From 25495e576af5a3604c993ba5918f7a7a48909f86 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 3 Oct 2016 14:23:58 -0500
Subject: [PATCH] Add DCE-RPC and NTLM abbreviation documentation for their events.
---
 src/analyzer/protocol/dce-rpc/events.bif | 38 +++++++++++++-----------
 src/analyzer/protocol/ntlm/events.bif | 15 ++++++----
 2 files changed, 30 insertions(+), 23 deletions(-)
diff --git a/src/analyzer/protocol/dce-rpc/events.bif b/src/analyzer/protocol/dce-rpc/events.bif
index 7d4274c1df..b2a5ef1c4d 100644
--- a/src/analyzer/protocol/dce-rpc/events.bif
+++ b/src/analyzer/protocol/dce-rpc/events.bif
@@ -1,11 +1,12 @@
-## Generated for every DCE-RPC message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` message.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if the message was sent by the originator of the TCP connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## ptype_id: Numeric representation of the procedure type of the message.
 ##
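Review bot: The rewritten `+## Generated for every :abbr:...` line and both new `+## fid:` lines in this hunk run well past the wrap width the rest of the file keeps (the untouched `is_orig:` line is the longest original at about 85 columns), and the `fid:` paragraph now spells the full expansion out twice within two lines. Carrying the :abbr: role only on the first mention of each event block and writing plain `DCE-RPC` in the `fid:` sentence afterwards would keep the original two-line `fid:` text unchanged while still producing the glossary link in the rendered docs. The same pattern is repeated for every dce_rpc_* event in the hunks at -14, -32 and -58 of this file, so the decision should be applied consistently across all of them.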
@@ -14,14 +15,15 @@
 ## .. bro:see:: dce_rpc_bind dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count, ptype: DCE_RPC::PType%);
 
-## Generated for every DCE-RPC bind request message. Since RPC offers the ability
-## for a client to request connections to multiple endpoints, this event can occur
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request message.
+## Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur
 ## multiple times for a single RPC message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## uuid: The string interpretted uuid of the endpoint being requested.
 ##
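Review bot: The `uuid:` context line at the end of this hunk still reads `interpretted`; since the dce_rpc_bind docstring is being rewrapped anyway, fixing it here to `## uuid: The string interpreted uuid of the endpoint being requested.` avoids a separate docs-only commit for a one-word typo. The remainder of this event's parameter list (ver_major, ver_minor) and the `event dce_rpc_bind%(...)` declaration lie outside the hunk.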
@@ -32,24 +34,26 @@ event dce_rpc_message%(c: connection, is_orig: bool, fid: count, ptype_id: count
 ## .. bro:see:: dce_rpc_message dce_rpc_bind_ack dce_rpc_request dce_rpc_response
 event dce_rpc_bind%(c: connection, fid: count, uuid: string, ver_major: count, ver_minor: count%);
 
-## Generated for every DCE-RPC bind request ack message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` bind request ack message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## sec_addr: Secondary address for the ack.
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_request dce_rpc_response
 event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
 
-## Generated for every DCE-RPC request message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` request message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -58,12 +62,13 @@ event dce_rpc_bind_ack%(c: connection, fid: count, sec_addr: string%);
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_response
 event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%);
 
-## Generated for every DCE-RPC response message.
+## Generated for every :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` response message.
 ##
 ## c: The connection.
 ##
-## fid: File ID of the PIPE that carried the DCE-RPC message. Zero will be used if the
-## DCE-RPC was not transported over a pipe.
+## fid: File ID of the PIPE that carried the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)`
+## message. Zero will be used if the :abbr:`DCE-RPC (Distributed Computing Environment/Remote Procedure Calls)` was
+## not transported over a pipe.
 ##
 ## opnum: Number of the RPC operation.
 ##
@@ -71,4 +76,3 @@ event dce_rpc_request%(c: connection, fid: count, opnum: count, stub_len: count%
 ##
 ## .. bro:see:: dce_rpc_message dce_rpc_bind dce_rpc_bind_ack dce_rpc_request
 event dce_rpc_response%(c: connection, fid: count, opnum: count, stub_len: count%);
-
diff --git a/src/analyzer/protocol/ntlm/events.bif b/src/analyzer/protocol/ntlm/events.bif
index 4c99fc561e..a36d653968 100644
--- a/src/analyzer/protocol/ntlm/events.bif
+++ b/src/analyzer/protocol/ntlm/events.bif
@@ -1,23 +1,26 @@
-## Generated for NTLM messages of type *negotiate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *negotiate*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_challenge ntlm_authenticate
 event ntlm_negotiate%(c: connection, negotiate: NTLM::Negotiate%);
 
-## Generated for NTLM messages of type *challenge*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *challenge*.
 ##
 ## c: The connection.
 ##
-## negotiate: The parsed data of the NTLM message. See init-bare for more details.
+## negotiate: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_authenticate
 event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);
 
-## Generated for NTLM messages of type *authenticate*.
+## Generated for :abbr:`NTLM (NT LAN Manager)` messages of type *authenticate*.
 ##
 ## c: The connection.
 ##
-## request: The parsed data of the NTLM message. See init-bare for more details.
+## request: The parsed data of the :abbr:`NTLM (NT LAN Manager)` message. See init-bare for more details.
 ##
+## .. bro:see:: ntlm_negotiate ntlm_challenge
 event ntlm_authenticate%(c: connection, request: NTLM::Authenticate%);
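Review bot: The rewritten parameter line for the *challenge* event still documents `negotiate:` while the declaration two lines below is `event ntlm_challenge%(c: connection, challenge: NTLM::Challenge%);`, so the generated reference will describe a parameter that does not exist on this event; the line should begin `## challenge:` rather than `## negotiate:`, keeping the same :abbr: form as the other two blocks. Separately, `See init-bare for more details.` in all three blocks gives a reader of the rendered docs nothing to follow; naming the record type each parameter carries (NTLM::Negotiate, NTLM::Challenge, NTLM::Authenticate), preferably as a cross-reference if the doc domain supports one, would point them at where the fields are actually defined. Since these records are what downstream scripts key on to observe NTLM exchanges, an accurate parameter name and type reference here matters more than for most event docs.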