Removing event groups.

doc/scripts/DocSourcesList.cmake

@@ -25,6 +25,7 @@ rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/protocols/http/functions.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/protocols/ssl/events.bif.bro)
+rest_target(${CMAKE_BINARY_DIR}/src base/protocols/syslog/events.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
@@ -134,7 +135,6 @@ rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
 rest_target(${psd} policy/integration/collective-intel/main.bro)
-rest_target(${psd} policy/misc/analysis-groups.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)

scripts/policy/misc/analysis-groups.bro

@@ -1,31 +0,0 @@
-##! This script gives the capability to selectively enable and disable event 
-##! groups at runtime. No events will be raised for all members of a disabled
-##! event group.
-
-module AnalysisGroups;
-
-export {
-	## By default, all event groups are enabled. 
-	## We disable all groups in this table.
-	const disabled: set[string] &redef;
-}
-
-# Set to remember all groups which were disabled by the last update.
-global currently_disabled: set[string];
-
-# This is the event that the control framework uses when it needs to indicate
-# that an update control action happened.
-event Control::configuration_update()
-	{
-	# Reenable those which are not to be disabled anymore.
-	for ( g in currently_disabled )
-		if ( g !in disabled ) 
-			enable_event_group(g);
-	
-	# Disable those which are not already disabled.
-	for ( g in disabled )
-		if ( g !in currently_disabled )
-			disable_event_group(g);
-	
-	currently_disabled = copy(disabled);
-	}

scripts/test-all-policy.bro

@@ -34,7 +34,6 @@
 @load integration/barnyard2/types.bro
 @load integration/collective-intel/__load__.bro
 @load integration/collective-intel/main.bro
-@load misc/analysis-groups.bro
 @load misc/capture-loss.bro
 @load misc/loaded-scripts.bro
 @load misc/profiling.bro

src/EventHandler.cc

@@ -10,7 +10,6 @@ EventHandler::EventHandler(const char* arg_name)
 	used = false;
 	local = 0;
 	type = 0;
-	group = 0;
 	error_handler = false;
 	enabled = true;
 	}
@@ -19,7 +18,6 @@ EventHandler::~EventHandler()
 	{
 	Unref(local);
 	delete [] name;
-	delete [] group;
 	}
 
 EventHandler::operator bool() const

src/EventHandler.h

@@ -41,10 +41,6 @@ public:
 	void SetErrorHandler()	{ error_handler = true; }
 	bool ErrorHandler()	{ return error_handler; }
 
-	const char* Group()	{ return group; }
-	void SetGroup(const char* arg_group)
-				{ group = copy_string(arg_group); }
-
 	void SetEnable(bool arg_enable)	{ enabled = arg_enable; }
 
 	// We don't serialize the handler(s) itself here, but
@@ -54,7 +50,6 @@ public:
 
 private:
 	const char* name;
-	const char* group;
 	Func* local;
 	FuncType* type;
 	bool used;		// this handler is indeed used somewhere

src/EventRegistry.cc

@@ -85,17 +85,6 @@ void EventRegistry::PrintDebug()
 		}
 	}
 
-void EventRegistry::SetGroup(const char* name, const char* group)
-	{
-	return; // FIXME. THis triggers the error below for plugin events.
-
-	EventHandler* eh = Lookup(name);
-	if ( ! eh )
-		reporter->InternalError("unknown event handler %s in SetGroup()", name);
-
-	eh->SetGroup(group);
-	}
-
 void EventRegistry::SetErrorHandler(const char* name)
 	{
 	EventHandler* eh = Lookup(name);
@@ -105,18 +94,3 @@ void EventRegistry::SetErrorHandler(const char* name)
 	eh->SetErrorHandler();
 	}
 
-void EventRegistry::EnableGroup(const char* group, bool enable)
-	{
-	IterCookie* c = handlers.InitForIteration();
-
-	HashKey* k;
-	EventHandler* v;
-	while ( (v = handlers.NextEntry(k, c)) )
-		{
-		delete k;
-
-		if ( v->Group() && strcmp(v->Group(), group) == 0 )
-			v->SetEnable(enable);
-		}
-	}
-

src/EventRegistry.h

@@ -26,17 +26,11 @@ public:
 	typedef PList(constchar) string_list;
 	string_list* Match(RE_Matcher* pattern);
 
-	// Associates a group with the given event.
-	void SetGroup(const char* name, const char* group);
-
 	// Marks a handler as handling errors. Error handler will not be called
 	// recursively to avoid infinite loops in case they trigger an error
 	// themselves.
 	void SetErrorHandler(const char* name);
 
-	// Enable/disable all members of the group.
-	void EnableGroup(const char* group, bool enable);
-
 	string_list* UnusedHandlers();
 	string_list* UsedHandlers();
 	void PrintDebug();

src/ID.cc

@@ -221,21 +221,7 @@ void ID::UpdateValAttrs()
 
 	if ( Type()->Tag() == TYPE_FUNC )
 		{
-		Attr* attr = attrs->FindAttr(ATTR_GROUP);
+		Attr* attr = attrs->FindAttr(ATTR_ERROR_HANDLER);
-
-		if ( attr )
-			{
-			Val* group = attr->AttrExpr()->ExprVal();
-			if ( group )
-				{
-				if ( group->Type()->Tag() == TYPE_STRING )
-					event_registry->SetGroup(Name(), group->AsString()->CheckString());
-				else
-					Error("&group attribute takes string");
-				}
-			}
-
-		attr = attrs->FindAttr(ATTR_ERROR_HANDLER);
 
 		if ( attr )
 			event_registry->SetErrorHandler(Name());

src/bro.bif

@@ -4342,31 +4342,6 @@ function skip_smtp_data%(c: connection%): any
 	return 0;
 	%}
 
-## Enables all event handlers in a given group. One can tag event handlers with
-## the :bro:attr:`&group` attribute to logically group them together, e.g,
-## ``event foo() &group="bar"``. This function enables all event handlers that
-## belong to such a group.
-##
-## group: The group.
-##
-## .. bro:see:: disable_event_group
-function enable_event_group%(group: string%) : any
-	%{
-	event_registry->EnableGroup(group->CheckString(), true);
-	return 0;
-	%}
-
-## Disables all event handlers in a given group.
-##
-## group: The group.
-##
-## .. bro:see:: enable_event_group
-function disable_event_group%(group: string%) : any
-	%{
-	event_registry->EnableGroup(group->CheckString(), false);
-	return 0;
-	%}
-
 # ===========================================================================
 #
 #                            Files and Directories

src/event.bif

@@ -2219,7 +2219,7 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ##
 ## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
 ##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
-event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
+event ftp_request%(c: connection, command: string, arg: string%);
 
 ## Generated for server-side FTP replies.
 ##
@@ -2239,7 +2239,7 @@ event ftp_request%(c: connection, command: string, arg: string%) &group="ftp";
 ##
 ## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
 ##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
-event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &group="ftp";
+event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
 
 ## Generated for client-side SMTP commands.
 ##
@@ -2264,7 +2264,7 @@ event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%) &gro
 ##    smtp_data smtp_reply
 ##
 ## .. note:: Bro does not support the newer ETRN extension yet.
-event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%) &group="smtp";
+event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
 
 ## Generated for server-side SMTP commands.
 ##
@@ -2295,7 +2295,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
 ##    smtp_data  smtp_request
 ##
 ## .. note:: Bro doesn't support the newer ETRN extension yet.
-event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%) &group="smtp";
+event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
 
 ## Generated for DATA transmitted on SMTP sessions. This event is raised for
 ## subsequent chunks of raw data following the ``DATA`` SMTP command until the
@@ -2320,7 +2320,7 @@ event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: s
 ## .. note:: This event receives the unprocessed raw data. There is a separate
 ##    set of ``mime_*`` events that strip out the outer MIME-layer of emails and
 ##    provide structured access to their content.
-event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
+event smtp_data%(c: connection, is_orig: bool, data: string%);
 
 ## Generated for unexpected activity on SMTP sessions. The SMTP analyzer tracks
 ## the state of SMTP sessions and reports commands and other activity with this
@@ -2340,7 +2340,7 @@ event smtp_data%(c: connection, is_orig: bool, data: string%) &group="smtp";
 ## detail: The actual SMTP line triggering the event.
 ##
 ## .. bro:see:: smtp_data  smtp_request smtp_reply
-event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%) &group="smtp";
+event smtp_unexpected%(c: connection, is_orig: bool, msg: string, detail: string%);
 
 ## Generated when starting to parse an email MIME entity. MIME is a
 ## protocol-independent data format for encoding text and files, along with
@@ -4014,7 +4014,7 @@ event smb_error%(c: connection, hdr: smb_hdr, cmd: count, cmd_str: string, data:
 ##    dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
 ##    dns_request non_dns_request  dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &group="dns";
+event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 
 ## Generated for DNS requests. For requests with multiple queries, this event
 ## is raised once for each.
@@ -4041,7 +4041,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%) &gro
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
+event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
 
 ## Generated for DNS replies that reject a query. This event is raised if a DNS
 ## reply either indicates failure via its status code or does not pass on any
@@ -4070,7 +4070,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%) &group="dns";
+event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
 
 ## Generated for DNS replies with an *ok* status code but no question section.
 ##
@@ -4097,7 +4097,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_query_reply%(c: connection, msg: dns_msg, query: string,
-			qtype: count, qclass: count%) &group="dns";
+			qtype: count, qclass: count%);
 
 ## Generated when the DNS analyzer processes what seems to be a non-DNS packet.
 ##
@@ -4108,7 +4108,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ##
 ## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
 ##    detection framework.
-event non_dns_request%(c: connection, msg: string%) &group="dns";
+event non_dns_request%(c: connection, msg: string%);
 
 ## Generated for DNS replies of type *A*. For replies with multiple answers, an
 ## individual event of the corresponding type is raised for each.
@@ -4133,7 +4133,7 @@ event non_dns_request%(c: connection, msg: string%) &group="dns";
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
+event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 
 ## Generated for DNS replies of type *AAAA*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4158,7 +4158,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &grou
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
+event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 
 ## Generated for DNS replies of type *A6*. For replies with multiple answers, an
 ## individual event of the corresponding type is raised for each.
@@ -4183,7 +4183,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &g
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &group="dns";
+event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 
 ## Generated for DNS replies of type *NS*. For replies with multiple answers, an
 ## individual event of the corresponding type is raised for each.
@@ -4208,7 +4208,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%) &gro
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
 
 ## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4233,7 +4233,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
 
 ## Generated for DNS replies of type *PTR*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4258,7 +4258,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%) &group="dns";
+event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
 
 ## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4283,7 +4283,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%) &group="dns";
+event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
 
 ## Generated for DNS replies of type *WKS*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4306,7 +4306,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
 ## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4329,7 +4329,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
 ## Generated for DNS replies of type *MX*. For replies with multiple answers, an
 ## individual event of the corresponding type is raised for each.
@@ -4356,7 +4356,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dn
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%) &group="dns";
+event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
 
 ## Generated for DNS replies of type *TXT*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4381,7 +4381,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%) &group="dns";
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
 
 ## Generated for DNS replies of type *SRV*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4404,7 +4404,7 @@ event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%)
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns";
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
 ## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4427,7 +4427,7 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%) &group="dns"
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &group="dns";
+event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 
 ## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
@@ -4450,7 +4450,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%) &gr
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &group="dns";
+event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
 
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
@@ -4472,7 +4472,7 @@ event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%) &gr
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
-event dns_end%(c: connection, msg: dns_msg%) &group="dns";
+event dns_end%(c: connection, msg: dns_msg%);
 
 ## Generated for DHCP messages of type *discover*.
 ##
@@ -6610,7 +6610,7 @@ event gaobot_signature_found%(c: connection%);
 ##
 ## .. todo:: Unclear what this event is for; it's never raised. We should just
 ##    remove it.
-event dns_full_request%(%) &group="dns";
+event dns_full_request%(%);
 
 ## Deprecated. Will be removed.
 event anonymization_mapping%(orig: addr, mapped: addr%);

src/parse.y

@@ -2,7 +2,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 %}
 
-%expect 88
+%expect 85
 
 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY
 %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF
@@ -23,7 +23,7 @@
 %token TOK_ATTR_EXPIRE_CREATE TOK_ATTR_EXPIRE_READ TOK_ATTR_EXPIRE_WRITE
 %token TOK_ATTR_PERSISTENT TOK_ATTR_SYNCHRONIZED
 %token TOK_ATTR_RAW_OUTPUT TOK_ATTR_MERGEABLE
-%token TOK_ATTR_PRIORITY TOK_ATTR_GROUP TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
+%token TOK_ATTR_PRIORITY TOK_ATTR_LOG TOK_ATTR_ERROR_HANDLER
 %token TOK_ATTR_TYPE_COLUMN
 
 %token TOK_DEBUG
@@ -1362,8 +1362,6 @@ attr:
 			{ $$ = new Attr(ATTR_MERGEABLE); }
 	|	TOK_ATTR_PRIORITY '=' expr
 			{ $$ = new Attr(ATTR_PRIORITY, $3); }
-	|	TOK_ATTR_GROUP '=' expr
-			{ $$ = new Attr(ATTR_GROUP, $3); }
 	|	TOK_ATTR_TYPE_COLUMN '=' expr
 			{ $$ = new Attr(ATTR_TYPE_COLUMN, $3); }
 	|	TOK_ATTR_LOG

src/protocols/http/events.bif

@@ -20,7 +20,7 @@
 ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ##    http_entity_data http_event http_header http_message_done ply http_stats
 ##    truncate_http_URI
-event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%) &group="http-request";
+event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
 
 ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
@@ -41,7 +41,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ##    http_entity_data http_event http_header http_message_done http_request
 ##    http_stats
-event http_reply%(c: connection, version: string, code: count, reason: string%) &group="http-reply";
+event http_reply%(c: connection, version: string, code: count, reason: string%);
 
 ## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
@@ -64,7 +64,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%)
 ##
 ## .. note:: This event is also raised for headers found in nested body
 ##    entities.
-event http_header%(c: connection, is_orig: bool, name: string, value: string%) &group="http-header";
+event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 
 ## Generated for HTTP headers, passing on all headers of an HTTP message at
 ## once. Bro supports persistent and pipelined HTTP sessions and raises
@@ -86,7 +86,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%) &
 ##
 ## .. note:: This event is also raised for headers found in nested body
 ##    entities.
-event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%) &group="http-header";
+event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 
 ## Generated when starting to parse an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
@@ -105,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%)
 ## .. bro:see:: http_all_headers  http_content_type http_end_entity http_entity_data
 ##    http_event http_header http_message_done http_reply http_request http_stats
 ##    mime_begin_entity
-event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
+event http_begin_entity%(c: connection, is_orig: bool%);
 
 ## Generated when finishing parsing an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
@@ -124,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%) &group="http-body";
 ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data
 ##    http_event http_header http_message_done http_reply http_request
 ##    http_stats   mime_end_entity
-event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
+event http_end_entity%(c: connection, is_orig: bool%);
 
 ## Generated when parsing an HTTP body entity, passing on the data. This event
 ## can potentially be raised many times for each entity, each time passing a
@@ -152,7 +152,7 @@ event http_end_entity%(c: connection, is_orig: bool%) &group="http-body";
 ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ##    http_event http_header http_message_done http_reply http_request http_stats
 ##    mime_entity_data http_entity_data_delivery_size skip_http_data
-event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%) &group="http-body";
+event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%);
 
 ## Generated for reporting an HTTP body's content type.  This event is
 ## generated at the end of parsing an HTTP header, passing on the MIME
@@ -176,7 +176,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##
 ## .. note:: This event is also raised for headers found in nested body
 ##    entities.
-event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%) &group="http-body";
+event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
 
 ## Generated once at the end of parsing an HTTP message. Bro supports persistent
 ## and pipelined HTTP sessions and raises corresponding events as it parses
@@ -198,7 +198,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string
 ##
 ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity
 ##    http_entity_data http_event http_header  http_reply http_request http_stats
-event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) &group="http-body";
+event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%);
 
 ## Generated for errors found when decoding HTTP requests or replies.
 ##

src/scan.l

@@ -332,7 +332,6 @@ when	return TOK_WHEN;
 &encrypt	return TOK_ATTR_ENCRYPT;
 &error_handler	return TOK_ATTR_ERROR_HANDLER;
 &expire_func	return TOK_ATTR_EXPIRE_FUNC;
-&group		return TOK_ATTR_GROUP;
 &log		return TOK_ATTR_LOG;
 &mergeable	return TOK_ATTR_MERGEABLE;
 &optional	return TOK_ATTR_OPTIONAL;

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-04-01-19-44-31
+#open	2013-04-09-22-37-59
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -36,5 +36,6 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/./HTTP.events.bif.bro
     build/scripts/base/bif/plugins/./HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/./SSL.events.bif.bro
+    build/scripts/base/bif/plugins/./Syslog.events.bif.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-04-01-19-44-31
+#close	2013-04-09-22-37-59

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-04-01-19-44-38
+#open	2013-04-09-22-38-15
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@@ -36,6 +36,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/./HTTP.events.bif.bro
     build/scripts/base/bif/plugins/./HTTP.functions.bif.bro
     build/scripts/base/bif/plugins/./SSL.events.bif.bro
+    build/scripts/base/bif/plugins/./Syslog.events.bif.bro
 scripts/base/init-default.bro
   scripts/base/utils/site.bro
     scripts/base/utils/./patterns.bro
@@ -126,4 +127,4 @@ scripts/base/init-default.bro
     scripts/base/protocols/syslog/./main.bro
   scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-04-01-19-44-38
+#close	2013-04-09-22-38-15