Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details

CHANGES

@@ -1,4 +1,27 @@
 
+2.6-249 | 2019-04-26 19:26:44 -0700
+
+  * Fix parsing of hybrid IPv6-IPv4 addr literals with no zero compression (Jon Siwek, Corelight)
+
+2.6-246 | 2019-04-25 10:22:11 -0700
+
+  * Add Zeexygen cross-reference links for some events (Jon Siwek, Corelight)
+
+2.6-245 | 2019-04-23 18:42:02 -0700
+
+  * Expose TCP analyzer utility functions to derived classes (Vern Paxson, Corelight)
+
+2.6-243 | 2019-04-22 19:42:52 -0700
+
+  * GH-234: rename Broxygen to Zeexygen along with roles/directives (Jon Siwek, Corelight)
+
+    * All "Broxygen" usages have been replaced in
+      code, documentation, filenames, etc.
+
+    * Sphinx roles/directives like ":bro:see" are now ":zeek:see"
+
+    * The "--broxygen" command-line option is now "--zeexygen"
+
 2.6-242 | 2019-04-22 22:43:09 +0200
 
   * update SSL consts from TLS 1.3 (Johanna Amann)

NEWS

@@ -175,6 +175,14 @@ Changed Functionality
   the end of a connection (in a FIN or RST) are considered unreliable
   and aren't counted as true gaps.
 
+- The Broxygen component, which is used to generate our Doxygen-like
+  scripting API documentation has been renamed to Zeexygen.  This likely has
+  no breaking or visible changes for most users, except in the case one
+  used it to generate their own documentation via the ``--broxygen`` flag,
+  which is now named ``--zeexygen``.  Besides that, the various documentation
+  in scripts has also been updated to replace Sphinx cross-referencing roles
+  and directives like ":bro:see:" with ":zeek:zee:".
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-2.6-242
+2.6-249

aux/bifcl

@@ -1 +1 @@
-Subproject commit 1dea95dd7819cb6b80291d5830e2b7d04b14abd0
+Subproject commit 1b5375e9f81ecec59f983e6abe86300c6bbbcb8f

aux/binpac

@@ -1 +1 @@
-Subproject commit f648419d796f8ab9f36991062ae790174e084aee
+Subproject commit 04c7e27a22491a91ee309877253da0922d0822bc

aux/broccoli

@@ -1 +1 @@
-Subproject commit 0ec42e5f54b7f0a65e35213d709ae19499526647
+Subproject commit 8668422406cb74f4f0c574a0c9b6365a21f3e81a

aux/broctl

@@ -1 +1 @@
-Subproject commit 5698525ae41c397c18eba1d5350cca18fa081665
+Subproject commit 39ae4a469d6ae86c12b49020b361da4fcab24b5b

aux/broker

@@ -1 +1 @@
-Subproject commit 1ab04b7bd893f65c1339b2ac92596dca6ed66412
+Subproject commit 56408c5582c80db6774c8b25642149dfb542345a

aux/zeek-aux

@@ -1 +1 @@
-Subproject commit 0ec8103a698ae71ff23d4dfa9e38b624c22ae718
+Subproject commit ba482418c4e16551fd7b9128a4082348ef2842f0

cmake

@@ -1 +1 @@
-Subproject commit 8554b602eed13076484fdac18fbdd934b061bed7
+Subproject commit 5521da04df0190e3362e4c5164df5c2c8884dd2c

doc

@@ -1 +1 @@
-Subproject commit 38f6edaf273401eef51cf754010f144be6398066
+Subproject commit 073bb08473b8172b8bb175e0702204f15f522392

man/bro.8

@@ -99,7 +99,7 @@ Record process status in file
 \fB\-W\fR,\ \-\-watchdog
 activate watchdog timer
 .TP
-\fB\-X\fR,\ \-\-broxygen <cfgfile>
+\fB\-X\fR,\ \-\-zeexygen <cfgfile>
 generate documentation based on config file
 .TP
 \fB\-\-pseudo\-realtime[=\fR<speedup>]
@@ -150,7 +150,7 @@ ASCII log file extension
 Output file for script execution statistics
 .TP
 .B BRO_DISABLE_BROXYGEN
-Disable Broxygen documentation support
+Disable Zeexygen (Broxygen) documentation support
 .SH AUTHOR
 .B bro
 was written by The Bro Project <info@bro.org>.

scripts/base/files/extract/main.zeek

@@ -29,12 +29,12 @@ export {
 		## to know where to write the file to.  If not specified, then
 		## a filename in the format "extract-<source>-<id>" is
 		## automatically assigned (using the *source* and *id*
-		## fields of :bro:see:`fa_file`).
+		## fields of :zeek:see:`fa_file`).
 		extract_filename: string &optional;
 		## The maximum allowed file size in bytes of *extract_filename*.
-		## Once reached, a :bro:see:`file_extraction_limit` event is
+		## Once reached, a :zeek:see:`file_extraction_limit` event is
 		## raised and the analyzer will be removed unless
-		## :bro:see:`FileExtract::set_limit` is called to increase the
+		## :zeek:see:`FileExtract::set_limit` is called to increase the
 		## limit.  A value of zero means "no limit".
 		extract_limit: count &default=default_limit;
 	};

scripts/base/frameworks/analyzer/main.zeek

@@ -5,7 +5,7 @@
 ##! particular analyzer for new connections.
 ##!
 ##! Protocol analyzers are identified by unique tags of type
-##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP`.
+##! :zeek:type:`Analyzer::Tag`, such as :zeek:enum:`Analyzer::ANALYZER_HTTP`.
 ##! These tags are defined internally by
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
@@ -17,7 +17,7 @@ module Analyzer;
 export {
 	## If true, all available analyzers are initially disabled at startup.
 	## One can then selectively enable them with
-	## :bro:id:`Analyzer::enable_analyzer`.
+	## :zeek:id:`Analyzer::enable_analyzer`.
 	global disable_all = F &redef;
 
 	## Enables an analyzer. Once enabled, the analyzer may be used for analysis
@@ -109,7 +109,7 @@ export {
 
 	## Automatically creates a BPF filter for the specified protocol based
 	## on the data supplied for the protocol through the
-	## :bro:see:`Analyzer::register_for_ports` function.
+	## :zeek:see:`Analyzer::register_for_ports` function.
 	##
 	## tag: The analyzer tag.
 	##

scripts/base/frameworks/broker/main.zeek

@@ -10,19 +10,19 @@ export {
 	## Default interval to retry listening on a port if it's currently in
 	## use already.  Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
 	## (set as a number of seconds) will override this option and also
-	## any values given to :bro:see:`Broker::listen`.
+	## any values given to :zeek:see:`Broker::listen`.
 	const default_listen_retry = 30sec &redef;
 
 	## Default address on which to listen.
 	##
-	## .. bro:see:: Broker::listen
+	## .. zeek:see:: Broker::listen
 	const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
 
 	## Default interval to retry connecting to a peer if it cannot be made to
 	## work initially, or if it ever becomes disconnected.  Use of the
 	## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
 	## seconds) will override this option and also any values given to
-	## :bro:see:`Broker::peer`.
+	## :zeek:see:`Broker::peer`.
 	const default_connect_retry = 30sec &redef;
 
 	## If true, do not use SSL for network connections. By default, SSL will
@@ -47,7 +47,7 @@ export {
 	const ssl_certificate = "" &redef;
 
 	## Passphrase to decrypt the private key specified by
-	## :bro:see:`Broker::ssl_keyfile`. If set, Bro will require valid
+	## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
 	## certificates for all peers.
 	const ssl_passphrase = "" &redef;
 
@@ -96,7 +96,7 @@ export {
 	## Forward all received messages to subscribing peers.
 	const forward_messages = F &redef;
 
-	## Whether calling :bro:see:`Broker::peer` will register the Broker
+	## Whether calling :zeek:see:`Broker::peer` will register the Broker
 	## system as an I/O source that will block the process from shutting
 	## down.  For example, set this to false when you are reading pcaps,
 	## but also want to initaiate a Broker peering and still shutdown after
@@ -107,7 +107,7 @@ export {
 	## id is appended when writing to a particular stream.
 	const default_log_topic_prefix = "bro/logs/" &redef;
 
-	## The default implementation for :bro:see:`Broker::log_topic`.
+	## The default implementation for :zeek:see:`Broker::log_topic`.
 	function default_log_topic(id: Log::ID, path: string): string
 		{
 		return default_log_topic_prefix + cat(id);
@@ -116,7 +116,7 @@ export {
 	## A function that will be called for each log entry to determine what
 	## broker topic string will be used for sending it to peers.  The
 	## default implementation will return a value based on
-	## :bro:see:`Broker::default_log_topic_prefix`.
+	## :zeek:see:`Broker::default_log_topic_prefix`.
 	##
 	## id: the ID associated with the log stream entry that will be sent.
 	##
@@ -232,7 +232,7 @@ export {
 	##
 	## Returns: the bound port or 0/? on failure.
 	##
-	## .. bro:see:: Broker::status
+	## .. zeek:see:: Broker::status
 	global listen: function(a: string &default = default_listen_address,
 	                        p: port &default = default_port,
 	                        retry: interval &default = default_listen_retry): port;
@@ -252,7 +252,7 @@ export {
 	##          it's a new peer. The actual connection may not be established
 	##          until a later point in time.
 	##
-	## .. bro:see:: Broker::status
+	## .. zeek:see:: Broker::status
 	global peer: function(a: string, p: port &default=default_port,
 	                      retry: interval &default=default_connect_retry): bool;
 
@@ -262,12 +262,12 @@ export {
 	## just means that we won't exchange any further information with it
 	## unless peering resumes later.
 	##
-	## a: the address used in previous successful call to :bro:see:`Broker::peer`.
+	## a: the address used in previous successful call to :zeek:see:`Broker::peer`.
 	##
-	## p: the port used in previous successful call to :bro:see:`Broker::peer`.
+	## p: the port used in previous successful call to :zeek:see:`Broker::peer`.
 	##
 	## Returns: true if the arguments match a previously successful call to
-	##          :bro:see:`Broker::peer`.
+	##          :zeek:see:`Broker::peer`.
 	##
 	## TODO: We do not have a function yet to terminate a connection.
 	global unpeer: function(a: string, p: port): bool;
@@ -298,7 +298,7 @@ export {
 
 	## Register interest in all peer event messages that use a certain topic
 	## prefix.  Note that subscriptions may not be altered immediately after
-	## calling (except during :bro:see:`zeek_init`).
+	## calling (except during :zeek:see:`zeek_init`).
 	##
 	## topic_prefix: a prefix to match against remote message topics.
 	##               e.g. an empty prefix matches everything and "a" matches
@@ -309,10 +309,10 @@ export {
 
 	## Unregister interest in all peer event messages that use a topic prefix.
 	## Note that subscriptions may not be altered immediately after calling
-	## (except during :bro:see:`zeek_init`).
+	## (except during :zeek:see:`zeek_init`).
 	##
 	## topic_prefix: a prefix previously supplied to a successful call to
-	##               :bro:see:`Broker::subscribe` or :bro:see:`Broker::forward`.
+	##               :zeek:see:`Broker::subscribe` or :zeek:see:`Broker::forward`.
 	##
 	## Returns: true if interest in the topic prefix is no longer advertised.
 	global unsubscribe: function(topic_prefix: string): bool;
@@ -320,8 +320,8 @@ export {
 	## Register a topic prefix subscription for events that should only be
 	## forwarded to any subscribing peers and not raise any event handlers
 	## on the receiving/forwarding node.  i.e. it's the same as
-	## :bro:see:`Broker::subscribe` except matching events are not raised
+	## :zeek:see:`Broker::subscribe` except matching events are not raised
-	## on the receiver, just forwarded.  Use :bro:see:`Broker::unsubscribe`
+	## on the receiver, just forwarded.  Use :zeek:see:`Broker::unsubscribe`
 	## with the same argument to undo this operation.
 	##
 	## topic_prefix: a prefix to match against remote message topics.
@@ -346,9 +346,9 @@ export {
 
 	## Stop automatically sending an event to peers upon local dispatch.
 	##
-	## topic: a topic originally given to :bro:see:`Broker::auto_publish`.
+	## topic: a topic originally given to :zeek:see:`Broker::auto_publish`.
 	##
-	## ev: an event originally given to :bro:see:`Broker::auto_publish`.
+	## ev: an event originally given to :zeek:see:`Broker::auto_publish`.
 	##
 	## Returns: true if automatic events will not occur for the topic/event
 	##          pair.

scripts/base/frameworks/broker/store.zeek

@@ -353,7 +353,7 @@ export {
 	##
 	## Returns: a set with the keys.  If you expect the keys to be of
 	##          non-uniform type, consider using
-	##          :bro:see:`Broker::set_iterator` to iterate over the result.
+	##          :zeek:see:`Broker::set_iterator` to iterate over the result.
 	global keys: function(h: opaque of Broker::Store): QueryResult;
 
 	## Deletes all of a store's content, it will be empty afterwards.

scripts/base/frameworks/cluster/__load__.zeek

@@ -17,7 +17,7 @@ redef Broker::log_topic = Cluster::rr_log_topic;
 # If this script isn't found anywhere, the cluster bombs out.
 # Loading the cluster framework requires that a script by this name exists
 # somewhere in the BROPATH.  The only thing in the file should be the
-# cluster definition in the :bro:id:`Cluster::nodes` variable.
+# cluster definition in the :zeek:id:`Cluster::nodes` variable.
 @load cluster-layout
 
 @if ( Cluster::node in Cluster::nodes )

scripts/base/frameworks/cluster/main.zeek

@@ -1,8 +1,8 @@
 ##! A framework for establishing and controlling a cluster of Bro instances.
 ##! In order to use the cluster framework, a script named
 ##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path
-##! which has a cluster definition of the :bro:id:`Cluster::nodes` variable.
+##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
-##! The ``CLUSTER_NODE`` environment variable or :bro:id:`Cluster::node`
+##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
 ##! must also be sent and the cluster framework loaded as a package like
 ##! ``@load base/frameworks/cluster``.
 
@@ -44,23 +44,23 @@ export {
 	const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef;
 
 	## Name of the node on which master data stores will be created if no other
-	## has already been specified by the user in :bro:see:`Cluster::stores`.
+	## has already been specified by the user in :zeek:see:`Cluster::stores`.
 	## An empty value means "use whatever name corresponds to the manager
 	## node".
 	const default_master_node = "" &redef;
 
 	## The type of data store backend that will be used for all data stores if
-	## no other has already been specified by the user in :bro:see:`Cluster::stores`.
+	## no other has already been specified by the user in :zeek:see:`Cluster::stores`.
 	const default_backend = Broker::MEMORY &redef;
 
 	## The type of persistent data store backend that will be used for all data
 	## stores if no other has already been specified by the user in
-	## :bro:see:`Cluster::stores`.  This will be used when script authors call
+	## :zeek:see:`Cluster::stores`.  This will be used when script authors call
-	## :bro:see:`Cluster::create_store` with the *persistent* argument set true.
+	## :zeek:see:`Cluster::create_store` with the *persistent* argument set true.
 	const default_persistent_backend = Broker::SQLITE &redef;
 
 	## Setting a default dir will, for persistent backends that have not
-	## been given an explicit file path via :bro:see:`Cluster::stores`,
+	## been given an explicit file path via :zeek:see:`Cluster::stores`,
 	## automatically create a path within this dir that is based on the name of
 	## the data store.
 	const default_store_dir = "" &redef;
@@ -81,21 +81,21 @@ export {
 		## Parameters used for configuring the backend.
 		options: Broker::BackendOptions &default=Broker::BackendOptions();
 		## A resync/reconnect interval to pass through to
-		## :bro:see:`Broker::create_clone`.
+		## :zeek:see:`Broker::create_clone`.
 		clone_resync_interval: interval &default=Broker::default_clone_resync_interval;
 		## A staleness duration to pass through to
-		## :bro:see:`Broker::create_clone`.
+		## :zeek:see:`Broker::create_clone`.
 		clone_stale_interval: interval &default=Broker::default_clone_stale_interval;
 		## A mutation buffer interval to pass through to
-		## :bro:see:`Broker::create_clone`.
+		## :zeek:see:`Broker::create_clone`.
 		clone_mutation_buffer_interval: interval &default=Broker::default_clone_mutation_buffer_interval;
 	};
 
 	## A table of cluster-enabled data stores that have been created, indexed
 	## by their name.  This table will be populated automatically by
-	## :bro:see:`Cluster::create_store`, but if you need to customize
+	## :zeek:see:`Cluster::create_store`, but if you need to customize
 	## the options related to a particular data store, you may redef this
-	## table.  Calls to :bro:see:`Cluster::create_store` will first check
+	## table.  Calls to :zeek:see:`Cluster::create_store` will first check
 	## the table for an entry of the same name and, if found, will use the
 	## predefined options there when setting up the store.
 	global stores: table[string] of StoreInfo &default=StoreInfo() &redef;
@@ -174,15 +174,15 @@ export {
 	## This function can be called at any time to determine if the cluster
 	## framework is being enabled for this run.
 	##
-	## Returns: True if :bro:id:`Cluster::node` has been set.
+	## Returns: True if :zeek:id:`Cluster::node` has been set.
 	global is_enabled: function(): bool;
 
 	## This function can be called at any time to determine what type of
 	## cluster node the current Bro instance is going to be acting as.
-	## If :bro:id:`Cluster::is_enabled` returns false, then
+	## If :zeek:id:`Cluster::is_enabled` returns false, then
-	## :bro:enum:`Cluster::NONE` is returned.
+	## :zeek:enum:`Cluster::NONE` is returned.
 	##
-	## Returns: The :bro:type:`Cluster::NodeType` the calling node acts as.
+	## Returns: The :zeek:type:`Cluster::NodeType` the calling node acts as.
 	global local_node_type: function(): NodeType;
 
 	## This gives the value for the number of workers currently connected to,
@@ -241,8 +241,8 @@ export {
 
 	## Retrieve the topic associated with a specific node in the cluster.
 	##
-	## id: the id of the cluster node (from :bro:see:`Broker::EndpointInfo`
+	## id: the id of the cluster node (from :zeek:see:`Broker::EndpointInfo`
-	##     or :bro:see:`Broker::node_id`.
+	##     or :zeek:see:`Broker::node_id`.
 	##
 	## Returns: a topic string that may used to send a message exclusively to
 	##          a given cluster node.

scripts/base/frameworks/cluster/pools.zeek

@@ -58,17 +58,17 @@ export {
 		alive_count: count &default = 0;
 	};
 
-	## The specification for :bro:see:`Cluster::proxy_pool`.
+	## The specification for :zeek:see:`Cluster::proxy_pool`.
 	global proxy_pool_spec: PoolSpec =
 		PoolSpec($topic = "bro/cluster/pool/proxy",
 				 $node_type = Cluster::PROXY) &redef;
 
-	## The specification for :bro:see:`Cluster::worker_pool`.
+	## The specification for :zeek:see:`Cluster::worker_pool`.
 	global worker_pool_spec: PoolSpec =
 		PoolSpec($topic = "bro/cluster/pool/worker",
 				 $node_type = Cluster::WORKER) &redef;
 
-	## The specification for :bro:see:`Cluster::logger_pool`.
+	## The specification for :zeek:see:`Cluster::logger_pool`.
 	global logger_pool_spec: PoolSpec =
 		PoolSpec($topic = "bro/cluster/pool/logger",
 				 $node_type = Cluster::LOGGER) &redef;
@@ -120,10 +120,10 @@ export {
 	global rr_topic: function(pool: Pool, key: string &default=""): string;
 
 	## Distributes log message topics among logger nodes via round-robin.
-	## This will be automatically assigned to :bro:see:`Broker::log_topic`
+	## This will be automatically assigned to :zeek:see:`Broker::log_topic`
-	## if :bro:see:`Cluster::enable_round_robin_logging` is enabled.
+	## if :zeek:see:`Cluster::enable_round_robin_logging` is enabled.
 	## If no logger nodes are active, then this will return the value
-	## of :bro:see:`Broker::default_log_topic`.
+	## of :zeek:see:`Broker::default_log_topic`.
 	global rr_log_topic: function(id: Log::ID, path: string): string;
 }
 
@@ -136,7 +136,7 @@ export {
 ## Returns: F if a node of the same name already exists in the pool, else T.
 global init_pool_node: function(pool: Pool, name: string): bool;
 
-## Mark a pool node as alive/online/available. :bro:see:`Cluster::hrw_topic`
+## Mark a pool node as alive/online/available. :zeek:see:`Cluster::hrw_topic`
 ## will distribute keys to nodes marked as alive.
 ##
 ## pool: the pool to which the node belongs.
@@ -146,7 +146,7 @@ global init_pool_node: function(pool: Pool, name: string): bool;
 ## Returns: F if the node does not exist in the pool, else T.
 global mark_pool_node_alive: function(pool: Pool, name: string): bool;
 
-## Mark a pool node as dead/offline/unavailable. :bro:see:`Cluster::hrw_topic`
+## Mark a pool node as dead/offline/unavailable. :zeek:see:`Cluster::hrw_topic`
 ## will not distribute keys to nodes marked as dead.
 ##
 ## pool: the pool to which the node belongs.

scripts/base/frameworks/cluster/setup-connections.zeek

@@ -1,5 +1,5 @@
 ##! This script establishes communication among all nodes in a cluster
-##! as defined by :bro:id:`Cluster::nodes`.
+##! as defined by :zeek:id:`Cluster::nodes`.
 
 @load ./main
 @load ./pools

scripts/base/frameworks/config/main.zeek

@@ -24,14 +24,14 @@ export {
 		location: string &optional &log;
 	};
 
-	## Event that can be handled to access the :bro:type:`Config::Info`
+	## Event that can be handled to access the :zeek:type:`Config::Info`
 	## record as it is sent on to the logging framework.
 	global log_config: event(rec: Info);
 
 	## This function is the config framework layer around the lower-level
-	## :bro:see:`Option::set` call. Config::set_value will set the configuration
+	## :zeek:see:`Option::set` call. Config::set_value will set the configuration
 	## value for all nodes in the cluster, no matter where it was called. Note
-	## that :bro:see:`Option::set` does not distribute configuration changes
+	## that :zeek:see:`Option::set` does not distribute configuration changes
 	## to other nodes.
 	##
 	## ID: The ID of the option to update.

scripts/base/frameworks/control/main.zeek

@@ -8,7 +8,7 @@ export {
 	## The topic prefix used for exchanging control messages via Broker.
 	const topic_prefix = "bro/control";
 
-	## Whether the controllee should call :bro:see:`Broker::listen`.
+	## Whether the controllee should call :zeek:see:`Broker::listen`.
 	## In a cluster, this isn't needed since the setup process calls it.
 	const controllee_listen = T &redef;
 
@@ -18,7 +18,7 @@ export {
 	## The port of the host that will be controlled.
 	const host_port = 0/tcp &redef;
 
-	## If :bro:id:`Control::host` is a non-global IPv6 address and
+	## If :zeek:id:`Control::host` is a non-global IPv6 address and
 	## requires a specific :rfc:`4007` ``zone_id``, it can be set here.
 	const zone_id = "" &redef;
 
@@ -45,7 +45,7 @@ export {
 	## Event for requesting the value of an ID (a variable).
 	global id_value_request: event(id: string);
 	## Event for returning the value of an ID after an
-	## :bro:id:`Control::id_value_request` event.
+	## :zeek:id:`Control::id_value_request` event.
 	global id_value_response: event(id: string, val: string);
 
 	## Requests the current communication status.
@@ -62,7 +62,7 @@ export {
 	## updated.
 	global configuration_update_request: event();
 	## This event is a wrapper and alias for the
-	## :bro:id:`Control::configuration_update_request` event.
+	## :zeek:id:`Control::configuration_update_request` event.
 	## This event is also a primary hooking point for the control framework.
 	global configuration_update: event();
 	## Message in response to a configuration update request.

scripts/base/frameworks/files/main.zeek

@@ -18,19 +18,19 @@ export {
 	type AnalyzerArgs: record {
 		## An event which will be generated for all new file contents,
 		## chunk-wise.  Used when *tag* (in the
-		## :bro:see:`Files::add_analyzer` function) is
+		## :zeek:see:`Files::add_analyzer` function) is
-		## :bro:see:`Files::ANALYZER_DATA_EVENT`.
+		## :zeek:see:`Files::ANALYZER_DATA_EVENT`.
 		chunk_event: event(f: fa_file, data: string, off: count) &optional;
 
 		## An event which will be generated for all new file contents,
 		## stream-wise.  Used when *tag* is
-		## :bro:see:`Files::ANALYZER_DATA_EVENT`.
+		## :zeek:see:`Files::ANALYZER_DATA_EVENT`.
 		stream_event: event(f: fa_file, data: string) &optional;
 	} &redef;
 
 	## Contains all metadata related to the analysis of a given file.
 	## For the most part, fields here are derived from ones of the same name
-	## in :bro:see:`fa_file`.
+	## in :zeek:see:`fa_file`.
 	type Info: record {
 		## The time when the file was first seen.
 		ts: time &log;
@@ -66,7 +66,7 @@ export {
 		analyzers: set[string] &default=string_set() &log;
 
 		## A mime type provided by the strongest file magic signature
-		## match against the *bof_buffer* field of :bro:see:`fa_file`,
+		## match against the *bof_buffer* field of :zeek:see:`fa_file`,
 		## or in the cases where no buffering of the beginning of file
 		## occurs, an initial guess of the mime type based on the first
 		## data seen.
@@ -82,7 +82,7 @@ export {
 
 		## If the source of this file is a network connection, this field
 		## indicates if the data originated from the local network or not as
-		## determined by the configured :bro:see:`Site::local_nets`.
+		## determined by the configured :zeek:see:`Site::local_nets`.
 		local_orig: bool &log &optional;
 
 		## If the source of this file is a network connection, this field
@@ -118,8 +118,8 @@ export {
 	const disable: table[Files::Tag] of bool = table() &redef;
 
 	## The salt concatenated to unique file handle strings generated by
-	## :bro:see:`get_file_handle` before hashing them in to a file id
+	## :zeek:see:`get_file_handle` before hashing them in to a file id
-	## (the *id* field of :bro:see:`fa_file`).
+	## (the *id* field of :zeek:see:`fa_file`).
 	## Provided to help mitigate the possibility of manipulating parts of
 	## network connections that factor in to the file handle in order to
 	## generate two handles that would hash to the same file id.
@@ -142,11 +142,11 @@ export {
 	## Returns: T if the file uid is known.
 	global file_exists: function(fuid: string): bool;
 
-	## Lookup an :bro:see:`fa_file` record with the file id.
+	## Lookup an :zeek:see:`fa_file` record with the file id.
 	##
 	## fuid: the file id.
 	##
-	## Returns: the associated :bro:see:`fa_file` record.
+	## Returns: the associated :zeek:see:`fa_file` record.
 	global lookup_file: function(fuid: string): fa_file;
 
 	## Allows the file reassembler to be used if it's necessary because the
@@ -169,10 +169,10 @@ export {
 	## max: Maximum allowed size of the reassembly buffer.
 	global set_reassembly_buffer_size: function(f: fa_file, max: count);
 
-	## Sets the *timeout_interval* field of :bro:see:`fa_file`, which is
+	## Sets the *timeout_interval* field of :zeek:see:`fa_file`, which is
 	## used to determine the length of inactivity that is allowed for a file
 	## before internal state related to it is cleaned up.  When used within
-	## a :bro:see:`file_timeout` handler, the analysis will delay timing out
+	## a :zeek:see:`file_timeout` handler, the analysis will delay timing out
 	## again for the period specified by *t*.
 	##
 	## f: the file.
@@ -255,7 +255,7 @@ export {
 	##
 	## tag: Tag for the protocol analyzer having a callback being registered.
 	##
-	## reg: A :bro:see:`Files::ProtoRegistration` record.
+	## reg: A :zeek:see:`Files::ProtoRegistration` record.
 	##
 	## Returns: true if the protocol being registered was not previously registered.
 	global register_protocol: function(tag: Analyzer::Tag, reg: ProtoRegistration): bool;

scripts/base/frameworks/input/main.zeek

@@ -193,7 +193,7 @@ export {
 		## Descriptive name that uniquely identifies the input source.
 		## Can be used to remove a stream at a later time.
 		## This will also be used for the unique *source* field of
-		## :bro:see:`fa_file`.  Most of the time, the best choice for this
+		## :zeek:see:`fa_file`.  Most of the time, the best choice for this
 		## field will be the same value as the *source* field.
 		name: string;
 

scripts/base/frameworks/intel/main.zeek

@@ -35,7 +35,7 @@ export {
 	## Set of intelligence data types.
 	type TypeSet: set[Type];
 
-	## Data about an :bro:type:`Intel::Item`.
+	## Data about an :zeek:type:`Intel::Item`.
 	type MetaData: record {
 		## An arbitrary string value representing the data source. This
 		## value is used as unique key to identify a metadata record in
@@ -75,7 +75,7 @@ export {
 		## The type of data that the indicator represents.
 		indicator_type:  Type          &log &optional;
 
-		## If the indicator type was :bro:enum:`Intel::ADDR`, then this
+		## If the indicator type was :zeek:enum:`Intel::ADDR`, then this
 		## field will be present.
 		host:            addr          &optional;
 
@@ -155,7 +155,7 @@ export {
 	global extend_match: hook(info: Info, s: Seen, items: set[Item]);
 
 	## The expiration timeout for intelligence items. Once an item expires, the
-	## :bro:id:`Intel::item_expired` hook is called. Reinsertion of an item 
+	## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item 
 	## resets the timeout. A negative value disables expiration of intelligence 
 	## items.
 	const item_expiration = -1 min &redef;

scripts/base/frameworks/logging/main.zeek

@@ -176,7 +176,7 @@ export {
 		## easy to flood the disk by returning a new string for each
 		## connection.  Upon adding a filter to a stream, if neither
 		## ``path`` nor ``path_func`` is explicitly set by them, then
-		## :bro:see:`Log::default_path_func` is used.
+		## :zeek:see:`Log::default_path_func` is used.
 		##
 		## id: The ID associated with the log stream.
 		##
@@ -191,7 +191,7 @@ export {
 		##
 		## Returns: The path to be used for the filter, which will be
 		##          subject to the same automatic correction rules as
-		##          the *path* field of :bro:type:`Log::Filter` in the
+		##          the *path* field of :zeek:type:`Log::Filter` in the
 		##          case of conflicts with other filters trying to use
 		##          the same writer/path pair.
 		path_func: function(id: ID, path: string, rec: any): string &optional;
@@ -232,7 +232,7 @@ export {
 		interv: interval &default=default_rotation_interval;
 
 		## Callback function to trigger for rotated files. If not set, the
-		## default comes out of :bro:id:`Log::default_rotation_postprocessors`.
+		## default comes out of :zeek:id:`Log::default_rotation_postprocessors`.
 		postprocessor: function(info: RotationInfo) : bool &optional;
 
 		## A key/value table that will be passed on to the writer.
@@ -253,7 +253,7 @@ export {
 	## Returns: True if a new logging stream was successfully created and
 	##          a default filter added to it.
 	##
-	## .. bro:see:: Log::add_default_filter Log::remove_default_filter
+	## .. zeek:see:: Log::add_default_filter Log::remove_default_filter
 	global create_stream: function(id: ID, stream: Stream) : bool;
 
 	## Removes a logging stream completely, stopping all the threads.
@@ -262,7 +262,7 @@ export {
 	##
 	## Returns: True if the stream was successfully removed.
 	##
-	## .. bro:see:: Log::create_stream
+	## .. zeek:see:: Log::create_stream
 	global remove_stream: function(id: ID) : bool;
 
 	## Enables a previously disabled logging stream.  Disabled streams
@@ -273,7 +273,7 @@ export {
 	##
 	## Returns: True if the stream is re-enabled or was not previously disabled.
 	##
-	## .. bro:see:: Log::disable_stream
+	## .. zeek:see:: Log::disable_stream
 	global enable_stream: function(id: ID) : bool;
 
 	## Disables a currently enabled logging stream.  Disabled streams
@@ -284,7 +284,7 @@ export {
 	##
 	## Returns: True if the stream is now disabled or was already disabled.
 	##
-	## .. bro:see:: Log::enable_stream
+	## .. zeek:see:: Log::enable_stream
 	global disable_stream: function(id: ID) : bool;
 
 	## Adds a custom filter to an existing logging stream.  If a filter
@@ -299,7 +299,7 @@ export {
 	##          the filter was not added or the *filter* argument was not
 	##          the correct type.
 	##
-	## .. bro:see:: Log::remove_filter Log::add_default_filter
+	## .. zeek:see:: Log::remove_filter Log::add_default_filter
 	##    Log::remove_default_filter Log::get_filter Log::get_filter_names
 	global add_filter: function(id: ID, filter: Filter) : bool;
 
@@ -309,12 +309,12 @@ export {
 	##     remove a filter.
 	##
 	## name: A string to match against the ``name`` field of a
-	##       :bro:type:`Log::Filter` for identification purposes.
+	##       :zeek:type:`Log::Filter` for identification purposes.
 	##
 	## Returns: True if the logging stream's filter was removed or
 	##          if no filter associated with *name* was found.
 	##
-	## .. bro:see:: Log::remove_filter Log::add_default_filter
+	## .. zeek:see:: Log::remove_filter Log::add_default_filter
 	##    Log::remove_default_filter Log::get_filter Log::get_filter_names
 	global remove_filter: function(id: ID, name: string) : bool;
 
@@ -326,7 +326,7 @@ export {
 	##
 	## Returns: The set of filter names associated with the stream.
 	##
-	## ..bro:see:: Log::remove_filter Log::add_default_filter
+	## ..zeek:see:: Log::remove_filter Log::add_default_filter
 	##   Log::remove_default_filter Log::get_filter
 	global get_filter_names: function(id: ID) : set[string];
 
@@ -336,13 +336,13 @@ export {
 	##     obtain one of its filters.
 	##
 	## name: A string to match against the ``name`` field of a
-	##       :bro:type:`Log::Filter` for identification purposes.
+	##       :zeek:type:`Log::Filter` for identification purposes.
 	##
 	## Returns: A filter attached to the logging stream *id* matching
 	##          *name* or, if no matches are found returns the
-	##          :bro:id:`Log::no_filter` sentinel value.
+	##          :zeek:id:`Log::no_filter` sentinel value.
 	##
-	## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+	## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
 	##              Log::remove_default_filter Log::get_filter_names
 	global get_filter: function(id: ID, name: string) : Filter;
 
@@ -360,7 +360,7 @@ export {
 	##          to handle, or one of the stream's filters has an invalid
 	##          ``path_func``.
 	##
-	## .. bro:see:: Log::enable_stream Log::disable_stream
+	## .. zeek:see:: Log::enable_stream Log::disable_stream
 	global write: function(id: ID, columns: any) : bool;
 
 	## Sets the buffering status for all the writers of a given logging stream.
@@ -375,7 +375,7 @@ export {
 	## Returns: True if buffering status was set, false if the logging stream
 	##          does not exist.
 	##
-	## .. bro:see:: Log::flush
+	## .. zeek:see:: Log::flush
 	global set_buf: function(id: ID, buffered: bool): bool;
 
 	## Flushes any currently buffered output for all the writers of a given
@@ -388,50 +388,50 @@ export {
 	##          buffered data or if the logging stream is disabled,
 	##          false if the logging stream does not exist.
 	##
-	## .. bro:see:: Log::set_buf Log::enable_stream Log::disable_stream
+	## .. zeek:see:: Log::set_buf Log::enable_stream Log::disable_stream
 	global flush: function(id: ID): bool;
 
-	## Adds a default :bro:type:`Log::Filter` record with ``name`` field
+	## Adds a default :zeek:type:`Log::Filter` record with ``name`` field
 	## set as "default" to a given logging stream.
 	##
 	## id: The ID associated with a logging stream for which to add a default
 	##     filter.
 	##
-	## Returns: The status of a call to :bro:id:`Log::add_filter` using a
+	## Returns: The status of a call to :zeek:id:`Log::add_filter` using a
-	##          default :bro:type:`Log::Filter` argument with ``name`` field
+	##          default :zeek:type:`Log::Filter` argument with ``name`` field
 	##          set to "default".
 	##
-	## .. bro:see:: Log::add_filter Log::remove_filter
+	## .. zeek:see:: Log::add_filter Log::remove_filter
 	##    Log::remove_default_filter
 	global add_default_filter: function(id: ID) : bool;
 
-	## Removes the :bro:type:`Log::Filter` with ``name`` field equal to
+	## Removes the :zeek:type:`Log::Filter` with ``name`` field equal to
 	## "default".
 	##
 	## id: The ID associated with a logging stream from which to remove the
 	##     default filter.
 	##
-	## Returns: The status of a call to :bro:id:`Log::remove_filter` using
+	## Returns: The status of a call to :zeek:id:`Log::remove_filter` using
 	##          "default" as the argument.
 	##
-	## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter
+	## .. zeek:see:: Log::add_filter Log::remove_filter Log::add_default_filter
 	global remove_default_filter: function(id: ID) : bool;
 
-	## Runs a command given by :bro:id:`Log::default_rotation_postprocessor_cmd`
+	## Runs a command given by :zeek:id:`Log::default_rotation_postprocessor_cmd`
 	## on a rotated file.  Meant to be called from postprocessor functions
-	## that are added to :bro:id:`Log::default_rotation_postprocessors`.
+	## that are added to :zeek:id:`Log::default_rotation_postprocessors`.
 	##
 	## info: A record holding meta-information about the log being rotated.
 	##
 	## npath: The new path of the file (after already being rotated/processed
 	##        by writer-specific postprocessor as defined in
-	##        :bro:id:`Log::default_rotation_postprocessors`).
+	##        :zeek:id:`Log::default_rotation_postprocessors`).
 	##
-	## Returns: True when :bro:id:`Log::default_rotation_postprocessor_cmd`
+	## Returns: True when :zeek:id:`Log::default_rotation_postprocessor_cmd`
 	##          is empty or the system command given by it has been invoked
 	##          to postprocess a rotated log file.
 	##
-	## .. bro:see:: Log::default_rotation_date_format
+	## .. zeek:see:: Log::default_rotation_date_format
 	##    Log::default_rotation_postprocessor_cmd
 	##    Log::default_rotation_postprocessors
 	global run_rotation_postprocessor_cmd: function(info: RotationInfo, npath: string) : bool;

scripts/base/frameworks/logging/postprocessors/scp.zeek

@@ -2,22 +2,22 @@
 ##! to a logging filter in order to automatically SCP (secure copy)
 ##! a log stream (or a subset of it) to a remote host at configurable
 ##! rotation time intervals.  Generally, to use this functionality
-##! you must handle the :bro:id:`zeek_init` event and do the following
+##! you must handle the :zeek:id:`zeek_init` event and do the following
 ##! in your handler:
 ##!
-##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
+##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
 ##!    rotation interval, and set the ``postprocessor`` to
-##!    :bro:id:`Log::scp_postprocessor`.
+##!    :zeek:id:`Log::scp_postprocessor`.
-##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
+##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
-##! 3) Add a table entry to :bro:id:`Log::scp_destinations` for the filter's
+##! 3) Add a table entry to :zeek:id:`Log::scp_destinations` for the filter's
-##!    writer/path pair which defines a set of :bro:type:`Log::SCPDestination`
+##!    writer/path pair which defines a set of :zeek:type:`Log::SCPDestination`
 ##!    records.
 
 module Log;
 
 export {
 	## Secure-copies the rotated log to all the remote hosts
-	## defined in :bro:id:`Log::scp_destinations` and then deletes
+	## defined in :zeek:id:`Log::scp_destinations` and then deletes
 	## the local copy of the rotated log.  It's not active when
 	## reading from trace files.
 	##
@@ -42,7 +42,7 @@ export {
 	};
 
 	## A table indexed by a particular log writer and filter path, that yields
-	## a set of remote destinations.  The :bro:id:`Log::scp_postprocessor`
+	## a set of remote destinations.  The :zeek:id:`Log::scp_postprocessor`
 	## function queries this table upon log rotation and performs a secure
 	## copy of the rotated log to each destination in the set.  This
 	## table can be modified at run-time.

scripts/base/frameworks/logging/postprocessors/sftp.zeek

@@ -2,22 +2,22 @@
 ##! to a logging filter in order to automatically SFTP
 ##! a log stream (or a subset of it) to a remote host at configurable
 ##! rotation time intervals.  Generally, to use this functionality
-##! you must handle the :bro:id:`zeek_init` event and do the following
+##! you must handle the :zeek:id:`zeek_init` event and do the following
 ##! in your handler:
 ##!
-##! 1) Create a new :bro:type:`Log::Filter` record that defines a name/path,
+##! 1) Create a new :zeek:type:`Log::Filter` record that defines a name/path,
 ##!    rotation interval, and set the ``postprocessor`` to
-##!    :bro:id:`Log::sftp_postprocessor`.
+##!    :zeek:id:`Log::sftp_postprocessor`.
-##! 2) Add the filter to a logging stream using :bro:id:`Log::add_filter`.
+##! 2) Add the filter to a logging stream using :zeek:id:`Log::add_filter`.
-##! 3) Add a table entry to :bro:id:`Log::sftp_destinations` for the filter's
+##! 3) Add a table entry to :zeek:id:`Log::sftp_destinations` for the filter's
-##!    writer/path pair which defines a set of :bro:type:`Log::SFTPDestination`
+##!    writer/path pair which defines a set of :zeek:type:`Log::SFTPDestination`
 ##!    records.
 
 module Log;
 
 export {
 	## Securely transfers the rotated log to all the remote hosts
-	## defined in :bro:id:`Log::sftp_destinations` and then deletes
+	## defined in :zeek:id:`Log::sftp_destinations` and then deletes
 	## the local copy of the rotated log.  It's not active when
 	## reading from trace files.
 	##
@@ -44,7 +44,7 @@ export {
 	};
 
 	## A table indexed by a particular log writer and filter path, that yields
-	## a set of remote destinations.  The :bro:id:`Log::sftp_postprocessor`
+	## a set of remote destinations.  The :zeek:id:`Log::sftp_postprocessor`
 	## function queries this table upon log rotation and performs a secure
 	## transfer of the rotated log to each destination in the set.  This
 	## table can be modified at run-time.

scripts/base/frameworks/netcontrol/catch-and-release.zeek

@@ -80,7 +80,7 @@ export {
 	## again.
 	##
 	## In cluster mode, this function works on workers as well as the manager. On managers,
-	## the returned :bro:see:`NetControl::BlockInfo` record will not contain the block ID,
+	## the returned :zeek:see:`NetControl::BlockInfo` record will not contain the block ID,
 	## which will be assigned on the manager.
 	##
 	## a: The address to be dropped.
@@ -89,7 +89,7 @@ export {
 	##
 	## location: An optional string describing where the drop was triggered.
 	##
-	## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
+	## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
 	##          the inserted block.
 	global drop_address_catch_release: function(a: addr, location: string &default="") : BlockInfo;
 
@@ -114,7 +114,7 @@ export {
 	## a: The address that was seen and should be re-dropped if it is being watched.
 	global catch_release_seen: function(a: addr);
 
-	## Get the :bro:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
+	## Get the :zeek:see:`NetControl::BlockInfo` record for an address currently blocked by catch and release.
 	## If the address is unknown to catch and release, the watch_until time will be set to 0.
 	##
 	## In cluster mode, this function works on the manager and workers. On workers, the data will
@@ -123,7 +123,7 @@ export {
 	##
 	## a: The address to get information about.
 	##
-	## Returns: The :bro:see:`NetControl::BlockInfo` record containing information about
+	## Returns: The :zeek:see:`NetControl::BlockInfo` record containing information about
 	##          the inserted block.
 	global get_catch_release_info: function(a: addr) : BlockInfo;
 
@@ -132,7 +132,7 @@ export {
 	##
 	## a: The address that is no longer being managed.
 	##
-	## bi: The :bro:see:`NetControl::BlockInfo` record containing information about the block.
+	## bi: The :zeek:see:`NetControl::BlockInfo` record containing information about the block.
 	global catch_release_forgotten: event(a: addr, bi: BlockInfo);
 
 	## If true, catch_release_seen is called on the connection originator in new_connection,
@@ -148,7 +148,7 @@ export {
 	## effect.
 	const catch_release_intervals: vector of interval = vector(10min, 1hr, 24hrs, 7days) &redef;
 
-	## Event that can be handled to access the :bro:type:`NetControl::CatchReleaseInfo`
+	## Event that can be handled to access the :zeek:type:`NetControl::CatchReleaseInfo`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol_catch_release: event(rec: CatchReleaseInfo);
 

scripts/base/frameworks/netcontrol/drop.zeek

@@ -50,7 +50,7 @@ export {
 	## r: The rule to be added.
 	global NetControl::drop_rule_policy: hook(r: Rule);
 
-	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
+	## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol_drop: event(rec: DropInfo);
 }

scripts/base/frameworks/netcontrol/main.zeek

@@ -98,7 +98,7 @@ export {
 	## Returns: Vector of inserted rules on success, empty list on failure.
 	global quarantine_host: function(infected: addr, dns: addr, quarantine: addr, t: interval, location: string &default="") : vector of string;
 
-	## Flushes all state by calling :bro:see:`NetControl::remove_rule` on all currently active rules.
+	## Flushes all state by calling :zeek:see:`NetControl::remove_rule` on all currently active rules.
 	global clear: function();
 
 	# ###
@@ -122,7 +122,7 @@ export {
 
 	## Removes a rule.
 	##
-	## id: The rule to remove, specified as the ID returned by :bro:see:`NetControl::add_rule`.
+	## id: The rule to remove, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
 	##
 	## reason: Optional string argument giving information on why the rule was removed.
 	##
@@ -138,7 +138,7 @@ export {
 	## the rule has been added; if it is not removed from them by a separate mechanism,
 	## it will stay installed and not be removed later.
 	##
-	## id: The rule to delete, specified as the ID returned by :bro:see:`NetControl::add_rule`.
+	## id: The rule to delete, specified as the ID returned by :zeek:see:`NetControl::add_rule`.
 	##
 	## reason: Optional string argument giving information on why the rule was deleted.
 	##
@@ -321,7 +321,7 @@ export {
 		plugin: string		&log &optional;
 	};
 
-	## Event that can be handled to access the :bro:type:`NetControl::Info`
+	## Event that can be handled to access the :zeek:type:`NetControl::Info`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol: event(rec: Info);
 }

scripts/base/frameworks/netcontrol/plugins/broker.zeek

@@ -9,7 +9,7 @@ module NetControl;
 @load base/frameworks/broker
 
 export {
-	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`.
+	## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
 	type BrokerConfig: record {
 		## The broker topic to send events to.
 		topic: string &optional;

scripts/base/frameworks/netcontrol/plugins/openflow.zeek

@@ -7,7 +7,7 @@
 module NetControl;
 
 export {
-	## This record specifies the configuration that is passed to :bro:see:`NetControl::create_openflow`.
+	## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_openflow`.
 	type OfConfig: record {
 		monitor: bool &default=T; ##< Accept rules that target the monitor path.
 		forward: bool &default=T; ##< Accept rules that target the forward path.

scripts/base/frameworks/netcontrol/shunt.zeek

@@ -31,7 +31,7 @@ export {
 		location: string &log &optional;
 	};
 
-	## Event that can be handled to access the :bro:type:`NetControl::ShuntInfo`
+	## Event that can be handled to access the :zeek:type:`NetControl::ShuntInfo`
 	## record as it is sent on to the logging framework.
 	global log_netcontrol_shunt: event(rec: ShuntInfo);
 }

scripts/base/frameworks/netcontrol/types.zeek

@@ -1,6 +1,6 @@
 ##! This file defines the types that are used by the NetControl framework.
 ##!
-##! The most important type defined in this file is :bro:see:`NetControl::Rule`,
+##! The most important type defined in this file is :zeek:see:`NetControl::Rule`,
 ##! which is used to describe all rules that can be expressed by the NetControl framework. 
 
 module NetControl;
@@ -10,11 +10,11 @@ export {
 	option default_priority: int = +0;
 
 	## The default priority that is used when using the high-level functions to
-	## push whitelist entries to the backends (:bro:see:`NetControl::whitelist_address` and
+	## push whitelist entries to the backends (:zeek:see:`NetControl::whitelist_address` and
-	## :bro:see:`NetControl::whitelist_subnet`).
+	## :zeek:see:`NetControl::whitelist_subnet`).
 	##
 	## Note that this priority is not automatically used when manually creating rules
-	## that have a :bro:see:`NetControl::RuleType` of :bro:enum:`NetControl::WHITELIST`.
+	## that have a :zeek:see:`NetControl::RuleType` of :zeek:enum:`NetControl::WHITELIST`.
 	const whitelist_priority: int = +5 &redef;
 
 	## Type defining the entity that a rule applies to.
@@ -25,7 +25,7 @@ export {
 		MAC,		##< Activity involving a MAC address.
 	};
 
-	## Flow is used in :bro:type:`NetControl::Entity` together with :bro:enum:`NetControl::FLOW` to specify
+	## Flow is used in :zeek:type:`NetControl::Entity` together with :zeek:enum:`NetControl::FLOW` to specify
 	## a uni-directional flow that a rule applies to.
 	##
 	## If optional fields are not set, they are interpreted as wildcarded.
@@ -41,10 +41,10 @@ export {
 	## Type defining the entity a rule is operating on.
 	type Entity: record {
 		ty: EntityType;			##< Type of entity.
-		conn: conn_id &optional;	##< Used with :bro:enum:`NetControl::CONNECTION`.
+		conn: conn_id &optional;	##< Used with :zeek:enum:`NetControl::CONNECTION`.
-		flow: Flow &optional;	##< Used with :bro:enum:`NetControl::FLOW`.
+		flow: Flow &optional;	##< Used with :zeek:enum:`NetControl::FLOW`.
-		ip: subnet &optional;		##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
+		ip: subnet &optional;		##< Used with :zeek:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
-		mac: string &optional;		##< Used with :bro:enum:`NetControl::MAC`.
+		mac: string &optional;		##< Used with :zeek:enum:`NetControl::MAC`.
 	};
 
 	## Type defining the target of a rule.
@@ -59,7 +59,7 @@ export {
 	};
 
 	## Type of rules that the framework supports. Each type lists the extra
-	## :bro:type:`NetControl::Rule` fields it uses, if any.
+	## :zeek:type:`NetControl::Rule` fields it uses, if any.
 	##
 	## Plugins may extend this type to define their own.
 	type RuleType: enum {
@@ -108,8 +108,8 @@ export {
 		priority: int &default=default_priority;	##< Priority if multiple rules match an entity (larger value is higher priority).
 		location: string &optional;	##< Optional string describing where/what installed the rule.
 
-		out_port: count &optional;		##< Argument for :bro:enum:`NetControl::REDIRECT` rules.
+		out_port: count &optional;		##< Argument for :zeek:enum:`NetControl::REDIRECT` rules.
-		mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules.
+		mod: FlowMod &optional; ##< Argument for :zeek:enum:`NetControl::MODIFY` rules.
 
 		id: string &default="";		##< Internally determined unique ID for this rule. Will be set when added.
 		cid: count &default=0;		##< Internally determined unique numeric ID for this rule. Set when added.

scripts/base/frameworks/notice/actions/add-geodata.zeek

@@ -13,7 +13,7 @@ module Notice;
 export {
 	redef enum Action += {
 		## Indicates that the notice should have geodata added for the
-		## "remote" host.  :bro:id:`Site::local_nets` must be defined
+		## "remote" host.  :zeek:id:`Site::local_nets` must be defined
 		## in order for this to work.
 		ACTION_ADD_GEODATA
 	};

scripts/base/frameworks/notice/actions/drop.zeek

@@ -8,7 +8,7 @@ module Notice;
 
 export {
 	redef enum Action += {
-		## Drops the address via :bro:see:`NetControl::drop_address_catch_release`.
+		## Drops the address via :zeek:see:`NetControl::drop_address_catch_release`.
 		ACTION_DROP
 	};
 

scripts/base/frameworks/notice/actions/email_admin.zeek

@@ -1,6 +1,6 @@
 ##! Adds a new notice action type which can be used to email notices
 ##! to the administrators of a particular address space as set by
-##! :bro:id:`Site::local_admins` if the notice contains a source
+##! :zeek:id:`Site::local_admins` if the notice contains a source
 ##! or destination address that lies within their space.
 
 @load ../main
@@ -12,7 +12,7 @@ export {
 	redef enum Action += {
 		## Indicate that the generated email should be addressed to the 
 		## appropriate email addresses as found by the
-		## :bro:id:`Site::get_emails` function based on the relevant 
+		## :zeek:id:`Site::get_emails` function based on the relevant 
 		## address or addresses indicated in the notice.
 		ACTION_EMAIL_ADMIN
 	};

scripts/base/frameworks/notice/actions/page.zeek

@@ -7,12 +7,12 @@ module Notice;
 export {
 	redef enum Action += {
 		## Indicates that the notice should be sent to the pager email
-		## address configured in the :bro:id:`Notice::mail_page_dest`
+		## address configured in the :zeek:id:`Notice::mail_page_dest`
 		## variable.
 		ACTION_PAGE
 	};
 	
-	## Email address to send notices with the :bro:enum:`Notice::ACTION_PAGE`
+	## Email address to send notices with the :zeek:enum:`Notice::ACTION_PAGE`
 	## action.
 	option mail_page_dest = "";
 }

scripts/base/frameworks/notice/actions/pp-alarms.zeek

@@ -12,7 +12,7 @@ export {
 	const pretty_print_alarms = T &redef;
 	
 	## Address to send the pretty-printed reports to. Default if not set is
-	## :bro:id:`Notice::mail_dest`.
+	## :zeek:id:`Notice::mail_dest`.
 	##
 	## Note that this is overridden by the BroControl MailAlarmsTo option.
 	const mail_dest_pretty_printed = "" &redef;

scripts/base/frameworks/notice/main.zeek

@@ -18,7 +18,7 @@ export {
 
 	## Scripts creating new notices need to redef this enum to add their
 	## own specific notice types which would then get used when they call
-	## the :bro:id:`NOTICE` function.  The convention is to give a general
+	## the :zeek:id:`NOTICE` function.  The convention is to give a general
 	## category along with the specific notice separating words with
 	## underscores and using leading capitals on each word except for
 	## abbreviations which are kept in all capitals. For example,
@@ -37,12 +37,12 @@ export {
 		## logging stream.
 		ACTION_LOG,
 		## Indicates that the notice should be sent to the email
-		## address(es) configured in the :bro:id:`Notice::mail_dest`
+		## address(es) configured in the :zeek:id:`Notice::mail_dest`
 		## variable.
 		ACTION_EMAIL,
 		## Indicates that the notice should be alarmed.  A readable
 		## ASCII version of the alarm log is emailed in bulk to the
-		## address(es) configured in :bro:id:`Notice::mail_dest`.
+		## address(es) configured in :zeek:id:`Notice::mail_dest`.
 		ACTION_ALARM,
 	};
 
@@ -50,7 +50,7 @@ export {
 	type ActionSet: set[Notice::Action];
 
 	## The notice framework is able to do automatic notice suppression by
-	## utilizing the *identifier* field in :bro:type:`Notice::Info` records.
+	## utilizing the *identifier* field in :zeek:type:`Notice::Info` records.
 	## Set this to "0secs" to completely disable automated notice
 	## suppression.
 	option default_suppression_interval = 1hrs;
@@ -103,18 +103,18 @@ export {
 		## *conn*, *iconn* or *p* is specified.
 		proto:          transport_proto &log &optional;
 
-		## The :bro:type:`Notice::Type` of the notice.
+		## The :zeek:type:`Notice::Type` of the notice.
 		note:           Type           &log;
 		## The human readable message for the notice.
 		msg:            string         &log &optional;
 		## The human readable sub-message.
 		sub:            string         &log &optional;
 
-		## Source address, if we don't have a :bro:type:`conn_id`.
+		## Source address, if we don't have a :zeek:type:`conn_id`.
 		src:            addr           &log &optional;
 		## Destination address.
 		dst:            addr           &log &optional;
-		## Associated port, if we don't have a :bro:type:`conn_id`.
+		## Associated port, if we don't have a :zeek:type:`conn_id`.
 		p:              port           &log &optional;
 		## Associated count, or perhaps a status code.
 		n:              count          &log &optional;
@@ -131,14 +131,14 @@ export {
 		## By adding chunks of text into this element, other scripts
 		## can expand on notices that are being emailed.  The normal
 		## way to add text is to extend the vector by handling the
-		## :bro:id:`Notice::notice` event and modifying the notice in
+		## :zeek:id:`Notice::notice` event and modifying the notice in
 		## place.
 		email_body_sections:  vector of string &optional;
 
 		## Adding a string "token" to this set will cause the notice
 		## framework's built-in emailing functionality to delay sending
 		## the email until either the token has been removed or the
-		## email has been delayed for :bro:id:`Notice::max_email_delay`.
+		## email has been delayed for :zeek:id:`Notice::max_email_delay`.
 		email_delay_tokens:   set[string] &optional;
 
 		## This field is to be provided when a notice is generated for
@@ -192,8 +192,8 @@ export {
 	## Note that this is overridden by the BroControl SendMail option.
 	option sendmail            = "/usr/sbin/sendmail";
 	## Email address to send notices with the
-	## :bro:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
+	## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
-	## on rotation with :bro:enum:`Notice::ACTION_ALARM`.
+	## on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
 	##
 	## Note that this is overridden by the BroControl MailTo option.
 	const mail_dest           = ""                   &redef;
@@ -212,18 +212,18 @@ export {
 	## The maximum amount of time a plugin can delay email from being sent.
 	const max_email_delay     = 15secs &redef;
 
-	## Contains a portion of :bro:see:`fa_file` that's also contained in
+	## Contains a portion of :zeek:see:`fa_file` that's also contained in
-	## :bro:see:`Notice::Info`.
+	## :zeek:see:`Notice::Info`.
 	type FileInfo: record {
 		fuid: string;            ##< File UID.
 		desc: string;            ##< File description from e.g.
-		                         ##< :bro:see:`Files::describe`.
+		                         ##< :zeek:see:`Files::describe`.
 		mime: string  &optional; ##< Strongest mime type match for file.
 		cid:  conn_id &optional; ##< Connection tuple over which file is sent.
 		cuid: string  &optional; ##< Connection UID over which file is sent.
 	};
 
-	## Creates a record containing a subset of a full :bro:see:`fa_file` record.
+	## Creates a record containing a subset of a full :zeek:see:`fa_file` record.
 	##
 	## f: record containing metadata about a file.
 	##
@@ -245,7 +245,7 @@ export {
 	global populate_file_info2: function(fi: Notice::FileInfo, n: Notice::Info);
 
 	## A log postprocessing function that implements emailing the contents
-	## of a log upon rotation to any configured :bro:id:`Notice::mail_dest`.
+	## of a log upon rotation to any configured :zeek:id:`Notice::mail_dest`.
 	## The rotated log is removed upon being sent.
 	##
 	## info: A record containing the rotated log file information.
@@ -254,9 +254,9 @@ export {
 	global log_mailing_postprocessor: function(info: Log::RotationInfo): bool;
 
 	## This is the event that is called as the entry point to the
-	## notice framework by the global :bro:id:`NOTICE` function.  By the
+	## notice framework by the global :zeek:id:`NOTICE` function.  By the
 	## time this event is generated, default values have already been
-	## filled out in the :bro:type:`Notice::Info` record and the notice
+	## filled out in the :zeek:type:`Notice::Info` record and the notice
 	## policy has also been applied.
 	##
 	## n: The record containing notice data.
@@ -268,7 +268,7 @@ export {
 	##
 	## suppress_for: length of time that this notice should be suppressed.
 	##
-	## note: The :bro:type:`Notice::Type` of the notice.
+	## note: The :zeek:type:`Notice::Type` of the notice.
 	##
 	## identifier: The identifier string of the notice that should be suppressed.
 	global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string);
@@ -286,8 +286,8 @@ export {
 	global suppressed: event(n: Notice::Info);
 
 	## Call this function to send a notice in an email.  It is already used
-	## by default with the built in :bro:enum:`Notice::ACTION_EMAIL` and
+	## by default with the built in :zeek:enum:`Notice::ACTION_EMAIL` and
-	## :bro:enum:`Notice::ACTION_PAGE` actions.
+	## :zeek:enum:`Notice::ACTION_PAGE` actions.
 	##
 	## n: The record of notice data to email.
 	##
@@ -308,13 +308,13 @@ export {
 	##          appended.
 	global email_headers: function(subject_desc: string, dest: string): string;
 
-	## This event can be handled to access the :bro:type:`Notice::Info`
+	## This event can be handled to access the :zeek:type:`Notice::Info`
 	## record as it is sent on to the logging framework.
 	##
 	## rec: The record containing notice data before it is logged.
 	global log_notice: event(rec: Info);
 
-	## This is an internal wrapper for the global :bro:id:`NOTICE`
+	## This is an internal wrapper for the global :zeek:id:`NOTICE`
 	## function; disregard.
 	##
 	## n: The record of notice data.
@@ -598,7 +598,7 @@ function populate_file_info2(fi: Notice::FileInfo, n: Notice::Info)
 
 # This is run synchronously as a function before all of the other
 # notice related functions and events.  It also modifies the
-# :bro:type:`Notice::Info` record in place.
+# :zeek:type:`Notice::Info` record in place.
 function apply_policy(n: Notice::Info)
 	{
 	# Fill in some defaults.

scripts/base/frameworks/openflow/plugins/log.zeek

@@ -41,7 +41,7 @@ export {
 		flow_mod: ofp_flow_mod &log;
 	};
 
-	## Event that can be handled to access the :bro:type:`OpenFlow::Info`
+	## Event that can be handled to access the :zeek:type:`OpenFlow::Info`
 	## record as it is sent on to the logging framework.
 	global log_openflow: event(rec: Info);
 }

scripts/base/frameworks/packet-filter/main.zeek

@@ -2,7 +2,7 @@
 ##! Bro sets a capture filter that allows all traffic.  If a filter
 ##! is set on the command line, that filter takes precedence over the default
 ##! open filter and all filters defined in Bro scripts with the
-##! :bro:id:`capture_filters` and :bro:id:`restrict_filters` variables.
+##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
 
 @load base/frameworks/notice
 @load base/frameworks/analyzer
@@ -48,7 +48,7 @@ export {
 	};
 
 	## The BPF filter that is used by default to define what traffic should
-	## be captured.  Filters defined in :bro:id:`restrict_filters` will
+	## be captured.  Filters defined in :zeek:id:`restrict_filters` will
 	## still be applied to reduce the captured traffic.
 	const default_capture_filter = "ip or not ip" &redef;
 
@@ -64,7 +64,7 @@ export {
 	## The maximum amount of time that you'd like to allow for BPF filters to compile.
 	## If this time is exceeded, compensation measures may be taken by the framework
 	## to reduce the filter size.  This threshold being crossed also results
-	## in the :bro:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
+	## in the :zeek:see:`PacketFilter::Too_Long_To_Compile_Filter` notice.
 	const max_filter_compile_time = 100msec &redef;
 
 	## Install a BPF filter to exclude some traffic.  The filter should

scripts/base/frameworks/packet-filter/utils.zeek

@@ -1,7 +1,7 @@
 module PacketFilter;
 
 export {
-	## Takes a :bro:type:`port` and returns a BPF expression which will
+	## Takes a :zeek:type:`port` and returns a BPF expression which will
 	## match the port.
 	##
 	## p: The port.

scripts/base/frameworks/reporter/main.zeek

@@ -2,9 +2,9 @@
 ##! internal messages/warnings/errors.  It should typically be loaded to
 ##! log such messages to a file in a standard way.  For the options to
 ##! toggle whether messages are additionally written to STDERR, see
-##! :bro:see:`Reporter::info_to_stderr`,
+##! :zeek:see:`Reporter::info_to_stderr`,
-##! :bro:see:`Reporter::warnings_to_stderr`, and
+##! :zeek:see:`Reporter::warnings_to_stderr`, and
-##! :bro:see:`Reporter::errors_to_stderr`.
+##! :zeek:see:`Reporter::errors_to_stderr`.
 ##!
 ##! Note that this framework deals with the handling of internally generated
 ##! reporter messages, for the interface

scripts/base/frameworks/signatures/main.zeek

@@ -13,22 +13,22 @@ export {
 		Sensitive_Signature,
 		## Host has triggered many signatures on the same host.  The
 		## number of signatures is defined by the
-		## :bro:id:`Signatures::vert_scan_thresholds` variable.
+		## :zeek:id:`Signatures::vert_scan_thresholds` variable.
 		Multiple_Signatures,
 		## Host has triggered the same signature on multiple hosts as
-		## defined by the :bro:id:`Signatures::horiz_scan_thresholds`
+		## defined by the :zeek:id:`Signatures::horiz_scan_thresholds`
 		## variable.
 		Multiple_Sig_Responders,
 		## The same signature has triggered multiple times for a host.
 		## The number of times the signature has been triggered is
-		## defined by the :bro:id:`Signatures::count_thresholds`
+		## defined by the :zeek:id:`Signatures::count_thresholds`
 		## variable. To generate this notice, the
-		## :bro:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
+		## :zeek:enum:`Signatures::SIG_COUNT_PER_RESP` action must be
 		## set for the signature.
 		Count_Signature,
 		## Summarize the number of times a host triggered a signature.
 		## The interval between summaries is defined by the
-		## :bro:id:`Signatures::summary_interval` variable.
+		## :zeek:id:`Signatures::summary_interval` variable.
 		Signature_Summary,
 	};
 
@@ -48,7 +48,7 @@ export {
 		SIG_QUIET,
 		## Generate a notice.
 		SIG_LOG,
-		## The same as :bro:enum:`Signatures::SIG_LOG`, but ignore for
+		## The same as :zeek:enum:`Signatures::SIG_LOG`, but ignore for
 		## aggregate/scan processing.
 		SIG_FILE_BUT_NO_SCAN,
 		## Generate a notice and set it to be alarmed upon.
@@ -58,8 +58,8 @@ export {
 		## Alarm once and then never again.
 		SIG_ALARM_ONCE,
 		## Count signatures per responder host and alarm with the 
-		## :bro:enum:`Signatures::Count_Signature` notice if a threshold
+		## :zeek:enum:`Signatures::Count_Signature` notice if a threshold
-		## defined by :bro:id:`Signatures::count_thresholds` is reached.
+		## defined by :zeek:id:`Signatures::count_thresholds` is reached.
 		SIG_COUNT_PER_RESP,
 		## Don't alarm, but generate per-orig summary.
 		SIG_SUMMARY,
@@ -114,11 +114,11 @@ export {
 	## different signature matches has reached one of the thresholds.
 	const vert_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
 
-	## Generate a notice if a :bro:enum:`Signatures::SIG_COUNT_PER_RESP`
+	## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
 	## signature is triggered as often as given by one of these thresholds.
 	const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
 	
-	## The interval between when :bro:enum:`Signatures::Signature_Summary`
+	## The interval between when :zeek:enum:`Signatures::Signature_Summary`
 	## notices are generated.
 	option summary_interval = 1 day;
 

scripts/base/frameworks/software/main.zeek

@@ -2,7 +2,7 @@
 ##! parsing but doesn't actually do any detection on it's own.  It relies on
 ##! other protocol specific scripts to parse out software from the protocols
 ##! that they analyze.  The entry point for providing new software detections
-##! to this framework is through the :bro:id:`Software::found` function.
+##! to this framework is through the :zeek:id:`Software::found` function.
 
 @load base/utils/directions-and-hosts
 @load base/utils/numbers
@@ -16,7 +16,7 @@ export {
 	
 	## Scripts detecting new types of software need to redef this enum to add
 	## their own specific software types which would then be used when they 
-	## create :bro:type:`Software::Info` records.
+	## create :zeek:type:`Software::Info` records.
 	type Type: enum {
 		## A placeholder type for when the type of software is not known.
 		UNKNOWN,
@@ -45,7 +45,7 @@ export {
 		## The port on which the software is running. Only sensible for
 		## server software.
 		host_p:           port &log &optional;
-		## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`).
+		## The type of software detected (e.g. :zeek:enum:`HTTP::SERVER`).
 		software_type:    Type &log &default=UNKNOWN;
 		## Name of the software (e.g. Apache).
 		name:             string &log &optional;
@@ -96,9 +96,9 @@ export {
 		["Flash Player"] = "Flash",
 	} &default=function(a: string): string { return a; };
 
-	## Type to represent a collection of :bro:type:`Software::Info` records.
+	## Type to represent a collection of :zeek:type:`Software::Info` records.
 	## It's indexed with the name of a piece of software such as "Firefox" 
-	## and it yields a :bro:type:`Software::Info` record with more
+	## and it yields a :zeek:type:`Software::Info` record with more
 	## information about the software.
 	type SoftwareSet: table[string] of Info;
 	
@@ -108,7 +108,7 @@ export {
 	## uniformly distributed among proxy nodes.
 	global tracked: table[addr] of SoftwareSet &create_expire=1day;
 	
-	## This event can be handled to access the :bro:type:`Software::Info`
+	## This event can be handled to access the :zeek:type:`Software::Info`
 	## record as it is sent on to the logging framework.
 	global log_software: event(rec: Info);
 
@@ -117,7 +117,7 @@ export {
 	global version_change: event(old: Info, new: Info);
 
 	## This event is raised when software is about to be registered for
-	## tracking in :bro:see:`Software::tracked`.
+	## tracking in :zeek:see:`Software::tracked`.
 	global register: event(info: Info);
 }
 

scripts/base/frameworks/sumstats/cluster.zeek

@@ -35,12 +35,12 @@ export {
 	global cluster_get_result: event(uid: string, ss_name: string, key: Key, cleanup: bool);
 
 	## This event is sent by nodes in response to a
-	## :bro:id:`SumStats::cluster_get_result` event.
+	## :zeek:id:`SumStats::cluster_get_result` event.
 	global cluster_send_result: event(uid: string, ss_name: string, key: Key, result: Result, cleanup: bool);
 
 	## This is sent by workers to indicate that they crossed the percent
 	## of the current threshold by the percentage defined globally in
-	## :bro:id:`SumStats::cluster_request_global_view_percent`.
+	## :zeek:id:`SumStats::cluster_request_global_view_percent`.
 	global cluster_key_intermediate_response: event(ss_name: string, key: SumStats::Key);
 
 	## This event is scheduled internally on workers to send result chunks.

scripts/base/frameworks/sumstats/main.zeek

@@ -105,7 +105,7 @@ export {
 		reducers:           set[Reducer];
 
 		## A function that will be called once for each observation in order
-		## to calculate a value from the :bro:see:`SumStats::Result` structure
+		## to calculate a value from the :zeek:see:`SumStats::Result` structure
 		## which will be used for thresholding.
 		## This function is required if a *threshold* value or
 		## a *threshold_series* is given.
@@ -157,7 +157,7 @@ export {
 
 	## Dynamically request a sumstat key.  This function should be
 	## used sparingly and not as a replacement for the callbacks 
-	## from the :bro:see:`SumStats::SumStat` record.  The function is only
+	## from the :zeek:see:`SumStats::SumStat` record.  The function is only
 	## available for use within "when" statements as an asynchronous
 	## function.
 	##
@@ -168,7 +168,7 @@ export {
 	## Returns: The result for the requested sumstat key.
 	global request_key: function(ss_name: string, key: Key): Result;
 
-	## Helper function to represent a :bro:type:`SumStats::Key` value as
+	## Helper function to represent a :zeek:type:`SumStats::Key` value as
 	## a simple string.
 	##
 	## key: The metric key that is to be converted into a string.

scripts/base/frameworks/sumstats/plugins/last.zeek

@@ -19,7 +19,7 @@ export {
 	redef record ResultVal += {
 		## This is the queue where elements are maintained.
 		## Don't access this value directly, instead use the
-		## :bro:see:`SumStats::get_last` function to get a vector of
+		## :zeek:see:`SumStats::get_last` function to get a vector of
 		## the current element values.
 		last_elements: Queue::Queue &optional;
 	};

scripts/base/frameworks/tunnels/main.zeek

@@ -3,7 +3,7 @@
 ##!
 ##! For any connection that occurs over a tunnel, information about its
 ##! encapsulating tunnels is also found in the *tunnel* field of
-##! :bro:type:`connection`.
+##! :zeek:type:`connection`.
 
 module Tunnel;
 
@@ -18,7 +18,7 @@ export {
 		## A tunnel connection has closed.
 		CLOSE,
 		## No new connections over a tunnel happened in the amount of
-		## time indicated by :bro:see:`Tunnel::expiration_interval`.
+		## time indicated by :zeek:see:`Tunnel::expiration_interval`.
 		EXPIRE,
 	};
 
@@ -27,7 +27,7 @@ export {
 		## Time at which some tunnel activity occurred.
 		ts:          time         &log;
 		## The unique identifier for the tunnel, which may correspond
-		## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
+		## to a :zeek:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
 		## This is optional because there could be numerous connections
 		## for payload proxies like SOCKS but we should treat it as a
 		## single tunnel.
@@ -42,29 +42,29 @@ export {
 	};
 
 	## Logs all tunnels in an encapsulation chain with action
-	## :bro:see:`Tunnel::DISCOVER` that aren't already in the
+	## :zeek:see:`Tunnel::DISCOVER` that aren't already in the
-	## :bro:id:`Tunnel::active` table and adds them if not.
+	## :zeek:id:`Tunnel::active` table and adds them if not.
 	global register_all: function(ecv: EncapsulatingConnVector);
 
 	## Logs a single tunnel "connection" with action
-	## :bro:see:`Tunnel::DISCOVER` if it's not already in the
+	## :zeek:see:`Tunnel::DISCOVER` if it's not already in the
-	## :bro:id:`Tunnel::active` table and adds it if not.
+	## :zeek:id:`Tunnel::active` table and adds it if not.
 	global register: function(ec: EncapsulatingConn);
 
 	## Logs a single tunnel "connection" with action
-	## :bro:see:`Tunnel::EXPIRE` and removes it from the
+	## :zeek:see:`Tunnel::EXPIRE` and removes it from the
-	## :bro:id:`Tunnel::active` table.
+	## :zeek:id:`Tunnel::active` table.
 	##
 	## t: A table of tunnels.
 	##
 	## idx: The index of the tunnel table corresponding to the tunnel to expire.
 	##
 	## Returns: 0secs, which when this function is used as an
-	##          :bro:attr:`&expire_func`, indicates to remove the element at
+	##          :zeek:attr:`&expire_func`, indicates to remove the element at
 	##          *idx* immediately.
 	global expire: function(t: table[conn_id] of Info, idx: conn_id): interval;
 
-	## Removes a single tunnel from the :bro:id:`Tunnel::active` table
+	## Removes a single tunnel from the :zeek:id:`Tunnel::active` table
 	## and logs the closing/expiration of the tunnel.
 	##
 	## tunnel: The tunnel which has closed or expired.
@@ -78,7 +78,7 @@ export {
 
 	## Currently active tunnels.  That is, tunnels for which new,
 	## encapsulated connections have been seen in the interval indicated by
-	## :bro:see:`Tunnel::expiration_interval`.
+	## :zeek:see:`Tunnel::expiration_interval`.
 	global active: table[conn_id] of Info = table() &read_expire=expiration_interval &expire_func=expire;
 }
 

scripts/base/misc/find-filtered-trace.zeek

@@ -1,7 +1,7 @@
 ##! Discovers trace files that contain TCP traffic consisting only of
 ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
 ##! packets and no content).  On finding such a trace, a warning is
-##! emitted that suggests toggling the :bro:see:`detect_filtered_trace`
+##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
 ##! option may be desired if the user does not want Bro to report
 ##! missing TCP segments.
 

scripts/base/protocols/conn/contents.zeek

@@ -2,7 +2,7 @@
 ##! responders data or both.  By default nothing is extracted, and in order 
 ##! to actually extract data the ``c$extract_orig`` and/or the
 ##! ``c$extract_resp`` variable must be set to ``T``.  One way to achieve this
-##! would be to handle the :bro:id:`connection_established` event elsewhere
+##! would be to handle the :zeek:id:`connection_established` event elsewhere
 ##! and set the ``extract_orig`` and ``extract_resp`` options there.
 ##! However, there may be trouble with the timing due to event queue delay.
 ##!

scripts/base/protocols/conn/main.zeek

@@ -78,13 +78,13 @@ export {
 
 		## If the connection is originated locally, this value will be T.
 		## If it was originated remotely it will be F.  In the case that
-		## the :bro:id:`Site::local_nets` variable is undefined, this
+		## the :zeek:id:`Site::local_nets` variable is undefined, this
 		## field will be left empty at all times.
 		local_orig:   bool            &log &optional;
 
 		## If the connection is responded to locally, this value will be T.
 		## If it was responded to remotely it will be F.  In the case that
-		## the :bro:id:`Site::local_nets` variable is undefined, this
+		## the :zeek:id:`Site::local_nets` variable is undefined, this
 		## field will be left empty at all times.
 		local_resp:   bool            &log &optional;
 
@@ -128,18 +128,18 @@ export {
 		## (at least) 10 times; the third instance, 100 times; etc.
 		history:      string          &log &optional;
 		## Number of packets that the originator sent.
-		## Only set if :bro:id:`use_conn_size_analyzer` = T.
+		## Only set if :zeek:id:`use_conn_size_analyzer` = T.
 		orig_pkts:     count      &log &optional;
 		## Number of IP level bytes that the originator sent (as seen on
 		## the wire, taken from the IP total_length header field).
-		## Only set if :bro:id:`use_conn_size_analyzer` = T.
+		## Only set if :zeek:id:`use_conn_size_analyzer` = T.
 		orig_ip_bytes: count      &log &optional;
 		## Number of packets that the responder sent.
-		## Only set if :bro:id:`use_conn_size_analyzer` = T.
+		## Only set if :zeek:id:`use_conn_size_analyzer` = T.
 		resp_pkts:     count      &log &optional;
 		## Number of IP level bytes that the responder sent (as seen on
 		## the wire, taken from the IP total_length header field).
-		## Only set if :bro:id:`use_conn_size_analyzer` = T.
+		## Only set if :zeek:id:`use_conn_size_analyzer` = T.
 		resp_ip_bytes: count      &log &optional;
 		## If this connection was over a tunnel, indicate the
 		## *uid* values for any encapsulating parent connections
@@ -147,7 +147,7 @@ export {
 		tunnel_parents: set[string] &log &optional;
 	};
 
-	## Event that can be handled to access the :bro:type:`Conn::Info`
+	## Event that can be handled to access the :zeek:type:`Conn::Info`
 	## record as it is sent on to the logging framework.
 	global log_conn: event(rec: Info);
 }

scripts/base/protocols/dhcp/main.zeek

@@ -89,13 +89,13 @@ export {
 	## This event is used internally to distribute data around clusters
 	## since DHCP doesn't follow the normal "connection" model used by
 	## most protocols. It can also be handled to extend the DHCP log.
-	## bro:see::`DHCP::log_info`.
+	## :zeek:see:`DHCP::log_info`.
 	global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options);
 
 	## This is a global variable that is only to be used in the
-	## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid
+	## :zeek:see:`DHCP::aggregate_msgs` event. It can be used to avoid
 	## looking up the info record for a transaction ID in every event handler
-	## for :bro:see::`DHCP::aggregate_msgs`.
+	## for :zeek:see:`DHCP::aggregate_msgs`.
 	global DHCP::log_info: Info;
 
 	## Event that can be handled to access the DHCP

scripts/base/protocols/dns/main.zeek

@@ -80,7 +80,7 @@ export {
 		saw_reply: bool                &default=F;
 	};
 
-	## An event that can be handled to access the :bro:type:`DNS::Info`
+	## An event that can be handled to access the :zeek:type:`DNS::Info`
 	## record as it is sent to the logging framework.
 	global log_dns: event(rec: Info);
 
@@ -109,7 +109,7 @@ export {
 	## is_query: Indicator for if this is being called for a query or a response.
 	global set_session: hook(c: connection, msg: dns_msg, is_query: bool);
 
-	## Yields a queue of :bro:see:`DNS::Info` objects for a given
+	## Yields a queue of :zeek:see:`DNS::Info` objects for a given
 	## DNS message query/transaction ID.
 	type PendingMessages: table[count] of Queue::Queue;
 
@@ -126,7 +126,7 @@ export {
 	option max_pending_query_ids = 50;
 
 	## A record type which tracks the status of DNS queries for a given
-	## :bro:type:`connection`.
+	## :zeek:type:`connection`.
 	type State: record {
 		## A single query that hasn't been matched with a response yet.
 		## Note this is maintained separate from the *pending_queries*

scripts/base/protocols/ftp/gridftp.zeek

@@ -6,7 +6,7 @@
 ##! indicating the GSI mechanism for GSSAPI was used.  This analysis
 ##! is all supported internally, this script simply adds the "gridftp"
 ##! label to the *service* field of the control channel's
-##! :bro:type:`connection` record.
+##! :zeek:type:`connection` record.
 ##!
 ##! GridFTP data channels are identified by a heuristic that relies on
 ##! the fact that default settings for GridFTP clients typically
@@ -33,7 +33,7 @@ export {
 	option size_threshold = 1073741824;
 
 	## Time during which we check whether a connection's size exceeds the
-	## :bro:see:`GridFTP::size_threshold`.
+	## :zeek:see:`GridFTP::size_threshold`.
 	option max_time = 2 min;
 
 	## Whether to skip further processing of the GridFTP data channel once
@@ -46,8 +46,8 @@ export {
 	global data_channel_detected: event(c: connection);
 
 	## The initial criteria used to determine whether to start polling
-	## the connection for the :bro:see:`GridFTP::size_threshold` to have
+	## the connection for the :zeek:see:`GridFTP::size_threshold` to have
-	## been exceeded.  This is called in a :bro:see:`ssl_established` event
+	## been exceeded.  This is called in a :zeek:see:`ssl_established` event
 	## handler and by default looks for both a client and server certificate
 	## and for a NULL bulk cipher.  One way in which this function could be
 	## redefined is to make it also consider client/server certificate
@@ -56,7 +56,7 @@ export {
 	## c: The connection which may possibly be a GridFTP data channel.
 	##
 	## Returns: true if the connection should be further polled for an
-	##          exceeded :bro:see:`GridFTP::size_threshold`, else false.
+	##          exceeded :zeek:see:`GridFTP::size_threshold`, else false.
 	const data_channel_initial_criteria: function(c: connection): bool &redef;
 }
 

scripts/base/protocols/ftp/main.zeek

@@ -36,7 +36,7 @@ export {
 	## Parse FTP reply codes into the three constituent single digit values.
 	global parse_ftp_reply_code: function(code: count): ReplyCode;
 
-	## Event that can be handled to access the :bro:type:`FTP::Info`
+	## Event that can be handled to access the :zeek:type:`FTP::Info`
 	## record as it is sent on to the logging framework.
 	global log_ftp: event(rec: Info);
 }

scripts/base/protocols/ftp/utils.zeek

@@ -7,16 +7,16 @@
 module FTP;
 
 export {
-	## Creates a URL from an :bro:type:`FTP::Info` record.
+	## Creates a URL from an :zeek:type:`FTP::Info` record.
 	##
-	## rec: An :bro:type:`FTP::Info` record.
+	## rec: An :zeek:type:`FTP::Info` record.
 	##
 	## Returns: A URL, not prefixed by ``"ftp://"``.
 	global build_url: function(rec: Info): string;
 
-	## Creates a URL from an :bro:type:`FTP::Info` record.
+	## Creates a URL from an :zeek:type:`FTP::Info` record.
 	##
-	## rec: An :bro:type:`FTP::Info` record.
+	## rec: An :zeek:type:`FTP::Info` record.
 	##
 	## Returns: A URL prefixed with ``"ftp://"``.
 	global build_url_ftp: function(rec: Info): string;

scripts/base/protocols/http/entities.zeek

@@ -14,44 +14,44 @@ export {
 	};
 
 	## Maximum number of originator files to log.
-	## :bro:see:`HTTP::max_files_policy` even is called once this
+	## :zeek:see:`HTTP::max_files_policy` even is called once this
 	## limit is reached to determine if it's enforced.
 	option max_files_orig = 15;
 
 	## Maximum number of responder files to log.
-	## :bro:see:`HTTP::max_files_policy` even is called once this
+	## :zeek:see:`HTTP::max_files_policy` even is called once this
 	## limit is reached to determine if it's enforced.
 	option max_files_resp = 15;
 
 	## Called when reaching the max number of files across a given HTTP
-	## connection according to :bro:see:`HTTP::max_files_orig`
+	## connection according to :zeek:see:`HTTP::max_files_orig`
-	## or :bro:see:`HTTP::max_files_resp`.  Break from the hook
+	## or :zeek:see:`HTTP::max_files_resp`.  Break from the hook
 	## early to signal that the file limit should not be applied.
 	global max_files_policy: hook(f: fa_file, is_orig: bool);
 
 	redef record Info += {
 		## An ordered vector of file unique IDs.
-		## Limited to :bro:see:`HTTP::max_files_orig` entries.
+		## Limited to :zeek:see:`HTTP::max_files_orig` entries.
 		orig_fuids:      vector of string &log &optional;
 
 		## An ordered vector of filenames from the client.
-		## Limited to :bro:see:`HTTP::max_files_orig` entries.
+		## Limited to :zeek:see:`HTTP::max_files_orig` entries.
 		orig_filenames:  vector of string &log &optional;
 
 		## An ordered vector of mime types.
-		## Limited to :bro:see:`HTTP::max_files_orig` entries.
+		## Limited to :zeek:see:`HTTP::max_files_orig` entries.
 		orig_mime_types: vector of string &log &optional;
 
 		## An ordered vector of file unique IDs.
-		## Limited to :bro:see:`HTTP::max_files_resp` entries.
+		## Limited to :zeek:see:`HTTP::max_files_resp` entries.
 		resp_fuids:      vector of string &log &optional;
 
 		## An ordered vector of filenames from the server.
-		## Limited to :bro:see:`HTTP::max_files_resp` entries.
+		## Limited to :zeek:see:`HTTP::max_files_resp` entries.
 		resp_filenames:  vector of string &log &optional;
 
 		## An ordered vector of mime types.
-		## Limited to :bro:see:`HTTP::max_files_resp` entries.
+		## Limited to :zeek:see:`HTTP::max_files_resp` entries.
 		resp_mime_types: vector of string &log &optional;
 
 		## The current entity.

scripts/base/protocols/http/utils.zeek

@@ -17,18 +17,18 @@ export {
 	## Returns: A vector of strings containing the keys.
 	global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
 	
-	## Creates a URL from an :bro:type:`HTTP::Info` record.  This should
+	## Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
 	## handle edge cases such as proxied requests appropriately.
 	##
-	## rec: An :bro:type:`HTTP::Info` record.
+	## rec: An :zeek:type:`HTTP::Info` record.
 	##
 	## Returns: A URL, not prefixed by ``"http://"``.
 	global build_url: function(rec: Info): string;
 	
-	## Creates a URL from an :bro:type:`HTTP::Info` record.  This should
+	## Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
 	## handle edge cases such as proxied requests appropriately.
 	##
-	## rec: An :bro:type:`HTTP::Info` record.
+	## rec: An :zeek:type:`HTTP::Info` record.
 	##
 	## Returns: A URL prefixed with ``"http://"``.
 	global build_url_http: function(rec: Info): string;

scripts/base/protocols/ssh/main.zeek

@@ -75,7 +75,7 @@ export {
 	## c: The connection over which the :abbr:`SSH (Secure Shell)`
 	##    connection took place.
 	##
-	## .. bro:see:: ssh_server_version ssh_client_version
+	## .. zeek:see:: ssh_server_version ssh_client_version
 	##    ssh_auth_successful ssh_auth_result ssh_auth_attempted
 	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
 	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -98,7 +98,7 @@ export {
 	## auth_attempts: The number of authentication attempts that were
 	##    observed.
 	##
-	## .. bro:see:: ssh_server_version ssh_client_version
+	## .. zeek:see:: ssh_server_version ssh_client_version
 	##    ssh_auth_successful ssh_auth_failed ssh_auth_attempted
 	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
 	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
@@ -106,10 +106,10 @@ export {
 	global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
 
 	## Event that can be handled when the analyzer sees an SSH server host
-	## key. This abstracts :bro:id:`ssh1_server_host_key` and
+	## key. This abstracts :zeek:id:`ssh1_server_host_key` and
-	## :bro:id:`ssh2_server_host_key`.
+	## :zeek:id:`ssh2_server_host_key`.
 	##
-	## .. bro:see:: ssh_server_version ssh_client_version
+	## .. zeek:see:: ssh_server_version ssh_client_version
 	##    ssh_auth_successful ssh_auth_failed ssh_auth_result
 	##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
 	##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params

scripts/base/utils/active-http.zeek

@@ -46,7 +46,7 @@ export {
 	};
 
 	## Perform an HTTP request according to the
-	## :bro:type:`ActiveHTTP::Request` record.  This is an asynchronous
+	## :zeek:type:`ActiveHTTP::Request` record.  This is an asynchronous
 	## function and must be called within a "when" statement.
 	##
 	## req: A record instance representing all options for an HTTP request.

scripts/base/utils/conn-ids.zeek

@@ -13,7 +13,7 @@ export {
 	## on the right to the originator on the left.
 	global reverse_id_string: function(id: conn_id): string;
 	
-	## Calls :bro:id:`id_string` or :bro:id:`reverse_id_string` if the
+	## Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
 	## second argument is T or F, respectively.
 	global directed_id_string: function(id: conn_id, is_orig: bool): string;
 }

scripts/base/utils/dir.zeek

@@ -6,7 +6,7 @@ module Dir;
 
 export {
 	## The default interval this module checks for files in directories when
-	## using the :bro:see:`Dir::monitor` function.
+	## using the :zeek:see:`Dir::monitor` function.
 	option polling_interval = 30sec;
 
 	## Register a directory to monitor with a callback that is called

scripts/base/utils/exec.zeek

@@ -8,7 +8,7 @@ export {
 	type Command: record {
 		## The command line to execute.  Use care to avoid injection
 		## attacks (i.e., if the command uses untrusted/variable data,
-		## sanitize it with :bro:see:`safe_shell_quote`).
+		## sanitize it with :zeek:see:`safe_shell_quote`).
 		cmd:         string;
 		## Provide standard input to the program as a string.
 		stdin:       string      &default="";

scripts/base/utils/geoip-distance.zeek

@@ -10,7 +10,7 @@
 ## Returns: The distance between *a1* and *a2* in miles, or -1.0 if GeoIP data
 ##          is not available for either of the IP addresses.
 ##
-## .. bro:see:: haversine_distance lookup_location
+## .. zeek:see:: haversine_distance lookup_location
 function haversine_distance_ip(a1: addr, a2: addr): double
 	{
 	local loc1 = lookup_location(a1);

scripts/base/utils/paths.zeek

@@ -75,7 +75,7 @@ function build_path(dir: string, file_name: string): string
 	}
 
 ## Returns a compressed path to a file given a directory and file name.
-## See :bro:id:`build_path` and :bro:id:`compress_path`.
+## See :zeek:id:`build_path` and :zeek:id:`compress_path`.
 function build_path_compressed(dir: string, file_name: string): string
 	{
 	return compress_path(build_path(dir, file_name));

scripts/base/utils/patterns.zeek

@@ -37,7 +37,7 @@ type PatternMatchResult: record {
 };
 
 ## Matches the given pattern against the given string, returning
-## a :bro:type:`PatternMatchResult` record.
+## a :zeek:type:`PatternMatchResult` record.
 ## For example: ``match_pattern("foobar", /o*[a-k]/)`` returns
 ## ``[matched=T, str=f, off=1]``,  because the *first* match is for
 ## zero o's followed by an [a-k], but ``match_pattern("foobar", /o+[a-k]/)``

scripts/base/utils/site.zeek

@@ -22,9 +22,9 @@ export {
 	option local_nets: set[subnet] = {};
 
 	## This is used for retrieving the subnet when using multiple entries in
-	## :bro:id:`Site::local_nets`.  It's populated automatically from there.
+	## :zeek:id:`Site::local_nets`.  It's populated automatically from there.
 	## A membership query can be done with an
-	## :bro:type:`addr` and the table will yield the subnet it was found
+	## :zeek:type:`addr` and the table will yield the subnet it was found
 	## within.
 	global local_nets_table: table[subnet] of subnet = {};
 
@@ -45,33 +45,33 @@ export {
 
 	## Function that returns true if an address corresponds to one of
 	## the local networks, false if not.
-	## The function inspects :bro:id:`Site::local_nets`.
+	## The function inspects :zeek:id:`Site::local_nets`.
 	global is_local_addr: function(a: addr): bool;
 
 	## Function that returns true if an address corresponds to one of
 	## the neighbor networks, false if not.
-	## The function inspects :bro:id:`Site::neighbor_nets`.
+	## The function inspects :zeek:id:`Site::neighbor_nets`.
 	global is_neighbor_addr: function(a: addr): bool;
 
 	## Function that returns true if an address corresponds to one of
 	## the private/unrouted networks, false if not.
-	## The function inspects :bro:id:`Site::private_address_space`.
+	## The function inspects :zeek:id:`Site::private_address_space`.
 	global is_private_addr: function(a: addr): bool;
 
 	## Function that returns true if a host name is within a local
 	## DNS zone.
-	## The function inspects :bro:id:`Site::local_zones`.
+	## The function inspects :zeek:id:`Site::local_zones`.
 	global is_local_name: function(name: string): bool;
 
 	## Function that returns true if a host name is within a neighbor
 	## DNS zone.
-	## The function inspects :bro:id:`Site::neighbor_zones`.
+	## The function inspects :zeek:id:`Site::neighbor_zones`.
 	global is_neighbor_name: function(name: string): bool;
 
 	## Function that returns a comma-separated list of email addresses
 	## that are considered administrators for the IP address provided as
 	## an argument.
-	## The function inspects :bro:id:`Site::local_admins`.
+	## The function inspects :zeek:id:`Site::local_admins`.
 	global get_emails: function(a: addr): string;
 }
 

scripts/base/utils/thresholds.zeek

@@ -1,8 +1,8 @@
 ##! Functions for using multiple thresholds with a counting tracker.  For
 ##! example, you may want to generate a notice when something happens 10 times
 ##! and again when it happens 100 times but nothing in between.  You can use
-##! the :bro:id:`check_threshold` function to define your threshold points
+##! the :zeek:id:`check_threshold` function to define your threshold points
-##! and the :bro:type:`TrackCount` variable where you are keeping track of your
+##! and the :zeek:type:`TrackCount` variable where you are keeping track of your
 ##! counter.
 
 module GLOBAL;
@@ -18,12 +18,12 @@ export {
 	};
 	
 	## The thresholds you would like to use as defaults with the 
-	## :bro:id:`default_check_threshold` function.
+	## :zeek:id:`default_check_threshold` function.
 	const default_notice_thresholds: vector of count = {
 		30, 100, 1000, 10000, 100000, 1000000, 10000000,
 	} &redef;
 	
-	## This will check if a :bro:type:`TrackCount` variable has crossed any
+	## This will check if a :zeek:type:`TrackCount` variable has crossed any
 	## thresholds in a given set.
 	##
 	## v: a vector holding counts that represent thresholds.
@@ -34,8 +34,8 @@ export {
 	## Returns: T if a threshold has been crossed, else F.
 	global check_threshold: function(v: vector of count, tracker: TrackCount): bool;
 	
-	## This will use the :bro:id:`default_notice_thresholds` variable to
+	## This will use the :zeek:id:`default_notice_thresholds` variable to
-	## check a :bro:type:`TrackCount` variable to see if it has crossed
+	## check a :zeek:type:`TrackCount` variable to see if it has crossed
 	## another threshold.
 	global default_check_threshold: function(tracker: TrackCount): bool;
 }

scripts/base/utils/urls.zeek

@@ -3,7 +3,7 @@
 ## A regular expression for matching and extracting URLs.
 const url_regex = /^([a-zA-Z\-]{3,5})(:\/\/[^\/?#"'\r\n><]*)([^?#"'\r\n><]*)([^[:blank:]\r\n"'><]*|\??[^"'\r\n><]*)/ &redef;
 
-## A URI, as parsed by :bro:id:`decompose_uri`.
+## A URI, as parsed by :zeek:id:`decompose_uri`.
 type URI: record {
 	## The URL's scheme..
 	scheme:       string &optional;

scripts/broxygen/README

@@ -1,4 +0,0 @@
-This package is loaded during the process which automatically generates
-reference documentation for all Bro scripts (i.e. "Broxygen").  Its only
-purpose is to provide an easy way to load all known Bro scripts plus any
-extra scripts needed or used by the documentation process.

scripts/policy/frameworks/dpd/packet-segment-logging.zeek

@@ -1,6 +1,6 @@
 ##! This script enables logging of packet segment data when a protocol
 ##! parsing violation is encountered.  The amount of data from the
-##! packet logged is set by the :bro:see:`DPD::packet_segment_size` variable.
+##! packet logged is set by the :zeek:see:`DPD::packet_segment_size` variable.
 ##! A caveat to logging packet data is that in some cases, the packet may
 ##! not be the packet that actually caused the protocol violation.
 

scripts/policy/frameworks/notice/extend-email/hostnames.zeek

@@ -1,6 +1,6 @@
-##! Loading this script extends the :bro:enum:`Notice::ACTION_EMAIL` action
+##! Loading this script extends the :zeek:enum:`Notice::ACTION_EMAIL` action
 ##! by appending to the email the hostnames associated with
-##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a
+##! :zeek:type:`Notice::Info`'s *src* and *dst* fields as determined by a
 ##! DNS lookup.
 
 @load base/frameworks/notice/main

scripts/policy/frameworks/packet-filter/shunt.zeek

@@ -23,7 +23,7 @@ export {
 	## update done by the `PacketFilter` framework.
 	global unshunt_host_pair: function(id: conn_id): bool;
 
-	## Performs the same function as the :bro:id:`PacketFilter::unshunt_host_pair`
+	## Performs the same function as the :zeek:id:`PacketFilter::unshunt_host_pair`
 	## function, but it forces an immediate filter update.
 	global force_unshunt_host_pair: function(id: conn_id): bool;
 
@@ -34,7 +34,7 @@ export {
 	global current_shunted_host_pairs: function(): set[conn_id];
 
 	redef enum Notice::Type += {
-		## Indicative that :bro:id:`PacketFilter::max_bpf_shunts`
+		## Indicative that :zeek:id:`PacketFilter::max_bpf_shunts`
 		## connections are already being shunted with BPF filters and
 		## no more are allowed.
 		No_More_Conn_Shunts_Available,

scripts/policy/frameworks/software/version-changes.zeek

@@ -12,7 +12,7 @@ export {
 		## For certain software, a version changing may matter.  In that
 		## case, this notice will be generated.  Software that matters
 		## if the version changes can be configured with the
-		## :bro:id:`Software::interesting_version_changes` variable.
+		## :zeek:id:`Software::interesting_version_changes` variable.
 		Software_Version_Change,
 	};
 	

scripts/policy/integration/barnyard2/main.zeek

@@ -18,8 +18,8 @@ export {
 		alert:              AlertData &log;
 	};
 	
-	## This can convert a Barnyard :bro:type:`Barnyard2::PacketID` value to
+	## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
-	## a :bro:type:`conn_id` value in the case that you might need to index 
+	## a :zeek:type:`conn_id` value in the case that you might need to index 
 	## into an existing data structure elsewhere within Bro.
 	global pid2cid: function(p: PacketID): conn_id;
 }

scripts/policy/misc/capture-loss.zeek

@@ -41,7 +41,7 @@ export {
 	option watch_interval = 15mins;
 	
 	## The percentage of missed data that is considered "too much" 
-	## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be
+	## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
 	## generated. The value is expressed as a double between 0 and 1 with 1
 	## being 100%.
 	option too_much_loss: double = 0.1;

scripts/policy/misc/detect-traceroute/main.zeek

@@ -34,7 +34,7 @@ export {
 	const icmp_time_exceeded_threshold: double = 3 &redef;
 
 	## Interval at which to watch for the
-	## :bro:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
+	## :zeek:id:`Traceroute::icmp_time_exceeded_threshold` variable to be
 	## crossed.  At the end of each interval the counter is reset.
 	const icmp_time_exceeded_interval = 3min &redef;
 

scripts/policy/misc/profiling.zeek

@@ -9,7 +9,7 @@ redef profiling_file = open_log_file("prof");
 redef profiling_interval = 15 secs;
 
 ## Set the expensive profiling interval (multiple of
-## :bro:id:`profiling_interval`).
+## :zeek:id:`profiling_interval`).
 redef expensive_profiling_multiple = 20;
 
 event zeek_init()

scripts/policy/misc/scan.zeek

@@ -15,17 +15,17 @@ export {
 	redef enum Notice::Type += {
 		## Address scans detect that a host appears to be scanning some
 		## number of destinations on a single port. This notice is
-		## generated when more than :bro:id:`Scan::addr_scan_threshold`
+		## generated when more than :zeek:id:`Scan::addr_scan_threshold`
 		## unique hosts are seen over the previous
-		## :bro:id:`Scan::addr_scan_interval` time range.
+		## :zeek:id:`Scan::addr_scan_interval` time range.
 		Address_Scan,
 
 		## Port scans detect that an attacking host appears to be
 		## scanning a single victim host on several ports.  This notice
 		## is generated when an attacking host attempts to connect to
-		## :bro:id:`Scan::port_scan_threshold`
+		## :zeek:id:`Scan::port_scan_threshold`
 		## unique ports on a single host over the previous
-		## :bro:id:`Scan::port_scan_interval` time range.
+		## :zeek:id:`Scan::port_scan_interval` time range.
 		Port_Scan,
 	};
 

scripts/policy/misc/trim-trace-file.zeek

@@ -11,7 +11,7 @@ export {
 	## tracefile rotation is required with the caveat that the script
 	## doesn't currently attempt to get back on schedule automatically and
 	## the next trim likely won't happen on the
-	## :bro:id:`TrimTraceFile::trim_interval`.
+	## :zeek:id:`TrimTraceFile::trim_interval`.
 	global go: event(first_trim: bool);
 	}
 

scripts/policy/protocols/conn/known-hosts.zeek

@@ -28,22 +28,22 @@ export {
 	const use_host_store = T &redef;
 	
 	## The hosts whose existence should be logged and tracked.
-	## See :bro:type:`Host` for possible choices.
+	## See :zeek:type:`Host` for possible choices.
 	option host_tracking = LOCAL_HOSTS;
 	
 	## Holds the set of all known hosts.  Keys in the store are addresses
 	## and their associated value will always be the "true" boolean.
 	global host_store: Cluster::StoreInfo;
 
-	## The Broker topic name to use for :bro:see:`Known::host_store`.
+	## The Broker topic name to use for :zeek:see:`Known::host_store`.
 	const host_store_name = "bro/known/hosts" &redef;
 
-	## The expiry interval of new entries in :bro:see:`Known::host_store`.
+	## The expiry interval of new entries in :zeek:see:`Known::host_store`.
 	## This also changes the interval at which hosts get logged.
 	const host_store_expiry = 1day &redef;
 
 	## The timeout interval to use for operations against
-	## :bro:see:`Known::host_store`.
+	## :zeek:see:`Known::host_store`.
 	option host_store_timeout = 15sec;
 
 	## The set of all known addresses to store for preventing duplicate 
@@ -56,7 +56,7 @@ export {
 	## proxy nodes.
 	global hosts: set[addr] &create_expire=1day &redef;
 
-	## An event that can be handled to access the :bro:type:`Known::HostsInfo`
+	## An event that can be handled to access the :zeek:type:`Known::HostsInfo`
 	## record as it is sent on to the logging framework.
 	global log_known_hosts: event(rec: HostsInfo);
 }

scripts/policy/protocols/conn/known-services.zeek

@@ -34,7 +34,7 @@ export {
 	const use_service_store = T &redef;
 	
 	## The hosts whose services should be tracked and logged.
-	## See :bro:type:`Host` for possible choices.
+	## See :zeek:type:`Host` for possible choices.
 	option service_tracking = LOCAL_HOSTS;
 
 	type AddrPortPair: record {
@@ -43,19 +43,19 @@ export {
 	};
 
 	## Holds the set of all known services.  Keys in the store are
-	## :bro:type:`Known::AddrPortPair` and their associated value is
+	## :zeek:type:`Known::AddrPortPair` and their associated value is
 	## always the boolean value of "true".
 	global service_store: Cluster::StoreInfo;
 
-	## The Broker topic name to use for :bro:see:`Known::service_store`.
+	## The Broker topic name to use for :zeek:see:`Known::service_store`.
 	const service_store_name = "bro/known/services" &redef;
 
-	## The expiry interval of new entries in :bro:see:`Known::service_store`.
+	## The expiry interval of new entries in :zeek:see:`Known::service_store`.
 	## This also changes the interval at which services get logged.
 	const service_store_expiry = 1day &redef;
 
 	## The timeout interval to use for operations against
-	## :bro:see:`Known::service_store`.
+	## :zeek:see:`Known::service_store`.
 	option service_store_timeout = 15sec;
 
 	## Tracks the set of daily-detected services for preventing the logging
@@ -68,7 +68,7 @@ export {
 	## This set is automatically populated and shouldn't be directly modified.
 	global services: set[addr, port] &create_expire=1day;
 
-	## Event that can be handled to access the :bro:type:`Known::ServicesInfo`
+	## Event that can be handled to access the :zeek:type:`Known::ServicesInfo`
 	## record as it is sent on to the logging framework.
 	global log_known_services: event(rec: ServicesInfo);
 }

scripts/policy/protocols/dhcp/deprecated_events.zeek

@@ -11,9 +11,9 @@
 ## .. note:: This type is included to support the deprecated events dhcp_ack,
 ##           dhcp_decline, dhcp_discover, dhcp_inform, dhcp_nak, dhcp_offer,
 ##           dhcp_release and dhcp_request and is thus similarly deprecated
-##           itself. Use :bro:see:`dhcp_message` instead.
+##           itself. Use :zeek:see:`dhcp_message` instead.
 ##
-## .. bro:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
+## .. zeek:see:: dhcp_message dhcp_ack dhcp_decline dhcp_discover
 ##              dhcp_inform dhcp_nak dhcp_offer dhcp_release dhcp_request
 type dhcp_msg: record {
 	op: count;      ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY
@@ -28,9 +28,9 @@ type dhcp_msg: record {
 ##
 ## .. note:: This type is included to support the deprecated events dhcp_ack
 ##           and dhcp_offer and is thus similarly deprecated
-##           itself. Use :bro:see:`dhcp_message` instead.
+##           itself. Use :zeek:see:`dhcp_message` instead.
 ##
-## .. bro:see:: dhcp_message dhcp_ack dhcp_offer
+## .. zeek:see:: dhcp_message dhcp_ack dhcp_offer
 type dhcp_router_list: table[count] of addr;
 
 ## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
@@ -44,7 +44,7 @@ type dhcp_router_list: table[count] of addr;
 ##
 ## host_name: The value of the host name option, if specified by the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_decline dhcp_ack dhcp_nak dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -74,7 +74,7 @@ global dhcp_discover: event(c: connection, msg: dhcp_msg, req_addr: addr, host_n
 ## host_name: Optional host name value. May differ from the host name requested
 ##            from the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_request dhcp_decline
 ##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -101,7 +101,7 @@ global dhcp_offer: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_
 ##
 ## host_name: The value of the host name option, if specified by the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_decline
 ##    	       dhcp_ack dhcp_nak dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -122,7 +122,7 @@ global dhcp_request: event(c: connection, msg: dhcp_msg, req_addr: addr, serv_ad
 ##
 ## host_name: Optional host name value.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_ack dhcp_nak dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -152,7 +152,7 @@ global dhcp_decline: event(c: connection, msg: dhcp_msg, host_name: string) &dep
 ## host_name: Optional host name value. May differ from the host name requested
 ##            from the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_decline dhcp_nak dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -170,7 +170,7 @@ global dhcp_ack: event(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_ro
 ##
 ## host_name: Optional host name value.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_decline dhcp_ack dhcp_release dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -191,7 +191,7 @@ global dhcp_nak: event(c: connection, msg: dhcp_msg, host_name: string) &depreca
 ##
 ## host_name: The value of the host name option, if specified by the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_decline dhcp_ack dhcp_nak dhcp_inform
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.
@@ -209,7 +209,7 @@ global dhcp_release: event(c: connection, msg: dhcp_msg, host_name: string) &dep
 ##
 ## host_name: The value of the host name option, if specified by the client.
 ##
-## .. bro:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
+## .. zeek:see:: dhcp_message dhcp_discover dhcp_offer dhcp_request
 ##              dhcp_decline dhcp_ack dhcp_nak dhcp_release
 ##
 ## .. note:: This event has been deprecated, and will be removed in the next version.

scripts/policy/protocols/dns/detect-external-names.zeek

@@ -1,6 +1,6 @@
 ##! This script detects names which are not within zones considered to be
 ##! local but resolving to addresses considered local.  
-##! The :bro:id:`Site::local_zones` variable **must** be set appropriately for 
+##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for 
 ##! this detection.
 
 @load base/frameworks/notice
@@ -11,7 +11,7 @@ module DNS;
 export {
 	redef enum Notice::Type += { 
 		## Raised when a non-local name is found to be pointing at a
-		## local host.  The :bro:id:`Site::local_zones` variable
+		## local host.  The :zeek:id:`Site::local_zones` variable
 		## **must** be set appropriately for this detection.
 		External_Name,
 		};

scripts/policy/protocols/http/detect-sqli.zeek

@@ -35,7 +35,7 @@ export {
 	const sqli_requests_threshold: double = 50.0 &redef;
 
 	## Interval at which to watch for the
-	## :bro:id:`HTTP::sqli_requests_threshold` variable to be crossed.
+	## :zeek:id:`HTTP::sqli_requests_threshold` variable to be crossed.
 	## At the end of each interval the counter is reset.
 	const sqli_requests_interval = 5min &redef;
 

scripts/policy/protocols/smtp/entities-excerpt.zeek

@@ -13,7 +13,7 @@ export {
 
 	## This is the default value for how much of the entity body should be
 	## included for all MIME entities.  The lesser of this value and
-	## :bro:see:`default_file_bof_buffer_size` will be used.
+	## :zeek:see:`default_file_bof_buffer_size` will be used.
 	option default_entity_excerpt_len = 0;
 }
 

scripts/policy/protocols/ssh/detect-bruteforcing.zeek

@@ -11,7 +11,7 @@ module SSH;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a host has been identified as crossing the
-		## :bro:id:`SSH::password_guesses_limit` threshold with
+		## :zeek:id:`SSH::password_guesses_limit` threshold with
 		## failed logins.
 		Password_Guessing,
 		## Indicates that a host previously identified as a "password

scripts/policy/protocols/ssh/geo-data.zeek

@@ -8,7 +8,7 @@ module SSH;
 export {
 	redef enum Notice::Type += {
 		## If an SSH login is seen to or from a "watched" country based
-		## on the :bro:id:`SSH::watched_countries` variable then this
+		## on the :zeek:id:`SSH::watched_countries` variable then this
 		## notice will be generated.
 		Watched_Country_Login,
 	};

scripts/policy/protocols/ssh/interesting-hostnames.zeek

@@ -12,7 +12,7 @@ export {
 	redef enum Notice::Type += {
 		## Generated if a login originates or responds with a host where
 		## the reverse hostname lookup resolves to a name matched by the
-		## :bro:id:`SSH::interesting_hostnames` regular expression.
+		## :zeek:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};
 	

scripts/policy/protocols/ssl/expiring-certs.zeek

@@ -15,7 +15,7 @@ export {
 		## and the certificate is now invalid.
 		Certificate_Expired,
 		## Indicates that a certificate is going to expire within 
-		## :bro:id:`SSL::notify_when_cert_expiring_in`.
+		## :zeek:id:`SSL::notify_when_cert_expiring_in`.
 		Certificate_Expires_Soon,
 		## Indicates that a certificate's NotValidBefore date is future
 		## dated.
@@ -30,7 +30,7 @@ export {
 	option notify_certs_expiration = LOCAL_HOSTS;
 	
 	## The time before a certificate is going to expire that you would like
-	## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
+	## to start receiving :zeek:enum:`SSL::Certificate_Expires_Soon` notices.
 	option notify_when_cert_expiring_in = 30days;
 }
 

scripts/policy/protocols/ssl/known-certs.zeek

@@ -43,19 +43,19 @@ export {
 	};
 
 	## Holds the set of all known certificates.  Keys in the store are of
-	## type :bro:type:`Known::AddrCertHashPair` and their associated value is
+	## type :zeek:type:`Known::AddrCertHashPair` and their associated value is
 	## always the boolean value of "true".
 	global cert_store: Cluster::StoreInfo;
 
-	## The Broker topic name to use for :bro:see:`Known::cert_store`.
+	## The Broker topic name to use for :zeek:see:`Known::cert_store`.
 	const cert_store_name = "bro/known/certs" &redef;
 
-	## The expiry interval of new entries in :bro:see:`Known::cert_store`.
+	## The expiry interval of new entries in :zeek:see:`Known::cert_store`.
 	## This also changes the interval at which certs get logged.
 	option cert_store_expiry = 1day;
 
 	## The timeout interval to use for operations against
-	## :bro:see:`Known::cert_store`.
+	## :zeek:see:`Known::cert_store`.
 	option cert_store_timeout = 15sec;
 
 	## The set of all known certificates to store for preventing duplicate 

scripts/zeexygen/README

@@ -0,0 +1,4 @@
+This package is loaded during the process which automatically generates
+reference documentation for all Zeek scripts (i.e. "Zeexygen").  Its only
+purpose is to provide an easy way to load all known Zeek scripts plus any
+extra scripts needed or used by the documentation process.

scripts/zeexygen/example.zeek

@@ -1,4 +1,4 @@
-##! This is an example script that demonstrates Broxygen-style
+##! This is an example script that demonstrates Zeexygen-style
 ##! documentation.  It generally will make most sense when viewing
 ##! the script's raw source code and comparing to the HTML-rendered
 ##! version.
@@ -11,14 +11,14 @@
 ##! .. tip:: You can embed directives and roles within ``##``-stylized comments.
 ##!
 ##! There's also a custom role to reference any identifier node in
-##! the Bro Sphinx domain that's good for "see alsos", e.g.
+##! the Zeek Sphinx domain that's good for "see alsos", e.g.
 ##!
-##! See also: :bro:see:`BroxygenExample::a_var`,
+##! See also: :zeek:see:`ZeexygenExample::a_var`,
-##! :bro:see:`BroxygenExample::ONE`, :bro:see:`SSH::Info`
+##! :zeek:see:`ZeexygenExample::ONE`, :zeek:see:`SSH::Info`
 ##!
 ##! And a custom directive does the equivalent references:
 ##!
-##! .. bro:see:: BroxygenExample::a_var BroxygenExample::ONE SSH::Info
+##! .. zeek:see:: ZeexygenExample::a_var ZeexygenExample::ONE SSH::Info
 
 # Comments that use a single pound sign (#) are not significant to
 # a script's auto-generated documentation, but ones that use a
@@ -30,7 +30,7 @@
 # variable declarations to associate with the last-declared identifier.
 #
 # Generally, the auto-doc comments (##) are associated with the
-# next declaration/identifier found in the script, but Broxygen
+# next declaration/identifier found in the script, but Zeexygen
 # will track/render identifiers regardless of whether they have any
 # of these special comments associated with them.
 #
@@ -49,19 +49,19 @@
 
 # "module" statements are self-documenting, don't use any ``##`` style
 # comments with them.
-module BroxygenExample;
+module ZeexygenExample;
 
 # Redefinitions of "Notice::Type" are self-documenting, but
 # more information can be supplied in two different ways.
 redef enum Notice::Type += {
 	## Any number of this type of comment
-	## will document "Broxygen_One".
+	## will document "Zeexygen_One".
-	Broxygen_One,
+	Zeexygen_One,
-	Broxygen_Two,  ##< Any number of this type of comment
+	Zeexygen_Two,  ##< Any number of this type of comment
-	               ##< will document "BROXYGEN_TWO".
+	               ##< will document "ZEEXYGEN_TWO".
-	Broxygen_Three,
+	Zeexygen_Three,
 	## Omitting comments is fine, and so is mixing ``##`` and ``##<``, but
-	Broxygen_Four,  ##< it's probably best to use only one style consistently.
+	Zeexygen_Four,  ##< it's probably best to use only one style consistently.
 };
 
 # All redefs are automatically tracked.  Comments of the "##" form can be use
@@ -110,7 +110,7 @@ export {
 	type ComplexRecord: record {
 		field1: count;               ##< Counts something.
 		field2: bool;                ##< Toggles something.
-		field3: SimpleRecord;        ##< Broxygen automatically tracks types
+		field3: SimpleRecord;        ##< Zeexygen automatically tracks types
 		                             ##< and cross-references are automatically
 		                             ##< inserted in to generated docs.
 		msg: string &default="blah"; ##< Attributes are self-documenting.
@@ -163,9 +163,9 @@ export {
     ## Summarize "an_event" here.
     ## Give more details about "an_event" here.
 	##
-	## BroxygenExample::a_function should not be confused as a parameter
+	## ZeexygenExample::a_function should not be confused as a parameter
 	## in the generated docs, but it also doesn't generate a cross-reference
-	## link.  Use the see role instead: :bro:see:`BroxygenExample::a_function`.
+	## link.  Use the see role instead: :zeek:see:`ZeexygenExample::a_function`.
 	##
     ## name: Describe the argument here.
     global an_event: event(name: string);

src/Attr.cc

@@ -51,7 +51,7 @@ void Attr::Describe(ODesc* d) const
 
 void Attr::DescribeReST(ODesc* d) const
 	{
-	d->Add(":bro:attr:`");
+	d->Add(":zeek:attr:`");
 	AddTag(d);
 	d->Add("`");
 
@@ -64,14 +64,14 @@ void Attr::DescribeReST(ODesc* d) const
 
 		if ( expr->Tag() == EXPR_NAME )
 			{
-			d->Add(":bro:see:`");
+			d->Add(":zeek:see:`");
 			expr->Describe(d);
 			d->Add("`");
 			}
 
 		else if ( expr->Type()->Tag() == TYPE_FUNC )
 			{
-			d->Add(":bro:type:`");
+			d->Add(":zeek:type:`");
 			d->Add(expr->Type()->AsFuncType()->FlavorString());
 			d->Add("`");
 			}

src/CMakeLists.txt

@@ -143,7 +143,7 @@ set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE)
 
 add_subdirectory(analyzer)
 add_subdirectory(broker)
-add_subdirectory(broxygen)
+add_subdirectory(zeexygen)
 add_subdirectory(file_analysis)
 add_subdirectory(input)
 add_subdirectory(iosource)