Merge remote-tracking branch 'origin/master' into topic/documentation

Conflicts:
	doc/index.rst

testing/btest/Baseline/core.pppoe/conn.log

@@ -0,0 +1,16 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-24-05-04-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1284385418.014560	TEfuqmmG4bh	fe80::c801:eff:fe88:8	547	fe80::ce05:eff:fe88:0	546	udp	-	0.096000	192	0	S0	-	0	D	2	288	0	0	(empty)
+1284385417.962560	j4u32Pc5bif	fe80::ce05:eff:fe88:0	546	ff02::1:2	547	udp	-	0.078000	114	0	S0	-	0	D	2	210	0	0	(empty)
+1284385411.091560	arKYeMETxOg	fe80::c801:eff:fe88:8	136	ff02::1	135	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
+1284385411.035560	UWkUyAuUGXf	fe80::c801:eff:fe88:8	143	ff02::16	0	icmp	-	0.835000	160	0	OTH	-	0	-	8	608	0	0	(empty)
+1284385451.658560	FrJExwHcSal	fc00:0:2:100::1:1	128	fc00::1	129	icmp	-	0.156000	260	260	OTH	-	0	-	5	500	5	500	(empty)
+1284385413.027560	nQcgTWjvg4c	fe80::c801:eff:fe88:8	134	fe80::ce05:eff:fe88:0	133	icmp	-	-	-	-	OTH	-	0	-	1	64	0	0	(empty)
+1284385412.963560	k6kgXLOoSKl	fe80::ce05:eff:fe88:0	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	48	0	0	(empty)
+#close	2012-10-24-05-04-16

testing/btest/Baseline/core.print-bpf-filters/output

@@ -3,38 +3,38 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-10-08-16-16-08
+#open	2012-11-06-00-53-09
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1349712968.812610	-	ip or not ip	T	T
-#close	2012-10-08-16-16-08
+1352163189.729807	-	ip or not ip	T	T
+#close	2012-11-06-00-53-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-10-08-16-16-09
+#open	2012-11-06-00-53-10
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1349712969.042094	-	(((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 995)) or (tcp port 22)) or (port 21 and port 2811)) or (tcp port 25 or tcp port 587)) or (tcp port 614)) or (tcp port 990)) or (port 6667)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
-#close	2012-10-08-16-16-09
+1352163190.114261	-	((((((((((((((((((((((((((port 53) or (tcp port 989)) or (tcp port 443)) or (port 6669)) or (udp and port 5353)) or (port 6668)) or (tcp port 1080)) or (udp and port 5355)) or (tcp port 502)) or (tcp port 995)) or (tcp port 22)) or (port 21 and port 2811)) or (tcp port 25 or tcp port 587)) or (tcp port 614)) or (tcp port 990)) or (port 6667)) or (udp port 137)) or (tcp port 993)) or (tcp port 5223)) or (port 514)) or (tcp port 585)) or (tcp port 992)) or (tcp port 563)) or (tcp port 994)) or (tcp port 636)) or (tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888))) or (port 6666)	T	T
+#close	2012-11-06-00-53-10
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-10-08-16-16-09
+#open	2012-11-06-00-53-10
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1349712969.270826	-	port 42	T	T
-#close	2012-10-08-16-16-09
+1352163190.484506	-	port 42	T	T
+#close	2012-11-06-00-53-10
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2012-10-08-16-16-09
+#open	2012-11-06-00-53-10
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1349712969.499878	-	port 56730	T	T
-#close	2012-10-08-16-16-09
+1352163190.855090	-	port 56730	T	T
+#close	2012-11-06-00-53-10

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2012-07-20-14-34-40
+#open	2012-11-05-23-29-45
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -40,6 +40,7 @@ scripts/base/init-default.bro
   scripts/base/utils/paths.bro
   scripts/base/utils/strings.bro
   scripts/base/utils/thresholds.bro
+  scripts/base/utils/urls.bro
   scripts/base/frameworks/notice/__load__.bro
     scripts/base/frameworks/notice/./main.bro
     scripts/base/frameworks/notice/./weird.bro
@@ -69,6 +70,7 @@ scripts/base/init-default.bro
     scripts/base/frameworks/metrics/./non-cluster.bro
   scripts/base/frameworks/intel/__load__.bro
     scripts/base/frameworks/intel/./main.bro
+    scripts/base/frameworks/intel/./input.bro
   scripts/base/frameworks/reporter/__load__.bro
     scripts/base/frameworks/reporter/./main.bro
   scripts/base/frameworks/tunnels/__load__.bro
@@ -99,6 +101,9 @@ scripts/base/init-default.bro
   scripts/base/protocols/irc/__load__.bro
     scripts/base/protocols/irc/./main.bro
     scripts/base/protocols/irc/./dcc-send.bro
+  scripts/base/protocols/modbus/__load__.bro
+    scripts/base/protocols/modbus/./consts.bro
+    scripts/base/protocols/modbus/./main.bro
   scripts/base/protocols/smtp/__load__.bro
     scripts/base/protocols/smtp/./main.bro
     scripts/base/protocols/smtp/./entities.bro
@@ -111,5 +116,6 @@ scripts/base/init-default.bro
   scripts/base/protocols/syslog/__load__.bro
     scripts/base/protocols/syslog/./consts.bro
     scripts/base/protocols/syslog/./main.bro
+  scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2012-07-20-14-34-40
+#close	2012-11-05-23-29-45

testing/btest/Baseline/coverage.init-default/missing_loads

@@ -2,5 +2,6 @@
 -./frameworks/cluster/nodes/proxy.bro
 -./frameworks/cluster/nodes/worker.bro
 -./frameworks/cluster/setup-connections.bro
+-./frameworks/intel/cluster.bro
 -./frameworks/metrics/cluster.bro
 -./frameworks/notice/cluster.bro

testing/btest/Baseline/language.addr/out

@@ -13,3 +13,5 @@ IPv6 address not case-sensitive (PASS)
 size of IPv6 address (PASS)
 IPv6 address type inference (PASS)
 IPv4 and IPv6 address inequality (PASS)
+IPv4-mapped-IPv6 equality to IPv4 (PASS)
+IPv4-mapped-IPv6 is IPv4 (PASS)

testing/btest/Baseline/language.subnet/out

@@ -10,3 +10,11 @@ IPv6 subnet !in operator (PASS)
 IPv6 subnet type inference (PASS)
 IPv4 and IPv6 subnet inequality (PASS)
 IPv4 address and IPv6 subnet (PASS)
+IPv4 in IPv4-mapped-IPv6 subnet (PASS)
+IPv6 !in IPv4-mapped-IPv6 subnet (PASS)
+IPv4-mapped-IPv6 in IPv4-mapped-IPv6 subnet (PASS)
+IPv4-mapped-IPv6 subnet equality (PASS)
+subnet literal const whitespace (PASS)
+subnet literal const whitespace (PASS)
+subnet literal const whitespace (PASS)
+subnet literal const whitespace (PASS)

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout

@@ -0,0 +1,2 @@
+cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: worker-1)
+cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: worker-2)

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2012-10-03-20-20-39
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.host	seen.str	seen.str_type	seen.where	sources
+#types	time	string	addr	port	addr	port	addr	string	enum	enum	table[string]
+1349295639.424940	-	-	-	-	-	123.123.123.123	-	-	Intel::IN_ANYWHERE	worker-1
+#close	2012-10-03-20-20-49

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout

@@ -0,0 +1,3 @@
+cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1)
+cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1)
+cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1)

testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout

@@ -0,0 +1,4 @@
+cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1)
+cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1)
+cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1)
+Doing a lookup

testing/btest/Baseline/scripts.base.frameworks.intel.input-and-match/broproc.intel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2012-10-03-20-18-05
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.host	seen.str	seen.str_type	seen.where	sources
+#types	time	string	addr	port	addr	port	addr	string	enum	enum	table[string]
+1349295485.114156	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	SOMEWHERE	source1
+1349295485.114156	-	-	-	-	-	1.2.3.4	-	-	SOMEWHERE	source1
+#close	2012-10-03-20-18-05

testing/btest/Baseline/scripts.base.frameworks.intel.insert-and-matcher/out

@@ -1,3 +0,0 @@
-VALID
-VALID
-VALID

testing/btest/Baseline/scripts.base.frameworks.intel.read-file-dist-cluster/manager-1.intel.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	intel
+#open	2012-10-10-15-05-23
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.host	seen.str	seen.str_type	seen.where	sources
+#types	time	string	addr	port	addr	port	addr	string	enum	enum	table[string]
+1349881523.548946	-	-	-	-	-	1.2.3.4	-	-	Intel::IN_A_TEST	source1
+1349881523.548946	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
+1349881524.567896	-	-	-	-	-	1.2.3.4	-	-	Intel::IN_A_TEST	source1
+1349881524.567896	-	-	-	-	-	-	e@mail.com	Intel::EMAIL	Intel::IN_A_TEST	source1
+#close	2012-10-10-15-05-24

testing/btest/Baseline/scripts.base.protocols.modbus.events/coverage

@@ -0,0 +1 @@
+2 of 28 events triggered by trace

testing/btest/Baseline/scripts.base.protocols.modbus.policy/known_modbus.log

@@ -0,0 +1,17 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	known_modbus
+#open	2012-11-06-00-51-15
+#fields	ts	host	device_type
+#types	time	addr	enum
+1093521694.211940	10.0.0.57	Known::MODBUS_MASTER
+1093521694.211940	10.0.0.3	Known::MODBUS_SLAVE
+1093521958.375300	10.0.0.8	Known::MODBUS_SLAVE
+1093522338.985618	10.0.0.9	Known::MODBUS_MASTER
+1153491892.212845	192.168.66.235	Known::MODBUS_MASTER
+1153491892.212845	166.161.16.230	Known::MODBUS_SLAVE
+1342774499.589057	10.1.1.234	Known::MODBUS_MASTER
+1342774499.589057	10.10.5.85	Known::MODBUS_SLAVE
+#close	2012-11-06-00-51-23

testing/btest/Baseline/scripts.base.protocols.modbus.policy/modbus_register_change.log

@@ -0,0 +1,49 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	modbus_register_change
+#open	2012-11-06-00-51-15
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	register	old_val	new_val	delta
+#types	time	string	addr	port	addr	port	count	count	count	interval
+1342774501.024564	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	1.250066
+1342774540.946501	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	39.921937
+1342774540.946501	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	41.172003
+1342774811.727563	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	311.953065
+1342774811.727563	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.781062
+1342774831.727542	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	290.781041
+1342774831.727542	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	19.999979
+1342774872.821282	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	41.093740
+1342774872.821282	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	61.093719
+1342775143.602482	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	311.874940
+1342775143.602482	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.781200
+1342775164.774350	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	291.953068
+1342775164.774350	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	21.171868
+1342775204.696194	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	39.921844
+1342775204.696194	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	61.093712
+1342775475.477365	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	310.703015
+1342775475.477365	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.781171
+1342775495.477389	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	290.781195
+1342775495.477389	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	20.000024
+1342775535.399236	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	39.921847
+1342775535.399236	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	59.921871
+1342775806.180404	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	310.703015
+1342775806.180404	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.781168
+1342775826.180415	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	290.781179
+1342775826.180415	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	20.000011
+1342775848.508596	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	501	80	90	1348.671590
+1342775871.961652	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	45.781237
+1342775871.961652	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	65.781248
+1342776142.758456	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	316.578041
+1342776142.758456	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.796804
+1342776167.445943	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	295.484291
+1342776167.445943	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	24.687487
+1342776213.274085	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	45.828142
+1342776213.274085	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	70.515629
+1342776484.055366	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	0	1	316.609423
+1342776484.055366	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	1	0	270.781281
+1342776507.570851	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	0	1	294.296766
+1342776507.570851	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	102	1	0	23.515485
+1342776553.352098	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	101	1	0	45.781247
+1342776553.352098	3PKsZ2Uye21	10.1.1.234	51411	10.10.5.85	502	103	0	1	69.296732
+#close	2012-11-06-00-51-23

testing/btest/core/pppoe.test

@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/pppoe.trace %INPUT 
+# @TEST-EXEC: btest-diff conn.log

testing/btest/language/addr.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 function test_case(msg: string, expect: bool)
@@ -43,5 +43,10 @@ event bro_init()
 
 	test_case( "IPv4 and IPv6 address inequality", a1 != b1 );
 
+	# IPv4-mapped-IPv6 (internally treated as IPv4)
+	local c1: addr = [::ffff:1.2.3.4];
+
+	test_case( "IPv4-mapped-IPv6 equality to IPv4", c1 == 1.2.3.4 );
+	test_case( "IPv4-mapped-IPv6 is IPv4", is_v4_addr(c1) == T );
 }
 

testing/btest/language/subnet.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 function test_case(msg: string, expect: bool)
@@ -43,5 +43,22 @@ event bro_init()
 	test_case( "IPv4 and IPv6 subnet inequality", s1 != t1 );
 	test_case( "IPv4 address and IPv6 subnet", a1 !in t2 );
 
+	# IPv4-mapped-IPv6 subnets
+	local u1: subnet = [::ffff:0:0]/96;
+
+	test_case( "IPv4 in IPv4-mapped-IPv6 subnet", 1.2.3.4 in u1 );
+	test_case( "IPv6 !in IPv4-mapped-IPv6 subnet", [fe80::1] !in u1 );
+	test_case( "IPv4-mapped-IPv6 in IPv4-mapped-IPv6 subnet",
+	           [::ffff:1.2.3.4] in u1 );
+	test_case( "IPv4-mapped-IPv6 subnet equality",
+	           [::ffff:1.2.3.4]/112 == 1.2.0.0/16 );
+	test_case( "subnet literal const whitespace",
+	           [::ffff:1.2.3.4] / 112 == 1.2.0.0 / 16 );
+	test_case( "subnet literal const whitespace",
+	           [::ffff:1.2.3.4]/ 128 == 1.2.3.4/ 32 );
+	test_case( "subnet literal const whitespace",
+	           [::ffff:1.2.3.4] /96 == 1.2.3.4 /0 );
+	test_case( "subnet literal const whitespace",
+	           [::ffff:1.2.3.4]   /    92 == [::fffe:1.2.3.4]    /   92 );
 }
 

testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro

@@ -0,0 +1,80 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/.stdout
+# @TEST-EXEC: btest-diff manager-1/intel.log
+# @TEST-EXEC: btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff worker-2/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"],
+};
+@TEST-END-FILE
+
+@load base/frameworks/control
+
+module Intel;
+
+redef Log::default_rotation_interval=0sec;
+
+event remote_connection_handshake_done(p: event_peer)
+	{
+	# Insert the data once both workers are connected.
+	if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 )
+		{
+		Intel::insert([$host=1.2.3.4,$meta=[$source="manager"]]);
+		}
+	}
+
+global worker2_data = 0;
+global sent_data = F;
+event Intel::cluster_new_item(item: Intel::Item)
+	{
+	if ( ! is_remote_event() )
+		return;
+
+	print fmt("cluster_new_item: %s inserted by %s (from peer: %s)", item$host, item$meta$source, get_event_peer()$descr);
+
+	if ( ! sent_data )
+		{
+		# We wait to insert data here because we can now be sure the 
+		# full cluster is constructed.
+		sent_data = T;
+		if ( Cluster::node == "worker-1" )
+			Intel::insert([$host=123.123.123.123,$meta=[$source="worker-1"]]);
+		if ( Cluster::node == "worker-2" )
+			Intel::insert([$host=4.3.2.1,$meta=[$source="worker-2"]]);
+		}
+
+	# We're forcing worker-2 to do a lookup when it has three intelligence items
+	# which were distributed over the cluster (data inserted locally is resent).
+	if ( Cluster::node == "worker-2" )
+		{
+		++worker2_data;
+		if ( worker2_data == 3 )
+			{
+			# Now that everything is inserted, see if we can match on the data inserted
+			# by worker-1.
+			print "Doing a lookup";
+			Intel::seen([$host=123.123.123.123, $where=Intel::IN_ANYWHERE]);
+			}
+		}
+	}
+
+event Intel::log_intel(rec: Intel::Info)
+	{
+	event Control::shutdown_request();
+	}
+
+event remote_connection_closed(p: event_peer)
+	{
+	# Cascading termination
+	#print fmt("disconnected from: %s", p);
+	terminate_communication();
+	}

testing/btest/scripts/base/frameworks/intel/input-and-match.bro

@@ -0,0 +1,40 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run broproc bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 5
+# @TEST-EXEC: btest-diff broproc/intel.log
+
+@TEST-START-FILE intel.dat
+#fields	host	net	str	str_type	meta.source	meta.desc	meta.url
+1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+-	-	e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
+@TEST-END-FILE
+
+@load frameworks/communication/listen
+
+redef Intel::read_files += { "../intel.dat" };
+redef enum Intel::Where += { SOMEWHERE };
+
+event do_it()
+	{
+	Intel::seen([$str="e@mail.com",
+	             $str_type=Intel::EMAIL,
+	             $where=SOMEWHERE]);
+
+	Intel::seen([$host=1.2.3.4,
+	             $where=SOMEWHERE]);
+	}
+
+global log_lines = 0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++log_lines;
+	if ( log_lines == 2 )
+		terminate();
+	}
+
+event bro_init() &priority=-10
+	{
+	schedule 1sec { do_it() };
+	}

testing/btest/scripts/base/frameworks/intel/insert-and-matcher.bro

@@ -1,34 +0,0 @@
-#
-# @TEST-EXEC: bro %INPUT >out
-# @TEST-EXEC: btest-diff out
-
-event bro_init()
-	{
-	Intel::insert([$ip=1.2.3.4, $tags=set("zeustracker.abuse.ch", "malicious")]);
-	Intel::insert([$str="http://www.google.com/", $subtype="url", $tags=set("infrastructure", "google")]);
-	Intel::insert([$str="Ab439G32F...", $subtype="x509_cert", $tags=set("bad")]);
-	Intel::insert([$str="Ab439G32F...", $tags=set("bad")]);
-	}
-
-event bro_done()
-	{
-	local orig_h = 1.2.3.4;
-	
-	if ( Intel::matcher([$ip=orig_h, $and_tags=set("malicious")]) )
-		print "VALID";
-	
-	if ( Intel::matcher([$ip=orig_h, $and_tags=set("don't match")]) )
-		print "INVALID";
-	
-	if ( Intel::matcher([$ip=orig_h, $pred=function(meta: Intel::MetaData): bool { return T; } ]) )
-		print "VALID";
-		
-	if ( Intel::matcher([$ip=orig_h, $pred=function(meta: Intel::MetaData): bool { return F; } ]) )
-		print "INVALID";
-		
-	if ( Intel::matcher([$str="http://www.google.com/", $subtype="url", $tags=set("google")]) )
-		print "VALID";
-		
-	if ( Intel::matcher([$str="http://www.example.com", $subtype="url"]) )
-		print "INVALID";
-	}

testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro

@@ -0,0 +1,66 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: btest-bg-run worker-1  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT
+# @TEST-EXEC: btest-bg-run worker-2  BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT
+# @TEST-EXEC: btest-bg-wait -k 10
+# @TEST-EXEC: btest-diff manager-1/.stdout
+# @TEST-EXEC: btest-diff manager-1/intel.log
+# @TEST-EXEC: btest-diff worker-1/.stdout
+# @TEST-EXEC: btest-diff worker-2/.stdout
+
+@TEST-START-FILE cluster-layout.bro
+redef Cluster::nodes = {
+	["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")],
+	["worker-1"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"],
+	["worker-2"]  = [$node_type=Cluster::WORKER,  $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"],
+};
+@TEST-END-FILE
+
+@TEST-START-FILE intel.dat
+#fields	host	net	str	str_type	meta.source	meta.desc	meta.url
+1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+1.2.3.4	-	-	-	source1	this host is just plain baaad	http://some-data-distributor.com/1234
+-	-	e@mail.com	Intel::EMAIL	source1	Phishing email source	http://some-data-distributor.com/100000
+@TEST-END-FILE
+
+@load base/frameworks/control
+redef Log::default_rotation_interval=0sec;
+
+module Intel;
+
+@if ( Cluster::local_node_type() == Cluster::MANAGER )
+redef Intel::read_files += { "../intel.dat" };
+@endif
+
+redef enum Intel::Where += {
+	Intel::IN_A_TEST,
+};
+
+event do_it()
+	{
+	Intel::seen([$host=1.2.3.4, $where=Intel::IN_A_TEST]);
+	Intel::seen([$str="e@mail.com", $str_type=Intel::EMAIL, $where=Intel::IN_A_TEST]);
+	}
+
+event bro_init()
+	{
+	# Delay the workers searching for hits briefly to allow for the data distribution
+	# mechanism to distribute the data to the workers.
+	if ( Cluster::local_node_type() == Cluster::WORKER )
+		schedule 2sec { do_it() };
+	}
+
+global intel_hits=0;
+event Intel::log_intel(rec: Intel::Info)
+	{
+	++intel_hits;
+	# There should be 4 hits since each worker is "seeing" 2 things.
+	if ( intel_hits == 4 )
+		{
+		# We're delaying shutdown for a second here to make sure that no other
+		# matches happen (which would be wrong!).
+		schedule 1sec { Control::shutdown_request() };
+		}
+	}

testing/btest/scripts/base/protocols/modbus/events.bro

@@ -0,0 +1,148 @@
+#
+# @TEST-EXEC: bro -r $TRACES/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
+# @TEST-EXEC: cat ${DIST}/src/event.bif  | grep "^event modbus_" | wc -l >total
+# @TEST-EXEC: echo `cat covered` of `cat total` events triggered by trace >coverage
+# @TEST-EXEC: btest-diff coverage
+
+event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
+{
+    print "modbus_message", c, headers, is_orig;
+}
+
+event modbus_exception(c: connection, headers: ModbusHeaders, code: count)
+{
+    print "modbus_exception", c, headers, code;
+}
+
+event modbus_read_coils_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_coils_request", c, headers, start_address, quantity;
+}
+
+event modbus_read_coils_response(c: connection, headers: ModbusHeaders, coils: ModbusCoils)
+{
+    print "modbus_read_coils_response", c, headers, coils;
+}
+
+event modbus_read_discrete_inputs_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_discrete_inputs_request", c, headers, start_address, quantity;
+}
+
+event modbus_read_discrete_inputs_response(c: connection, headers: ModbusHeaders, coils: ModbusCoils)
+{
+    print "modbus_read_discrete_inputs_response", c, headers, coils;
+}
+
+event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_holding_registers_request", c, headers, start_address, quantity;
+}
+
+event modbus_read_holding_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+{
+    print "modbus_read_holding_registers_response", c, headers, registers;
+}
+
+event modbus_read_input_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_read_input_registers_request", c, headers, start_address, quantity;
+}
+
+event modbus_read_input_registers_response(c: connection, headers: ModbusHeaders, registers: ModbusRegisters)
+{
+    print "modbus_read_input_registers_response", c, headers, registers;
+}
+
+event modbus_write_single_coil_request(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_request", c, headers, address, value;
+}
+
+event modbus_write_single_coil_response(c: connection, headers: ModbusHeaders, address: count, value: bool)
+{
+    print "modbus_write_single_coil_response", c, headers, address, value;
+}
+
+event modbus_write_single_register_request(c: connection, headers: ModbusHeaders, address: count, value: count)
+{
+    print "modbus_write_single_register_request", c, headers, address, value;
+}
+
+event modbus_write_single_register_response(c: connection, headers: ModbusHeaders, address: count, value: count)
+{
+    print "modbus_write_single_register_response", c, headers, address, value;
+}
+
+event modbus_write_multiple_coils_request(c: connection, headers: ModbusHeaders, start_address: count, coils: ModbusCoils)
+{
+    print "modbus_write_multiple_coils_request", c, headers, start_address, coils;
+}
+
+event modbus_write_multiple_coils_response(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_write_multiple_coils_response", c, headers, start_address, quantity;
+}
+
+event modbus_write_multiple_registers_request(c: connection, headers: ModbusHeaders, start_address: count, registers: ModbusRegisters)
+{
+    print "modbus_write_multiple_registers_request", c, headers, start_address, registers;
+}
+
+event modbus_write_multiple_registers_response(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
+{
+    print "modbus_write_multiple_registers_response", c, headers, start_address, quantity;
+}
+
+event modbus_read_file_record_request(c: connection, headers: ModbusHeaders)
+{
+    print "modbus_read_file_record_request", c, headers;
+}
+
+event modbus_read_file_record_response(c: connection, headers: ModbusHeaders)
+{
+    print "modbus_read_file_record_response", c, headers;
+}
+
+event modbus_write_file_record_request(c: connection, headers: ModbusHeaders)
+{
+    print "modbus_write_file_record_request", c, headers;
+}
+
+event modbus_write_file_record_response(c: connection, headers: ModbusHeaders)
+{
+    print "modbus_write_file_record_response", c, headers;
+}
+
+event modbus_mask_write_register_request(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
+{
+    print "modbus_mask_write_register_request", c, headers, address, and_mask, or_mask;
+}
+
+event modbus_mask_write_register_response(c: connection, headers: ModbusHeaders, address: count, and_mask: count, or_mask: count)
+{
+    print "modbus_mask_write_register_response", c, headers, address, and_mask, or_mask;
+}
+
+event modbus_read_write_multiple_registers_request(c: connection, headers: ModbusHeaders, read_start_address: count, read_quantity: count, write_start_address: count, write_registers: ModbusRegisters)
+{
+    print "modbus_read_write_multiple_registers_request", c, headers, read_start_address, read_quantity, write_start_address, write_registers;
+}
+
+event modbus_read_write_multiple_registers_response(c: connection, headers: ModbusHeaders, written_registers: ModbusRegisters)
+{
+    print "modbus_read_write_multiple_registers_response", c, headers, written_registers;
+}
+
+event modbus_read_fifo_queue_request(c: connection, headers: ModbusHeaders, start_address: count)
+{
+    print "modbus_read_fifo_queue_request", c, headers, start_address;
+}
+
+event modbus_read_fifo_queue_response(c: connection, headers: ModbusHeaders, fifos: ModbusRegisters)
+{
+    print "modbus_read_fifo_queue_response", c, headers, fifos;
+}
+

testing/btest/scripts/base/protocols/modbus/policy.bro

@@ -0,0 +1,9 @@
+#
+# @TEST-EXEC: bro -r $TRACES/modbus.trace %INPUT 
+# @TEST-EXEC: btest-diff modbus.log
+# @TEST-EXEC: btest-diff modbus_register_change.log
+# @TEST-EXEC: btest-diff known_modbus.log
+#
+
+@load protocols/modbus/known-masters-slaves.bro
+@load protocols/modbus/track-memmap.bro