Merge remote-tracking branch 'origin/topic/bernhard/software'

* origin/topic/bernhard/software: change software framework interface again. At the moment everything should worl. start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface... after talking to seth - change host_a field in record back to host. forgotten policy files. Software framework stores ports for server software.
2025-10-02 14:48:21 +00:00 · 2012-02-03 16:17:04 -05:00 · 2012-02-03 16:17:04 -05:00 · 2cd88ee4f6
commit 2cd88ee4f6
parent 819cb57952 eacdffff90
8 changed files with 203 additions and 196 deletions
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@ -36,15 +36,17 @@ export {
 	## The record type that is used for representing and logging software.
 	type Info: record {
 		## The time at which the software was detected.
-		ts:               time &log;
+		ts:               time &log &optional;
 		## The IP address detected running the software.
 		host:             addr &log;
 		## The Port on which the software is running. Only sensible for server software.
 		host_p:           port &log &optional;
 		## The type of software detected (e.g. :bro:enum:`HTTP::SERVER`).
 		software_type:    Type &log &default=UNKNOWN;
 		## Name of the software (e.g. Apache).
-		name:             string &log;
+		name:             string &log &optional;
 		## Version of the software.
-		version:          Version &log;
+		version:          Version &log &optional;
 		## The full unparsed version string found because the version parsing 
 		## doesn't always work reliably in all cases and this acts as a 
 		## fallback in the logs.
@ -65,31 +67,12 @@ export {
 	const asset_tracking = LOCAL_HOSTS &redef;
 	## Other scripts should call this function when they detect software.
 	## unparsed_version: This is the full string from which the
 	##                   :bro:type:`Software::Info` was extracted.
 	##
 	## id: The connection id where the software was discovered.
 	##
 	## info: A record representing the software discovered.
 	## 
 	## Returns: T if the software was logged, F otherwise.
-	global found: function(id: conn_id, info: Software::Info): bool;
+	global found: function(id: conn_id, info: Info): bool;
 	## Take many common software version strings and parse them 
 	## into a sensible :bro:type:`Software::Version` record.  There are 
 	## still many cases where scripts may have to have their own specific 
 	## version parsing though.
 	##
 	## unparsed_version: The raw version string.
 	##
 	## host: The host where the software was discovered.
 	##
 	## software_type: The type of software.
 	##
 	## Returns: A complete record ready for the :bro:id:`Software::found` function.
 	global parse: function(unparsed_version: string,
 	                       host: addr,
 	                       software_type: Type): Info;
 	## Compare two version records.
 	## 
@ -117,112 +100,23 @@ export {
 	global log_software: event(rec: Info);
 }
-event bro_init()
+event bro_init() &priority=5
 	{
 	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software]);
 	}
 function parse_mozilla(unparsed_version: string, 
 	                   host: addr, 
 	                   software_type: Type): Info
 	{
 	local software_name = "<unknown browser>";
 	local v: Version;
 	local parts: table[count] of string;
-	if ( /Opera [0-9\.]*$/ in unparsed_version )
+type Description: record {
-		{
+	name:             string;
-		software_name = "Opera";
+	version:          Version;
-		parts = split_all(unparsed_version, /Opera [0-9\.]*$/);
+	unparsed_version: string;
-		if ( 2 in parts )
+};
 			v = parse(parts[2], host, software_type)$version;
 		}
 	else if ( / MSIE / in unparsed_version )
 		{
 		software_name = "MSIE";
 		if ( /Trident\/4\.0/ in unparsed_version )
 			v = [$major=8,$minor=0];
 		else if ( /Trident\/5\.0/ in unparsed_version )
 			v = [$major=9,$minor=0];
 		else if ( /Trident\/6\.0/ in unparsed_version )
 			v = [$major=10,$minor=0];
 		else
 			{
 			parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
 			if ( 2 in parts )
 				v = parse(parts[2], host, software_type)$version;
 			}
 		}
 	else if ( /Version\/.*Safari\// in unparsed_version )
 		{
 		software_name = "Safari";
 		parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 		if ( 2 in parts )
 			{
 			v = parse(parts[2], host, software_type)$version;
 			if ( / Mobile\/?.* Safari/ in unparsed_version )
 				v$addl = "Mobile";
 			}
 		}
 	else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
 		{
 		parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
 		if ( 2 in parts )
 			{
 			local tmp_s = parse(parts[2], host, software_type);
 			software_name = tmp_s$name;
 			v = tmp_s$version;
 			}
 		}
 	else if ( /Chrome\/.*Safari\// in unparsed_version )
 		{
 		software_name = "Chrome";
 		parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/);
 		if ( 2 in parts )
 			v = parse(parts[2], host, software_type)$version;
 		}
 	else if ( /^Opera\// in unparsed_version )
 		{
 		if ( /Opera M(ini|obi)\// in unparsed_version )
 			{
 			parts = split_all(unparsed_version, /Opera M(ini|obi)/);
 			if ( 2 in parts )
 				software_name = parts[2];
 			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 			if ( 2 in parts )
 				v = parse(parts[2], host, software_type)$version;
 			else
 				{
 				parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/);
 				if ( 2 in parts )
 					v = parse(parts[2], host, software_type)$version;
 				}
 			}
 		else
 			{
 			software_name = "Opera";
 			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 			if ( 2 in parts )
 				v = parse(parts[2], host, software_type)$version;
 			}
 		}
 	else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "Unspecified WebKit";
 		parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/);
 		if ( 2 in parts )
 			v = parse(parts[2], host, software_type)$version;
 		}
-	return [$ts=network_time(), $host=host, $name=software_name, $version=v,
+# Defining this here because of a circular dependency between two functions.
-	        $software_type=software_type, $unparsed_version=unparsed_version];
+global parse_mozilla: function(unparsed_version: string): Description;
 	}
 # Don't even try to understand this now, just make sure the tests are 
 # working.
-function parse(unparsed_version: string,
+function parse(unparsed_version: string): Description
 	           host: addr,
 	           software_type: Type): Info
 	{
 	local software_name = "<parse error>";
 	local v: Version;
@ -230,7 +124,7 @@ function parse(unparsed_version: string,
 	# Parse browser-alike versions separately
 	if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version )
 		{
-		return parse_mozilla(unparsed_version, host, software_type);
+		return parse_mozilla(unparsed_version);
 		}
 	else
 		{
@ -255,7 +149,7 @@ function parse(unparsed_version: string,
 			if ( 4 in version_numbers && version_numbers[4] != "" )
 				v$addl = strip(version_numbers[4]);
 			else if ( 3 in version_parts && version_parts[3] != "" &&
-			          version_parts[3] != ")" )
+				  version_parts[3] != ")" )
 				{
 				if ( /^[[:blank:]]*\([a-zA-Z0-9\-\._[:blank:]]*\)/ in version_parts[3] )
 					{
@ -292,9 +186,102 @@ function parse(unparsed_version: string,
 				v$major = extract_count(version_numbers[1]);
 			}
 		}
-	return [$ts=network_time(), $host=host, $name=software_name,
+	
-	        $version=v, $unparsed_version=unparsed_version,
+	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
-	        $software_type=software_type];
+	}
 function parse_mozilla(unparsed_version: string): Description
 	{
 	local software_name = "<unknown browser>";
 	local v: Version;
 	local parts: table[count] of string;
 	if ( /Opera [0-9\.]*$/ in unparsed_version )
 		{
 		software_name = "Opera";
 		parts = split_all(unparsed_version, /Opera [0-9\.]*$/);
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
 	else if ( / MSIE / in unparsed_version )
 		{
 		software_name = "MSIE";
 		if ( /Trident\/4\.0/ in unparsed_version )
 			v = [$major=8,$minor=0];
 		else if ( /Trident\/5\.0/ in unparsed_version )
 			v = [$major=9,$minor=0];
 		else if ( /Trident\/6\.0/ in unparsed_version )
 			v = [$major=10,$minor=0];
 		else
 			{
 			parts = split_all(unparsed_version, /MSIE [0-9]{1,2}\.*[0-9]*b?[0-9]*/);
 			if ( 2 in parts )
 				v = parse(parts[2])$version;
 			}
 		}
 	else if ( /Version\/.*Safari\// in unparsed_version )
 		{
 		software_name = "Safari";
 		parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 		if ( 2 in parts )
 			{
 			v = parse(parts[2])$version;
 			if ( / Mobile\/?.* Safari/ in unparsed_version )
 				v$addl = "Mobile";
 			}
 		}
 	else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
 		{
 		parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
 		if ( 2 in parts )
 			{
 			local tmp_s = parse(parts[2]);
 			software_name = tmp_s$name;
 			v = tmp_s$version;
 			}
 		}
 	else if ( /Chrome\/.*Safari\// in unparsed_version )
 		{
 		software_name = "Chrome";
 		parts = split_all(unparsed_version, /Chrome\/[0-9\.]*/);
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
 	else if ( /^Opera\// in unparsed_version )
 		{
 		if ( /Opera M(ini|obi)\// in unparsed_version )
 			{
 			parts = split_all(unparsed_version, /Opera M(ini|obi)/);
 			if ( 2 in parts )
 				software_name = parts[2];
 			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 			if ( 2 in parts )
 				v = parse(parts[2])$version;
 			else
 				{
 				parts = split_all(unparsed_version, /Opera Mini\/[0-9\.]*/);
 				if ( 2 in parts )
 					v = parse(parts[2])$version;
 				}
 			}
 		else
 			{
 			software_name = "Opera";
 			parts = split_all(unparsed_version, /Version\/[0-9\.]*/);
 			if ( 2 in parts )
 				v = parse(parts[2])$version;
 			}
 		}
 	else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "Unspecified WebKit";
 		parts = split_all(unparsed_version, /AppleWebKit\/[0-9\.]*/);
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
 	return [$version=v, $unparsed_version=unparsed_version, $name=software_name];
 	}
@ -407,6 +394,30 @@ function found(id: conn_id, info: Info): bool
 	{
 	if ( info$force_log || addr_matches_host(info$host, asset_tracking) )
 		{
 		if ( !info?$ts ) 
 			info$ts=network_time();
 		if ( info?$version ) # we have a version number and don't have to parse. check if the name is also set...
 			{
 				if ( ! info?$name ) 
 					{
 					Reporter::error("Required field name not present in Software::found");
 					return F;
 					}
 			}
 		else  # no version present, we have to parse...
 			{
 			if ( !info?$unparsed_version ) 
 				{
 				Reporter::error("No unparsed version string present in Info record with version in Software::found");
 				return F;
 				} 
 			local sw = parse(info$unparsed_version);
 			info$unparsed_version = sw$unparsed_version;
 			info$name = sw$name;
 			info$version = sw$version;
 			}
 		event software_register(id, info);
 		return T;
 		}
--- a/scripts/policy/protocols/ftp/software.bro
+++ b/scripts/policy/protocols/ftp/software.bro
@ -23,7 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
 	{
 	if ( command == "CLNT" )
 		{
-		local si = Software::parse(arg, c$id$orig_h, CLIENT);
+		Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
 		Software::found(c$id, si);
 		}
 	}
--- a/scripts/policy/protocols/http/detect-webapps.bro
+++ b/scripts/policy/protocols/http/detect-webapps.bro
@ -27,7 +27,8 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
 	if ( /^webapp-/ !in state$sig_id ) return;
 	local c = state$conn;
-	local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION);
+	local si = Software::Info;
 	si = [$unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
 	si$url = build_url_http(c$http);
 	if ( c$id$resp_h in Software::tracked &&
 	     si$name in Software::tracked[c$id$resp_h] )
--- a/scripts/policy/protocols/http/software-browser-plugins.bro
+++ b/scripts/policy/protocols/http/software-browser-plugins.bro
@ -27,8 +27,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			# Flash doesn't include it's name so we'll add it here since it 
 			# simplifies the version parsing.
 			value = cat("Flash/", value);
-			local flash_version = Software::parse(value, c$id$orig_h, BROWSER_PLUGIN);
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
 			Software::found(c$id, flash_version);
 			}
 		}
 	else
@ -55,7 +54,7 @@ event log_http(rec: Info)
 			local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/);
 			for ( i in plugins )
-				Software::found(rec$id, Software::parse(plugins[i], rec$id$orig_h, BROWSER_PLUGIN));
+				Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
 			}
 		}
-	}
+	}
--- a/scripts/policy/protocols/http/software.bro
+++ b/scripts/policy/protocols/http/software.bro
@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 	if ( is_orig )
 		{
 		if ( name == "USER-AGENT" && ignored_user_agents !in value )
-			Software::found(c$id, Software::parse(value, c$id$orig_h, BROWSER));
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
 		}
 	else
 		{
 		if ( name == "SERVER" )
-			Software::found(c$id, Software::parse(value, c$id$resp_h, SERVER));
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
 		else if ( name == "X-POWERED-BY" )
-			Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER));
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
 		else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
 			{
 			value = cat("SharePoint/", value);
-			Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER));
+			Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
 			}
 		}
 	}
--- a/scripts/policy/protocols/smtp/software.bro
+++ b/scripts/policy/protocols/smtp/software.bro
@ -75,8 +75,7 @@ event log_smtp(rec: Info)
 		if ( addr_matches_host(rec$id$orig_h,
 		                       detect_clients_in_messages_from) )
 			{
-			local s = Software::parse(rec$user_agent, client_ip, s_type);
+			Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]);
 			Software::found(rec$id, s);
 			}
 		}
 	}
--- a/scripts/policy/protocols/ssh/software.bro
+++ b/scripts/policy/protocols/ssh/software.bro
@ -18,14 +18,12 @@ event ssh_client_version(c: connection, version: string) &priority=4
 	{
 	# Get rid of the protocol information when passing to the software framework.
 	local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
-	local si = Software::parse(cleaned_version, c$id$orig_h, CLIENT);
+	Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]);
 	Software::found(c$id, si);
 	}
 event ssh_server_version(c: connection, version: string) &priority=4
 	{
 	# Get rid of the protocol information when passing to the software framework.
 	local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
-	local si = Software::parse(cleaned_version, c$id$resp_h, SERVER);
+	Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
 	Software::found(c$id, si);
 	}
--- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@ -1,116 +1,116 @@
 # @TEST-EXEC: bro %INPUT > output
 # @TEST-EXEC: btest-diff output
-global ts = network_time();
+module Software;
 global host = 0.0.0.0;
-global matched_software: table[string] of Software::Info = {
+global matched_software: table[string] of Software::Description = {
 	["OpenSSH_4.4"] = 
-		[$name="OpenSSH", $version=[$major=4,$minor=4], $host=host, $ts=ts],
+		[$name="OpenSSH", $version=[$major=4,$minor=4], $unparsed_version=""],
 	["OpenSSH_5.2"] = 
-		[$name="OpenSSH", $version=[$major=5,$minor=2], $host=host, $ts=ts],
+		[$name="OpenSSH", $version=[$major=5,$minor=2], $unparsed_version=""],
 	["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] =
-		[$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $host=host, $ts=ts],
+		[$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $unparsed_version=""],
 	["Apache/1.3.19 (Unix)"] =
-		[$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $host=host, $ts=ts],
+		[$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $unparsed_version=""],
 	["ProFTPD 1.2.5rc1 Server (Debian)"] =
-		[$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $host=host, $ts=ts],
+		[$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc1"], $unparsed_version=""],
 	["wu-2.4.2-academ[BETA-18-VR14](1)"] = 
-		[$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $host=host, $ts=ts],
+		[$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $unparsed_version=""],
 	["wu-2.6.2(1)"] =
-		[$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $host=host, $ts=ts],
+		[$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $unparsed_version=""],
 	["Java1.2.2-JDeveloper"] =
-		[$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $host=host, $ts=ts],
+		[$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $unparsed_version=""],
 	["Java/1.6.0_13"] = 
-		[$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $host=host, $ts=ts],
+		[$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $unparsed_version=""],
 	["Python-urllib/3.1"] = 
-		[$name="Python-urllib", $version=[$major=3,$minor=1], $host=host, $ts=ts],
+		[$name="Python-urllib", $version=[$major=3,$minor=1], $unparsed_version=""],
 	["libwww-perl/5.820"] = 
-		[$name="libwww-perl", $version=[$major=5,$minor=820], $host=host, $ts=ts],
+		[$name="libwww-perl", $version=[$major=5,$minor=820], $unparsed_version=""],
 	["Wget/1.9+cvs-stable (Red Hat modified)"] = 
-		[$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $host=host, $ts=ts],
+		[$name="Wget", $version=[$major=1,$minor=9,$addl="+cvs"], $unparsed_version=""],
 	["Wget/1.11.4 (Red Hat modified)"] = 
-		[$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $host=host, $ts=ts],
+		[$name="Wget", $version=[$major=1,$minor=11,$minor2=4,$addl="Red Hat modified"], $unparsed_version=""],
 	["curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18"] =
-		[$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $host=host, $ts=ts],
+		[$name="curl", $version=[$major=7,$minor=15,$minor2=1,$addl="i486-pc-linux-gnu"], $unparsed_version=""],
 	["Apache"] = 
-		[$name="Apache", $host=host, $ts=ts],
+		[$name="Apache", $unparsed_version=""],
 	["Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown"] =
-		[$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $host=host, $ts=ts],
+		[$name="Zope/(Zope", $version=[$major=2,$minor=7,$minor2=8,$addl="final"], $unparsed_version=""],
 	["The Bat! (v2.00.9) Personal"] =
-		[$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $host=host, $ts=ts],
+		[$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""],
 	["Flash/10,2,153,1"] =
-		[$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $host=host, $ts=ts],
+		[$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$addl="1"], $unparsed_version=""],
 	["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = 
-		[$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $host=host, $ts=ts],
+		[$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$addl="967"], $unparsed_version=""],
 	["CacheFlyServe v26b"] =
-		[$name="CacheFlyServe", $version=[$major=26,$addl="b"], $host=host, $ts=ts],
+		[$name="CacheFlyServe", $version=[$major=26,$addl="b"], $unparsed_version=""],
 	["Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4"] =
-		[$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $host=host, $ts=ts],
+		[$name="Apache", $version=[$major=2,$minor=0,$minor2=46,$addl="Win32"], $unparsed_version=""],
 	# I have no clue how I'd support this without a special case.
 	#["Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635"] =
-	#	[$name="Apache", $version=[], $host=host, $ts=ts],
+	#	[$name="Apache", $version=[], $unparsed_version=""],
 	["Apple iPhone v4.3.1 Weather v1.0.0.8G4"] =
-		[$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $host=host, $ts=ts],
+		[$name="Apple iPhone", $version=[$major=4,$minor=3,$minor2=1,$addl="Weather"], $unparsed_version=""],
 	["Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5"] =
-		[$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $host=host, $ts=ts],
+		[$name="Safari", $version=[$major=5,$minor=0,$minor2=2,$addl="Mobile"], $unparsed_version=""],
 	["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16"] = 
-		[$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $host=host, $ts=ts],
+		[$name="Chrome", $version=[$major=10,$minor=0,$minor2=648,$addl="205"], $unparsed_version=""],
 	["Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01"] =
-		[$name="Opera", $version=[$major=11,$minor=1], $host=host, $ts=ts],
+		[$name="Opera", $version=[$major=11,$minor=1], $unparsed_version=""],
 	["Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5"] =
-		[$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $host=host, $ts=ts],
+		[$name="Thunderbird", $version=[$major=3,$minor=1,$minor2=5], $unparsed_version=""],
 	["iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9"] = 
-		[$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $host=host, $ts=ts],
+		[$name="iTunes", $version=[$major=9,$minor=0,$addl="Macintosh"], $unparsed_version=""],
 	["Java1.3.1_04"] =
-		[$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $host=host, $ts=ts],
+		[$name="Java", $version=[$major=1,$minor=3,$minor2=1,$addl="04"], $unparsed_version=""],
 	["Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"] = 
-		[$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $host=host, $ts=ts],
+		[$name="Safari", $version=[$major=4,$minor=0,$addl="Mobile"], $unparsed_version=""],
 	["Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"] =
-		[$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $host=host, $ts=ts],
+		[$name="Safari", $version=[$major=5,$minor=0,$minor2=4], $unparsed_version=""],
 	["Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7"] = 
-		[$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $host=host, $ts=ts],
+		[$name="Safari", $version=[$major=4,$minor=0,$minor2=5,$addl="Mobile"], $unparsed_version=""],
 	["Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54"] = 
-		[$name="Opera Mini", $version=[$major=10,$minor=54], $host=host, $ts=ts],
+		[$name="Opera Mini", $version=[$major=10,$minor=54], $unparsed_version=""],
 	["Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15"] =
-		[$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $host=host, $ts=ts],
+		[$name="Opera Mini", $version=[$major=5,$minor=0,$minor2=18741], $unparsed_version=""],
 	["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] =
-		[$name="Opera Mobi", $version=[$major=10,$minor=0], $host=host, $ts=ts],
+		[$name="Opera Mobi", $version=[$major=10,$minor=0], $unparsed_version=""],
 	["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] =
-		[$name="Opera", $version=[$major=11,$minor=0], $host=host, $ts=ts],
+		[$name="Opera", $version=[$major=11,$minor=0], $unparsed_version=""],
 	["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] =
-		[$name="Netscape", $version=[$major=7,$minor=2], $host=host, $ts=ts],
+		[$name="Netscape", $version=[$major=7,$minor=2], $unparsed_version=""],
 	["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] =
-		[$name="MSIE", $version=[$major=7,$minor=0], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=7,$minor=0], $unparsed_version=""],
 	["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] =
-		[$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $unparsed_version=""],
 	["Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3)"] =
-		[$name="MSIE", $version=[$major=8,$minor=0], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=8,$minor=0], $unparsed_version=""],
 	["Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"] =
-		[$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""],
 	["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02)"] =
-		[$name="MSIE", $version=[$major=9,$minor=0], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=9,$minor=0], $unparsed_version=""],
 	["Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"] =
-		[$name="MSIE", $version=[$major=10,$minor=0], $host=host, $ts=ts],
+		[$name="MSIE", $version=[$major=10,$minor=0], $unparsed_version=""],
 	["The Bat! (3.0.1 RC3) Professional"] =
-		[$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $host=host, $ts=ts],
+		[$name="The Bat!", $version=[$major=3,$minor=0,$minor2=1,$addl="RC3"], $unparsed_version=""],
 	# This is an FTP client (found with CLNT command)
 	["Total Commander"] =
-		[$name="Total Commander", $version=[], $host=host, $ts=ts],
+		[$name="Total Commander", $version=[], $unparsed_version=""],
 	["(vsFTPd 2.0.5)"] =
-		[$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $host=host, $ts=ts],
+		[$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $unparsed_version=""],
 	["Apple Mail (2.1084)"] = 
-		[$name="Apple Mail", $version=[$major=2,$minor=1084], $host=host, $ts=ts],
+		[$name="Apple Mail", $version=[$major=2,$minor=1084], $unparsed_version=""],
 };
 event bro_init()
 	{
 	for ( sw in matched_software )
 		{
-		local output = Software::parse(sw, host, Software::UNKNOWN);
+		local output = Software::parse(sw);
-		local baseline: Software::Info;
+		local baseline = matched_software[sw];
-		baseline = matched_software[sw];
+		
 		if ( baseline$name == output$name &&
 		     sw == output$unparsed_version &&
 		     Software::cmp_versions(baseline$version,output$version) == 0 )
 			print fmt("success on: %s", sw);
 		else