diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
index ad38d598ac..ea09a66717 100644
--- a/src/analyzer/protocol/imap/IMAP.cc
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -77,7 +77,6 @@ void IMAP_Analyzer::StartTLS()
// StartTLS was called. This means we saw a client starttls followed
// by a server proceed. From here on, everything should be a binary
// TLS datastream.
-
tls_active = true;
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
diff --git a/src/analyzer/protocol/imap/Plugin.cc b/src/analyzer/protocol/imap/Plugin.cc
index 8660879bc3..63358f1aeb 100644
--- a/src/analyzer/protocol/imap/Plugin.cc
+++ b/src/analyzer/protocol/imap/Plugin.cc
@@ -1,8 +1,5 @@
// See the file in the main distribution directory for copyright.
-
-
#include "plugin/Plugin.h"
-
#include "IMAP.h"
namespace plugin {
@@ -14,10 +11,9 @@ public:
{
AddComponent(new ::analyzer::Component("IMAP", ::analyzer::imap::IMAP_Analyzer::Instantiate));
-
plugin::Configuration config;
config.name = "Bro::IMAP";
- config.description = "IMAP analyzer StartTLS only";
+ config.description = "IMAP analyzer (StartTLS only)";
return config;
}
} plugin;
diff --git a/src/analyzer/protocol/imap/events.bif b/src/analyzer/protocol/imap/events.bif
index ba83791b13..8d70dda26f 100644
--- a/src/analyzer/protocol/imap/events.bif
+++ b/src/analyzer/protocol/imap/events.bif
@@ -1,14 +1,13 @@
-## Generated for an SSL/TLS client's initial *hello* message. SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
-## of that as it can. This event provides access to the initial information
-## sent by the client.
+## Generated when a server sends a capability list to the client,
+## after being queried using the CAPABILITY command.
##
## c: The connection.
##
## capabilities: The list of IMAP capabilities as sent by the server.
event imap_capabilities%(c: connection, capabilities: string_vec%);
-## Generated when a IMAP connection goes encrypted
+## Generated when a IMAP connection goes encrypted after a successful
+## StartTLS exchange between the client and the server.
##
## c: The connection.
event imap_starttls%(c: connection%);
diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2
index ac140925fc..d0f448441b 100644
--- a/testing/btest/Baseline/core.print-bpf-filters/output2
+++ b/testing/btest/Baseline/core.print-bpf-filters/output2
@@ -1,5 +1,6 @@
2 1080
1 137
+1 143
1 1434
1 161
1 162
@@ -47,8 +48,8 @@
1 992
1 993
1 995
-54 and
-53 or
-54 port
-36 tcp
+55 and
+54 or
+55 port
+37 tcp
18 udp
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index b5107374d1..0427e043e1 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2016-04-22-23-21-01
+#open 2016-04-26-18-11-39
#fields name
#types string
scripts/base/init-bare.bro
@@ -76,6 +76,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+ build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -131,4 +132,4 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
scripts/policy/misc/loaded-scripts.bro
scripts/base/utils/paths.bro
-#close 2016-04-22-23-21-01
+#close 2016-04-26-18-11-39
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index c2db0ad12e..806f1c6b9b 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -3,7 +3,7 @@
#empty_field (empty)
#unset_field -
#path loaded_scripts
-#open 2016-04-22-23-21-18
+#open 2016-04-26-18-11-49
#fields name
#types string
scripts/base/init-bare.bro
@@ -76,6 +76,7 @@ scripts/base/init-bare.bro
build/scripts/base/bif/plugins/Bro_HTTP.functions.bif.bro
build/scripts/base/bif/plugins/Bro_ICMP.events.bif.bro
build/scripts/base/bif/plugins/Bro_Ident.events.bif.bro
+ build/scripts/base/bif/plugins/Bro_IMAP.events.bif.bro
build/scripts/base/bif/plugins/Bro_InterConn.events.bif.bro
build/scripts/base/bif/plugins/Bro_IRC.events.bif.bro
build/scripts/base/bif/plugins/Bro_KRB.events.bif.bro
@@ -252,6 +253,8 @@ scripts/base/init-default.bro
scripts/base/protocols/http/entities.bro
scripts/base/protocols/http/utils.bro
scripts/base/protocols/http/files.bro
+ scripts/base/protocols/imap/__load__.bro
+ scripts/base/protocols/imap/main.bro
scripts/base/protocols/irc/__load__.bro
scripts/base/protocols/irc/main.bro
scripts/base/protocols/irc/dcc-send.bro
@@ -302,4 +305,4 @@ scripts/base/init-default.bro
scripts/base/misc/find-checksum-offloading.bro
scripts/base/misc/find-filtered-trace.bro
scripts/policy/misc/loaded-scripts.bro
-#close 2016-04-22-23-21-18
+#close 2016-04-26-18-11-49
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index d4bd063e12..a30a37bf95 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -25,6 +25,7 @@
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 8080/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 81/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 8888/tcp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IMAP, 143/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6666/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6667/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6668/tcp)) ->
@@ -83,6 +84,7 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 8080/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 81/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 8888/tcp)) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IMAP, 143/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6666/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6667/tcp)) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6668/tcp)) ->
@@ -122,6 +124,7 @@
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {631<...>/tcp})) ->
+0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IRC, {6669<...>/tcp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_KRB, {88/udp})) ->
0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_KRB_TCP, {88/tcp})) ->
@@ -230,7 +233,7 @@
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) ->
0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) ->
@@ -351,7 +354,7 @@
0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) ->
0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])) ->
0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -416,6 +419,7 @@
0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1
+0.000000 MetaHookPost LoadFile(./Bro_IMAP.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1
0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1
@@ -587,6 +591,7 @@
0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1
0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1
0.000000 MetaHookPost LoadFile(base<...>/http) -> -1
+0.000000 MetaHookPost LoadFile(base<...>/imap) -> -1
0.000000 MetaHookPost LoadFile(base<...>/input) -> -1
0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1
0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1
@@ -665,6 +670,7 @@
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 8080/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 81/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IMAP, 143/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6666/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6667/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -723,6 +729,7 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 8080/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 81/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_HTTP, 8888/tcp))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IMAP, 143/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6666/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6667/tcp))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_IRC, 6668/tcp))
@@ -762,6 +769,7 @@
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_HTTP, {631<...>/tcp}))
+0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IMAP, {143/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_IRC, {6669<...>/tcp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_KRB, {88/udp}))
0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_KRB_TCP, {88/tcp}))
@@ -870,7 +878,7 @@
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG))
0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG))
@@ -991,7 +999,7 @@
0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509]))
0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T]))
0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
0.000000 MetaHookPre CallFunction(NetControl::init, , ())
0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1056,6 +1064,7 @@
0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_HTTP.functions.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro)
+0.000000 MetaHookPre LoadFile(./Bro_IMAP.events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro)
0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro)
@@ -1227,6 +1236,7 @@
0.000000 MetaHookPre LoadFile(base<...>/ftp)
0.000000 MetaHookPre LoadFile(base<...>/hash)
0.000000 MetaHookPre LoadFile(base<...>/http)
+0.000000 MetaHookPre LoadFile(base<...>/imap)
0.000000 MetaHookPre LoadFile(base<...>/input)
0.000000 MetaHookPre LoadFile(base<...>/input.bif)
0.000000 MetaHookPre LoadFile(base<...>/intel)
@@ -1305,6 +1315,7 @@
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1363,6 +1374,7 @@
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
@@ -1402,6 +1414,7 @@
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {631<...>/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6669<...>/tcp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB, {88/udp})
0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_KRB_TCP, {88/tcp})
@@ -1509,7 +1522,7 @@
0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1630,7 +1643,7 @@
0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])
0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509])
0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461367323.154279, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461694342.200388, node=bro, filter=ip or not ip, init=T, success=T])
0.000000 | HookCallFunction NetControl::check_plugins()
0.000000 | HookCallFunction NetControl::init()
0.000000 | HookCallFunction Notice::want_pp()