedFile.cc b/src/ScannedFile.cc index c5367748e4..8050f0fc12 100644 --- a/src/ScannedFile.cc +++ b/src/ScannedFile.cc 
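Review bot: `current_rule_file = f.full_path->c_str();` points into `f`, which the new loop header `for ( auto f : files )` makes a per-iteration copy, so the global dangles once the iteration ends; the old `f.data()` pointed into the caller's vector. If anything keeps that pointer past `rules_parse()` (for example a rule's stored location used in later error output, which this hunk does not show), it would read freed memory. Keeping the resolved paths in storage that outlives the loop would close this. Separately, `default: assert(false);` compiles away under NDEBUG, so an unexpected hook result falls through to opening the file on disk; a `reporter->InternalError(...)` there would fail closed. ReadFiles starts before and continues after this hunk.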
@@ -10,7 +10,7 @@ namespace zeek::detail { std::list files_scanned; -std::vector sig_files; +std::vector sig_files; ScannedFile::ScannedFile(int arg_include_level, std::string arg_name, bool arg_skipped, bool arg_prefixes_checked) @@ -47,4 +47,14 @@ bool ScannedFile::AlreadyScanned() const return rval; } +SignatureFile::SignatureFile(std::string file) + : file(std::move(file)) + { + } + +SignatureFile::SignatureFile(std::string file, std::string full_path) + : file(std::move(file)), full_path(std::move(full_path)) + { + } + } // namespace zeek::detail diff --git a/src/ScannedFile.h b/src/ScannedFile.h index 902d627f7d..9829b2c1d2 100644 --- a/src/ScannedFile.h +++ b/src/ScannedFile.h @@ -3,6 +3,7 @@ #pragma once #include +#include #include #include @@ -34,6 +35,16 @@ public: }; extern std::list files_scanned; -extern std::vector sig_files; + +struct SignatureFile + { + std::string file; + std::optional full_path; + + SignatureFile(std::string file); + SignatureFile(std::string file, std::string full_path); + }; + +extern std::vector sig_files; } // namespace zeek::detail diff --git a/src/scan.l b/src/scan.l index e6af14cd89..dbcb3fcfd3 100644 --- a/src/scan.l +++ b/src/scan.l 
@@ -348,33 +348,7 @@ when return TOK_WHEN; @load-sigs{WS}{FILE} { const char* file = zeek::util::skip_whitespace(yytext + 10); std::string path = find_relative_file(file, ".sig"); - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, file, path), -1); - - switch ( rc ) { - case -1: - // No plugin in charge of this file. - if ( path.empty() ) - zeek::reporter->Error("failed to find file associated with @load-sigs %s", - file); - else - zeek::detail::sig_files.push_back(std::move(path)); - break; - - case 0: - if ( ! zeek::reporter->Errors() ) - zeek::reporter->Error("Plugin reported error loading signatures %s", file); - - exit(1); - break; - - case 1: - // A plugin took care of it, just skip. - break; - - default: - assert(false); - break; - } + sig_files.emplace_back(file, path); } @load-plugin{WS}{ID} { diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index dad543c282..b2e77df628 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -737,15 +737,19 @@ SetupResult setup(int argc, char** argv, Options* zopts) id->SetVal(make_intrusive(*options.pcap_filter)); } - auto all_signature_files = options.signature_files; + std::vector all_signature_files; + + // Append signature files given on the command line + for ( const auto& sf : options.signature_files ) + all_signature_files.push_back(sf); // Append signature files defined in "signature_files" script option for ( auto&& sf : get_script_signature_files() ) - all_signature_files.emplace_back(std::move(sf)); + all_signature_files.push_back(std::move(sf)); // Append signature files defined in @load-sigs for ( const auto& sf : zeek::detail::sig_files ) - all_signature_files.emplace_back(sf); + all_signature_files.push_back(sf); if ( ! all_signature_files.empty() ) { diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index e16e7c63b6..e340ed914b 100644 --- a/testing/btest/Baseline/plugins.hooks/output 
+++ b/testing/btest/Baseline/plugins.hooks/output @@ -1034,6 +1034,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> -1 0.000000 MetaHookPost LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> -1 +0.000000 MetaHookPost LoadFile(0, s1.sig, ./s1.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./archive, <...>/archive.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./audio, <...>/audio.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./dpd.sig, <...>/dpd.sig) -> -1 @@ -1046,6 +1047,7 @@ 0.000000 MetaHookPost LoadFile(1, ./office, <...>/office.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./programming, <...>/programming.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./video, <...>/video.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, s2, ./s2.sig) -> -1 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false @@ -2086,6 +2088,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) 0.000000 MetaHookPre LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) 0.000000 MetaHookPre LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) +0.000000 MetaHookPre LoadFile(0, s1.sig, ./s1.sig) 0.000000 MetaHookPre LoadFile(1, ./archive, <...>/archive.sig) 0.000000 MetaHookPre LoadFile(1, ./audio, <...>/audio.sig) 0.000000 MetaHookPre LoadFile(1, ./dpd.sig, <...>/dpd.sig) 
@@ -2098,6 +2101,7 @@ 0.000000 MetaHookPre LoadFile(1, ./office, <...>/office.sig) 0.000000 MetaHookPre LoadFile(1, ./programming, <...>/programming.sig) 0.000000 MetaHookPre LoadFile(1, ./video, <...>/video.sig) +0.000000 MetaHookPre LoadFile(1, s2, ./s2.sig) 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) @@ -3149,6 +3153,8 @@ 0.000000 | HookLoadFile base<...>/zeek.bif <...>/zeek.bif.zeek 0.000000 | HookLoadFile builtin-plugins/__load__.zeek <...>/__load__.zeek 0.000000 | HookLoadFile builtin-plugins/__preload__.zeek <...>/__preload__.zeek +0.000000 | HookLoadFile s1.sig ./s1.sig +0.000000 | HookLoadFile s2 ./s2.sig 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} 0.000000 | HookLogWrite packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() diff --git a/testing/btest/Baseline/signatures.udp-state/reject b/testing/btest/Baseline/signatures.udp-state/reject index aaeba4be58..9d97a9ac45 100644 --- a/testing/btest/Baseline/signatures.udp-state/reject +++ b/testing/btest/Baseline/signatures.udp-state/reject @@ -1,3 +1,3 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error: Error in signature (udp-established.sig:5): 'established' is not a valid 'udp-state' +error: Error in signature (./udp-established.sig:5): 'established' is not a valid 'udp-state' diff --git a/testing/btest/plugins/hooks.zeek b/testing/btest/plugins/hooks.zeek index cfff751eca..992d305f14 100644 --- a/testing/btest/plugins/hooks.zeek 
+++ b/testing/btest/plugins/hooks.zeek @@ -1,8 +1,19 @@ # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks # @TEST-EXEC: cp -r %DIR/hooks-plugin/* . # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make -# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT s1.sig 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output # @TEST-EXEC: btest-diff output @unload base/misc/version @load base/init-default + +@load-sigs s2 + +@TEST-START-FILE s1.sig +# Just empty. +@TEST-END-FILE + +@TEST-START-FILE s2.sig +# Just empty. +@TEST-END-FILE + From 34eaf42b926c64424a6bd5060ce59e16c5baa37d Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 24 Sep 2021 12:50:27 +0200 Subject: [PATCH 2/3] Add new hook `HookLoadFileExtended` that allows plugins to supply Zeek script code to parse. The new hook works similarly to the existing `HookLoadFile` but, additionally, allows the plugin to return a string that contains the code to be used for the file being loaded. If the plugin does so, the content of any actual file on disk will be ignored (in fact, there doesn't even need to be a file on disk in that case). This works for both Zeek scripts and signatures. There's a new test that covers the new functionality, testing loading both scripts and signatures from memory. I also manually tested that the debugger integration works, but I don't see much of a way to add a regression test for that part. We keep the existing hook as well for backwards compatibility. We could decide to deprecate it, but not sure that buys us much, so left that out. Closes #1757. --- src/PolicyFile.cc | 65 +- src/PolicyFile.h | 6 +- src/RuleMatcher.cc | 52 +- src/RuleMatcher.h | 2 +- src/ScannedFile.cc | 5 +- src/plugin/Manager.cc | 35 + src/plugin/Manager.h | 26 + src/plugin/Plugin.cc | 23 + src/plugin/Plugin.h | 52 +- src/rule-scan.l | 20 + src/scan.l | 104 +- src/zeek-setup.cc | 6 +- .../missing-sig-file | 2 +- testing/btest/Baseline/plugins.hooks/output | 1098 +++++++++++++++++ .../plugins.plugin-load-file-extended/output | 7 + .../btest/plugins/hooks-plugin/src/Plugin.cc | 8 + .../btest/plugins/hooks-plugin/src/Plugin.h | 1 + .../plugins/plugin-load-file-extended.zeek | 17 + .../plugin-load-file-extended/.btest-ignore | 0 .../plugin-load-file-extended/src/Plugin.cc | 70 ++ .../plugin-load-file-extended/src/Plugin.h | 18 + 21 files changed, 1525 insertions(+), 92 deletions(-) create mode 100644 testing/btest/Baseline/plugins.plugin-load-file-extended/output create mode 100644 testing/btest/plugins/plugin-load-file-extended.zeek create mode 100644 testing/btest/plugins/plugin-load-file-extended/.btest-ignore 
create mode 100644 testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc create mode 100644 testing/btest/plugins/plugin-load-file-extended/src/Plugin.h diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index 3d7592f52b..eaee5a9916 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc 
@@ -72,49 +72,60 @@ int how_many_lines_in(const char* policy_filename) return pf->lines.size(); } -bool LoadPolicyFileText(const char* policy_filename) +bool LoadPolicyFileText(const char* policy_filename, + const std::optional& preloaded_content) { if ( ! policy_filename ) return true; - FILE* f = fopen(policy_filename, "r"); - - if ( ! f ) - { - debug_msg("No such policy file: %s.\n", policy_filename); - return false; - } - - PolicyFile* pf = new PolicyFile; - if ( policy_files.find(policy_filename) != policy_files.end() ) debug_msg("Policy file %s already loaded\n", policy_filename); + PolicyFile* pf = new PolicyFile; policy_files.insert(PolicyFileMap::value_type(policy_filename, pf)); - struct stat st; - if ( fstat(fileno(f), &st) != 0 ) + if ( preloaded_content ) { - char buf[256]; - util::zeek_strerror_r(errno, buf, sizeof(buf)); - reporter->Error("fstat failed on %s: %s", policy_filename, buf); - fclose(f); - return false; + auto size = preloaded_content->size(); + pf->filedata = new char[size + 1]; + memcpy(pf->filedata, preloaded_content->data(), size); + pf->filedata[size] = '\0'; } + else + { + FILE* f = fopen(policy_filename, "r"); - pf->lmtime = st.st_mtime; - off_t size = st.st_size; + if ( ! f ) + { + debug_msg("No such policy file: %s.\n", policy_filename); + return false; + } - // ### This code is not necessarily Unicode safe! - // (probably fine with UTF-8) - pf->filedata = new char[size + 1]; - if ( fread(pf->filedata, size, 1, f) != 1 ) - reporter->InternalError("Failed to fread() file data"); - pf->filedata[size] = 0; - fclose(f); + struct stat st; + if ( fstat(fileno(f), &st) != 0 ) + { + char buf[256]; + util::zeek_strerror_r(errno, buf, sizeof(buf)); + reporter->Error("fstat failed on %s: %s", policy_filename, buf); + fclose(f); + return false; + } + + pf->lmtime = st.st_mtime; + off_t size = st.st_size; + + // ### This code is not necessarily Unicode safe! 
+ // (probably fine with UTF-8) + pf->filedata = new char[size + 1]; + if ( fread(pf->filedata, size, 1, f) != 1 ) + reporter->InternalError("Failed to fread() file data"); + pf->filedata[size] = 0; + fclose(f); + } // Separate the string by newlines. pf->lines.push_back(pf->filedata); + for ( char* iter = pf->filedata; *iter; ++iter ) { if ( *iter == '\n' ) diff --git a/src/PolicyFile.h b/src/PolicyFile.h index bda675638e..d85883cb0b 100644 --- a/src/PolicyFile.h +++ b/src/PolicyFile.h @@ -14,12 +14,16 @@ // policy_filename arguments should be absolute or relative paths; // no expansion is done. +#include +#include + namespace zeek::detail { int how_many_lines_in(const char* policy_filename); -bool LoadPolicyFileText(const char* policy_filename); +bool LoadPolicyFileText(const char* policy_filename, + const std::optional& preloaded_content = {}); // start_line is 1-based (the intuitive way) bool PrintLines(const char* policy_filename, unsigned int start_line, unsigned int how_many_lines, diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc index cd2455c074..42c3c568b0 100644 --- a/src/RuleMatcher.cc +++ b/src/RuleMatcher.cc @@ -24,10 +24,14 @@ #include "zeek/ZeekString.h" #include "zeek/analyzer/Analyzer.h" #include "zeek/module_util.h" -#include "zeek/plugin/Manager.h" using namespace std; +// Functions exposed by rule-scan.l +extern void rules_set_input_from_buffer(const char* data, size_t size); +extern void rules_set_input_from_file(FILE* f); +extern void rules_parse_input(); + namespace zeek::detail { 
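Review bot: In LoadPolicyFileText the `new PolicyFile` and `policy_files.insert(...)` now run before `fopen()`, so the `No such policy file` return (like the existing `fstat` failure return) leaves a registered entry whose `filedata` and `lines` were never filled in. Whether later lookups such as `how_many_lines_in()` tolerate that depends on PolicyFile's constructor, which is outside the hunk. When the name is already present, `insert` presumably leaves the old entry in place and the fresh `pf` is leaked, so with plugin-supplied content the debugger could show text that differs from what was parsed. I would fill `pf` completely and register it only on success, replacing and freeing any previous entry after the line-splitting loop. The function continues past the end of this hunk.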
@@ -262,11 +266,18 @@ bool RuleMatcher::ReadFiles(const std::vector& files) if ( ! f.full_path ) f.full_path = util::find_file(f.file, util::zeek_path(), ".sig"); - int rc = PLUGIN_HOOK_WITH_RESULT( + std::pair> rc = {-1, std::nullopt}; + rc.first = PLUGIN_HOOK_WITH_RESULT( HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path), -1); - switch ( rc ) + if ( rc.first < 0 ) + rc = PLUGIN_HOOK_WITH_RESULT( + HOOK_LOAD_FILE_EXT, + HookLoadFileExtended(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path), + std::make_pair(-1, std::nullopt)); + + switch ( rc.first ) { case -1: // No plugin in charge of this file. @@ -287,26 +298,45 @@ bool RuleMatcher::ReadFiles(const std::vector& files) break; case 1: - // A plugin took care of it, just skip. - continue; + if ( ! rc.second ) + // A plugin took care of it, just skip. + continue; + + break; default: assert(false); break; } - rules_in = util::open_file(*f.full_path); + FILE* rules_in = nullptr; - if ( ! rules_in ) + if ( rc.first == 1 ) { - reporter->Error("Can't open signature file %s", f.file.c_str()); - return false; + // Parse code provided by plugin. + assert(rc.second); + rules_set_input_from_buffer(rc.second->data(), rc.second->size()); + } + else + { + // Parse from file. + rules_in = util::open_file(*f.full_path); + + if ( ! rules_in ) + { + reporter->Error("Can't open signature file %s", f.file.c_str()); + return false; + } + + rules_set_input_from_file(rules_in); } rules_line_number = 0; current_rule_file = f.full_path->c_str(); - rules_parse(); - fclose(rules_in); + rules_parse_input(); + + if ( rules_in ) + fclose(rules_in); } if ( parse_error ) diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h index f64a7bc97e..76599c117a 100644 --- a/src/RuleMatcher.h +++ b/src/RuleMatcher.h @@ -12,6 +12,7 @@ #include "zeek/RE.h" #include "zeek/Rule.h" #include "zeek/ScannedFile.h" +#include "zeek/plugin/Manager.h" //#define MATCHER_PRINT_STATS 
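Review bot: When a plugin returns content for a signature file (`rc.first == 1` with `rc.second` set), the file on disk is ignored without any record that the active signatures came from plugin memory, whereas load_files in scan.l emits `Loading %s from code supplied by plugin` through `DBG_LOG`. An equivalent log line in the `// Parse code provided by plugin.` branch would give operators an audit trail of which detection content is actually in force. In the same branch `current_rule_file = f.full_path->c_str();` can be an empty string when nothing exists on disk, so parse errors for plugin-supplied signatures would carry no file name; falling back to `f.file` when `f.full_path->empty()` avoids that. ReadFiles starts and ends outside the hunk.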
@@ -23,7 +24,6 @@ extern void rules_error(zeek::detail::Rule* id, const char* msg); extern int rules_lex(void); extern int rules_parse(void); extern "C" int rules_wrap(void); -extern FILE* rules_in; extern int rules_line_number; extern const char* current_rule_file; diff --git a/src/ScannedFile.cc b/src/ScannedFile.cc index 8050f0fc12..590511050e 100644 --- a/src/ScannedFile.cc +++ b/src/ScannedFile.cc @@ -47,10 +47,7 @@ bool ScannedFile::AlreadyScanned() const return rval; } -SignatureFile::SignatureFile(std::string file) - : file(std::move(file)) - { - } +SignatureFile::SignatureFile(std::string file) : file(std::move(file)) { } SignatureFile::SignatureFile(std::string file, std::string full_path) : file(std::move(file)), full_path(std::move(full_path)) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index f8f9783894..8215c5c56c 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -692,6 +692,41 @@ int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const return rc; } +std::pair> +Manager::HookLoadFileExtended(const Plugin::LoadType type, const string& file, + const string& resolved) + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(type)); + args.push_back(HookArgument(file)); + args.push_back(HookArgument(resolved)); + MetaHookPre(HOOK_LOAD_FILE_EXT, args); + } + + hook_list* l = hooks[HOOK_LOAD_FILE_EXT]; + + std::pair> rc = {-1, std::nullopt}; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + rc = p->HookLoadFileExtended(type, file, resolved); + + if ( rc.first >= 0 ) + break; + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOAD_FILE_EXT, args, HookArgument(rc)); + + return rc; + } + std::pair Manager::HookCallFunction(const Func* func, zeek::detail::Frame* parent, Args* vecargs) const { 
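Review bot: `Manager::HookLoadFileExtended` stops at the first plugin with `rc.first >= 0` and returns the pair unchecked, so a value other than 0 or 1 reaches callers whose only guards are `assert(false)` and `assert(f)`; both vanish under NDEBUG, and load_files in scan.l would then hand a null `FILE*` to `yy_create_buffer`. Validating here keeps the contract in one place, for example `if ( rc.first > 1 ) rc = {0, std::nullopt};` together with a `reporter->Error(...)` that names the plugin. Also, `args` is filled only when a META_HOOK_PRE plugin exists, so a plugin registering only META_HOOK_POST receives an empty argument list; this appears to mirror the existing HookLoadFile, which is outside the hunk.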
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 92b28d7b62..4873a271ba 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -245,6 +245,32 @@ public: virtual int HookLoadFile(const Plugin::LoadType type, const std::string& file, const std::string& resolved); + /** + * Hook that gives plugins a chance to take over loading an input file, + * including replacing the file's content. This method must be called + * between InitPreScript() and InitPostScript() for each input file Bro is + * about to load, either given on the command line or via @load script + * directives. The hook can take over the file, in which case Bro must not + * further process it otherwise; or provide its content, in which case Bro + * must use that and ignore the original file. + * + * @return tuple where the first element is 1 if a plugin took over the + * file; 0 if a plugin took over the file but had trouble loading it; and + * -1 if no plugin was interested in the file at all. + * + * If the plugins takes over by returning 1, there are two cases: if the + * second tuple element remains unset, the plugin handled the loading + * completely internally; the caller must not process it any further. + * Alternatively, the plugin may optionally return the acutal content to + * use for the file as a string through the tuple's second element. If so, + * the caller must ignore the file on disk and use that provided content + * instead (including when there's actually no physical file in place on + * disk at all). + */ + virtual std::pair> + HookLoadFileExtended(const Plugin::LoadType type, const std::string& file, + const std::string& resolved); + /** * Hook that filters calls to a script function/event/hook. * diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index c569b1afeb..315a844a3b 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc 
@@ -22,6 +22,7 @@ const char* hook_name(HookType h) static constexpr const char* hook_names[int(NUM_HOOKS) + 1] = { // Order must match that of HookType. "LoadFile", + "LoadFileExtended", "CallFunction", "QueueEvent", "DrainEvents", @@ -230,6 +231,21 @@ void HookArgument::Describe(ODesc* d) const { d->Add(""); } + break; + + case INPUT_FILE: + { + d->Add("("); + d->Add(input_file.first); + d->Add(", "); + if ( input_file.second ) + d->Add(input_file.second->substr(0, 20)); // cut content off + else + d->Add(""); + + d->Add(")"); + } + break; } } @@ -368,6 +384,13 @@ int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std return -1; } +std::pair> Plugin::HookLoadFileExtended(const LoadType type, + const std::string& file, + const std::string& resolved) + { + return std::make_pair(-1, std::nullopt); + } + std::pair Plugin::HookFunctionCall(const Func* func, zeek::detail::Frame* parent, Args* args) { diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index b9dc8a6a22..f625fc1a49 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -5,6 +5,7 @@ #include "zeek/zeek-config.h" #include +#include #include #include @@ -57,6 +58,7 @@ enum HookType { // Note: when changing this table, update hook_name() in Plugin.cc. HOOK_LOAD_FILE, //< Activates Plugin::HookLoadFile(). + HOOK_LOAD_FILE_EXT, //< Activates Plugin::HookLoadFileExtended(). HOOK_CALL_FUNCTION, //< Activates Plugin::HookCallFunction(). HOOK_QUEUE_EVENT, //< Activates Plugin::HookQueueEvent(). HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() @@ -205,7 +207,8 @@ public: CONN, THREAD_FIELDS, LOCATION, - ARG_LIST + ARG_LIST, + INPUT_FILE }; /** @@ -357,6 +360,15 @@ public: arg.args = args; } + /** + * Constructor with HookLoadFileExtended result describing an input file. + */ + explicit HookArgument(std::pair> file) + { + type = INPUT_FILE; + input_file = std::move(file); + } + /** * Returns the value for a boolen argument. The argument's type must * match accordingly. 
@@ -540,6 +552,7 @@ private: std::pair func_result; std::pair tfields; std::string arg_string; + std::pair> input_file; }; using HookArgumentList = std::list; 
@@ -815,6 +828,43 @@ protected: virtual int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved); + /** + * Hook into loading input files, with extended capabilities. This method + * will be called between InitPreScript() and InitPostScript(), but with no + * further order or timing guaranteed. It will be called once for each + * input file Bro is about to load, either given on the command line or via + * @load script directives. The hook can take over the file, in which case + * Bro will not further process it otherwise. It can, alternatively, also + * provide the file content as a string, which Bro will then process just + * as if it had read it from a file. + * + * @param type The type of load encountered: script load, signatures load, + * or plugin load. + * + * @param file The filename that was passed to @load. Only includes + * an extension if it was given in @load. + * + * @param resolved The file or directory name Bro resolved from + * the given path and is going to load. Empty string + * if Bro was not able to resolve a path. + * + * @return tuple of an integer and an optional string, where: the integer + * must be 1 if the plugin takes over loading the file (see below); 0 if + * the plugin wanted to take over the file but had trouble loading it + * (processing will abort in this case, and the plugin should have printed + * an error message); and -1 if the plugin wants Bro to proceeed processing + * the file normally. If the plugins takes over by returning 1, there are + * two cases: if the second tuple element remains unset, the plugin handled + * the loading completely internally; Bro will not do anything further with + * it. Alternatively, the plugin may optionally return the acutal content + * to use for the file as a string through the tuple's second element. 
If + * so, Bro will ignore the file on disk and use that provided content + * instead (including when there's actually no physical file in place on + * disk at all, and loading would have hence failed otherwise). + */ + virtual std::pair> + HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved); + /** * Hook into executing a script-level function/event/hook. Whenever * the script interpreter is about to execution a function, it first diff --git a/src/rule-scan.l b/src/rule-scan.l index 2b424d2ee5..3d9bc6da84 100644 --- a/src/rule-scan.l +++ b/src/rule-scan.l @@ -228,3 +228,23 @@ void end_PS() { BEGIN(INITIAL); } + +static YY_BUFFER_STATE rules_buffer; + +void rules_set_input_from_buffer(const char* data, size_t size) + { + rules_buffer = yy_scan_bytes(data, size); // this copies the data + } + +void rules_set_input_from_file(FILE* f) + { + rules_buffer = yy_create_buffer(f, YY_BUF_SIZE); + } + +void rules_parse_input() + { + yy_switch_to_buffer(rules_buffer); + rules_parse(); + yy_delete_buffer(rules_buffer); + } + diff --git a/src/scan.l b/src/scan.l index dbcb3fcfd3..0301494e2f 100644 --- a/src/scan.l +++ b/src/scan.l @@ -353,11 +353,14 @@ when return TOK_WHEN; @load-plugin{WS}{ID} { const char* plugin = zeek::util::skip_whitespace(yytext + 12); - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::PLUGIN, plugin, ""), -1); + std::pair> rc; + rc.first = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::PLUGIN, plugin, ""), -1); + if ( rc.first < 0 ) + rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE_EXT, HookLoadFileExtended(zeek::plugin::Plugin::PLUGIN, plugin, ""), std::make_pair(-1, std::nullopt)); - switch ( rc ) { + switch ( rc.first ) { case -1: - // No plugin in charge of this file. + // No plugin in charge of this file. (We ignore any returned content.) zeek::plugin_mgr->ActivateDynamicPlugin(plugin); break; 
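Review bot: In rule-scan.l, `rules_parse_input()` deletes `rules_buffer` but leaves the static pointing at the freed buffer, so a later call without a fresh `rules_set_input_from_*()` would run `yy_switch_to_buffer()` on freed memory, and two set calls in a row leak the first buffer. Adding `rules_buffer = nullptr;` after `yy_delete_buffer(rules_buffer);` plus a null check at the top of `rules_parse_input()` makes the three-call protocol safe against misuse. `yy_scan_bytes(data, size)` is also passed a `size_t`; depending on the flex version its length parameter is an `int`, so a bound check on plugin-supplied content before the call would rule out narrowing.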
@@ -560,12 +563,13 @@ YYLTYPE zeek::detail::GetCurrentLocation() static int load_files(const char* orig_file) { std::string file_path = find_relative_script_file(orig_file); - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), -1); - if ( rc == 1 ) - return 0; // A plugin took care of it, just skip. + std::pair> rc = {-1, std::nullopt}; + rc.first = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), -1); + if ( rc.first < 0 ) + rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE_EXT, HookLoadFileExtended(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), std::make_pair(-1, std::nullopt)); - if ( rc == 0 ) + if ( rc.first == 0 ) { if ( ! zeek::reporter->Errors() ) // This is just in case the plugin failed to report 
@@ -576,55 +580,57 @@ static int load_files(const char* orig_file) exit(1); } - assert(rc == -1); // No plugin in charge of this file. + if ( rc.first == 1 && ! rc.second ) + return 0; // A plugin took care of it, just skip. FILE* f = nullptr; - if ( zeek::util::streq(orig_file, "-") ) + if ( rc.first == -1 ) { - f = stdin; - file_path = zeek::detail::ScannedFile::canonical_stdin_path; - - if ( zeek::detail::g_policy_debug ) + if ( zeek::util::streq(orig_file, "-") ) { - zeek::detail::debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n"); - zeek::detail::g_policy_debug = false; + f = stdin; + file_path = zeek::detail::ScannedFile::canonical_stdin_path; + + if ( zeek::detail::g_policy_debug ) + { + zeek::detail::debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n"); + zeek::detail::g_policy_debug = false; + } } - } - else - { - if ( file_path.empty() ) - zeek::reporter->FatalError("can't find %s", orig_file); - - if ( zeek::util::is_dir(file_path.c_str()) ) - f = zeek::util::detail::open_package(file_path); else - f = zeek::util::open_file(file_path); + { + if ( file_path.empty() ) + zeek::reporter->FatalError("can't find %s", orig_file); - if ( ! f ) - zeek::reporter->FatalError("can't open %s", file_path.c_str()); + if ( zeek::util::is_dir(file_path.c_str()) ) + f = zeek::util::detail::open_package(file_path); + else + f = zeek::util::open_file(file_path); + + if ( ! 
f ) + zeek::reporter->FatalError("can't open %s", file_path.c_str()); + } + + zeek::detail::ScannedFile sf(file_stack.length(), file_path); + if ( sf.AlreadyScanned() ) + { + if ( rc.first == -1 && f != stdin ) + fclose(f); + + return 0; + } + + zeek::detail::files_scanned.push_back(std::move(sf)); } - zeek::detail::ScannedFile sf(file_stack.length(), file_path); - - if ( sf.AlreadyScanned() ) - { - if ( f != stdin ) - fclose(f); - - return 0; - } - - zeek::detail::files_scanned.push_back(std::move(sf)); - if ( zeek::detail::g_policy_debug && ! file_path.empty() ) { // Add the filename to the file mapping table (Debug.h). zeek::detail::Filemap* map = new zeek::detail::Filemap; - zeek::detail::HashKey* key = new zeek::detail::HashKey(file_path.c_str()); zeek::detail::g_dbgfilemaps.emplace(file_path, map); - LoadPolicyFileText(file_path.c_str()); + LoadPolicyFileText(file_path.c_str(), rc.second); } // Remember where we were to restore the module scope in which @@ -633,12 +639,24 @@ static int load_files(const char* orig_file) zeek::detail::zeekygen_mgr->Script(file_path); - DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s", file_path.c_str()); - // "orig_file", could be an alias for yytext, which is ephemeral // and will be zapped after the yy_switch_to_buffer() below. - yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); + YY_BUFFER_STATE buffer; + if ( rc.first == 1 ) { + // Parse code provided by plugin. + assert(rc.second); + DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s from code supplied by plugin ", file_path.c_str()); + buffer = yy_scan_bytes(rc.second->data(), rc.second->size()); // this copies the data + } + else { + // Parse from file. + assert(f); + DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s", file_path.c_str()); + buffer = yy_create_buffer(f, YY_BUF_SIZE); + } + + yy_switch_to_buffer(buffer); yylloc.first_line = yylloc.last_line = line_number = 1; // Don't delete the old filename - it's pointed to by 
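Review bot: The `ScannedFile` / `AlreadyScanned()` check in load_files now sits inside `if ( rc.first == -1 )`, so a script whose content comes from a plugin is never added to `files_scanned` and, as far as this hunk shows, is parsed again on every `@load` of the same name. If the block was moved because canonicalising a path that does not exist on disk fails, deduplicating plugin-supplied scripts on `orig_file` would keep the load-once guarantee. The inner `if ( rc.first == -1 && f != stdin )` is also redundant in its new position; `if ( f != stdin )` says the same thing there. load_files starts before and continues after this hunk.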
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc index b2e77df628..2e38a48d45 100644 --- a/src/zeek-setup.cc +++ b/src/zeek-setup.cc @@ -741,15 +741,15 @@ SetupResult setup(int argc, char** argv, Options* zopts) // Append signature files given on the command line for ( const auto& sf : options.signature_files ) - all_signature_files.push_back(sf); + all_signature_files.emplace_back(sf); // Append signature files defined in "signature_files" script option for ( auto&& sf : get_script_signature_files() ) - all_signature_files.push_back(std::move(sf)); + all_signature_files.emplace_back(std::move(sf)); // Append signature files defined in @load-sigs for ( const auto& sf : zeek::detail::sig_files ) - all_signature_files.push_back(sf); + all_signature_files.emplace_back(sf); if ( ! all_signature_files.empty() ) { diff --git a/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file b/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file index 3fc89824f4..aaaa346b61 100644 --- a/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file +++ b/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file @@ -1,2 +1,2 @@ ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. -error: Can't open signature file nope +error: failed to find file associated with @load-sigs nope diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index e340ed914b..898f73cb3b 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -1048,6 +1048,372 @@ 0.000000 MetaHookPost LoadFile(1, ./programming, <...>/programming.sig) -> -1 0.000000 MetaHookPost LoadFile(1, ./video, <...>/video.sig) -> -1 0.000000 MetaHookPost LoadFile(1, s2, ./s2.sig) -> -1 +0.000000 MetaHookPost LoadFileExtended(0, ../main, <...>/main.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ../plugin, <...>/plugin.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek) -> (-1, ) 
+0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, 
<...>/Zeek_HTTP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek) 
-> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost 
LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) -> (-1, ) +0.000000 
MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) -> (-1, ) +0.000000 MetaHookPost 
LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, ) +0.000000 
MetaHookPost LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./acld, <...>/acld.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./addrs, <...>/addrs.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./api, <...>/api.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./average, <...>/average.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./bloom-filter.bif.zeek, 
<...>/bloom-filter.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./broker, <...>/broker.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./consts, <...>/consts.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./contents, <...>/contents.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./control, <...>/control.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./debug, <...>/debug.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./drop, <...>/drop.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./entities, <...>/entities.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./event.bif.zeek, <...>/event.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./exec, <...>/exec.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./files, <...>/files.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./hll_unique, 
<...>/hll_unique.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./info, <...>/info.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./input, <...>/input.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./last, <...>/last.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./log, <...>/log.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./magic, <...>/magic) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./max, <...>/max.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./min, <...>/min.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./netstats, <...>/netstats.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./openflow, <...>/openflow.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./packetfilter, <...>/packetfilter.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./patterns, <...>/patterns.zeek) -> (-1, ) +0.000000 MetaHookPost 
LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./plugin, <...>/plugin.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./plugins, <...>/plugins) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./polling, <...>/polling.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./pools, <...>/pools.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./postprocessors, <...>/postprocessors) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./ryu, <...>/ryu.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./sample, <...>/sample.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./scp, <...>/scp.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./sftp, <...>/sftp.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./shunt, <...>/shunt.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./sum, <...>/sum.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, 
./telemetry.bif.zeek, <...>/telemetry.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./topk, <...>/topk.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./types, <...>/types.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./unique, <...>/unique.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./utils, <...>/utils.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./variance, <...>/variance.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./weird, <...>/weird.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/binary, <...>/binary.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/config, <...>/config.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/none, <...>/none.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/page, <...>/page.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, .<...>/raw, <...>/raw.zeek) -> (-1, ) 
+0.000000 MetaHookPost LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base/bif, <...>/bif) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base/init-default, <...>/init-default.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/api, <...>/api.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/broker, <...>/broker) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/cluster, <...>/cluster) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/config, 
<...>/config) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/conn, <...>/conn) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/control, <...>/control) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dhcp, <...>/dhcp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dir, <...>/dir.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dnp3, <...>/dnp3) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dns, <...>/dns) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/dpd, <...>/dpd) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/email, <...>/email.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ethernet, <...>/ethernet) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/exec, <...>/exec.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/extract, <...>/extract) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/fddi, <...>/fddi) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/files, <...>/files) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/find-checksum-offloading, 
<...>/find-checksum-offloading.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/icmp, <...>/icmp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/imap, <...>/imap) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/input, <...>/input) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/intel, <...>/intel) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ip, <...>/ip) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, ) 
+0.000000 MetaHookPost LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/modbus, <...>/modbus) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/mpls, <...>/mpls) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/mqtt, <...>/mqtt) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/mysql, <...>/mysql) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/openflow, <...>/openflow) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/packet-filter, <...>/packet-filter) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/paths, <...>/paths.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/pe, <...>/pe) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/plugins, <...>/plugins) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/pop3, <...>/pop3) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, 
base<...>/pppoe, <...>/pppoe) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/queue, <...>/queue.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/radius, <...>/radius) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/rdp, <...>/rdp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/reporter, <...>/reporter) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/rfb, <...>/rfb) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/root, <...>/root) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/signatures, <...>/signatures) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/sip, <...>/sip) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/site, <...>/site.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ssh, <...>/ssh) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/ssl, <...>/ssl) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/strings, <...>/strings.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, 
base<...>/strings.bif, <...>/strings.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/sumstats, <...>/sumstats) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/supervisor, <...>/supervisor) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/udp, <...>/udp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/urls, <...>/urls.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(0, s1.sig, 
./s1.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./archive, <...>/archive.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./audio, <...>/audio.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./executable, <...>/executable.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./font, <...>/font.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./general, <...>/general.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./image, <...>/image.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./java, <...>/java.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./libmagic, <...>/libmagic.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./office, <...>/office.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./programming, <...>/programming.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, ./video, <...>/video.sig) -> (-1, ) +0.000000 MetaHookPost LoadFileExtended(1, s2, ./s2.sig) -> (-1, ) 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 
@@ -2102,6 +2468,372 @@ 0.000000 MetaHookPre LoadFile(1, ./programming, <...>/programming.sig) 0.000000 MetaHookPre LoadFile(1, ./video, <...>/video.sig) 0.000000 MetaHookPre LoadFile(1, s2, ./s2.sig) +0.000000 MetaHookPre LoadFileExtended(0, ../main, <...>/main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ../plugin, <...>/plugin.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, 
<...>/Zeek_DHCP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek) +0.000000 
MetaHookPre LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) +0.000000 
MetaHookPre LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, 
<...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, 
<...>/Zeek_SMB.smb2_com_create.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, 
./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek) +0.000000 MetaHookPre 
LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./acld, <...>/acld.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./addrs, <...>/addrs.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./api, <...>/api.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./average, <...>/average.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./broker, <...>/broker.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./consts, <...>/consts.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./contents, <...>/contents.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./control, <...>/control.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./debug, <...>/debug.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./drop, <...>/drop.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./entities, <...>/entities.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./event.bif.zeek, 
<...>/event.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./exec, <...>/exec.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./files, <...>/files.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./hll_unique, <...>/hll_unique.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./info, <...>/info.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./input, <...>/input.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./last, <...>/last.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./log, <...>/log.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./magic, <...>/magic) +0.000000 MetaHookPre LoadFileExtended(0, ./main, <...>/main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./max, <...>/max.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./min, <...>/min.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./netstats, <...>/netstats.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./openflow, <...>/openflow.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./packetfilter, 
<...>/packetfilter.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./patterns, <...>/patterns.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./plugin, <...>/plugin.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./plugins, <...>/plugins) +0.000000 MetaHookPre LoadFileExtended(0, ./polling, <...>/polling.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./pools, <...>/pools.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./postprocessors, <...>/postprocessors) +0.000000 MetaHookPre LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./ryu, <...>/ryu.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./sample, <...>/sample.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./scp, <...>/scp.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./sftp, <...>/sftp.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./shunt, <...>/shunt.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./site, <...>/site.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./store, <...>/store.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./sum, <...>/sum.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek) 
+0.000000 MetaHookPre LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./topk, <...>/topk.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./types, <...>/types.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./unique, <...>/unique.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./utils, <...>/utils.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./variance, <...>/variance.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./weird, <...>/weird.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/binary, <...>/binary.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/config, <...>/config.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/none, <...>/none.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/page, <...>/page.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/raw, <...>/raw.zeek) +0.000000 MetaHookPre LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek) +0.000000 MetaHookPre LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek) +0.000000 MetaHookPre LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek) +0.000000 MetaHookPre LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base/bif, 
<...>/bif) +0.000000 MetaHookPre LoadFileExtended(0, base/init-default, <...>/init-default.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/api, <...>/api.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/broker, <...>/broker) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/cluster, <...>/cluster) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/config, <...>/config) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/conn, <...>/conn) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/control, <...>/control) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dhcp, <...>/dhcp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dir, 
<...>/dir.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dnp3, <...>/dnp3) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dns, <...>/dns) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/dpd, <...>/dpd) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/email, <...>/email.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ethernet, <...>/ethernet) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/exec, <...>/exec.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/extract, <...>/extract) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/fddi, <...>/fddi) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/files, <...>/files) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/files, <...>/files.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ftp, <...>/ftp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/gre, <...>/gre) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash, <...>/hash) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/http, <...>/http) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/icmp, <...>/icmp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) +0.000000 MetaHookPre 
LoadFileExtended(0, base<...>/imap, <...>/imap) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/input, <...>/input) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/intel, <...>/intel) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ip, <...>/ip) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/irc, <...>/irc) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/krb, <...>/krb) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging, <...>/logging) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/main, <...>/main.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/modbus, <...>/modbus) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/mpls, <...>/mpls) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/mqtt, <...>/mqtt) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/mysql, <...>/mysql) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/nflog, <...>/nflog) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/notice, <...>/notice) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ntp, <...>/ntp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/null, <...>/null) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/openflow, <...>/openflow) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, 
base<...>/packet-filter, <...>/packet-filter) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/paths, <...>/paths.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/pe, <...>/pe) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/plugins, <...>/plugins) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/pop3, <...>/pop3) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/queue, <...>/queue.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/radius, <...>/radius) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/rdp, <...>/rdp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/reporter, <...>/reporter) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/rfb, <...>/rfb) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/root, <...>/root) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/signatures, <...>/signatures) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/sip, <...>/sip) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/site, <...>/site.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/skip, <...>/skip) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/smb, <...>/smb) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/smtp, <...>/smtp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/snmp, <...>/snmp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/socks, <...>/socks) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/software, <...>/software) +0.000000 MetaHookPre LoadFileExtended(0, 
base<...>/ssh, <...>/ssh) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/ssl, <...>/ssl) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/strings, <...>/strings.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/strings.bif, <...>/strings.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/sumstats, <...>/sumstats) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/supervisor, <...>/supervisor) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/syslog, <...>/syslog) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/tcp, <...>/tcp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/time, <...>/time.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/udp, <...>/udp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/urls, <...>/urls.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/version, <...>/version.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/vlan, <...>/vlan) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/vntag, <...>/vntag) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/x509, <...>/x509) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) +0.000000 MetaHookPre LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) +0.000000 MetaHookPre LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) 
+0.000000 MetaHookPre LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) +0.000000 MetaHookPre LoadFileExtended(0, s1.sig, ./s1.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./archive, <...>/archive.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./audio, <...>/audio.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./executable, <...>/executable.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./font, <...>/font.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./general, <...>/general.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./image, <...>/image.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./java, <...>/java.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./libmagic, <...>/libmagic.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./office, <...>/office.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./programming, <...>/programming.sig) +0.000000 MetaHookPre LoadFileExtended(1, ./video, <...>/video.sig) +0.000000 MetaHookPre LoadFileExtended(1, s2, ./s2.sig) 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) 
@@ -3155,6 +3887,372 @@ 0.000000 | HookLoadFile builtin-plugins/__preload__.zeek <...>/__preload__.zeek 0.000000 | HookLoadFile s1.sig ./s1.sig 0.000000 | HookLoadFile s2 ./s2.sig +0.000000 | HookLoadFileExtended ../main <...>/main.zeek +0.000000 | HookLoadFileExtended ../plugin <...>/plugin.zeek +0.000000 | HookLoadFileExtended ./CPP-load.bif.zeek <...>/CPP-load.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_ARP.events.bif.zeek <...>/Zeek_ARP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_AsciiReader.ascii.bif.zeek <...>/Zeek_AsciiReader.ascii.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_AsciiWriter.ascii.bif.zeek <...>/Zeek_AsciiWriter.ascii.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_BenchmarkReader.benchmark.bif.zeek <...>/Zeek_BenchmarkReader.benchmark.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_BinaryReader.binary.bif.zeek <...>/Zeek_BinaryReader.binary.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_BitTorrent.events.bif.zeek <...>/Zeek_BitTorrent.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_ConfigReader.config.bif.zeek <...>/Zeek_ConfigReader.config.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_ConnSize.events.bif.zeek <...>/Zeek_ConnSize.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_ConnSize.functions.bif.zeek <...>/Zeek_ConnSize.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.consts.bif.zeek <...>/Zeek_DCE_RPC.consts.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.events.bif.zeek <...>/Zeek_DCE_RPC.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.types.bif.zeek <...>/Zeek_DCE_RPC.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DHCP.events.bif.zeek <...>/Zeek_DHCP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DHCP.types.bif.zeek <...>/Zeek_DHCP.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DNP3.events.bif.zeek <...>/Zeek_DNP3.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_DNS.events.bif.zeek <...>/Zeek_DNS.events.bif.zeek 
+0.000000 | HookLoadFileExtended ./Zeek_FTP.events.bif.zeek <...>/Zeek_FTP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_FTP.functions.bif.zeek <...>/Zeek_FTP.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_File.events.bif.zeek <...>/Zeek_File.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_FileEntropy.events.bif.zeek <...>/Zeek_FileEntropy.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_ICMP.events.bif.zeek <...>/Zeek_ICMP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_IMAP.events.bif.zeek <...>/Zeek_IMAP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_IRC.events.bif.zeek <...>/Zeek_IRC.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Ident.events.bif.zeek <...>/Zeek_Ident.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_KRB.events.bif.zeek <...>/Zeek_KRB.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek +0.000000 | HookLoadFileExtended 
./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Modbus.events.bif.zeek <...>/Zeek_Modbus.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_MySQL.events.bif.zeek <...>/Zeek_MySQL.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NCP.consts.bif.zeek <...>/Zeek_NCP.consts.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NCP.events.bif.zeek <...>/Zeek_NCP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NTLM.events.bif.zeek <...>/Zeek_NTLM.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NTLM.types.bif.zeek <...>/Zeek_NTLM.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NTP.events.bif.zeek <...>/Zeek_NTP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NTP.types.bif.zeek <...>/Zeek_NTP.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.events.bif.zeek <...>/Zeek_NetBIOS.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek +0.000000 | HookLoadFileExtended 
./Zeek_RFB.events.bif.zeek <...>/Zeek_RFB.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_RPC.events.bif.zeek <...>/Zeek_RPC.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_RawReader.raw.bif.zeek <...>/Zeek_RawReader.raw.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SIP.events.bif.zeek <...>/Zeek_SIP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.consts.bif.zeek <...>/Zeek_SMB.consts.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.events.bif.zeek <...>/Zeek_SMB.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_check_directory.bif.zeek <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_close.bif.zeek <...>/Zeek_SMB.smb1_com_close.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_create_directory.bif.zeek <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_echo.bif.zeek <...>/Zeek_SMB.smb1_com_echo.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_negotiate.bif.zeek <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_query_information.bif.zeek <...>/Zeek_SMB.smb1_com_query_information.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_read_andx.bif.zeek <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction.bif.zeek <...>/Zeek_SMB.smb1_com_transaction.bif.zeek +0.000000 | HookLoadFileExtended 
./Zeek_SMB.smb1_com_transaction2.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_write_andx.bif.zeek <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_events.bif.zeek <...>/Zeek_SMB.smb1_events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_close.bif.zeek <...>/Zeek_SMB.smb2_com_close.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_create.bif.zeek <...>/Zeek_SMB.smb2_com_create.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_negotiate.bif.zeek <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_read.bif.zeek <...>/Zeek_SMB.smb2_com_read.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_session_setup.bif.zeek <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_set_info.bif.zeek <...>/Zeek_SMB.smb2_com_set_info.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_transform_header.bif.zeek <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_connect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek 
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SNMP.types.bif.zeek <...>/Zeek_SNMP.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SOCKS.events.bif.zeek <...>/Zeek_SOCKS.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SQLiteReader.sqlite.bif.zeek <...>/Zeek_SQLiteReader.sqlite.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SQLiteWriter.sqlite.bif.zeek <...>/Zeek_SQLiteWriter.sqlite.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSH.events.bif.zeek <...>/Zeek_SSH.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSH.types.bif.zeek <...>/Zeek_SSH.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSL.consts.bif.zeek <...>/Zeek_SSL.consts.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek +0.000000 
| HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_VXLAN.events.bif.zeek <...>/Zeek_VXLAN.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_X509.events.bif.zeek <...>/Zeek_X509.events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_X509.functions.bif.zeek <...>/Zeek_X509.functions.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_X509.ocsp_events.bif.zeek <...>/Zeek_X509.ocsp_events.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_X509.types.bif.zeek <...>/Zeek_X509.types.bif.zeek +0.000000 | HookLoadFileExtended ./Zeek_XMPP.events.bif.zeek <...>/Zeek_XMPP.events.bif.zeek +0.000000 | HookLoadFileExtended ./acld <...>/acld.zeek +0.000000 | HookLoadFileExtended ./addrs <...>/addrs.zeek +0.000000 | HookLoadFileExtended ./analyzer.bif.zeek <...>/analyzer.bif.zeek +0.000000 | HookLoadFileExtended ./api <...>/api.zeek +0.000000 | HookLoadFileExtended ./archive <...>/archive.sig +0.000000 | HookLoadFileExtended ./audio <...>/audio.sig +0.000000 | HookLoadFileExtended ./average <...>/average.zeek +0.000000 | HookLoadFileExtended ./bloom-filter.bif.zeek <...>/bloom-filter.bif.zeek +0.000000 | HookLoadFileExtended ./broker <...>/broker.zeek +0.000000 | HookLoadFileExtended ./cardinality-counter.bif.zeek <...>/cardinality-counter.bif.zeek +0.000000 | HookLoadFileExtended ./certificate-event-cache <...>/certificate-event-cache.zeek +0.000000 | HookLoadFileExtended ./comm.bif.zeek <...>/comm.bif.zeek +0.000000 | HookLoadFileExtended ./const-dos-error <...>/const-dos-error.zeek +0.000000 | HookLoadFileExtended ./const-nt-status <...>/const-nt-status.zeek +0.000000 | HookLoadFileExtended ./const.bif.zeek <...>/const.bif.zeek +0.000000 | HookLoadFileExtended ./consts <...>/consts.zeek +0.000000 | HookLoadFileExtended ./contents <...>/contents.zeek +0.000000 | HookLoadFileExtended ./control 
<...>/control.zeek +0.000000 | HookLoadFileExtended ./ct-list <...>/ct-list.zeek +0.000000 | HookLoadFileExtended ./data.bif.zeek <...>/data.bif.zeek +0.000000 | HookLoadFileExtended ./dcc-send <...>/dcc-send.zeek +0.000000 | HookLoadFileExtended ./debug <...>/debug.zeek +0.000000 | HookLoadFileExtended ./dpd.sig <...>/dpd.sig +0.000000 | HookLoadFileExtended ./drop <...>/drop.zeek +0.000000 | HookLoadFileExtended ./entities <...>/entities.zeek +0.000000 | HookLoadFileExtended ./event.bif.zeek <...>/event.bif.zeek +0.000000 | HookLoadFileExtended ./exec <...>/exec.zeek +0.000000 | HookLoadFileExtended ./executable <...>/executable.sig +0.000000 | HookLoadFileExtended ./file_analysis.bif.zeek <...>/file_analysis.bif.zeek +0.000000 | HookLoadFileExtended ./files <...>/files.zeek +0.000000 | HookLoadFileExtended ./font <...>/font.sig +0.000000 | HookLoadFileExtended ./general <...>/general.sig +0.000000 | HookLoadFileExtended ./gridftp <...>/gridftp.zeek +0.000000 | HookLoadFileExtended ./hll_unique <...>/hll_unique.zeek +0.000000 | HookLoadFileExtended ./hooks.bif.zeek <...>/hooks.bif.zeek +0.000000 | HookLoadFileExtended ./image <...>/image.sig +0.000000 | HookLoadFileExtended ./inactivity <...>/inactivity.zeek +0.000000 | HookLoadFileExtended ./info <...>/info.zeek +0.000000 | HookLoadFileExtended ./input <...>/input.zeek +0.000000 | HookLoadFileExtended ./input.bif.zeek <...>/input.bif.zeek +0.000000 | HookLoadFileExtended ./java <...>/java.sig +0.000000 | HookLoadFileExtended ./last <...>/last.zeek +0.000000 | HookLoadFileExtended ./libmagic <...>/libmagic.sig +0.000000 | HookLoadFileExtended ./log <...>/log.zeek +0.000000 | HookLoadFileExtended ./log-ocsp <...>/log-ocsp.zeek +0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek +0.000000 | HookLoadFileExtended ./magic <...>/magic +0.000000 | HookLoadFileExtended ./main <...>/main.zeek +0.000000 | HookLoadFileExtended ./max <...>/max.zeek +0.000000 | HookLoadFileExtended ./messaging.bif.zeek 
<...>/messaging.bif.zeek +0.000000 | HookLoadFileExtended ./min <...>/min.zeek +0.000000 | HookLoadFileExtended ./mozilla-ca-list <...>/mozilla-ca-list.zeek +0.000000 | HookLoadFileExtended ./netstats <...>/netstats.zeek +0.000000 | HookLoadFileExtended ./non-cluster <...>/non-cluster.zeek +0.000000 | HookLoadFileExtended ./office <...>/office.sig +0.000000 | HookLoadFileExtended ./openflow <...>/openflow.zeek +0.000000 | HookLoadFileExtended ./option.bif.zeek <...>/option.bif.zeek +0.000000 | HookLoadFileExtended ./packet_analysis.bif.zeek <...>/packet_analysis.bif.zeek +0.000000 | HookLoadFileExtended ./packetfilter <...>/packetfilter.zeek +0.000000 | HookLoadFileExtended ./patterns <...>/patterns.zeek +0.000000 | HookLoadFileExtended ./pcap.bif.zeek <...>/pcap.bif.zeek +0.000000 | HookLoadFileExtended ./plugin <...>/plugin.zeek +0.000000 | HookLoadFileExtended ./plugins <...>/plugins +0.000000 | HookLoadFileExtended ./polling <...>/polling.zeek +0.000000 | HookLoadFileExtended ./pools <...>/pools.zeek +0.000000 | HookLoadFileExtended ./postprocessors <...>/postprocessors +0.000000 | HookLoadFileExtended ./programming <...>/programming.sig +0.000000 | HookLoadFileExtended ./removal-hooks <...>/removal-hooks.zeek +0.000000 | HookLoadFileExtended ./reporter.bif.zeek <...>/reporter.bif.zeek +0.000000 | HookLoadFileExtended ./ryu <...>/ryu.zeek +0.000000 | HookLoadFileExtended ./sample <...>/sample.zeek +0.000000 | HookLoadFileExtended ./scp <...>/scp.zeek +0.000000 | HookLoadFileExtended ./sftp <...>/sftp.zeek +0.000000 | HookLoadFileExtended ./shunt <...>/shunt.zeek +0.000000 | HookLoadFileExtended ./site <...>/site.zeek +0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek +0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek +0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek +0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek +0.000000 | HookLoadFileExtended ./store <...>/store.zeek +0.000000 | 
HookLoadFileExtended ./store.bif.zeek <...>/store.bif.zeek +0.000000 | HookLoadFileExtended ./strings.bif.zeek <...>/strings.bif.zeek +0.000000 | HookLoadFileExtended ./sum <...>/sum.zeek +0.000000 | HookLoadFileExtended ./supervisor.bif.zeek <...>/supervisor.bif.zeek +0.000000 | HookLoadFileExtended ./telemetry.bif.zeek <...>/telemetry.bif.zeek +0.000000 | HookLoadFileExtended ./thresholds <...>/thresholds.zeek +0.000000 | HookLoadFileExtended ./top-k.bif.zeek <...>/top-k.bif.zeek +0.000000 | HookLoadFileExtended ./topk <...>/topk.zeek +0.000000 | HookLoadFileExtended ./types <...>/types.zeek +0.000000 | HookLoadFileExtended ./types.bif.zeek <...>/types.bif.zeek +0.000000 | HookLoadFileExtended ./unique <...>/unique.zeek +0.000000 | HookLoadFileExtended ./utils <...>/utils.zeek +0.000000 | HookLoadFileExtended ./utils-commands <...>/utils-commands.zeek +0.000000 | HookLoadFileExtended ./variance <...>/variance.zeek +0.000000 | HookLoadFileExtended ./video <...>/video.sig +0.000000 | HookLoadFileExtended ./weird <...>/weird.zeek +0.000000 | HookLoadFileExtended ./zeek.bif.zeek <...>/zeek.bif.zeek +0.000000 | HookLoadFileExtended ./zeekygen.bif.zeek <...>/zeekygen.bif.zeek +0.000000 | HookLoadFileExtended .<...>/add-geodata <...>/add-geodata.zeek +0.000000 | HookLoadFileExtended .<...>/ascii <...>/ascii.zeek +0.000000 | HookLoadFileExtended .<...>/benchmark <...>/benchmark.zeek +0.000000 | HookLoadFileExtended .<...>/binary <...>/binary.zeek +0.000000 | HookLoadFileExtended .<...>/config <...>/config.zeek +0.000000 | HookLoadFileExtended .<...>/email_admin <...>/email_admin.zeek +0.000000 | HookLoadFileExtended .<...>/none <...>/none.zeek +0.000000 | HookLoadFileExtended .<...>/page <...>/page.zeek +0.000000 | HookLoadFileExtended .<...>/pp-alarms <...>/pp-alarms.zeek +0.000000 | HookLoadFileExtended .<...>/raw <...>/raw.zeek +0.000000 | HookLoadFileExtended .<...>/sqlite <...>/sqlite.zeek +0.000000 | HookLoadFileExtended <...>/__load__.zeek <...>/__load__.zeek 
+0.000000 | HookLoadFileExtended <...>/__preload__.zeek <...>/__preload__.zeek +0.000000 | HookLoadFileExtended <...>/hooks.zeek <...>/hooks.zeek +0.000000 | HookLoadFileExtended base/bif <...>/bif +0.000000 | HookLoadFileExtended base/init-default <...>/init-default.zeek +0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek +0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols +0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek +0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek +0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek +0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek +0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek +0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer +0.000000 | HookLoadFileExtended base<...>/analyzer.bif <...>/analyzer.bif.zeek +0.000000 | HookLoadFileExtended base<...>/api <...>/api.zeek +0.000000 | HookLoadFileExtended base<...>/backtrace <...>/backtrace.zeek +0.000000 | HookLoadFileExtended base<...>/broker <...>/broker +0.000000 | HookLoadFileExtended base<...>/cluster <...>/cluster +0.000000 | HookLoadFileExtended base<...>/comm.bif <...>/comm.bif.zeek +0.000000 | HookLoadFileExtended base<...>/config <...>/config +0.000000 | HookLoadFileExtended base<...>/conn <...>/conn +0.000000 | HookLoadFileExtended base<...>/conn-ids <...>/conn-ids.zeek +0.000000 | HookLoadFileExtended base<...>/const.bif <...>/const.bif.zeek +0.000000 | HookLoadFileExtended base<...>/control <...>/control +0.000000 | HookLoadFileExtended base<...>/data.bif <...>/data.bif.zeek +0.000000 | HookLoadFileExtended base<...>/dce-rpc <...>/dce-rpc +0.000000 | HookLoadFileExtended base<...>/dhcp <...>/dhcp +0.000000 | HookLoadFileExtended base<...>/dir <...>/dir.zeek +0.000000 | HookLoadFileExtended 
base<...>/directions-and-hosts <...>/directions-and-hosts.zeek +0.000000 | HookLoadFileExtended base<...>/dnp3 <...>/dnp3 +0.000000 | HookLoadFileExtended base<...>/dns <...>/dns +0.000000 | HookLoadFileExtended base<...>/dpd <...>/dpd +0.000000 | HookLoadFileExtended base<...>/email <...>/email.zeek +0.000000 | HookLoadFileExtended base<...>/ethernet <...>/ethernet +0.000000 | HookLoadFileExtended base<...>/event.bif <...>/event.bif.zeek +0.000000 | HookLoadFileExtended base<...>/exec <...>/exec.zeek +0.000000 | HookLoadFileExtended base<...>/extract <...>/extract +0.000000 | HookLoadFileExtended base<...>/fddi <...>/fddi +0.000000 | HookLoadFileExtended base<...>/file_analysis.bif <...>/file_analysis.bif.zeek +0.000000 | HookLoadFileExtended base<...>/files <...>/files +0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek +0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek +0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek +0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp +0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek +0.000000 | HookLoadFileExtended base<...>/gre <...>/gre +0.000000 | HookLoadFileExtended base<...>/hash <...>/hash +0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek +0.000000 | HookLoadFileExtended base<...>/http <...>/http +0.000000 | HookLoadFileExtended base<...>/icmp <...>/icmp +0.000000 | HookLoadFileExtended base<...>/ieee802_11 <...>/ieee802_11 +0.000000 | HookLoadFileExtended base<...>/ieee802_11_radio <...>/ieee802_11_radio +0.000000 | HookLoadFileExtended base<...>/imap <...>/imap +0.000000 | HookLoadFileExtended base<...>/input <...>/input +0.000000 | HookLoadFileExtended base<...>/input.bif <...>/input.bif.zeek +0.000000 | HookLoadFileExtended base<...>/intel <...>/intel +0.000000 | HookLoadFileExtended base<...>/ip <...>/ip +0.000000 | HookLoadFileExtended 
base<...>/iptunnel <...>/iptunnel +0.000000 | HookLoadFileExtended base<...>/irc <...>/irc +0.000000 | HookLoadFileExtended base<...>/krb <...>/krb +0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll +0.000000 | HookLoadFileExtended base<...>/logging <...>/logging +0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek +0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek +0.000000 | HookLoadFileExtended base<...>/messaging.bif <...>/messaging.bif.zeek +0.000000 | HookLoadFileExtended base<...>/modbus <...>/modbus +0.000000 | HookLoadFileExtended base<...>/mpls <...>/mpls +0.000000 | HookLoadFileExtended base<...>/mqtt <...>/mqtt +0.000000 | HookLoadFileExtended base<...>/mysql <...>/mysql +0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol +0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog +0.000000 | HookLoadFileExtended base<...>/notice <...>/notice +0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm +0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp +0.000000 | HookLoadFileExtended base<...>/null <...>/null +0.000000 | HookLoadFileExtended base<...>/numbers <...>/numbers.zeek +0.000000 | HookLoadFileExtended base<...>/openflow <...>/openflow +0.000000 | HookLoadFileExtended base<...>/option.bif <...>/option.bif.zeek +0.000000 | HookLoadFileExtended base<...>/packet-filter <...>/packet-filter +0.000000 | HookLoadFileExtended base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek +0.000000 | HookLoadFileExtended base<...>/paths <...>/paths.zeek +0.000000 | HookLoadFileExtended base<...>/patterns <...>/patterns.zeek +0.000000 | HookLoadFileExtended base<...>/pe <...>/pe +0.000000 | HookLoadFileExtended base<...>/plugins <...>/plugins +0.000000 | HookLoadFileExtended base<...>/pop3 <...>/pop3 +0.000000 | HookLoadFileExtended base<...>/ppp_serial <...>/ppp_serial +0.000000 | HookLoadFileExtended base<...>/pppoe <...>/pppoe +0.000000 | HookLoadFileExtended base<...>/queue 
<...>/queue.zeek +0.000000 | HookLoadFileExtended base<...>/radius <...>/radius +0.000000 | HookLoadFileExtended base<...>/rdp <...>/rdp +0.000000 | HookLoadFileExtended base<...>/removal-hooks <...>/removal-hooks.zeek +0.000000 | HookLoadFileExtended base<...>/reporter <...>/reporter +0.000000 | HookLoadFileExtended base<...>/reporter.bif <...>/reporter.bif.zeek +0.000000 | HookLoadFileExtended base<...>/rfb <...>/rfb +0.000000 | HookLoadFileExtended base<...>/root <...>/root +0.000000 | HookLoadFileExtended base<...>/signatures <...>/signatures +0.000000 | HookLoadFileExtended base<...>/sip <...>/sip +0.000000 | HookLoadFileExtended base<...>/site <...>/site.zeek +0.000000 | HookLoadFileExtended base<...>/skip <...>/skip +0.000000 | HookLoadFileExtended base<...>/smb <...>/smb +0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp +0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp +0.000000 | HookLoadFileExtended base<...>/socks <...>/socks +0.000000 | HookLoadFileExtended base<...>/software <...>/software +0.000000 | HookLoadFileExtended base<...>/ssh <...>/ssh +0.000000 | HookLoadFileExtended base<...>/ssl <...>/ssl +0.000000 | HookLoadFileExtended base<...>/stats.bif <...>/stats.bif.zeek +0.000000 | HookLoadFileExtended base<...>/store.bif <...>/store.bif.zeek +0.000000 | HookLoadFileExtended base<...>/strings <...>/strings.zeek +0.000000 | HookLoadFileExtended base<...>/strings.bif <...>/strings.bif.zeek +0.000000 | HookLoadFileExtended base<...>/sumstats <...>/sumstats +0.000000 | HookLoadFileExtended base<...>/supervisor <...>/supervisor +0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek +0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog +0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp +0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek +0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek +0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels 
+0.000000 | HookLoadFileExtended base<...>/types.bif <...>/types.bif.zeek +0.000000 | HookLoadFileExtended base<...>/udp <...>/udp +0.000000 | HookLoadFileExtended base<...>/urls <...>/urls.zeek +0.000000 | HookLoadFileExtended base<...>/utils <...>/utils.zeek +0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek +0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan +0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag +0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek +0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509 +0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp +0.000000 | HookLoadFileExtended base<...>/zeek.bif <...>/zeek.bif.zeek +0.000000 | HookLoadFileExtended builtin-plugins/__load__.zeek <...>/__load__.zeek +0.000000 | HookLoadFileExtended builtin-plugins/__preload__.zeek <...>/__preload__.zeek +0.000000 | HookLoadFileExtended s1.sig ./s1.sig +0.000000 | HookLoadFileExtended s2 ./s2.sig 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} 0.000000 | HookLogWrite packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() diff --git a/testing/btest/Baseline/plugins.plugin-load-file-extended/output b/testing/btest/Baseline/plugins.plugin-load-file-extended/output new file mode 100644 index 0000000000..d32f2141d1 --- /dev/null +++ b/testing/btest/Baseline/plugins.plugin-load-file-extended/output @@ -0,0 +1,7 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +HookLoadExtended/script: file=|xxx| resolved=|./xxx.zeek| +HookLoadExtended/script: file=|yyy| resolved=|| +HookLoadExtended/signature: file=|abc.sig| resolved=|./abc.sig| +new zeek_init(): script has been replaced +new zeek_init(): script has been added +signature works! 
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index 852d9656bf..1fd4054f38 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -15,6 +15,7 @@ using namespace btest::plugin::Demo_Hooks; zeek::plugin::Configuration Plugin::Configure() { EnableHook(zeek::plugin::HOOK_LOAD_FILE); + EnableHook(zeek::plugin::HOOK_LOAD_FILE_EXT); EnableHook(zeek::plugin::HOOK_CALL_FUNCTION); EnableHook(zeek::plugin::HOOK_QUEUE_EVENT); EnableHook(zeek::plugin::HOOK_DRAIN_EVENTS); @@ -56,6 +57,13 @@ int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std return -1; } +std::pair> Plugin::HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved) + { + fprintf(stderr, "%.6f %-15s %s %s\n", zeek::run_state::network_time, "| HookLoadFileExtended", + file.c_str(), resolved.c_str()); + return std::make_pair(-1, std::nullopt); + } + std::pair Plugin::HookFunctionCall(const zeek::Func* func, zeek::detail::Frame* frame, zeek::Args* args) { diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index 94a7f16aee..b721608a6f 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h @@ -9,6 +9,7 @@ class Plugin : public zeek::plugin::Plugin { protected: int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override; + std::pair> HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved) override; std::pair HookFunctionCall(const zeek::Func* func, zeek::detail::Frame* parent, zeek::Args* args) override; bool HookQueueEvent(zeek::Event* event) override; diff --git a/testing/btest/plugins/plugin-load-file-extended.zeek b/testing/btest/plugins/plugin-load-file-extended.zeek new file mode 100644 index 0000000000..0d3d297c5a 
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended.zeek
@@ -0,0 +1,17 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing LoadFileExtended
+# @TEST-EXEC: cp -r %DIR/plugin-load-file-extended/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -r $TRACES/wikipedia.trace -b Testing::LoadFileExtended xxx yyy -s abc.sig >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE xxx.zeek
+
+event zeek_init() {
+ print "original script";
+}
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE abc.sig
+# empty
+# @TEST-END-FILE
diff --git a/testing/btest/plugins/plugin-load-file-extended/.btest-ignore b/testing/btest/plugins/plugin-load-file-extended/.btest-ignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
new file mode 100644
index 0000000000..a86d4f50f2
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
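Review bot: The `zeek` command line in plugin-load-file-extended.zeek loads `yyy`, but the test only creates `xxx.zeek` and `abc.sig`, and nothing in the file says the missing script is deliberate. The baseline records `file=|yyy| resolved=||`, so this looks like the case where the plugin supplies content for a name that does not resolve to a file; a comment such as `# yyy has no file on disk on purpose: the plugin provides its content.` next to the `@TEST-START-FILE` blocks would keep a later cleanup from adding the file. As far as this test shows, only the content-replacing result of the hook is exercised; a hook that reports an error, or one that claims a file without returning content, is not covered.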
@@ -0,0 +1,70 @@
+
+#include "Plugin.h"
+
+namespace btest::plugin::Testing_LoadFileExtended
+ {
+Plugin plugin;
+ }
+
+using namespace btest::plugin::Testing_LoadFileExtended;
+
+zeek::plugin::Configuration Plugin::Configure()
+ {
+ EnableHook(zeek::plugin::HOOK_LOAD_FILE_EXT);
+
+ zeek::plugin::Configuration config;
+ config.name = "Testing::LoadFileExtended";
+ config.version.major = 0;
+ config.version.minor = 1;
+ config.version.patch = 4;
+ return config;
+ }
+
+#include
+
+std::pair> Plugin::HookLoadFileExtended(const LoadType type,
+ const std::string& file,
+ const std::string& resolved)
+ {
+ if ( type == LoadType::SCRIPT && file == "xxx" )
+ {
+ printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+ return std::make_pair(1, R"(
+ event zeek_init() {
+ print "new zeek_init(): script has been replaced";
+ }
+
+ event signature_match(state: signature_state, msg: string, data: string) {
+ print msg;
+ }
+ )");
+ }
+
+ if ( type == LoadType::SCRIPT && file == "yyy" )
+ {
+ printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+ return std::make_pair(1, R"(
+ event zeek_init() {
+ print "new zeek_init(): script has been added";
+ }
+ )");
+ }
+
+ if ( type == LoadType::SIGNATURES && file == "abc.sig" )
+ {
+ printf("HookLoadExtended/signature: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+ return std::make_pair(1, R"(
+ signature my-sig {
+ ip-proto == tcp
+ payload /GET \/images/
+ event "signature works!"
+ }
+ )");
+ }
+
+ return std::make_pair(-1, std::nullopt);
+ }
+
diff --git a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
new file mode 100644
index 0000000000..83137bce6f
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
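Review bot: `Plugin::HookLoadFileExtended` in the new src/Plugin.cc has no comment stating what the returned pair means, and this test plugin is the only worked example of the hook in the patch. Judging by the baseline, returning `1` with a string makes Zeek parse that text in place of the file, and `-1` with `std::nullopt` leaves loading to Zeek; a comment above the function such as `// Returns {1, text} to supply the file's content, {-1, nullopt} to decline.` would record that. It is also worth one line noting that the branches match on the unresolved `file` name alone and ignore `resolved`, so that the test shortcut is not mistaken for a pattern when a plugin has to decide whose content to substitute. The bare `#include` between `Configure()` and the hook belongs at the top next to `#include "Plugin.h"`; its operand is not visible on this page.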
@@ -0,0 +1,18 @@ + +#pragma once + +#include + +namespace btest::plugin::Testing_LoadFileExtended { + +class Plugin : public zeek::plugin::Plugin +{ +protected: + // Overridden from zeek::plugin::Plugin. + zeek::plugin::Configuration Configure() override; + std::pair> HookLoadFileExtended(const Plugin::LoadType type, const std::string& file, const std::string& resolved) override; +}; + +extern Plugin plugin; + +} From 64e34b52aaad860c7437aab765e85310dafb3f5a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 10 Nov 2021 09:39:16 +0100 Subject: [PATCH 3/3] Tweaking a couple of debug message. As suggested during review. --- src/PolicyFile.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index eaee5a9916..c1bd4eac42 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc @@ -49,7 +49,7 @@ int how_many_lines_in(const char* policy_filename) FILE* throwaway = fopen(policy_filename, "r"); if ( ! throwaway ) { - debug_msg("No such policy file: %s.\n", policy_filename); + debug_msg("Could not open policy file: %s.\n", policy_filename); return -1; } @@ -97,7 +97,7 @@ bool LoadPolicyFileText(const char* policy_filename, if ( ! f ) { - debug_msg("No such policy file: %s.\n", policy_filename); + debug_msg("Could not open policy file: %s.\n", policy_filename); return false; } @@ -152,7 +152,7 @@ bool PrintLines(const char* policy_filename, unsigned int start_line, unsigned i FILE* throwaway = fopen(policy_filename, "r"); if ( ! throwaway ) { - debug_msg("No such policy file: %s.\n", policy_filename); + debug_msg("Could not open policy file: %s.\n", policy_filename); return false; }
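Review bot: The reworded message in `how_many_lines_in` (src/PolicyFile.cc) still does not say why `fopen` failed, so a missing file and a permission problem produce the same debug output. Appending the errno text would separate the two, e.g. `debug_msg("Could not open policy file: %s (%s).\n", policy_filename, strerror(errno));`, provided `<cerrno>` and `<cstring>` are available in PolicyFile.cc, which these hunks do not show. The same applies to the identical changes in `LoadPolicyFileText` and `PrintLines`. All three function bodies continue outside their hunks.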