Merge remote-tracking branch 'origin/topic/seth/metrics-merge' into topic/bernhard/hyperloglog-with-measurement

Conflicts: scripts/base/frameworks/sumstats/plugins/__load__.bro
2025-10-04 07:38:19 +00:00 · 2013-04-23 15:27:17 -07:00 · 2013-04-23 15:27:17 -07:00 · 567fee6439
commit 567fee6439
parent 6e532e8960 2c689b7f40
16 changed files with 35 additions and 264 deletions
--- a/DocSourcesList.cmake
+++ b/DocSourcesList.cmake
@ -1,187 +0,0 @@
 # DO NOT EDIT
 # This file is auto-generated from the genDocSourcesList.sh script.
 #
 # This is a list of Bro script sources for which to generate reST documentation.
 # It will be included inline in the CMakeLists.txt found in the same directory
 # in order to create Makefile targets that define how to generate reST from
 # a given Bro script.
 #
 # Note: any path prefix of the script (2nd argument of rest_target macro)
 # will be used to derive what path under scripts/ the generated documentation
 # will be placed.
 set(psd ${PROJECT_SOURCE_DIR}/scripts)
 rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro internal)
 rest_target(${psd} base/init-default.bro internal)
 rest_target(${psd} base/init-bare.bro internal)
 rest_target(${CMAKE_BINARY_DIR}/src base/bro.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/const.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/event.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/input.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/logging.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/reporter.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/strings.bif.bro)
 rest_target(${CMAKE_BINARY_DIR}/src base/types.bif.bro)
 rest_target(${psd} base/frameworks/cluster/main.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/manager.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/proxy.bro)
 rest_target(${psd} base/frameworks/cluster/nodes/worker.bro)
 rest_target(${psd} base/frameworks/cluster/setup-connections.bro)
 rest_target(${psd} base/frameworks/communication/main.bro)
 rest_target(${psd} base/frameworks/control/main.bro)
 rest_target(${psd} base/frameworks/dpd/main.bro)
 rest_target(${psd} base/frameworks/input/main.bro)
 rest_target(${psd} base/frameworks/input/readers/ascii.bro)
 rest_target(${psd} base/frameworks/input/readers/benchmark.bro)
 rest_target(${psd} base/frameworks/input/readers/raw.bro)
 rest_target(${psd} base/frameworks/intel/cluster.bro)
 rest_target(${psd} base/frameworks/intel/input.bro)
 rest_target(${psd} base/frameworks/intel/main.bro)
 rest_target(${psd} base/frameworks/logging/main.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/scp.bro)
 rest_target(${psd} base/frameworks/logging/postprocessors/sftp.bro)
 rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
 rest_target(${psd} base/frameworks/logging/writers/dataseries.bro)
 rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro)
 rest_target(${psd} base/frameworks/logging/writers/none.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
 rest_target(${psd} base/frameworks/notice/actions/page.bro)
 rest_target(${psd} base/frameworks/notice/actions/pp-alarms.bro)
 rest_target(${psd} base/frameworks/notice/cluster.bro)
 rest_target(${psd} base/frameworks/notice/extend-email/hostnames.bro)
 rest_target(${psd} base/frameworks/notice/main.bro)
 rest_target(${psd} base/frameworks/notice/non-cluster.bro)
 rest_target(${psd} base/frameworks/notice/weird.bro)
 rest_target(${psd} base/frameworks/packet-filter/main.bro)
 rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
 rest_target(${psd} base/frameworks/sumstats/cluster.bro)
 rest_target(${psd} base/frameworks/sumstats/main.bro)
 rest_target(${psd} base/frameworks/sumstats/non-cluster.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/average.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/max.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/min.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/sample.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/std-dev.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/sum.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/unique.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/variance.bro)
 rest_target(${psd} base/frameworks/tunnels/main.bro)
 rest_target(${psd} base/misc/find-checksum-offloading.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
 rest_target(${psd} base/protocols/conn/inactivity.bro)
 rest_target(${psd} base/protocols/conn/main.bro)
 rest_target(${psd} base/protocols/conn/polling.bro)
 rest_target(${psd} base/protocols/dns/consts.bro)
 rest_target(${psd} base/protocols/dns/main.bro)
 rest_target(${psd} base/protocols/ftp/file-extract.bro)
 rest_target(${psd} base/protocols/ftp/gridftp.bro)
 rest_target(${psd} base/protocols/ftp/main.bro)
 rest_target(${psd} base/protocols/ftp/utils-commands.bro)
 rest_target(${psd} base/protocols/http/file-extract.bro)
 rest_target(${psd} base/protocols/http/file-hash.bro)
 rest_target(${psd} base/protocols/http/file-ident.bro)
 rest_target(${psd} base/protocols/http/main.bro)
 rest_target(${psd} base/protocols/http/utils.bro)
 rest_target(${psd} base/protocols/irc/dcc-send.bro)
 rest_target(${psd} base/protocols/irc/main.bro)
 rest_target(${psd} base/protocols/modbus/consts.bro)
 rest_target(${psd} base/protocols/modbus/main.bro)
 rest_target(${psd} base/protocols/smtp/entities-excerpt.bro)
 rest_target(${psd} base/protocols/smtp/entities.bro)
 rest_target(${psd} base/protocols/smtp/main.bro)
 rest_target(${psd} base/protocols/socks/consts.bro)
 rest_target(${psd} base/protocols/socks/main.bro)
 rest_target(${psd} base/protocols/ssh/main.bro)
 rest_target(${psd} base/protocols/ssl/consts.bro)
 rest_target(${psd} base/protocols/ssl/main.bro)
 rest_target(${psd} base/protocols/ssl/mozilla-ca-list.bro)
 rest_target(${psd} base/protocols/syslog/consts.bro)
 rest_target(${psd} base/protocols/syslog/main.bro)
 rest_target(${psd} base/utils/addrs.bro)
 rest_target(${psd} base/utils/conn-ids.bro)
 rest_target(${psd} base/utils/directions-and-hosts.bro)
 rest_target(${psd} base/utils/files.bro)
 rest_target(${psd} base/utils/numbers.bro)
 rest_target(${psd} base/utils/paths.bro)
 rest_target(${psd} base/utils/patterns.bro)
 rest_target(${psd} base/utils/queue.bro)
 rest_target(${psd} base/utils/site.bro)
 rest_target(${psd} base/utils/strings.bro)
 rest_target(${psd} base/utils/thresholds.bro)
 rest_target(${psd} base/utils/time.bro)
 rest_target(${psd} base/utils/urls.bro)
 rest_target(${psd} policy/frameworks/communication/listen.bro)
 rest_target(${psd} policy/frameworks/control/controllee.bro)
 rest_target(${psd} policy/frameworks/control/controller.bro)
 rest_target(${psd} policy/frameworks/dpd/detect-protocols.bro)
 rest_target(${psd} policy/frameworks/dpd/packet-segment-logging.bro)
 rest_target(${psd} policy/frameworks/intel/conn-established.bro)
 rest_target(${psd} policy/frameworks/intel/dns.bro)
 rest_target(${psd} policy/frameworks/intel/http-host-header.bro)
 rest_target(${psd} policy/frameworks/intel/http-url.bro)
 rest_target(${psd} policy/frameworks/intel/http-user-agents.bro)
 rest_target(${psd} policy/frameworks/intel/smtp-url-extraction.bro)
 rest_target(${psd} policy/frameworks/intel/smtp.bro)
 rest_target(${psd} policy/frameworks/intel/ssl.bro)
 rest_target(${psd} policy/frameworks/intel/where-locations.bro)
 rest_target(${psd} policy/frameworks/software/version-changes.bro)
 rest_target(${psd} policy/frameworks/software/vulnerable.bro)
 rest_target(${psd} policy/integration/barnyard2/main.bro)
 rest_target(${psd} policy/integration/barnyard2/types.bro)
 rest_target(${psd} policy/integration/collective-intel/main.bro)
 rest_target(${psd} policy/misc/analysis-groups.bro)
 rest_target(${psd} policy/misc/app-metrics.bro)
 rest_target(${psd} policy/misc/capture-loss.bro)
 rest_target(${psd} policy/misc/detect-traceroute/main.bro)
 rest_target(${psd} policy/misc/loaded-scripts.bro)
 rest_target(${psd} policy/misc/profiling.bro)
 rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
 rest_target(${psd} policy/protocols/ftp/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ftp/detect.bro)
 rest_target(${psd} policy/protocols/ftp/software.bro)
 rest_target(${psd} policy/protocols/http/detect-MHR.bro)
 rest_target(${psd} policy/protocols/http/detect-sqli.bro)
 rest_target(${psd} policy/protocols/http/detect-webapps.bro)
 rest_target(${psd} policy/protocols/http/header-names.bro)
 rest_target(${psd} policy/protocols/http/software-browser-plugins.bro)
 rest_target(${psd} policy/protocols/http/software.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-cookies.bro)
 rest_target(${psd} policy/protocols/http/var-extraction-uri.bro)
 rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
 rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
 rest_target(${psd} policy/protocols/ssh/interesting-hostnames.bro)
 rest_target(${psd} policy/protocols/ssh/software.bro)
 rest_target(${psd} policy/protocols/ssl/cert-hash.bro)
 rest_target(${psd} policy/protocols/ssl/expiring-certs.bro)
 rest_target(${psd} policy/protocols/ssl/extract-certs-pem.bro)
 rest_target(${psd} policy/protocols/ssl/known-certs.bro)
 rest_target(${psd} policy/protocols/ssl/notary.bro)
 rest_target(${psd} policy/protocols/ssl/validate-certs.bro)
 rest_target(${psd} policy/tuning/defaults/packet-fragments.bro)
 rest_target(${psd} policy/tuning/defaults/warnings.bro)
 rest_target(${psd} policy/tuning/logs-to-elasticsearch.bro)
 rest_target(${psd} policy/tuning/track-all-assets.bro)
 rest_target(${psd} site/local-manager.bro)
 rest_target(${psd} site/local-proxy.bro)
 rest_target(${psd} site/local-worker.bro)
 rest_target(${psd} site/local.bro)
 rest_target(${psd} test-all-policy.bro)
--- a/doc/scripts/DocSourcesList.cmake
+++ b/doc/scripts/DocSourcesList.cmake
@ -46,17 +46,6 @@ rest_target(${psd} base/frameworks/logging/writers/ascii.bro)
 rest_target(${psd} base/frameworks/logging/writers/dataseries.bro)
 rest_target(${psd} base/frameworks/logging/writers/elasticsearch.bro)
 rest_target(${psd} base/frameworks/logging/writers/none.bro)
 rest_target(${psd} base/frameworks/measurement/cluster.bro)
 rest_target(${psd} base/frameworks/measurement/main.bro)
 rest_target(${psd} base/frameworks/measurement/non-cluster.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/average.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/max.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/min.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/sample.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/std-dev.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/sum.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/unique.bro)
 rest_target(${psd} base/frameworks/measurement/plugins/variance.bro)
 rest_target(${psd} base/frameworks/notice/actions/add-geodata.bro)
 rest_target(${psd} base/frameworks/notice/actions/drop.bro)
 rest_target(${psd} base/frameworks/notice/actions/email_admin.bro)
@ -72,6 +61,17 @@ rest_target(${psd} base/frameworks/packet-filter/netstats.bro)
 rest_target(${psd} base/frameworks/reporter/main.bro)
 rest_target(${psd} base/frameworks/signatures/main.bro)
 rest_target(${psd} base/frameworks/software/main.bro)
 rest_target(${psd} base/frameworks/sumstats/cluster.bro)
 rest_target(${psd} base/frameworks/sumstats/main.bro)
 rest_target(${psd} base/frameworks/sumstats/non-cluster.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/average.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/max.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/min.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/sample.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/std-dev.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/sum.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/unique.bro)
 rest_target(${psd} base/frameworks/sumstats/plugins/variance.bro)
 rest_target(${psd} base/frameworks/tunnels/main.bro)
 rest_target(${psd} base/misc/find-checksum-offloading.bro)
 rest_target(${psd} base/protocols/conn/contents.bro)
@ -145,10 +145,8 @@ rest_target(${psd} policy/misc/profiling.bro)
 rest_target(${psd} policy/misc/scan.bro)
 rest_target(${psd} policy/misc/stats.bro)
 rest_target(${psd} policy/misc/trim-trace-file.bro)
 rest_target(${psd} policy/protocols/conn/conn-stats-per-host.bro)
 rest_target(${psd} policy/protocols/conn/known-hosts.bro)
 rest_target(${psd} policy/protocols/conn/known-services.bro)
 rest_target(${psd} policy/protocols/conn/metrics.bro)
 rest_target(${psd} policy/protocols/conn/weirds.bro)
 rest_target(${psd} policy/protocols/dns/auth-addl.bro)
 rest_target(${psd} policy/protocols/dns/detect-external-names.bro)
@ -167,7 +165,6 @@ rest_target(${psd} policy/protocols/modbus/known-masters-slaves.bro)
 rest_target(${psd} policy/protocols/modbus/track-memmap.bro)
 rest_target(${psd} policy/protocols/smtp/blocklists.bro)
 rest_target(${psd} policy/protocols/smtp/detect-suspicious-orig.bro)
 rest_target(${psd} policy/protocols/smtp/metrics.bro)
 rest_target(${psd} policy/protocols/smtp/software.bro)
 rest_target(${psd} policy/protocols/ssh/detect-bruteforcing.bro)
 rest_target(${psd} policy/protocols/ssh/geo-data.bro)
--- a/scripts/base/frameworks/sumstats/main.bro
+++ b/scripts/base/frameworks/sumstats/main.bro
@ -182,7 +182,7 @@ global thresholds_store: table[string, Key] of bool = table();
 global data_added: function(ss: SumStat, key: Key, result: Result);
 # Prototype the hook point for plugins to do calculations.
-global add_to_reducer_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
+global observe_hook: hook(r: Reducer, val: double, data: Observation, rv: ResultVal);
 # Prototype the hook point for plugins to initialize any result values.
 global init_resultval_hook: hook(r: Reducer, rv: ResultVal);
 # Prototype the hook point for plugins to merge Results.
@ -323,7 +323,7 @@ function observe(id: string, key: Key, obs: Observation)
 		if ( obs?$num || obs?$dbl )
 			val = obs?$dbl ? obs$dbl : obs$num;
-		hook add_to_reducer_hook(r, val, obs, result_val);
+		hook observe_hook(r, val, obs, result_val);
 		data_added(ss, key, result);
 		}
 	}
--- a/scripts/base/frameworks/sumstats/plugins/load.bro
+++ b/scripts/base/frameworks/sumstats/plugins/load.bro
@ -1,9 +1,9 @@
@load ./average
@load ./hll_unique
@load ./max
@load ./min
@load ./sample
@load ./variance
@load ./std-dev
@load ./sum
@load ./unique
-@load ./hll_unique
+@load ./variance
--- a/scripts/base/frameworks/sumstats/plugins/average.bro
+++ b/scripts/base/frameworks/sumstats/plugins/average.bro
@ -14,7 +14,7 @@ export {
 	};
 }
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( AVERAGE in r$apply )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/hll_unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/hll_unique.bro
@ -31,7 +31,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal)
 	}
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( HLLUNIQUE in r$apply )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/max.bro
+++ b/scripts/base/frameworks/sumstats/plugins/max.bro
@ -14,7 +14,7 @@ export {
 	};
 }
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( MAX in r$apply )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/min.bro
+++ b/scripts/base/frameworks/sumstats/plugins/min.bro
@ -14,7 +14,7 @@ export {
 	};
 }
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( MIN in r$apply )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/sample.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sample.bro
@ -29,7 +29,7 @@ function get_samples(rv: ResultVal): vector of Observation
 	return s;
 	}
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( r$samples > 0 )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/std-dev.bro
+++ b/scripts/base/frameworks/sumstats/plugins/std-dev.bro
@ -22,7 +22,7 @@ function calc_std_dev(rv: ResultVal)
 	}
 # This depends on the variance plugin which uses priority -5
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-10
 	{
 	if ( STD_DEV in r$apply )
 		calc_std_dev(rv);
--- a/scripts/base/frameworks/sumstats/plugins/sum.bro
+++ b/scripts/base/frameworks/sumstats/plugins/sum.bro
@ -34,7 +34,7 @@ hook init_resultval_hook(r: Reducer, rv: ResultVal)
 		rv$sum = 0;
 	}
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( SUM in r$apply )
 		rv$sum += val;
--- a/scripts/base/frameworks/sumstats/plugins/unique.bro
+++ b/scripts/base/frameworks/sumstats/plugins/unique.bro
@ -23,7 +23,7 @@ redef record ResultVal += {
 	unique_vals: set[Observation] &optional;
 };
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal)
 	{
 	if ( UNIQUE in r$apply )
 		{
--- a/scripts/base/frameworks/sumstats/plugins/variance.bro
+++ b/scripts/base/frameworks/sumstats/plugins/variance.bro
@ -29,7 +29,7 @@ function calc_variance(rv: ResultVal)
 	}
 # Reduced priority since this depends on the average
-hook add_to_reducer_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5
+hook observe_hook(r: Reducer, val: double, obs: Observation, rv: ResultVal) &priority=-5
 	{
 	if ( VARIANCE in r$apply )
 		{
--- a/scripts/base/protocols/ftp/main.bro
+++ b/scripts/base/protocols/ftp/main.bro
@ -174,8 +174,9 @@ function ftp_message(s: Info)
 		if ( s$cmdarg$cmd in file_cmds )
 			{
 			local comp_path = build_path_compressed(s$cwd, arg);
-			if ( s$cwd[0] != "/" )
+			if ( comp_path[0] != "/" )
 				comp_path = cat("/", comp_path);
 			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
 			}
@ -245,17 +246,14 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=5
 	{
 	# TODO: figure out what to do with continued FTP response (not used much)
 	#if ( cont_resp ) return;
 	local id = c$id;
 	set_ftp_session(c);
 	c$ftp$cmdarg = get_pending_cmd(c$ftp$pending_commands, code, msg);
 	c$ftp$reply_code = code;
 	c$ftp$reply_msg = msg;
 	# TODO: figure out what to do with continued FTP response (not used much)
 	if ( cont_resp ) return;
 	# TODO: do some sort of generic clear text login processing here.
 	local response_xyz = parse_ftp_reply_code(code);
 	#if ( response_xyz$x == 2 &&  # successful
@ -283,10 +281,10 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 			c$ftp$passive=T;
 			if ( code == 229 && data$h == [::] )
-				data$h = id$resp_h;
+				data$h = c$id$resp_h;
 			ftp_data_expected[data$h, data$p] = c$ftp;
-			expect_connection(id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
+			expect_connection(c$id$orig_h, data$h, data$p, ANALYZER_FILE, 5mins);
 			}
 		else
 			{
--- a/scripts/policy/misc/scan.bro
+++ b/scripts/policy/misc/scan.bro
@ -1,4 +1,4 @@
-##! Scan detection
+##! TCP Scan detection
 ##!
 ##! ..Authors: Sheharbano Khattak
 ##!            Seth Hall
@ -47,22 +47,9 @@ export {
 	const addr_scan_custom_thresholds: table[port] of count &redef;
 	global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 	global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 }
 #function check_addr_scan_threshold(key: SumStats::Key, val: SumStats::Result): bool
 #	{
 #	# We don't need to do this if no custom thresholds are defined.
 #	if ( |addr_scan_custom_thresholds| == 0 )
 #		return F;
 #
 #	local service = to_port(key$str);
 #	return ( service in addr_scan_custom_thresholds &&
 #	         val$sum > addr_scan_custom_thresholds[service] );
 #	}
 event bro_init() &priority=5
 	{
 	local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE)];
@ -125,30 +112,6 @@ function add_sumstats(id: conn_id, reverse: bool)
 		scanned_port = id$orig_p;
 		}
 	# Defaults to be implemented with a hook...
 	#local transport_layer_proto = get_port_transport_proto(service);
 	#if ( suppress_UDP_scan_checks && (transport_layer_proto == udp) )
 	#	return F;
 	#else if ( suppress_TCP_scan_checks && (transport_layer_proto == tcp) )
 	#	return F;
 	#else if ( suppress_ICMP_scan_checks && (transport_layer_proto == icmp) )
 	#	return F;
 	# TODO: all of this whitelist/blacklist will be done 
 	#       through the upcoming hook mechanism
 	# Blacklisting/whitelisting services
 	#if ( |analyze_services| > 0 )
 	#	{
 	#	if ( service !in analyze_services )
 	#		return F;
 	#	}
 	#else if ( service in skip_services )
 	#	return F;
 	#
 	## Blacklisting/whitelisting subnets
 	#if ( |analyze_subnets| > 0 && host !in analyze_subnets )
 	#	return F;
 	if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
 		SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2013-04-16-03-43-22
+#open	2013-04-22-18-02-50
 #fields	name
 #types	string
 scripts/base/init-bare.bro
@ -80,8 +80,8 @@ scripts/base/init-default.bro
      scripts/base/frameworks/sumstats/plugins/max.bro
      scripts/base/frameworks/sumstats/plugins/min.bro
      scripts/base/frameworks/sumstats/plugins/sample.bro
      scripts/base/frameworks/sumstats/plugins/variance.bro
      scripts/base/frameworks/sumstats/plugins/std-dev.bro
        scripts/base/frameworks/sumstats/plugins/variance.bro
      scripts/base/frameworks/sumstats/plugins/sum.bro
      scripts/base/frameworks/sumstats/plugins/unique.bro
    scripts/base/frameworks/sumstats/non-cluster.bro
@ -130,4 +130,4 @@ scripts/base/init-default.bro
    scripts/base/protocols/syslog/main.bro
  scripts/base/misc/find-checksum-offloading.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2013-04-16-03-43-22
+#close	2013-04-22-18-02-50