Working on TODOs.

- Introducing analyzer::<protocol> namespaces.
- Moving protocol-specific events out of events.bif into analyzer/protocol/<protocol>/events.bif
- Moving ARP over (even though it's not an actual analyzer).
- Moving NetFlow over (even though it's not an actual analyzer).
- Moving MIME over (even though it's not an actual analyzer).

cmake

@@ -1 +1 @@
-Subproject commit 8cc03d64d00676cb75a38543800ac0de192557dd
+Subproject commit c50757259f509f13227cf28bbd4fd281828a39d2

src/CMakeLists.txt

@@ -133,9 +133,6 @@ set(BINPAC_AUXSRC
 binpac_target(binpac-lib.pac)
 binpac_target(binpac_bro-lib.pac)
 
-binpac_target(netflow.pac
-    netflow-protocol.pac netflow-analyzer.pac)
-
 ########################################################################
 ## Including subdirectories.
 ########################################################################
@@ -212,7 +209,6 @@ set(bro_SRCS
     util.cc
     module_util.cc
     Anon.cc
-    ARP.cc
     Attr.cc
     Base64.cc
     BPF_Program.cc
@@ -254,7 +250,6 @@ set(bro_SRCS
     IPAddr.cc
     List.cc
     Reporter.cc
-    MIME.cc
     NFA.cc
     Net.cc
     NetVar.cc

src/Conn.cc

@@ -935,7 +935,7 @@ error:
 	return false;
 	}
 
-void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia)
+void Connection::SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia)
 	{
 	root_analyzer = analyzer;
 	primary_PIA = pia;

src/Conn.h

@@ -245,9 +245,9 @@ public:
 	void DeleteTimer(double t);
 
 	// Sets the root of the analyzer tree as well as the primary PIA.
-	void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, PIA* pia);
+	void SetRootAnalyzer(analyzer::TransportLayerAnalyzer* analyzer, analyzer::pia::PIA* pia);
 	analyzer::TransportLayerAnalyzer* GetRootAnalyzer()	{ return root_analyzer; }
-	PIA* GetPrimaryPIA()	{ return primary_PIA; }
+	analyzer::pia::PIA* GetPrimaryPIA()	{ return primary_PIA; }
 
 	// Sets the transport protocol in use.
 	void SetTransport(TransportProto arg_proto)	{ proto = arg_proto; }
@@ -319,7 +319,7 @@ protected:
 	uint32 hist_seen;
 
 	analyzer::TransportLayerAnalyzer* root_analyzer;
-	PIA* primary_PIA;
+	analyzer::pia::PIA* primary_PIA;
 
 	uint64 uid;	// Globally unique connection ID.
 };

src/NetVar.cc

@@ -93,7 +93,6 @@ RecordType* http_stats_rec;
 RecordType* http_message_stat;
 int truncate_http_URI;
 
-int pm_request;
 RecordType* pm_mapping;
 TableType* pm_mappings;
 RecordType* pm_port_request;
@@ -408,14 +407,6 @@ void init_net_var()
 	http_message_stat = internal_type("http_message_stat")->AsRecordType();
 	truncate_http_URI = opt_internal_int("truncate_http_URI");
 
-	pm_request = pm_request_null || pm_request_set ||
-		pm_request_unset || pm_request_getport ||
-		pm_request_dump || pm_request_callit ||
-		pm_attempt_null || pm_attempt_set ||
-		pm_attempt_unset || pm_attempt_getport ||
-		pm_attempt_dump || pm_attempt_callit ||
-		pm_bad_port;
-
 	pm_mapping = internal_type("pm_mapping")->AsRecordType();
 	pm_mappings = internal_type("pm_mappings")->AsTableType();
 	pm_port_request = internal_type("pm_port_request")->AsRecordType();

src/NetVar.h

@@ -96,7 +96,6 @@ extern RecordType* http_stats_rec;
 extern RecordType* http_message_stat;
 extern int truncate_http_URI;
 
-extern int pm_request;
 extern RecordType* pm_mapping;
 extern TableType* pm_mappings;
 extern RecordType* pm_port_request;

src/RuleCondition.cc

@@ -4,15 +4,15 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "Scope.h"
 
-static inline bool is_established(const TCP_Endpoint* e)
+static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
 	{
 	// We more or less follow Snort here: an established session
 	// is one for which the initial handshake has succeded (but we
 	// add partial connections).  The connection tear-down is part
 	// of the connection.
-	return e->state != TCP_ENDPOINT_INACTIVE &&
-	       e->state != TCP_ENDPOINT_SYN_SENT &&
-	       e->state != TCP_ENDPOINT_SYN_ACK_SENT;
+	return e->state != analyzer::tcp::TCP_ENDPOINT_INACTIVE &&
+	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_SENT &&
+	       e->state != analyzer::tcp::TCP_ENDPOINT_SYN_ACK_SENT;
 	}
 
 bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
@@ -23,7 +23,7 @@ bool RuleConditionTCPState::DoMatch(Rule* rule, RuleEndpointState* state,
 	if ( ! root || ! root->IsAnalyzer("TCP") )
 		return false;
 
-	TCP_Analyzer* ta = static_cast<TCP_Analyzer*>(root);
+	analyzer::tcp::TCP_Analyzer* ta = static_cast<analyzer::tcp::TCP_Analyzer*>(root);
 
 	if ( tcpstates & STATE_STATELESS )
 		return true;

src/RuleMatcher.cc

@@ -161,7 +161,7 @@ void RuleHdrTest::PrintDebug()
 
 RuleEndpointState::RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
 					  RuleEndpointState* arg_opposite,
-					  ::PIA* arg_PIA)
+					  analyzer::pia::PIA* arg_PIA)
 	{
 	payload_size = -1;
 	analyzer = arg_analyzer;
@@ -565,7 +565,7 @@ static inline bool compare(const vector<IPPrefix>& prefixes, const IPAddr& a,
 RuleEndpointState* RuleMatcher::InitEndpoint(analyzer::Analyzer* analyzer,
 						const IP_Hdr* ip, int caplen,
 						RuleEndpointState* opposite,
-						bool from_orig, PIA* pia)
+						bool from_orig, analyzer::pia::PIA* pia)
 	{
 	RuleEndpointState* state =
 		new RuleEndpointState(analyzer, from_orig, opposite, pia);
@@ -1301,7 +1301,7 @@ uint32 id_to_uint(const char* id)
 	}
 
 void RuleMatcherState::InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
-					int caplen, bool from_orig, PIA* pia)
+					   int caplen, bool from_orig, analyzer::pia::PIA* pia)
 	{
 	if ( ! rule_matcher )
 		return;

src/RuleMatcher.h

@@ -35,8 +35,10 @@ extern const char* current_rule_file;
 class RuleMatcher;
 extern RuleMatcher* rule_matcher;
 
-namespace analyzer { class Analyzer; }
-class PIA;
+namespace analyzer {
+	namespace pia { class PIA; }
+	class Analyzer;
+}
 
 // RuleHdrTest and associated things:
 
@@ -152,7 +154,7 @@ public:
 	// Returns -1 if no chunk has been fed yet at all.
 	int PayloadSize()	{ return payload_size; }
 
-	::PIA* PIA() const	{ return pia; }
+	analyzer::pia::PIA* PIA() const	{ return pia; }
 
 private:
 	friend class RuleMatcher;
@@ -160,7 +162,7 @@ private:
 	// Constructor is private; use RuleMatcher::InitEndpoint()
 	// for creating an instance.
 	RuleEndpointState(analyzer::Analyzer* arg_analyzer, bool arg_is_orig,
-			  RuleEndpointState* arg_opposite, ::PIA* arg_PIA);
+			  RuleEndpointState* arg_opposite, analyzer::pia::PIA* arg_PIA);
 
 	struct Matcher {
 		RE_Match_State* state;
@@ -173,7 +175,7 @@ private:
 	bool is_orig;
 	analyzer::Analyzer* analyzer;
 	RuleEndpointState* opposite;
-	::PIA* pia;
+	analyzer::pia::PIA* pia;
 
 	matcher_list matchers;
 	rule_hdr_test_list hdr_tests;
@@ -208,7 +210,7 @@ public:
 	// this endpoint). If the matching is triggered by an PIA, a pointer to
 	// it needs to be given.
 	RuleEndpointState* InitEndpoint(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
-		int caplen, RuleEndpointState* opposite, bool is_orig, PIA* pia);
+					int caplen, RuleEndpointState* opposite, bool is_orig, analyzer::pia::PIA* pia);
 
 	// Finish matching for this stream.
 	void FinishEndpoint(RuleEndpointState* state);
@@ -311,7 +313,7 @@ public:
 
 	// ip may be nil.
 	void InitEndpointMatcher(analyzer::Analyzer* analyzer, const IP_Hdr* ip,
-				int caplen, bool from_orig, PIA* pia = 0);
+				 int caplen, bool from_orig, analyzer::pia::PIA* pia = 0);
 
 	// bol/eol should be set to false for type Rule::PAYLOAD; they're
 	// deduced automatically.

src/Sessions.cc

@@ -20,8 +20,13 @@
 #include "analyzer/protocols/udp/UDP.h"
 
 #include "analyzer/protocols/stepping-stone/SteppingStone.h"
+#include "analyzer/protocols/stepping-stone/events.bif.h"
 #include "analyzer/protocols/backdoor/BackDoor.h"
+#include "analyzer/protocols/backdoor/events.bif.h"
 #include "analyzer/protocols/interconn/InterConn.h"
+#include "analyzer/protocols/interconn/events.bif.h"
+#include "analyzer/protocols/arp/ARP.h"
+#include "analyzer/protocols/arp/events.bif.h"
 #include "Discard.h"
 #include "RuleMatcher.h"
 
@@ -102,7 +107,7 @@ NetSessions::NetSessions()
 	fragments.SetDeleteFunc(bro_obj_delete_func);
 
 	if ( stp_correlate_pair )
-		stp_manager = new SteppingStoneManager();
+		stp_manager = new analyzer::stepping_stone::SteppingStoneManager();
 	else
 		stp_manager = 0;
 
@@ -141,7 +146,7 @@ NetSessions::NetSessions()
 		pkt_profiler = 0;
 
 	if ( arp_request || arp_reply || bad_arp )
-		arp_analyzer = new ARP_Analyzer();
+		arp_analyzer = new analyzer::arp::ARP_Analyzer();
 	else
 		arp_analyzer = 0;
 	}
@@ -254,7 +259,7 @@ void NetSessions::NextPacket(double t, const struct pcap_pkthdr* hdr,
 			DoNextPacket(t, hdr, &ip_hdr, pkt, hdr_size, 0);
 			}
 
-		else if ( ARP_Analyzer::IsARP(pkt, hdr_size) )
+		else if ( analyzer::arp::ARP_Analyzer::IsARP(pkt, hdr_size) )
 			{
 			if ( arp_analyzer )
 				arp_analyzer->NextPacket(t, hdr, pkt, hdr_size);
@@ -521,7 +526,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		const struct icmp* icmpp = (const struct icmp *) data;
 
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ICMP4_counterpart(icmpp->icmp_type,
+		id.dst_port = analyzer::icmp::ICMP4_counterpart(icmpp->icmp_type,
 								icmpp->icmp_code,
 								id.is_one_way);
 
@@ -537,7 +542,7 @@ void NetSessions::DoNextPacket(double t, const struct pcap_pkthdr* hdr,
 		const struct icmp* icmpp = (const struct icmp *) data;
 
 		id.src_port = icmpp->icmp_type;
-		id.dst_port = ICMP6_counterpart(icmpp->icmp_type,
+		id.dst_port = analyzer::icmp::ICMP6_counterpart(icmpp->icmp_type,
 								icmpp->icmp_code,
 								id.is_one_way);
 
@@ -962,12 +967,12 @@ void NetSessions::Remove(Connection* c)
 		{
 		c->CancelTimers();
 
-		TCP_Analyzer* ta = (TCP_Analyzer*) c->GetRootAnalyzer();
+		analyzer::tcp::TCP_Analyzer* ta = (analyzer::tcp::TCP_Analyzer*) c->GetRootAnalyzer();
 		if ( ta && c->ConnTransport() == TRANSPORT_TCP )
 			{
 			assert(ta->IsAnalyzer("TCP"));
-			TCP_Endpoint* to = ta->Orig();
-			TCP_Endpoint* tr = ta->Resp();
+			analyzer::tcp::TCP_Endpoint* to = ta->Orig();
+			analyzer::tcp::TCP_Endpoint* tr = ta->Resp();
 
 			tcp_stats.StateLeft(to->state, tr->state);
 			}

src/Sessions.h

@@ -6,7 +6,6 @@
 #include "Dict.h"
 #include "CompHash.h"
 #include "IP.h"
-#include "ARP.h"
 #include "Frag.h"
 #include "PacketFilter.h"
 #include "Stats.h"
@@ -28,11 +27,12 @@ declare(PDict,Connection);
 declare(PDict,FragReassembler);
 
 class Discarder;
-class SteppingStoneManager;
 class PacketFilter;
-
 class PacketSortElement;
 
+namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
+namespace analyzer { namespace arp { class ARP_Analyzer; } }
+
 struct SessionStats {
 	int num_TCP_conns;
 	int num_UDP_conns;
@@ -129,7 +129,7 @@ public:
 
 	void ExpireTimerMgrs();
 
-	SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
+	analyzer::stepping_stone::SteppingStoneManager* GetSTPManager()	{ return stp_manager; }
 
 	unsigned int CurrentConnections()
 		{
@@ -185,7 +185,7 @@ public:
 	unsigned int ConnectionMemoryUsage();
 	unsigned int ConnectionMemoryUsageConnVals();
 	unsigned int MemoryAllocation();
-	TCPStateStats tcp_stats;	// keeps statistics on TCP states
+	analyzer::tcp::TCPStateStats tcp_stats;	// keeps statistics on TCP states
 
 protected:
 	friend class RemoteSerializer;
@@ -257,9 +257,9 @@ protected:
 	typedef std::map<IPPair, TunnelActivity> IPTunnelMap;
 	IPTunnelMap ip_tunnels;
 
-	ARP_Analyzer* arp_analyzer;
+	analyzer::arp::ARP_Analyzer* arp_analyzer;
 
-	SteppingStoneManager* stp_manager;
+	analyzer::stepping_stone::SteppingStoneManager* stp_manager;
 	Discarder* discarder;
 	PacketFilter* packet_filter;
 	OSFingerprint* SYN_OS_Fingerprinter;

src/analyzer/Analyzer.h

@@ -13,12 +13,13 @@
 
 class Rule;
 class Connection;
-class PIA;
 class IP_Hdr;
-class TCP_ApplicationAnalyzer;
 
 namespace analyzer {
 
+namespace tcp { class TCP_ApplicationAnalyzer; }
+namespace pia { class PIA; }
+
 class Analyzer;
 class AnalyzerTimer;
 class SupportAnalyzer;
@@ -546,7 +547,7 @@ protected:
 	friend class AnalyzerTimer;
 	friend class Manager;
 	friend class ::Connection;
-	friend class ::TCP_ApplicationAnalyzer;
+	friend class tcp::TCP_ApplicationAnalyzer;
 
 	/**
 	 * Associates a connection with this analyzer.  Must be called if
@@ -825,13 +826,13 @@ public:
 	 * transport-layer input and determine which protocol analyzer(s) to
 	 * use for parsing it.
 	 */
-	void SetPIA(PIA* arg_PIA)	{ pia = arg_PIA; }
+	void SetPIA(pia::PIA* arg_PIA)	{ pia = arg_PIA; }
 
 	/**
 	 * Returns the associated PIA, or null of none. Does not take
 	 * ownership.
 	 */
-	PIA* GetPIA() const		{ return pia; }
+	pia::PIA* GetPIA() const		{ return pia; }
 
 	/**
 	 * Helper to raise a \c packet_contents event.
@@ -843,7 +844,7 @@ public:
 	void PacketContents(const u_char* data, int len);
 
 private:
-	PIA* pia;
+	pia::PIA* pia;
 };
 
 }

src/analyzer/CMakeLists.txt

@@ -15,4 +15,8 @@ set(analyzer_SRCS
 
 bif_target_for_subdir(analyzer.bif)
 
+bro_plugin_dependencies(DCE_RPC generate_analyzer.bif)
+
 add_library(bro_analyzer OBJECT ${analyzer_SRCS} ${BIF_OUTPUT_CC} ${BIF_OUTPUT_H})
+
+add_dependencies(bro_analyzer generate_events.bif)

src/analyzer/Manager.cc

@@ -15,6 +15,8 @@
 
 #include "plugin/Manager.h"
 
+#include "protocols/tcp/events.bif.h"
+
 using namespace analyzer;
 
 Manager::ConnIndex::ConnIndex(const IPAddr& _orig, const IPAddr& _resp,
@@ -414,35 +416,35 @@ Manager::tag_set* Manager::LookupPort(PortVal* val, bool add_if_not_found)
 bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 	{
 	Analyzer* analyzer = 0;
-	TCP_Analyzer* tcp = 0;
-	UDP_Analyzer* udp = 0;
-	ICMP_Analyzer* icmp = 0;
+	tcp::TCP_Analyzer* tcp = 0;
+	udp::UDP_Analyzer* udp = 0;
+	icmp::ICMP_Analyzer* icmp = 0;
 	TransportLayerAnalyzer* root = 0;
 	tag_set expected;
-	PIA* pia = 0;
+	pia::PIA* pia = 0;
 	bool analyzed = false;
 	bool check_port = false;
 
 	switch ( conn->ConnTransport() ) {
 
 	case TRANSPORT_TCP:
-		root = tcp = new TCP_Analyzer(conn);
-		pia = new PIA_TCP(conn);
+		root = tcp = new tcp::TCP_Analyzer(conn);
+		pia = new pia::PIA_TCP(conn);
 		expected = GetScheduled(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated TCP analyzer");
 		break;
 
 	case TRANSPORT_UDP:
-		root = udp = new UDP_Analyzer(conn);
-		pia = new PIA_UDP(conn);
+		root = udp = new udp::UDP_Analyzer(conn);
+		pia = new pia::PIA_UDP(conn);
 		expected = GetScheduled(conn);
 		check_port = true;
 		DBG_ANALYZER(conn, "activated UDP analyzer");
 		break;
 
 	case TRANSPORT_ICMP: {
-		root = icmp = new ICMP_Analyzer(conn);
+		root = icmp = new icmp::ICMP_Analyzer(conn);
 		DBG_ANALYZER(conn, "activated ICMP analyzer");
 		analyzed = true;
 		break;
@@ -531,12 +533,12 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 		if ( IsEnabled(analyzer_backdoor) )
 			// Add a BackDoor analyzer if requested.  This analyzer
 			// can handle both reassembled and non-reassembled input.
-			tcp->AddChildAnalyzer(new BackDoor_Analyzer(conn), false);
+			tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false);
 
 		if ( IsEnabled(analyzer_interconn) )
 			// Add a InterConn analyzer if requested.  This analyzer
 			// can handle both reassembled and non-reassembled input.
-			tcp->AddChildAnalyzer(new InterConn_Analyzer(conn), false);
+			tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false);
 
 		if ( IsEnabled(analyzer_stepping) )
 			{
@@ -550,25 +552,25 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 				{
 				AddrVal src(conn->OrigAddr());
 				if ( ! stp_skip_src->Lookup(&src) )
-					tcp->AddChildAnalyzer(new SteppingStone_Analyzer(conn), false);
+					tcp->AddChildAnalyzer(new stepping_stone::SteppingStone_Analyzer(conn), false);
 				}
 			}
 
 		if ( IsEnabled(analyzer_tcpstats) )
 			// Add TCPStats analyzer. This needs to see packets so
 			// we cannot add it as a normal child.
-			tcp->AddChildPacketAnalyzer(new TCPStats_Analyzer(conn));
+			tcp->AddChildPacketAnalyzer(new tcp::TCPStats_Analyzer(conn));
 
 		if ( IsEnabled(analyzer_connsize) )
 			// Add ConnSize analyzer. Needs to see packets, not stream.
-			tcp->AddChildPacketAnalyzer(new ConnSize_Analyzer(conn));
+			tcp->AddChildPacketAnalyzer(new conn_size::ConnSize_Analyzer(conn));
 		}
 
 	else
 		{
 		if ( IsEnabled(analyzer_connsize) )
 			// Add ConnSize analyzer. Needs to see packets, not stream.
-			root->AddChildAnalyzer(new ConnSize_Analyzer(conn));
+			root->AddChildAnalyzer(new conn_size::ConnSize_Analyzer(conn));
 		}
 
 	if ( pia )

src/analyzer/protocols/CMakeLists.txt

@@ -1,4 +1,5 @@
 
+add_subdirectory(arp)
 add_subdirectory(ayiya)
 add_subdirectory(backdoor)
 add_subdirectory(bittorrent)
@@ -18,7 +19,9 @@ add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(login)
 add_subdirectory(modbus)
+add_subdirectory(mime)
 add_subdirectory(ncp)
+add_subdirectory(netflow)
 add_subdirectory(netbios-ssn)
 add_subdirectory(ntp)
 add_subdirectory(pia)

src/analyzer/protocols/TODO

@@ -1,10 +1,8 @@
 
-- introduce namespace into analyzers
-- fill events.bif
 - add functions.bif where needed
-- move ARP
-- move NetFlow
 - update *.h guards
 - cleanup analyzer descriptions
 - can now lower-case the analyzer name in plugin
+- not sure cmake dependencies work right yet
+- rename analyzers/protocols to analyzer/protocol
 

src/analyzer/protocols/arp/ARP.cc

@@ -5,6 +5,9 @@
 #include "Event.h"
 #include "Reporter.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::arp;
 
 ARP_Analyzer::ARP_Analyzer()
 	{

src/analyzer/protocols/arp/ARP.h

@@ -24,7 +24,9 @@
 #endif
 
 #include "NetVar.h"
+#include "PacketSort.h"
 
+namespace analyzer { namespace arp {
 
 class ARP_Analyzer : public BroObj {
 public:
@@ -53,4 +55,6 @@ protected:
 	EventHandlerPtr arp_reply;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/arp/CMakeLists.txt

@@ -0,0 +1,15 @@
+
+# This is not an actual analyzer, but used by the core. We still
+# maintain it here along with the other analyzers because conceptually
+# it's also parsing a protocol just like them. The current structure
+# is merely a left-over from when this code was written.
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(ARP)
+bro_plugin_cc(ARP.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()
+

src/analyzer/protocols/arp/Plugin.cc

@@ -0,0 +1,7 @@
+
+#include "plugin/Plugin.h"
+
+BRO_PLUGIN_BEGIN(ARP)
+	BRO_PLUGIN_DESCRIPTION("ARP Parsing Code");
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocols/arp/events.bif

@@ -0,0 +1,63 @@
+## Generated for ARP requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+## for more information about the ARP protocol.
+##
+## mac_src: The request's source MAC address.
+##
+## mac_dst: The request's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see:: arp_reply  bad_arp
+event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+			TPA: addr, THA: string%);
+
+## Generated for ARP replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+## for more information about the ARP protocol.
+##
+## mac_src: The reply's source MAC address.
+##
+## mac_dst: The reply's destination MAC address.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## .. bro:see::  arp_request bad_arp
+event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
+			TPA: addr, THA: string%);
+
+## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## with non-standard hardware address formats or hardware addresses that do not
+## match the originator of the packet.
+##
+## SPA: The sender protocol address.
+##
+## SHA: The sender hardware address.
+##
+## TPA: The target protocol address.
+##
+## THA: The target hardware address.
+##
+## explanation: A short description of why the ARP packet is considered "bad".
+##
+## .. bro:see:: arp_reply arp_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

src/analyzer/protocols/ayiya/AYIYA.cc

@@ -1,4 +1,9 @@
+
 #include "AYIYA.h"
+#include "Func.h"
+#include "events.bif.h"
+
+using namespace analyzer::ayiya;
 
 AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn)
 : Analyzer("AYIYA", conn)

src/analyzer/protocols/ayiya/AYIYA.h

@@ -3,6 +3,8 @@
 
 #include "ayiya_pac.h"
 
+namespace analyzer { namespace ayiya {
+
 class AYIYA_Analyzer : public analyzer::Analyzer {
 public:
 	AYIYA_Analyzer(Connection* conn);
@@ -21,4 +23,6 @@ protected:
 	binpac::AYIYA::AYIYA_Conn* interp;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/ayiya/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(AYIYA)
 	BRO_PLUGIN_DESCRIPTION("AYIYA Analyzer");
-	BRO_PLUGIN_ANALYZER("AYIYA", AYIYA_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("AYIYA", ayiya::AYIYA_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/ayiya/ayiya.pac

@@ -2,6 +2,10 @@
 %include binpac.pac
 %include bro.pac
 
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer AYIYA withcontext {
 	connection:	AYIYA_Conn;
 	flow:		AYIYA_Flow;

src/analyzer/protocols/backdoor/BackDoor.cc

@@ -7,7 +7,11 @@
 #include "Net.h"
 #include "analyzer/protocols/tcp/TCP.h"
 
-BackDoorEndpoint::BackDoorEndpoint(TCP_Endpoint* e)
+#include "events.bif.h"
+
+using namespace analyzer::backdoor;
+
+BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e)
 	{
 	endp = e;
 	is_partial = 0;
@@ -53,7 +57,7 @@ int BackDoorEndpoint::DataSent(double /* t */, int seq,
 	if ( len <= 0 )
 		return 0;
 
-	if ( endp->state == TCP_ENDPOINT_PARTIAL )
+	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
 	int ack = endp->AckSeq() - endp->StartSeq();
@@ -681,7 +685,7 @@ int BackDoorEndpoint::CheckForString(const char* str,
 
 
 BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BACKDOOR", c)
+: tcp::TCP_ApplicationAnalyzer("BACKDOOR", c)
 	{
 	orig_endp = resp_endp = 0;
 
@@ -701,7 +705,7 @@ BackDoor_Analyzer::~BackDoor_Analyzer()
 
 void BackDoor_Analyzer::Init()
 	{
-	TCP_ApplicationAnalyzer::Init();
+	tcp::TCP_ApplicationAnalyzer::Init();
 
 	assert(TCP());
 	orig_endp = new BackDoorEndpoint(TCP()->Orig());
@@ -740,7 +744,7 @@ void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 void BackDoor_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( ! IsFinished() )
 		{

src/analyzer/protocols/backdoor/BackDoor.h

@@ -8,9 +8,11 @@
 #include "NetVar.h"
 #include "analyzer/protocols/login/Login.h"
 
+namespace analyzer { namespace backdoor {
+
 class BackDoorEndpoint {
 public:
-	BackDoorEndpoint(TCP_Endpoint* e);
+	BackDoorEndpoint(tcp::TCP_Endpoint* e);
 
 	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
@@ -44,7 +46,7 @@ protected:
 	int CheckForFullString(const char* str, const u_char* data, int len);
 	int CheckForString(const char* str, const u_char* data, int len);
 
-	TCP_Endpoint* endp;
+	tcp::TCP_Endpoint* endp;
 	int is_partial;
 	int max_top_seq;
 
@@ -62,7 +64,7 @@ protected:
 	uint32 num_7bit_ascii;
 };
 
-class BackDoor_Analyzer : public TCP_ApplicationAnalyzer {
+class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	BackDoor_Analyzer(Connection* c);
 	~BackDoor_Analyzer();
@@ -105,4 +107,6 @@ protected:
 	BackDoor_Analyzer* analyzer;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/backdoor/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(BackDoor)
 	BRO_PLUGIN_DESCRIPTION("Backdoor Analyzer (deprecated)");
-	BRO_PLUGIN_ANALYZER("BACKDOOR", BackDoor_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("BACKDOOR", backdoor::BackDoor_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/backdoor/events.bif

@@ -0,0 +1,32 @@
+## Deprecated. Will be removed.
+event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
+
+## Deprecated. Will be removed.
+event backdoor_remove_conn%(c: connection%);
+
+## Deprecated. Will be removed.
+event ftp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event gnutella_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event irc_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
+
+## Deprecated. Will be removed.
+event ssh_signature_found%(c: connection, is_orig: bool%);
+
+## Deprecated. Will be removed.
+event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
+
+## Deprecated. Will be removed.
+event smtp_signature_found%(c: connection%);
+
+## Deprecated. Will be removed.
+event http_proxy_signature_found%(c: connection%);

src/analyzer/protocols/bittorrent/BitTorrent.cc

@@ -3,8 +3,12 @@
 #include "BitTorrent.h"
 #include "analyzer/protocols/tcp/TCP_Reassembler.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::bittorrent;
+
 BitTorrent_Analyzer::BitTorrent_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BITTORRENT", c)
+: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
 	{
 	interp = new binpac::BitTorrent::BitTorrent_Conn(this);
 	stop_orig = stop_resp = false;
@@ -18,7 +22,7 @@ BitTorrent_Analyzer::~BitTorrent_Analyzer()
 
 void BitTorrent_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	interp->FlowEOF(true);
 	interp->FlowEOF(false);
@@ -29,7 +33,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	uint64& this_stream_len = orig ? stream_len_orig : stream_len_resp;
 	bool& this_stop = orig ? stop_orig : stop_resp;
 
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	assert(TCP());
 
@@ -66,7 +70,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
 	{
-	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
 	// TODO: Code commented out for now. I think that shoving data that
 	// is definitely wrong into the parser seems like a really bad idea.
@@ -108,7 +112,7 @@ void BitTorrent_Analyzer::Undelivered(int seq, int len, bool orig)
 
 void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	interp->FlowEOF(is_orig);
 	}
 

src/analyzer/protocols/bittorrent/BitTorrent.h

@@ -7,7 +7,9 @@
 
 #include "bittorrent_pac.h"
 
-class BitTorrent_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace bittorrent {
+
+class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	BitTorrent_Analyzer(Connection* conn);
 	virtual ~BitTorrent_Analyzer();
@@ -28,4 +30,6 @@ protected:
 	uint64 stream_len_orig, stream_len_resp;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/bittorrent/BitTorrentTracker.cc

@@ -3,6 +3,8 @@
 #include "BitTorrentTracker.h"
 #include "analyzer/protocols/tcp/TCP_Reassembler.h"
 
+#include "events.bif.h"
+
 #include <sys/types.h>
 #include <regex.h>
 
@@ -11,6 +13,8 @@
 # define FMT_INT "%" PRId64
 # define FMT_UINT "%" PRIu64
 
+using namespace analyzer::bittorrent;
+
 static TableType* bt_tracker_headers = 0;
 static RecordType* bittorrent_peer;
 static TableType* bittorrent_peer_set;
@@ -18,7 +22,7 @@ static RecordType* bittorrent_benc_value;
 static TableType* bittorrent_benc_dir;
 
 BitTorrentTracker_Analyzer::BitTorrentTracker_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("BITTORRENT", c)
+: tcp::TCP_ApplicationAnalyzer("BITTORRENT", c)
 	{
 	if ( ! bt_tracker_headers )
 		{
@@ -74,13 +78,13 @@ BitTorrentTracker_Analyzer::~BitTorrentTracker_Analyzer()
 
 void BitTorrentTracker_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 	}
 
 void BitTorrentTracker_Analyzer::DeliverStream(int len, const u_char* data,
 						bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	assert(TCP());
 
@@ -205,7 +209,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 
 void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
 	{
-	TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
 	ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
 
@@ -217,7 +221,7 @@ void BitTorrentTracker_Analyzer::Undelivered(int seq, int len, bool orig)
 
 void BitTorrentTracker_Analyzer::EndpointEOF(bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 	}
 
 void BitTorrentTracker_Analyzer::InitBencParser(void)

src/analyzer/protocols/bittorrent/BitTorrentTracker.h

@@ -7,6 +7,8 @@
 
 #define BTTRACKER_BUF 2048
 
+namespace analyzer { namespace bittorrent {
+
 // If the following is defined, then the analyzer will store all of
 // the headers seen in tracker messages.
 //#define BTTRACKER_STORE_HEADERS 1
@@ -40,7 +42,7 @@ enum btt_benc_states {
 	BENC_STATE_STR2,
 };
 
-class BitTorrentTracker_Analyzer : public TCP_ApplicationAnalyzer {
+class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	BitTorrentTracker_Analyzer(Connection* conn);
 	virtual ~BitTorrentTracker_Analyzer();
@@ -126,4 +128,6 @@ protected:
 	bool stop_orig, stop_resp;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/bittorrent/Plugin.cc

@@ -6,7 +6,7 @@
 
 BRO_PLUGIN_BEGIN(BitTorrent)
 	BRO_PLUGIN_DESCRIPTION("BitTorrent Analyzer");
-	BRO_PLUGIN_ANALYZER("BitTorrent", BitTorrent_Analyzer::InstantiateAnalyzer);
-	BRO_PLUGIN_ANALYZER("BitTorrentTracker", BitTorrentTracker_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("BitTorrent", bittorrent::BitTorrent_Analyzer);
+	BRO_PLUGIN_ANALYZER("BitTorrentTracker", bittorrent::BitTorrent_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/bittorrent/bittorrent.pac

@@ -5,6 +5,8 @@
 
 %extern{
 #define MSGLEN_LIMIT 0x40000
+
+#include "events.bif.h"
 %}
 
 analyzer BitTorrent withcontext {

src/analyzer/protocols/bittorrent/events.bif

@@ -0,0 +1,226 @@
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_handshake%(c: connection, is_orig: bool,
+			reserved: string, info_hash: string, peer_id: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_keep_alive%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_choke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_unchoke%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive  bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_not_interested%(c: connection, is_orig: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake  bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_have%(c: connection, is_orig: bool, piece_index: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see::  bittorrent_peer_cancel bittorrent_peer_choke bittorrent_peer_handshake
+##    bittorrent_peer_have bittorrent_peer_interested bittorrent_peer_keep_alive
+##    bittorrent_peer_not_interested bittorrent_peer_piece bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_bitfield%(c: connection, is_orig: bool, bitfield: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port  bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_request%(c: connection, is_orig: bool, index: count,
+				begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_port
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_piece%(c: connection, is_orig: bool, index: count,
+				begin: count, piece_length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield  bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bittorrent_peer_cancel%(c: connection, is_orig: bool, index: count,
+				begin: count, length: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_request bittorrent_peer_unchoke bittorrent_peer_unknown
+##    bittorrent_peer_weird
+event bittorrent_peer_port%(c: connection, is_orig: bool, listen_port: port%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_weird
+event bittorrent_peer_unknown%(c: connection, is_orig: bool, message_id: count,
+				data: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown
+event bittorrent_peer_weird%(c: connection, is_orig: bool, msg: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_request%(c: connection, uri: string,
+				headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_response%(c: connection, status: count,
+					headers: bt_tracker_headers,
+					peers: bittorrent_peer_set,
+					benc: bittorrent_benc_dir%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_response_not_ok%(c: connection, status: count,
+					headers: bt_tracker_headers%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/BitTorrent_(protocol)>`__ for
+## more information about the BitTorrent protocol.
+##
+## .. bro:see:: bittorrent_peer_bitfield bittorrent_peer_cancel bittorrent_peer_choke
+##    bittorrent_peer_handshake bittorrent_peer_have bittorrent_peer_interested
+##    bittorrent_peer_keep_alive bittorrent_peer_not_interested bittorrent_peer_piece
+##    bittorrent_peer_port bittorrent_peer_request bittorrent_peer_unchoke
+##    bittorrent_peer_unknown bittorrent_peer_weird
+event bt_tracker_weird%(c: connection, is_orig: bool, msg: string%);
+

src/analyzer/protocols/conn-size/ConnSize.cc

@@ -6,7 +6,9 @@
 #include "ConnSize.h"
 #include "analyzer/protocols/tcp/TCP.h"
 
+#include "events.bif.h"
 
+using namespace analyzer::conn_size;
 
 ConnSize_Analyzer::ConnSize_Analyzer(Connection* c)
 : Analyzer("CONNSIZE", c)

src/analyzer/protocols/conn-size/ConnSize.h

@@ -7,6 +7,7 @@
 #include "analyzer/Analyzer.h"
 #include "NetVar.h"
 
+namespace analyzer { namespace conn_size {
 
 class ConnSize_Analyzer : public analyzer::Analyzer {
 public:
@@ -34,4 +35,6 @@ protected:
 	uint64_t resp_pkts;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/conn-size/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(ConnSize)
 	BRO_PLUGIN_DESCRIPTION("Connection size analyzer");
-	BRO_PLUGIN_ANALYZER("CONNSIZE", ConnSize_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("CONNSIZE", conn_size::ConnSize_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/dce-rpc/DCE_RPC.cc

@@ -13,6 +13,10 @@ using namespace std;
 
 #include "analyzer/Manager.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::dce_rpc;
+
 #define xbyte(b, n) (((const u_char*) (b))[n])
 
 #define extract_uint16(little_endian, bytes) \
@@ -27,7 +31,7 @@ static int uuid_index[] = {
 	12, 13, 14, 15
 };
 
-const char* uuid_to_string(const u_char* uuid_data)
+const char* analyzer::dce_rpc::uuid_to_string(const u_char* uuid_data)
 	{
 	static char s[1024];
 	char* sp = s;
@@ -443,7 +447,7 @@ void DCE_RPC_Session::DeliverEpmapperMapResponse(
 
 Contents_DCE_RPC_Analyzer::Contents_DCE_RPC_Analyzer(Connection* conn,
 		bool orig, DCE_RPC_Session* arg_session, bool speculative)
-: TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
+: tcp::TCP_SupportAnalyzer("CONTENTS_DCE_RPC", conn, orig)
 	{
 	session = arg_session;
 	msg_buf = 0;
@@ -475,10 +479,10 @@ Contents_DCE_RPC_Analyzer::~Contents_DCE_RPC_Analyzer()
 
 void Contents_DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	TCP_SupportAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 
-	TCP_Analyzer* tcp =
-		static_cast<TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	tcp::TCP_Analyzer* tcp =
+		static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
 
 	if ( tcp->HadGap(orig) || tcp->IsPartial() )
 		return;
@@ -567,7 +571,7 @@ bool Contents_DCE_RPC_Analyzer::ParseHeader()
 	}
 
 DCE_RPC_Analyzer::DCE_RPC_Analyzer(Connection* conn, bool arg_speculative)
-: TCP_ApplicationAnalyzer("DCE_RPC", conn)
+: tcp::TCP_ApplicationAnalyzer("DCE_RPC", conn)
 	{
 	session = new DCE_RPC_Session(this);
 	speculative = arg_speculative;

src/analyzer/protocols/dce-rpc/DCE_RPC.h

@@ -8,10 +8,14 @@
 
 #include "NetVar.h"
 #include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/dce-rpc/events.bif.h"
 #include "IPAddr.h"
 
 #include "dce_rpc_simple_pac.h"
 
+
+namespace analyzer { namespace dce_rpc {
+
 class UUID {
 public:
 	UUID();
@@ -145,7 +149,7 @@ protected:
 	} mapped;
 };
 
-class Contents_DCE_RPC_Analyzer : public TCP_SupportAnalyzer {
+class Contents_DCE_RPC_Analyzer : public tcp::TCP_SupportAnalyzer {
 public:
 	Contents_DCE_RPC_Analyzer(Connection* conn, bool orig, DCE_RPC_Session* session,
 		bool speculative);
@@ -169,7 +173,7 @@ protected:
 	DCE_RPC_Session* session;
 };
 
-class DCE_RPC_Analyzer : public TCP_ApplicationAnalyzer {
+class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	DCE_RPC_Analyzer(Connection* conn, bool speculative = false);
 	~DCE_RPC_Analyzer();
@@ -182,4 +186,6 @@ protected:
 	bool speculative;
 };
 
+} } // namespace analyzer::* 
+
 #endif /* dce_rpc_h */

src/analyzer/protocols/dce-rpc/Plugin.cc

@@ -5,7 +5,7 @@
 
 BRO_PLUGIN_BEGIN(DCE_RPC)
 	BRO_PLUGIN_DESCRIPTION("DCE-RPC Analyzer");
-	BRO_PLUGIN_ANALYZER("DCE_RPC", DCE_RPC_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("DCE_RPC", dce_rpc::DCE_RPC_Analyzer);
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DCE_RPC");
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/dce-rpc/dce_rpc.pac

@@ -1,6 +1,10 @@
 %include binpac.pac
 %include bro.pac
 
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer DCE_RPC withcontext {
 	connection: DCE_RPC_Conn;
 	flow: DCE_RPC_Flow;

src/analyzer/protocols/dce-rpc/dce_rpc_simple.pac

@@ -1,5 +1,9 @@
 %include bro.pac
 
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer DCE_RPC_Simple withcontext {};
 
 %include dce_rpc-protocol.pac

src/analyzer/protocols/dce-rpc/events.bif

@@ -0,0 +1,55 @@
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dce_rpc_message%(c: connection, is_orig: bool, ptype: dce_rpc_ptype, msg: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply  dce_rpc_message dce_rpc_request
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dce_rpc_bind%(c: connection, uuid: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dce_rpc_request%(c: connection, opnum: count, stub: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_request  rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dce_rpc_response%(c: connection, opnum: count, stub: string%);
+
+## TODO.
+##
+## .. bro:see:: rpc_call rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message
+##    dce_rpc_request dce_rpc_response rpc_timeout
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event epm_map_response%(c: connection, uuid: string, p: port, h: addr%);
+

src/analyzer/protocols/dhcp/DHCP.cc

@@ -1,6 +1,10 @@
 
 #include "DHCP.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::dhcp;
+
 DHCP_Analyzer::DHCP_Analyzer(Connection* conn)
 : Analyzer("DHCP", conn)
 	{

src/analyzer/protocols/dhcp/DHCP.h

@@ -5,6 +5,8 @@
 
 #include "dhcp_pac.h"
 
+namespace analyzer { namespace dhcp {
+
 class DHCP_Analyzer : public analyzer::Analyzer {
 public:
 	DHCP_Analyzer(Connection* conn);
@@ -21,4 +23,6 @@ protected:
 	binpac::DHCP::DHCP_Conn* interp;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/dhcp/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(DHCP)
 	BRO_PLUGIN_DESCRIPTION("DHCP Analyzer");
-	BRO_PLUGIN_ANALYZER("DHCP", DHCP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("DHCP", dhcp::DHCP_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/dhcp/dhcp.pac

@@ -1,5 +1,9 @@
 %include bro.pac
 
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer DHCP withcontext {
 	connection:	DHCP_Conn;
 	flow:		DHCP_Flow;

src/analyzer/protocols/dhcp/events.bif

@@ -0,0 +1,239 @@
+## Generated for DHCP messages of type *discover*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## req_addr: The specific address requested by the client.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr%);
+
+## Generated for DHCP messages of type *offer*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: TODO.
+##
+## mask: The subnet mask specified by the message.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+
+## Generated for DHCP messages of type *request*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## req_addr: The client address specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr%);
+
+## Generated for DHCP messages of type *decline*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_decline%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *acknowledgment*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## mask: The subnet mask specified by the message.
+##
+## router: The list of routers specified by the message.
+##
+## lease: The least interval specified by the message.
+##
+## serv_addr: The server address specified by the message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr%);
+
+## Generated for DHCP messages of type *negative acknowledgment*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_nak%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *release*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_release%(c: connection, msg: dhcp_msg%);
+
+## Generated for DHCP messages of type *inform*.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol>`__ for
+## more information about the DHCP protocol.
+##
+## c: The connection record describing the underlying UDP flow.
+##
+## msg: The parsed type-independent part of the DHCP message.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request
+##
+## .. note:: Bro does not support broadcast packets (as used by the DHCP
+##    protocol). It treats broadcast addresses just like any other and
+##    associates packets into transport-level flows in the same way as usual.
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event dhcp_inform%(c: connection, msg: dhcp_msg%);
+

src/analyzer/protocols/dns/DNS.cc

@@ -12,6 +12,10 @@
 #include "Sessions.h"
 #include "Event.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::dns;
+
 DNS_Interpreter::DNS_Interpreter(analyzer::Analyzer* arg_analyzer)
 	{
 	analyzer = arg_analyzer;
@@ -993,7 +997,7 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 
 Contents_DNS::Contents_DNS(Connection* conn, bool orig,
 				DNS_Interpreter* arg_interp)
-: TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
+: tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)
 	{
 	interp = arg_interp;
 
@@ -1080,7 +1084,7 @@ void Contents_DNS::DeliverStream(int len, const u_char* data, bool orig)
 	}
 
 DNS_Analyzer::DNS_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("DNS", conn)
+: tcp::TCP_ApplicationAnalyzer("DNS", conn)
 	{
 	interp = new DNS_Interpreter(this);
 	contents_dns_orig = contents_dns_resp = 0;
@@ -1112,7 +1116,7 @@ void DNS_Analyzer::Init()
 
 void DNS_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( Conn()->ConnTransport() == TRANSPORT_UDP && ! did_session_done )
 		Event(udp_session_done);
@@ -1123,7 +1127,7 @@ void DNS_Analyzer::Done()
 void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 					int seq, const IP_Hdr* ip, int caplen)
 	{
-	TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
 
 	if ( orig )
 		{
@@ -1141,10 +1145,10 @@ void DNS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 	}
 
 
-void DNS_Analyzer::ConnectionClosed(TCP_Endpoint* endpoint, TCP_Endpoint* peer,
+void DNS_Analyzer::ConnectionClosed(tcp::TCP_Endpoint* endpoint, tcp::TCP_Endpoint* peer,
 					int gen_event)
 	{
-	TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
+	tcp::TCP_ApplicationAnalyzer::ConnectionClosed(endpoint, peer, gen_event);
 
 	assert(contents_dns_orig && contents_dns_resp);
 	contents_dns_orig->Flush();

src/analyzer/protocols/dns/DNS.h

@@ -6,6 +6,8 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "binpac_bro.h"
 
+namespace analyzer { namespace dns {
+
 typedef enum {
 	DNS_OP_QUERY = 0,		///< standard query
 	DNS_OP_IQUERY = 1,		///< reverse query
@@ -229,7 +231,7 @@ typedef enum {
 
 // Support analyzer which chunks the TCP stream into "packets".
 // ### This should be merged with TCP_Contents_RPC.
-class Contents_DNS : public TCP_SupportAnalyzer {
+class Contents_DNS : public tcp::TCP_SupportAnalyzer {
 public:
 	Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp);
 	~Contents_DNS();
@@ -251,7 +253,7 @@ protected:
 };
 
 // Works for both TCP and UDP.
-class DNS_Analyzer : public TCP_ApplicationAnalyzer {
+class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	DNS_Analyzer(Connection* conn);
 	~DNS_Analyzer();
@@ -261,8 +263,8 @@ public:
 
 	virtual void Init();
 	virtual void Done();
-	virtual void ConnectionClosed(TCP_Endpoint* endpoint,
-					TCP_Endpoint* peer, int gen_event);
+	virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
+					tcp::TCP_Endpoint* peer, int gen_event);
 
 	void ExpireTimer(double t);
 
@@ -279,4 +281,6 @@ protected:
 // FIXME: Doesn't really fit into new analyzer structure. What to do?
 int IsReuse(double t, const u_char* pkt);
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/dns/Plugin.cc

@@ -5,7 +5,7 @@
 
 BRO_PLUGIN_BEGIN(DNS)
 	BRO_PLUGIN_DESCRIPTION("DNS Analyzer");
-	BRO_PLUGIN_ANALYZER("DNS", DNS_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("DNS", dns::DNS_Analyzer);
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_DNS");
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/dns/events.bif

@@ -0,0 +1,482 @@
+## Generated for all DNS messages.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## is_orig:  True if the message was sent by the originator of the connection.
+##
+## msg: The parsed DNS message header.
+##
+## len: The length of the message's raw representation (i.e., the DNS payload).
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
+##    dns_request non_dns_request  dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
+
+## Generated for DNS requests. For requests with multiple queries, this event
+## is raised once for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
+
+## Generated for DNS replies that reject a query. This event is raised if a DNS
+## reply either indicates failure via its status code or does not pass on any
+## answers to a query. Note that all of the event's parameters are parsed out of
+## the reply; there's no stateful correlation with the query.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count%);
+
+## Generated for DNS replies with an *ok* status code but no question section.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
+##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_query_reply%(c: connection, msg: dns_msg, query: string,
+			qtype: count, qclass: count%);
+
+## Generated for DNS replies of type *A*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## a: The address returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
+##    dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
+
+## Generated for DNS replies of type *AAAA*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## a: The address returned by the reply.
+##
+## .. bro:see::  dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
+
+## Generated for DNS replies of type *A6*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## a: The address returned by the reply.
+##
+## .. bro:see::  dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
+
+## Generated for DNS replies of type *NS*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
+
+## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
+
+## Generated for DNS replies of type *PTR*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%);
+
+## Generated for DNS replies of type *CNAME*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## soa: The parsed SOA value.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%);
+
+## Generated for DNS replies of type *WKS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply  dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *HINFO*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *MX*. For replies with multiple answers, an
+## individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## name: The name returned by the reply.
+##
+## preference: The preference for *name* specified by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string, preference: count%);
+
+## Generated for DNS replies of type *TXT*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## str: The textual information returned by the reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, str: string%);
+
+## Generated for DNS replies of type *SRV*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
+
+## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed EDNS reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
+##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
+##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
+##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
+##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
+
+## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed TSIG reply.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply  dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
+
+## Generated at the end of processing a DNS packet. This event is the last
+## ``dns_*`` event that will be raised for a DNS query/reply and signals that
+## all resource records have been passed on.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_end%(c: connection, msg: dns_msg%);
+
+## Deprecated. Will be removed.
+##
+## .. todo:: Unclear what this event is for; it's never raised. We should just
+##    remove it.
+event dns_full_request%(%);
+
+## msg: The raw DNS payload.
+##
+## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+##    detection framework.
+event non_dns_request%(c: connection, msg: string%);

src/analyzer/protocols/file/File.cc

@@ -4,11 +4,15 @@
 #include "Reporter.h"
 #include "util.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::file;
+
 magic_t File_Analyzer::magic = 0;
 magic_t File_Analyzer::magic_mime = 0;
 
 File_Analyzer::File_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FILE", conn)
+: tcp::TCP_ApplicationAnalyzer("FILE", conn)
 	{
 	buffer_len = 0;
 
@@ -18,7 +22,7 @@ File_Analyzer::File_Analyzer(Connection* conn)
 
 void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	int n = min(len, BUFFER_SIZE - buffer_len);
 
@@ -35,7 +39,7 @@ void File_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 void File_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( buffer_len && buffer_len != BUFFER_SIZE )
 		Identify();

src/analyzer/protocols/file/File.h

@@ -7,7 +7,9 @@
 
 #include <magic.h>
 
-class File_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace file {
+
+class File_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	File_Analyzer(Connection* conn);
 
@@ -29,4 +31,6 @@ protected:
 	static magic_t magic_mime;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/file/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(File)
 	BRO_PLUGIN_DESCRIPTION("Generic File Analyzer");
-	BRO_PLUGIN_ANALYZER("File", File_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("File", file::File_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/file/events.bif

@@ -0,0 +1,3 @@
+## TODO.
+##
+event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);

src/analyzer/protocols/finger/Finger.cc

@@ -9,25 +9,29 @@
 #include "Event.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::finger;
+
 Finger_Analyzer::Finger_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FINGER", conn)
+: tcp::TCP_ApplicationAnalyzer("FINGER", conn)
 	{
 	did_deliver = 0;
-	content_line_orig = new ContentLine_Analyzer(conn, true);
+	content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
 	content_line_orig->SetIsNULSensitive(true);
-	content_line_resp = new ContentLine_Analyzer(conn, false);
+	content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
 	AddSupportAnalyzer(content_line_orig);
 	AddSupportAnalyzer(content_line_resp);
 	}
 
 void Finger_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( TCP() )
 		if ( (! did_deliver || content_line_orig->HasPartialLine()) &&
-		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
-		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) )
+		     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+		      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
 			// ### should include the partial text
 			Weird("partial_finger_request");
 	}

src/analyzer/protocols/finger/Finger.h

@@ -4,10 +4,11 @@
 #define finger_h
 
 #include "analyzer/protocols/tcp/TCP.h"
+#include "analyzer/protocols/tcp/ContentLine.h"
 
-class ContentLine_Analyzer;
+namespace analyzer { namespace finger {
 
-class Finger_Analyzer : public TCP_ApplicationAnalyzer {
+class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	Finger_Analyzer(Connection* conn);
 	virtual ~Finger_Analyzer()	{}
@@ -20,9 +21,11 @@ public:
 		{ return new Finger_Analyzer(conn); }
 
 protected:
-	ContentLine_Analyzer* content_line_orig;
-	ContentLine_Analyzer* content_line_resp;
+	tcp::ContentLine_Analyzer* content_line_orig;
+	tcp::ContentLine_Analyzer* content_line_resp;
 	int did_deliver;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/finger/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(Finger)
 	BRO_PLUGIN_DESCRIPTION("Finger Analyzer");
-	BRO_PLUGIN_ANALYZER("FINGER", Finger_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("FINGER", finger::Finger_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/finger/events.bif

@@ -0,0 +1,38 @@
+## Generated for Finger requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## full: True if verbose information is requested (``/W`` switch).
+##
+## username: The request's user name.
+##
+## hostname: The request's host name.
+##
+## .. bro:see:: finger_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event finger_request%(c: connection, full: bool, username: string, hostname: string%);
+
+## Generated for Finger replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Finger_protocol>`__ for more
+## information about the Finger protocol.
+##
+## c: The connection.
+##
+## reply_line: The reply as returned by the server
+##
+## .. bro:see:: finger_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event finger_reply%(c: connection, reply_line: string%);
+

src/analyzer/protocols/ftp/FTP.cc

@@ -11,18 +11,22 @@
 #include "analyzer/Manager.h"
 #include "analyzer/protocols/login/NVT.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::ftp;
+
 FTP_Analyzer::FTP_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("FTP", conn)
+: tcp::TCP_ApplicationAnalyzer("FTP", conn)
 	{
 	pending_reply = 0;
 
-	nvt_orig = new NVT_Analyzer(conn, true);
+	nvt_orig = new login::NVT_Analyzer(conn, true);
 	nvt_orig->SetIsNULSensitive(true);
 	nvt_orig->SetIsNULSensitive(true);
 	nvt_orig->SetCRLFAsEOL(LF_as_EOL);
 	nvt_orig->SetIsNULSensitive(LF_as_EOL);
 
-	nvt_resp = new NVT_Analyzer(conn, false);
+	nvt_resp = new login::NVT_Analyzer(conn, false);
 	nvt_resp->SetIsNULSensitive(true);
 	nvt_resp->SetIsNULSensitive(true);
 	nvt_resp->SetCRLFAsEOL(LF_as_EOL);
@@ -37,11 +41,11 @@ FTP_Analyzer::FTP_Analyzer(Connection* conn)
 
 void FTP_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( nvt_orig->HasPartialLine() &&
-	     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
-	      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) )
+	     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+	      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) )
 		// ### should include the partial text
 		Weird("partial_ftp_request");
 	}
@@ -56,7 +60,7 @@ static uint32 get_reply_code(int len, const char* line)
 
 void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
 
 	if ( (orig && ! ftp_request) || (! orig && ! ftp_reply) )
 		return;

src/analyzer/protocols/ftp/FTP.h

@@ -6,7 +6,9 @@
 #include "analyzer/protocols/login/NVT.h"
 #include "analyzer/protocols/tcp/TCP.h"
 
-class FTP_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace ftp {
+
+class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	FTP_Analyzer(Connection* conn);
 
@@ -19,8 +21,8 @@ public:
 		}
 
 protected:
-	NVT_Analyzer* nvt_orig;
-	NVT_Analyzer* nvt_resp;
+	login::NVT_Analyzer* nvt_orig;
+	login::NVT_Analyzer* nvt_resp;
 	uint32 pending_reply;	// code associated with multi-line reply, or 0
 	string auth_requested;	// AUTH method requested
 };
@@ -47,4 +49,6 @@ protected:
 	bool first_token;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/ftp/Plugin.cc

@@ -5,7 +5,7 @@
 
 BRO_PLUGIN_BEGIN(FTP)
 	BRO_PLUGIN_DESCRIPTION("FTP Analyzer");
-	BRO_PLUGIN_ANALYZER("FTP", FTP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("FTP", ftp::FTP_Analyzer);
 	BRO_PLUGIN_SUPPORT_ANALYZER("FTP_ADAT");
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/ftp/events.bif

@@ -0,0 +1,35 @@
+## Generated for client-side FTP commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## command: The FTP command issued by the client (without any arguments).
+##
+## arg: The arguments going with the command.
+##
+## .. bro:see:: ftp_reply fmt_ftp_port parse_eftp_port
+##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_request%(c: connection, command: string, arg: string%);
+
+## Generated for server-side FTP replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/File_Transfer_Protocol>`__ for
+## more information about the FTP protocol.
+##
+## c: The connection.
+##
+## code: The numerical response code the server responded with.
+##
+## msg:  The textual message of the response.
+##
+## cont_resp: True if the reply line is tagged as being continued to the next
+##            line. If so, further events will be raised and a handler may want
+##            to reassemble the pieces before processing the response any
+##            further.
+##
+## .. bro:see:: ftp_request fmt_ftp_port parse_eftp_port
+##    parse_ftp_epsv parse_ftp_pasv parse_ftp_port
+event ftp_reply%(c: connection, code: count, msg: string, cont_resp: bool%);
+

src/analyzer/protocols/gnutella/Gnutella.cc

@@ -12,6 +12,10 @@
 #include "analyzer/protocols/pia/PIA.h"
 #include "analyzer/Manager.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::gnutella;
+
 GnutellaMsgState::GnutellaMsgState()
 	{
 	buffer = "";
@@ -30,7 +34,7 @@ GnutellaMsgState::GnutellaMsgState()
 
 
 Gnutella_Analyzer::Gnutella_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("GNUTELLA", conn)
+: tcp::TCP_ApplicationAnalyzer("GNUTELLA", conn)
 	{
 	state = 0;
 	new_state = 0;
@@ -50,7 +54,7 @@ Gnutella_Analyzer::~Gnutella_Analyzer()
 
 void Gnutella_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
@@ -138,9 +142,9 @@ int Gnutella_Analyzer::IsHTTP(string header)
 		if ( Parent()->IsAnalyzer("TCP") )
 			{
 			// Replay buffered data.
-			PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
+			pia::PIA* pia = static_cast<analyzer::TransportLayerAnalyzer *>(Parent())->GetPIA();
 			if ( pia )
-				static_cast<PIA_TCP *>(pia)->ReplayStreamBuffer(a);
+				static_cast<pia::PIA_TCP *>(pia)->ReplayStreamBuffer(a);
 			}
 
 		Parent()->RemoveChildAnalyzer(this);
@@ -328,7 +332,7 @@ void Gnutella_Analyzer::DeliverMessages(int len, const u_char* data, bool orig)
 
 void Gnutella_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
 
 	ms = orig ? orig_msg_state : resp_msg_state;
 	ms->current_offset = 0;

src/analyzer/protocols/gnutella/Gnutella.h

@@ -11,6 +11,8 @@
 #define GNUTELLA_MSG_SIZE     23
 #define GNUTELLA_MAX_PAYLOAD  1024
 
+namespace analyzer { namespace gnutella {
+
 class GnutellaMsgState {
 public:
 	GnutellaMsgState ();
@@ -32,7 +34,7 @@ public:
 };
 
 
-class Gnutella_Analyzer : public TCP_ApplicationAnalyzer {
+class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	Gnutella_Analyzer(Connection* conn);
 	~Gnutella_Analyzer();
@@ -67,4 +69,6 @@ private:
 	GnutellaMsgState* ms;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/gnutella/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(Gnutella)
 	BRO_PLUGIN_DESCRIPTION("Gnutella Analyzer");
-	BRO_PLUGIN_ANALYZER("GNUTELLA", Gnutella_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("GNUTELLA", gnutella::Gnutella_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/gnutella/events.bif

@@ -0,0 +1,88 @@
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see::  gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
+##
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
+				ttl: count, hops: count, msg_len: count,
+				payload: string, payload_len: count,
+				trunc: bool, complete: bool%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_partial_binary_msg%(c: connection, orig: bool,
+					msg: string, len: count%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_not_establish%(c: connection%);
+
+## TODO.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Gnutella>`__ for more
+## information about the Gnutella protocol.
+##
+## .. bro:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
+##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event gnutella_http_notify%(c: connection%);

src/analyzer/protocols/gtpv1/GTPv1.cc

@@ -1,5 +1,11 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
 #include "GTPv1.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::gtpv1;
+
 GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
 : Analyzer("GTPV1", conn)
 	{

src/analyzer/protocols/gtpv1/GTPv1.h

@@ -3,6 +3,8 @@
 
 #include "gtpv1_pac.h"
 
+namespace analyzer { namespace gtpv1 {
+
 class GTPv1_Analyzer : public analyzer::Analyzer {
 public:
 	GTPv1_Analyzer(Connection* conn);
@@ -21,4 +23,6 @@ protected:
 	binpac::GTPv1::GTPv1_Conn* interp;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/gtpv1/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(GTPV1)
 	BRO_PLUGIN_DESCRIPTION("GTPv1 Analyzer");
-	BRO_PLUGIN_ANALYZER("GTPV1", GTPv1_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("GTPV1", gtpv1::GTPv1_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/gtpv1/events.bif

@@ -0,0 +1,74 @@
+## Generated for any GTP message with a GTPv1 header.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
+
+## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
+## Generated for GTPv1-C Create PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Create PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Update PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Update PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
+

src/analyzer/protocols/gtpv1/gtpv1.pac

@@ -1,6 +1,10 @@
 %include binpac.pac
 %include bro.pac
 
+%extern{
+#include "events.bif.h"
+%}
+
 analyzer GTPv1 withcontext {
 	connection:	GTPv1_Conn;
 	flow:		GTPv1_Flow;

src/analyzer/protocols/http/HTTP.cc

@@ -11,7 +11,11 @@
 #include "NetVar.h"
 #include "HTTP.h"
 #include "Event.h"
-#include "MIME.h"
+#include "analyzer/protocols/mime/MIME.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::http;
 
 const bool DEBUG_http = false;
 
@@ -77,7 +81,7 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
 	if ( end_of_data )
 		{
 		// Multipart entities may have trailers
-		if ( content_type != CONTENT_TYPE_MULTIPART )
+		if ( content_type != mime::CONTENT_TYPE_MULTIPART )
 			IllegalFormat("data trailing the end of entity");
 		return;
 		}
@@ -93,8 +97,8 @@ void HTTP_Entity::Deliver(int len, const char* data, int trailing_CRLF)
 		}
 
 	// Entity body.
-	if ( content_type == CONTENT_TYPE_MULTIPART ||
-	     content_type == CONTENT_TYPE_MESSAGE )
+	if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
+	     content_type == mime::CONTENT_TYPE_MESSAGE )
 		DeliverBody(len, data, trailing_CRLF);
 
 	else if ( chunked_transfer_state != NON_CHUNKED_TRANSFER )
@@ -177,14 +181,14 @@ void HTTP_Entity::DeliverBody(int len, const char* data, int trailing_CRLF)
 	{
 	if ( encoding == GZIP || encoding == DEFLATE )
 		{
-		ZIP_Analyzer::Method method =
+		zip::ZIP_Analyzer::Method method =
 			encoding == GZIP ?
-				ZIP_Analyzer::GZIP : ZIP_Analyzer::DEFLATE;
+				zip::ZIP_Analyzer::GZIP : zip::ZIP_Analyzer::DEFLATE;
 
 		if ( ! zip )
 			{
 			// We don't care about the direction here.
-			zip = new ZIP_Analyzer(
+			zip = new zip::ZIP_Analyzer(
 				http_message->MyHTTP_Analyzer()->Conn(),
 						false, method);
 			zip->SetOutputHandler(new UncompressedOutput(this));
@@ -291,12 +295,12 @@ void HTTP_Entity::SetPlainDelivery(int64_t length)
 	// expect_data_length.
 	}
 
-void HTTP_Entity::SubmitHeader(MIME_Header* h)
+void HTTP_Entity::SubmitHeader(mime::MIME_Header* h)
 	{
-	if ( strcasecmp_n(h->get_name(), "content-length") == 0 )
+	if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 )
 		{
 		data_chunk_t vt = h->get_value_token();
-		if ( ! is_null_data_chunk(vt) )
+		if ( ! mime::is_null_data_chunk(vt) )
 			{
 			int64_t n;
 			if ( atoi_n(vt.length, vt.data, 0, 10, n) )
@@ -308,8 +312,8 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
 
 	// Figure out content-length for HTTP 206 Partial Content response
 	// that uses multipart/byteranges content-type.
-	else if ( strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() &&
-	          Parent()->MIMEContentType() == CONTENT_TYPE_MULTIPART &&
+	else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && Parent() &&
+	          Parent()->MIMEContentType() == mime::CONTENT_TYPE_MULTIPART &&
 		      http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 )
 		{
 		data_chunk_t vt = h->get_value_token();
@@ -367,19 +371,19 @@ void HTTP_Entity::SubmitHeader(MIME_Header* h)
 			}
 		}
 
-	else if ( strcasecmp_n(h->get_name(), "transfer-encoding") == 0 )
+	else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 )
 		{
 		data_chunk_t vt = h->get_value_token();
-		if ( strcasecmp_n(vt, "chunked") == 0 )
+		if ( mime::strcasecmp_n(vt, "chunked") == 0 )
 			chunked_transfer_state = BEFORE_CHUNK;
 		}
 
-	else if ( strcasecmp_n(h->get_name(), "content-encoding") == 0 )
+	else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 )
 		{
 		data_chunk_t vt = h->get_value_token();
-		if ( strcasecmp_n(vt, "gzip") == 0 )
+		if ( mime::strcasecmp_n(vt, "gzip") == 0 )
 			encoding = GZIP;
-		if ( strcasecmp_n(vt, "deflate") == 0 )
+		if ( mime::strcasecmp_n(vt, "deflate") == 0 )
 			encoding = DEFLATE;
 		}
 
@@ -413,8 +417,8 @@ void HTTP_Entity::SubmitAllHeaders()
 		return;
 		}
 
-	if ( content_type == CONTENT_TYPE_MULTIPART ||
-	     content_type == CONTENT_TYPE_MESSAGE )
+	if ( content_type == mime::CONTENT_TYPE_MULTIPART ||
+	     content_type == mime::CONTENT_TYPE_MESSAGE )
 		{
 		// Do nothing.
 		// Make sure that we check for multiple/message contents first,
@@ -463,7 +467,7 @@ void HTTP_Entity::SubmitAllHeaders()
 	}
 
 HTTP_Message::HTTP_Message(HTTP_Analyzer* arg_analyzer,
-				ContentLine_Analyzer* arg_cl, bool arg_is_orig,
+				tcp::ContentLine_Analyzer* arg_cl, bool arg_is_orig,
 				int expect_body, int64_t init_header_length)
 : MIME_Message (arg_analyzer)
 	{
@@ -546,7 +550,7 @@ int HTTP_Message::Undelivered(int64_t len)
 	return 0;
 	}
 
-void HTTP_Message::BeginEntity(MIME_Entity* entity)
+void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 	{
 	if ( DEBUG_http )
 		DEBUG_MSG("%.6f: begin entity (%d)\n", network_time, is_orig);
@@ -562,7 +566,7 @@ void HTTP_Message::BeginEntity(MIME_Entity* entity)
 		}
 	}
 
-void HTTP_Message::EndEntity(MIME_Entity* entity)
+void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	{
 	if ( DEBUG_http )
 		DEBUG_MSG("%.6f: end entity (%d)\n", network_time, is_orig);
@@ -588,12 +592,12 @@ void HTTP_Message::EndEntity(MIME_Entity* entity)
 		Done();
 	}
 
-void HTTP_Message::SubmitHeader(MIME_Header* h)
+void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
 	{
 	MyHTTP_Analyzer()->HTTP_Header(is_orig, h);
 	}
 
-void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist)
+void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
 		{
@@ -620,7 +624,7 @@ void HTTP_Message::SubmitAllHeaders(MIME_HeaderList& hlist)
 		}
 	}
 
-void HTTP_Message::SubmitTrailingHeaders(MIME_HeaderList& /* hlist */)
+void HTTP_Message::SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */)
 	{
 	// Do nothing for now.
 	}
@@ -664,15 +668,15 @@ void HTTP_Message::SubmitEvent(int event_type, const char* detail)
 	const char* category = "";
 
 	switch ( event_type ) {
-	case MIME_EVENT_ILLEGAL_FORMAT:
+	case mime::MIME_EVENT_ILLEGAL_FORMAT:
 		category = "illegal format";
 		break;
 
-	case MIME_EVENT_ILLEGAL_ENCODING:
+	case mime::MIME_EVENT_ILLEGAL_ENCODING:
 		category = "illegal encoding";
 		break;
 
-	case MIME_EVENT_CONTENT_GAP:
+	case mime::MIME_EVENT_CONTENT_GAP:
 		category = "content gap";
 		break;
 
@@ -787,7 +791,7 @@ void HTTP_Message::Weird(const char* msg)
 	}
 
 HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("HTTP", conn)
+: tcp::TCP_ApplicationAnalyzer("HTTP", conn)
 	{
 	num_requests = num_replies = 0;
 	num_request_lines = num_reply_lines = 0;
@@ -807,10 +811,10 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn)
 	reply_code = 0;
 	reply_reason_phrase = 0;
 
-	content_line_orig = new ContentLine_Analyzer(conn, true);
+	content_line_orig = new tcp::ContentLine_Analyzer(conn, true);
 	AddSupportAnalyzer(content_line_orig);
 
-	content_line_resp = new ContentLine_Analyzer(conn, false);
+	content_line_resp = new tcp::ContentLine_Analyzer(conn, false);
 	content_line_resp->SetSkipPartial(true);
 	AddSupportAnalyzer(content_line_resp);
 	}
@@ -828,7 +832,7 @@ void HTTP_Analyzer::Done()
 	if ( IsFinished() )
 		return;
 
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	RequestMade(1, "message interrupted when connection done");
 	ReplyMade(1, "message interrupted when connection done");
@@ -850,7 +854,7 @@ void HTTP_Analyzer::Done()
 
 void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 
 	if ( TCP() && TCP()->IsPartial() )
 		return;
@@ -858,7 +862,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	const char* line = reinterpret_cast<const char*>(data);
 	const char* end_of_line = line + len;
 
-	ContentLine_Analyzer* content_line =
+	tcp::ContentLine_Analyzer* content_line =
 		is_orig ? content_line_orig : content_line_resp;
 
 	if ( content_line->IsPlainDelivery() )
@@ -907,7 +911,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 				{
 				if ( ! RequestExpected() )
 					HTTP_Event("crud_trailing_HTTP_request",
-						   new_string_val(line, end_of_line));
+						   mime::new_string_val(line, end_of_line));
 				else
 					{
 					// We do see HTTP requests with a
@@ -986,20 +990,20 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 
 void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
+	tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, is_orig);
 
 	// DEBUG_MSG("Undelivered from %d: %d bytes\n", seq, length);
 
 	HTTP_Message* msg =
 		is_orig ? request_message : reply_message;
 
-	ContentLine_Analyzer* content_line =
+	tcp::ContentLine_Analyzer* content_line =
 		is_orig ? content_line_orig : content_line_resp;
 
 	if ( ! content_line->IsSkippedContents(seq, len) )
 		{
 		if ( msg )
-			msg->SubmitEvent(MIME_EVENT_CONTENT_GAP,
+			msg->SubmitEvent(mime::MIME_EVENT_CONTENT_GAP,
 				fmt("seq=%d, len=%d", seq, len));
 		}
 
@@ -1030,7 +1034,7 @@ void HTTP_Analyzer::Undelivered(int seq, int len, bool is_orig)
 
 void HTTP_Analyzer::EndpointEOF(bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
 
 	// DEBUG_MSG("%.6f eof\n", network_time);
 
@@ -1042,7 +1046,7 @@ void HTTP_Analyzer::EndpointEOF(bool is_orig)
 
 void HTTP_Analyzer::ConnectionFinished(int half_finished)
 	{
-	TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
+	tcp::TCP_ApplicationAnalyzer::ConnectionFinished(half_finished);
 
 	// DEBUG_MSG("%.6f connection finished\n", network_time);
 	RequestMade(1, "message ends as connection is finished");
@@ -1051,7 +1055,7 @@ void HTTP_Analyzer::ConnectionFinished(int half_finished)
 
 void HTTP_Analyzer::ConnectionReset()
 	{
-	TCP_ApplicationAnalyzer::ConnectionReset();
+	tcp::TCP_ApplicationAnalyzer::ConnectionReset();
 
 	RequestMade(1, "message interrupted by RST");
 	ReplyMade(1, "message interrupted by RST");
@@ -1059,7 +1063,7 @@ void HTTP_Analyzer::ConnectionReset()
 
 void HTTP_Analyzer::PacketWithRST()
 	{
-	TCP_ApplicationAnalyzer::PacketWithRST();
+	tcp::TCP_ApplicationAnalyzer::PacketWithRST();
 
 	RequestMade(1, "message interrupted by RST");
 	ReplyMade(1, "message interrupted by RST");
@@ -1203,10 +1207,10 @@ int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)
 			version_end = version_start + 3;
 			if ( skip_whitespace(version_end, end_of_line) != end_of_line )
 				HTTP_Event("crud after HTTP version is ignored",
-					   new_string_val(line, end_of_line));
+					   mime::new_string_val(line, end_of_line));
 			}
 		else
-			HTTP_Event("bad_HTTP_version", new_string_val(line, end_of_line));
+			HTTP_Event("bad_HTTP_version", mime::new_string_val(line, end_of_line));
 		}
 
 	// NormalizeURI(line, end_of_uri);
@@ -1230,7 +1234,7 @@ double HTTP_Analyzer::HTTP_Version(int len, const char* data)
 		}
 	else
 		{
-	        HTTP_Event("bad_HTTP_version", new_string_val(len, data));
+	        HTTP_Event("bad_HTTP_version", mime::new_string_val(len, data));
 		return 0;
 		}
 	}
@@ -1409,20 +1413,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
 		// ##TODO: some server replies with an HTML document
 		// without a status line and a MIME header, when the
 		// request is malformed.
-		HTTP_Event("bad_HTTP_reply", new_string_val(line, end_of_line));
+		HTTP_Event("bad_HTTP_reply", mime::new_string_val(line, end_of_line));
 		return 0;
 		}
 
 	SetVersion(reply_version, HTTP_Version(end_of_line - rest, rest));
 
 	for ( ; rest < end_of_line; ++rest )
-		if ( is_lws(*rest) )
+		if ( mime::is_lws(*rest) )
 			break;
 
 	if ( rest >= end_of_line )
 		{
 		HTTP_Event("HTTP_reply_code_missing",
-				new_string_val(line, end_of_line));
+				mime::new_string_val(line, end_of_line));
 		return 0;
 		}
 
@@ -1431,20 +1435,20 @@ int HTTP_Analyzer::HTTP_ReplyLine(const char* line, const char* end_of_line)
 	if ( rest + 3 > end_of_line )
 		{
 		HTTP_Event("HTTP_reply_code_missing",
-			new_string_val(line, end_of_line));
+			mime::new_string_val(line, end_of_line));
 		return 0;
 		}
 
 	reply_code = HTTP_ReplyCode(rest);
 
 	for ( rest += 3; rest < end_of_line; ++rest )
-		if ( is_lws(*rest) )
+		if ( mime::is_lws(*rest) )
 			break;
 
 	if ( rest >= end_of_line )
 		{
 		HTTP_Event("HTTP_reply_reason_phrase_missing",
-			new_string_val(line, end_of_line));
+			mime::new_string_val(line, end_of_line));
 		// Tolerate missing reason phrase?
 		return 1;
 		}
@@ -1491,7 +1495,7 @@ int HTTP_Analyzer::ExpectReplyMessageBody()
 	return HTTP_BODY_EXPECTED;
 	}
 
-void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
+void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 	{
 #if 0
 	// ### Only call ParseVersion if we're tracking versions:
@@ -1508,16 +1512,16 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
 	// side, and if seen assume the connection to be persistent.
 	// This seems fairly safe - at worst, the client does indeed
 	// send additional requests, and the server ignores them.
-	if ( is_orig && strcasecmp_n(h->get_name(), "connection") == 0 )
+	if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 )
 		{
-		if ( strcasecmp_n(h->get_value_token(), "keep-alive") == 0 )
+		if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 )
 			keep_alive = 1;
 		}
 
 	if ( ! is_orig &&
-	     strcasecmp_n(h->get_name(), "connection") == 0 )
+	     mime::strcasecmp_n(h->get_name(), "connection") == 0 )
 	        {
-		if ( strcasecmp_n(h->get_value_token(), "close") == 0 )
+		if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 )
 		        connection_close = 1;
 		}
 
@@ -1540,8 +1544,8 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, MIME_Header* h)
 		val_list* vl = new val_list();
 		vl->append(BuildConnVal());
 		vl->append(new Val(is_orig, TYPE_BOOL));
-		vl->append(new_string_val(h->get_name())->ToUpper());
-		vl->append(new_string_val(h->get_value()));
+		vl->append(mime::new_string_val(h->get_name())->ToUpper());
+		vl->append(mime::new_string_val(h->get_value()));
 		if ( DEBUG_http )
 			DEBUG_MSG("%.6f http_header\n", network_time);
 		ConnectionEvent(http_header, vl);
@@ -1570,7 +1574,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 	while ( len > 0 )
 		{
 		// Skip white space.
-		while ( len && is_lws(*data) )
+		while ( len && mime::is_lws(*data) )
 			{
 			++data;
 			--len;
@@ -1583,7 +1587,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 			// Find end of comment.
 			const char* data_start = data;
 			const char* eoc =
-				data + MIME_skip_lws_comments(len, data);
+				data + mime::MIME_skip_lws_comments(len, data);
 
 			// Split into parts.
 			// (This may get confused by nested comments,
@@ -1593,7 +1597,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 			while ( 1 )
 				{
 				// Eat spaces.
-				while ( data < eoc && is_lws(*data) )
+				while ( data < eoc && mime::is_lws(*data) )
 					++data;
 
 				// Find end of token.
@@ -1606,7 +1610,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 					break;
 
 				// Delete spaces at end of token.
-				for ( ; eot > data && is_lws(*(eot-1)); --eot )
+				for ( ; eot > data && mime::is_lws(*(eot-1)); --eot )
 					;
 
 				if ( data != eot && software_version_found )
@@ -1619,7 +1623,7 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 			continue;
 			}
 
-		offset = MIME_get_slash_token_pair(len, data,
+		offset = mime::MIME_get_slash_token_pair(len, data,
 						&product, &product_version);
 		if ( offset < 0 )
 			{
@@ -1627,10 +1631,10 @@ void HTTP_Analyzer::ParseVersion(data_chunk_t ver, const IPAddr& host,
 			// so we do not complain in the final version
 			if ( num_version == 0 )
 				HTTP_Event("bad_HTTP_version",
-						new_string_val(len, data));
+						mime::new_string_val(len, data));
 
 			// Try to simply skip next token.
-			offset = MIME_get_token(len, data, &product);
+			offset = mime::MIME_get_token(len, data, &product);
 			if ( offset < 0 )
 				break;
 
@@ -1694,7 +1698,7 @@ void HTTP_Analyzer::HTTP_MessageDone(int is_orig, HTTP_Message* /* message */)
 		ReplyMade(0, "message ends normally");
 	}
 
-void HTTP_Analyzer::InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message,
+void HTTP_Analyzer::InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message,
 		bool is_orig, int expect_body, int64_t init_header_length)
 	{
 	if ( message )
@@ -1718,24 +1722,24 @@ void HTTP_Analyzer::SkipEntityData(int is_orig)
 		msg->SkipEntityData();
 	}
 
-int is_reserved_URI_char(unsigned char ch)
+int analyzer::http::is_reserved_URI_char(unsigned char ch)
 	{ // see RFC 2396 (definition of URI)
 	return strchr(";/?:@&=+$,", ch) != 0;
 	}
 
-int is_unreserved_URI_char(unsigned char ch)
+int analyzer::http::is_unreserved_URI_char(unsigned char ch)
 	{ // see RFC 2396 (definition of URI)
 	return isalnum(ch) || strchr("-_.!~*\'()", ch) != 0;
 	}
 
-void escape_URI_char(unsigned char ch, unsigned char*& p)
+void analyzer::http::escape_URI_char(unsigned char ch, unsigned char*& p)
 	{
 	*p++ = '%';
 	*p++ = encode_hex((ch >> 4) & 0xf);
 	*p++ = encode_hex(ch & 0xf);
 	}
 
-BroString* unescape_URI(const u_char* line, const u_char* line_end,
+BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_end,
 			analyzer::Analyzer* analyzer)
 	{
 	byte_vec decoded_URI = new u_char[line_end - line + 1];

src/analyzer/protocols/http/HTTP.h

@@ -6,13 +6,15 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
 #include "analyzer/protocols/zip/ZIP.h"
-#include "MIME.h"
+#include "analyzer/protocols/mime/MIME.h"
 #include "binpac_bro.h"
 #include "IPAddr.h"
 #include "events.bif.h"
 
 #include "HTTP.h"
 
+namespace analyzer { namespace http {
+
 enum CHUNKED_TRANSFER_STATE {
 	NON_CHUNKED_TRANSFER,
 	BEFORE_CHUNK,
@@ -27,7 +29,7 @@ class HTTP_Entity;
 class HTTP_Message;
 class HTTP_Analyzer;
 
-class HTTP_Entity : public MIME_Entity {
+class HTTP_Entity : public mime::MIME_Entity {
 public:
 	HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity,
 			int expect_body);
@@ -57,7 +59,7 @@ protected:
 	int64_t header_length;
 	int deliver_body;
 	enum { IDENTITY, GZIP, COMPRESS, DEFLATE } encoding;
-	ZIP_Analyzer* zip;
+	zip::ZIP_Analyzer* zip;
 
 	MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); }
 
@@ -68,7 +70,7 @@ protected:
 
 	void SetPlainDelivery(int64_t length);
 
-	void SubmitHeader(MIME_Header* h);
+	void SubmitHeader(mime::MIME_Header* h);
 	void SubmitAllHeaders();
 };
 
@@ -89,9 +91,9 @@ enum {
 // HTTP_Message::EndEntity	-> Message::Done
 // HTTP_MessageDone	-> {Request,Reply}Made
 
-class HTTP_Message : public MIME_Message {
+class HTTP_Message : public mime::MIME_Message {
 public:
-	HTTP_Message(HTTP_Analyzer* analyzer, ContentLine_Analyzer* cl,
+	HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl,
 			 bool is_orig, int expect_body, int64_t init_header_length);
 	~HTTP_Message();
 	void Done(const int interrupted, const char* msg);
@@ -99,16 +101,16 @@ public:
 
 	int Undelivered(int64_t len);
 
-	void BeginEntity(MIME_Entity* /* entity */);
-	void EndEntity(MIME_Entity* entity);
-	void SubmitHeader(MIME_Header* h);
-	void SubmitAllHeaders(MIME_HeaderList& /* hlist */);
+	void BeginEntity(mime::MIME_Entity* /* entity */);
+	void EndEntity(mime::MIME_Entity* entity);
+	void SubmitHeader(mime::MIME_Header* h);
+	void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */);
 	void SubmitData(int len, const char* buf);
 	int RequestBuffer(int* plen, char** pbuf);
 	void SubmitAllData();
 	void SubmitEvent(int event_type, const char* detail);
 
-	void SubmitTrailingHeaders(MIME_HeaderList& /* hlist */);
+	void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */);
 	void SetPlainDelivery(int64_t length);
 	void SkipEntityData();
 
@@ -120,7 +122,7 @@ public:
 
 protected:
 	HTTP_Analyzer* analyzer;
-	ContentLine_Analyzer* content_line;
+	tcp::ContentLine_Analyzer* content_line;
 	bool is_orig;
 
 	vector<const BroString*> buffers;
@@ -148,14 +150,14 @@ protected:
 	Val* BuildMessageStat(const int interrupted, const char* msg);
 };
 
-class HTTP_Analyzer : public TCP_ApplicationAnalyzer {
+class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	HTTP_Analyzer(Connection* conn);
 	~HTTP_Analyzer();
 
-	void Undelivered(TCP_Endpoint* sender, int seq, int len);
+	void Undelivered(tcp::TCP_Endpoint* sender, int seq, int len);
 
-	void HTTP_Header(int is_orig, MIME_Header* h);
+	void HTTP_Header(int is_orig, mime::MIME_Header* h);
 	void HTTP_EntityData(int is_orig, const BroString* entity_data);
 	void HTTP_MessageDone(int is_orig, HTTP_Message* message);
 	void HTTP_Event(const char* category, const char* detail);
@@ -171,7 +173,7 @@ public:
 	virtual void DeliverStream(int len, const u_char* data, bool orig);
 	virtual void Undelivered(int seq, int len, bool orig);
 
-	// Overriden from TCP_ApplicationAnalyzer
+	// Overriden from tcp::TCP_ApplicationAnalyzer
 	virtual void EndpointEOF(bool is_orig);
 	virtual void ConnectionFinished(int half_finished);
 	virtual void ConnectionReset();
@@ -192,7 +194,7 @@ protected:
 	int HTTP_RequestLine(const char* line, const char* end_of_line);
 	int HTTP_ReplyLine(const char* line, const char* end_of_line);
 
-	void InitHTTPMessage(ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
+	void InitHTTPMessage(tcp::ContentLine_Analyzer* cl, HTTP_Message*& message, bool is_orig,
 				int expect_body, int64_t init_header_length);
 
 	const char* PrefixMatch(const char* line, const char* end_of_line,
@@ -244,8 +246,8 @@ protected:
 	int reply_code;
 	Val* reply_reason_phrase;
 
-	ContentLine_Analyzer* content_line_orig;
-	ContentLine_Analyzer* content_line_resp;
+	tcp::ContentLine_Analyzer* content_line_orig;
+	tcp::ContentLine_Analyzer* content_line_resp;
 
 	HTTP_Message* request_message;
 	HTTP_Message* reply_message;
@@ -257,4 +259,6 @@ extern void escape_URI_char(unsigned char ch, unsigned char*& p);
 extern BroString* unescape_URI(const u_char* line, const u_char* line_end,
 				analyzer::Analyzer* analyzer);
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/http/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(HTTP)
 	BRO_PLUGIN_DESCRIPTION("HTTP Analyzer");
-	BRO_PLUGIN_ANALYZER("HTTP", HTTP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("HTTP", http::HTTP_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/http/functions.bif

@@ -20,7 +20,7 @@ function skip_http_entity_data%(c: connection, is_orig: bool%): any
 		if ( ha )
 			{
 			if ( ha->IsAnalyzer("HTTP") )
-				static_cast<HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
+				static_cast<analyzer::http::HTTP_Analyzer*>(ha)->SkipEntityData(is_orig);
 			else
 				reporter->Error("non-HTTP analyzer associated with connection record");
 			}
@@ -52,5 +52,5 @@ function unescape_URI%(URI: string%): string
 	const u_char* line = URI->Bytes();
 	const u_char* const line_end = line + URI->Len();
 
-	return new StringVal(unescape_URI(line, line_end, 0));
+	return new StringVal(analyzer::http::unescape_URI(line, line_end, 0));
 	%}

src/analyzer/protocols/icmp/ICMP.cc

@@ -10,8 +10,12 @@
 #include "ICMP.h"
 #include "Conn.h"
 
+#include "events.bif.h"
+
 #include <netinet/icmp6.h>
 
+using namespace analyzer::icmp;
+
 ICMP_Analyzer::ICMP_Analyzer(Connection* c)
 : TransportLayerAnalyzer("ICMP", c)
 	{
@@ -828,7 +832,7 @@ VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
 	return vv;
 	}
 
-int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+int analyzer::icmp::ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
 	{
 	is_one_way = false;
 
@@ -855,7 +859,7 @@ int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
 	}
 	}
 
-int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
+int analyzer::icmp::ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way)
 	{
 	is_one_way = false;
 

src/analyzer/protocols/icmp/ICMP.h

@@ -6,6 +6,8 @@
 #include "RuleMatcher.h"
 #include "analyzer/Analyzer.h"
 
+namespace analyzer { namespace icmp {
+
 typedef enum {
 	ICMP_INACTIVE,	// no packet seen
 	ICMP_ACTIVE,	// packets seen
@@ -92,4 +94,6 @@ private:
 extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
 extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way);
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/icmp/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(ICMP)
 	BRO_PLUGIN_DESCRIPTION("ICMP Analyzer");
-	BRO_PLUGIN_ANALYZER("ICMP", ICMP_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("ICMP", icmp::ICMP_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/icmp/events.bif

@@ -0,0 +1,300 @@
+## Generated for all ICMP messages that are not handled separately with
+## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## directly with dedicated events. This event acts as a fallback for those it
+## doesn't.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+##       connection record *c*.
+##
+## .. bro:see:: icmp_error_message
+event icmp_sent%(c: connection, icmp: icmp_conn%);
+
+## Generated for ICMP *echo request* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+##       connection record *c*.
+##
+## id: The *echo request* identifier.
+##
+## seq: The *echo request* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything
+##          after the first 8 bytes of the ICMP header.
+##
+## .. bro:see:: icmp_echo_reply
+event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for ICMP *echo reply* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## id: The *echo reply* identifier.
+##
+## seq: The *echo reply* sequence number.
+##
+## payload: The message-specific data of the packet payload, i.e., everything
+##          after the first 8 bytes of the ICMP header.
+##
+## .. bro:see:: icmp_echo_request
+event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
+
+## Generated for all ICMPv6 error messages that are not handled
+## separately with dedicated events. Bro's ICMP analyzer handles a number
+## of ICMP error messages directly with dedicated events. This event acts
+## as a fallback for those it doesn't.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard
+##       connection record *c*.
+##
+## code: The ICMP code of the error message.
+##
+## context: A record with specifics of the original packet that the message
+##          refers to.
+##
+## .. bro:see:: icmp_unreachable icmp_packet_too_big
+##    icmp_time_exceeded icmp_parameter_problem
+event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *destination unreachable* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *unreachable* message.
+##
+## context: A record with specifics of the original packet that the message
+##          refers to. *Unreachable* messages should include the original IP
+##          header from the packet that triggered them, and Bro parses that
+##          into the *context* structure. Note that if the *unreachable*
+##          includes only a partial IP header for some reason, no
+##          fields of *context* will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_packet_too_big
+##    icmp_time_exceeded icmp_parameter_problem
+event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMPv6 *packet too big* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *too big* message.
+##
+## context: A record with specifics of the original packet that the message
+##          refers to. *Too big* messages should include the original IP header
+##          from the packet that triggered them, and Bro parses that into
+##          the *context* structure. Note that if the *too big* includes only
+##          a partial IP header for some reason, no fields of *context* will
+##          be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable
+##    icmp_time_exceeded icmp_parameter_problem
+event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *time exceeded* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *exceeded* message.
+##
+## context: A record with specifics of the original packet that the message
+##          refers to. *Unreachable* messages should include the original IP
+##          header from the packet that triggered them, and Bro parses that
+##          into the *context* structure. Note that if the *exceeded* includes
+##          only a partial IP header for some reason, no fields of *context*
+##          will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+##    icmp_parameter_problem
+event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMPv6 *parameter problem* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/ICMPv6>`__ for more
+## information about the ICMPv6 protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## code: The ICMP code of the *parameter problem* message.
+##
+## context: A record with specifics of the original packet that the message
+##          refers to. *Parameter problem* messages should include the original
+##          IP header from the packet that triggered them, and Bro parses that
+##          into the *context* structure. Note that if the *parameter problem*
+##          includes only a partial IP header for some reason, no fields
+##          of *context* will be filled out.
+##
+## .. bro:see:: icmp_error_message icmp_unreachable icmp_packet_too_big
+##    icmp_time_exceeded
+event icmp_parameter_problem%(c: connection, icmp: icmp_conn, code: count, context: icmp_context%);
+
+## Generated for ICMP *router solicitation* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_advertisement
+##    icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+event icmp_router_solicitation%(c: connection, icmp: icmp_conn, options: icmp6_nd_options%);
+
+## Generated for ICMP *router advertisement* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## cur_hop_limit: The default value that should be placed in Hop Count field
+##                for outgoing IP packets.
+##
+## managed: Managed address configuration flag, :rfc:`4861`.
+##
+## other: Other stateful configuration flag, :rfc:`4861`.
+##
+## home_agent: Mobile IPv6 home agent flag, :rfc:`3775`.
+##
+## pref: Router selection preferences, :rfc:`4191`.
+##
+## proxy: Neighbor discovery proxy flag, :rfc:`4389`.
+##
+## rsv: Remaining two reserved bits of router advertisement flags.
+##
+## router_lifetime: How long this router should be used as a default router.
+##
+## reachable_time: How long a neighbor should be considered reachable.
+##
+## retrans_timer: How long a host should wait before retransmitting.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation
+##    icmp_neighbor_solicitation icmp_neighbor_advertisement icmp_redirect
+event icmp_router_advertisement%(c: connection, icmp: icmp_conn, cur_hop_limit: count, managed: bool, other: bool, home_agent: bool, pref: count, proxy: bool, rsv: count, router_lifetime: interval, reachable_time: interval, retrans_timer: interval, options: icmp6_nd_options%);
+
+## Generated for ICMP *neighbor solicitation* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## tgt: The IP address of the target of the solicitation.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+##    icmp_neighbor_advertisement icmp_redirect
+event icmp_neighbor_solicitation%(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options%);
+
+## Generated for ICMP *neighbor advertisement* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## router: Flag indicating the sender is a router.
+##
+## solicited: Flag indicating advertisement is in response to a solicitation.
+##
+## override: Flag indicating advertisement should override existing caches.
+##
+## tgt: the Target Address in the soliciting message or the address whose
+##      link-layer address has changed for unsolicited adverts.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+##    icmp_neighbor_solicitation icmp_redirect
+event icmp_neighbor_advertisement%(c: connection, icmp: icmp_conn, router: bool, solicited: bool, override: bool, tgt: addr, options: icmp6_nd_options%);
+
+## Generated for ICMP *redirect* messages.
+##
+## See `Wikipedia
+## <http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>`__ for more
+## information about the ICMP protocol.
+##
+## c: The connection record for the corresponding ICMP flow.
+##
+## icmp: Additional ICMP-specific information augmenting the standard connection
+##       record *c*.
+##
+## tgt: The address that is supposed to be a better first hop to use for
+##      ICMP Destination Address.
+##
+## dest: The address of the destination which is redirected to the target.
+##
+## options: Any Neighbor Discovery options included with message (:rfc:`4861`).
+##
+## .. bro:see:: icmp_router_solicitation icmp_router_advertisement
+##    icmp_neighbor_solicitation icmp_neighbor_advertisement
+event icmp_redirect%(c: connection, icmp: icmp_conn, tgt: addr, dest: addr, options: icmp6_nd_options%);
+

src/analyzer/protocols/ident/Ident.cc

@@ -8,13 +8,17 @@
 #include "Ident.h"
 #include "Event.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::ident;
+
 Ident_Analyzer::Ident_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("IDENT", conn)
+: tcp::TCP_ApplicationAnalyzer("IDENT", conn)
 	{
 	did_bad_reply = did_deliver = 0;
 
-	orig_ident = new ContentLine_Analyzer(conn, true);
-	resp_ident = new ContentLine_Analyzer(conn, false);
+	orig_ident = new tcp::ContentLine_Analyzer(conn, true);
+	resp_ident = new tcp::ContentLine_Analyzer(conn, false);
 
 	orig_ident->SetIsNULSensitive(true);
 	resp_ident->SetIsNULSensitive(true);
@@ -25,29 +29,29 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn)
 
 void Ident_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 
 	if ( TCP() )
 		if ( (! did_deliver || orig_ident->HasPartialLine()) &&
-		     (TCP()->OrigState() == TCP_ENDPOINT_CLOSED ||
-		      TCP()->OrigPrevState() == TCP_ENDPOINT_CLOSED) &&
-		     TCP()->OrigPrevState() != TCP_ENDPOINT_PARTIAL &&
-		     TCP()->RespPrevState() != TCP_ENDPOINT_PARTIAL &&
-		     TCP()->OrigPrevState() != TCP_ENDPOINT_INACTIVE &&
-		     TCP()->RespPrevState() != TCP_ENDPOINT_INACTIVE )
+		     (TCP()->OrigState() == tcp::TCP_ENDPOINT_CLOSED ||
+		      TCP()->OrigPrevState() == tcp::TCP_ENDPOINT_CLOSED) &&
+		     TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
+		     TCP()->RespPrevState() != tcp::TCP_ENDPOINT_PARTIAL &&
+		     TCP()->OrigPrevState() != tcp::TCP_ENDPOINT_INACTIVE &&
+		     TCP()->RespPrevState() != tcp::TCP_ENDPOINT_INACTIVE )
 			Weird("partial_ident_request");
 	}
 
 void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
 
 	int remote_port, local_port;
 	const char* line = (const char*) data;
 	const char* orig_line = line;
 	const char* end_of_line = line + length;
 
-	TCP_Endpoint* s = 0;
+	tcp::TCP_Endpoint* s = 0;
 
 	if ( TCP() )
 		s = is_orig ? TCP()->Orig() : TCP()->Resp();
@@ -60,9 +64,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		line = ParsePair(line, end_of_line, remote_port, local_port);
 		if ( ! line )
 			{
-			if ( s && s->state == TCP_ENDPOINT_CLOSED &&
-			     (s->prev_state == TCP_ENDPOINT_INACTIVE ||
-			      s->prev_state == TCP_ENDPOINT_PARTIAL) )
+			if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
+			     (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
+			      s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
 				// not surprising the request is mangled.
 				return;
 
@@ -95,9 +99,9 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 
 		if ( ! line || line == end_of_line || line[0] != ':' )
 			{
-			if ( s && s->state == TCP_ENDPOINT_CLOSED &&
-			     (s->prev_state == TCP_ENDPOINT_INACTIVE ||
-			      s->prev_state == TCP_ENDPOINT_PARTIAL) )
+			if ( s && s->state == tcp::TCP_ENDPOINT_CLOSED &&
+			     (s->prev_state == tcp::TCP_ENDPOINT_INACTIVE ||
+			      s->prev_state == tcp::TCP_ENDPOINT_PARTIAL) )
 				// not surprising the request is mangled.
 				return;
 

src/analyzer/protocols/ident/Ident.h

@@ -6,7 +6,9 @@
 #include "analyzer/protocols/tcp/TCP.h"
 #include "analyzer/protocols/tcp/ContentLine.h"
 
-class Ident_Analyzer : public TCP_ApplicationAnalyzer {
+namespace analyzer { namespace ident {
+
+class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	Ident_Analyzer(Connection* conn);
 	virtual void Done();
@@ -25,11 +27,13 @@ protected:
 	void BadRequest(int length, const char* line);
 	void BadReply(int length, const char* line);
 
-	ContentLine_Analyzer* orig_ident;
-	ContentLine_Analyzer* resp_ident;
+	tcp::ContentLine_Analyzer* orig_ident;
+	tcp::ContentLine_Analyzer* resp_ident;
 
 	unsigned int did_deliver:1;
 	unsigned int did_bad_reply:1;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/ident/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(Ident)
 	BRO_PLUGIN_DESCRIPTION("Ident Analyzer");
-	BRO_PLUGIN_ANALYZER("IDENT", Ident_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("IDENT", ident::Ident_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/ident/events.bif

@@ -0,0 +1,63 @@
+## Generated for Ident requests.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The request's local port.
+##
+## rport: The request's remote port.
+##
+## .. bro:see:: ident_error ident_reply
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event ident_request%(c: connection, lport: port, rport: port%);
+
+## Generated for Ident replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## user_id: The user id returned by the reply.
+##
+## system: The operating system returned by the reply.
+##
+## .. bro:see:: ident_error  ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
+
+## Generated for Ident error replies.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/ident_protocol>`__ for more
+## information about the Ident protocol.
+##
+## c: The connection.
+##
+## lport: The corresponding request's local port.
+##
+## rport: The corresponding request's remote port.
+##
+## line: The error description returned by the reply.
+##
+## .. bro:see:: ident_reply ident_request
+##
+## .. todo:: Bro's current default configuration does not activate the protocol
+##    analyzer that generates this event; the corresponding script has not yet
+##    been ported to Bro 2.x. To still enable this event, one needs to
+##    register a port for it or add a DPD payload signature.
+event ident_error%(c: connection, lport: port, rport: port, line: string%);
+

src/analyzer/protocols/interconn/InterConn.cc

@@ -7,7 +7,11 @@
 #include "Net.h"
 #include "analyzer/protocols/tcp/TCP.h"
 
-InterConnEndpoint::InterConnEndpoint(TCP_Endpoint* e)
+#include "events.bif.h"
+
+using namespace analyzer::interconn;
+
+InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
 	{
 	endp = e;
 	max_top_seq = 0;
@@ -30,7 +34,7 @@ int InterConnEndpoint::DataSent(double t, int seq, int len, int caplen,
 	if ( len <= 0 )
 		return 0;
 
-	if ( endp->state == TCP_ENDPOINT_PARTIAL )
+	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 
 	int ack = endp->AckSeq() - endp->StartSeq();
@@ -153,7 +157,7 @@ int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
 	}
 
 InterConn_Analyzer::InterConn_Analyzer(Connection* c)
-: TCP_ApplicationAnalyzer("INTERCONN", c)
+: tcp::TCP_ApplicationAnalyzer("INTERCONN", c)
 	{
 	orig_endp = resp_endp = 0;
 	orig_stream_pos = resp_stream_pos = 1;
@@ -172,7 +176,7 @@ InterConn_Analyzer::~InterConn_Analyzer()
 
 void InterConn_Analyzer::Init()
 	{
-	TCP_ApplicationAnalyzer::Init();
+	tcp::TCP_ApplicationAnalyzer::Init();
 
 	assert(TCP());
 	orig_endp = new InterConnEndpoint(TCP()->Orig());
@@ -182,7 +186,7 @@ void InterConn_Analyzer::Init()
 void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
 			bool is_orig, int seq, const IP_Hdr* ip, int caplen)
 	{
-	TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
+	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
 						seq, ip, caplen);
 
 	if ( is_orig )
@@ -193,7 +197,7 @@ void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
 
 void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
 
 	if ( is_orig )
 		{
@@ -218,7 +222,7 @@ void InterConn_Analyzer::Done()
 		RemoveEvent();
 		}
 
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 	}
 
 void InterConn_Analyzer::StatTimer(double t, int is_expire)

src/analyzer/protocols/interconn/InterConn.h

@@ -7,9 +7,11 @@
 #include "Timer.h"
 #include "NetVar.h"
 
+namespace analyzer { namespace interconn {
+
 class InterConnEndpoint : public BroObj {
 public:
-	InterConnEndpoint(TCP_Endpoint* e);
+	InterConnEndpoint(tcp::TCP_Endpoint* e);
 
 	int DataSent(double t, int seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
@@ -21,7 +23,7 @@ protected:
 	int IsPotentialKeystrokePacket(int len) const;
 	int IsNormalKeystrokeInterarrival(double t) const;
 
-	TCP_Endpoint* endp;
+	tcp::TCP_Endpoint* endp;
 	double last_keystroke_time;
 	int max_top_seq;
 	uint32 num_pkts;
@@ -38,7 +40,7 @@ protected:
 };
 
 
-class InterConn_Analyzer : public TCP_ApplicationAnalyzer {
+class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	InterConn_Analyzer(Connection* c);
 	~InterConn_Analyzer();
@@ -81,4 +83,6 @@ protected:
 	InterConn_Analyzer* analyzer;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/interconn/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(InterConn)
 	BRO_PLUGIN_DESCRIPTION("InterConn Analyzer (deprecated)");
-	BRO_PLUGIN_ANALYZER("INTERCONN", InterConn_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("INTERCONN", interconn::InterConn_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/interconn/events.bif

@@ -0,0 +1,8 @@
+# ##### Deprecated events. Proposed for removal.
+
+## Deprecated. Will be removed.
+event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
+
+## Deprecated. Will be removed.
+event interconn_remove_conn%(c: connection%);
+

src/analyzer/protocols/irc/IRC.cc

@@ -6,11 +6,14 @@
 #include "NetVar.h"
 #include "Event.h"
 #include "analyzer/protocols/zip/ZIP.h"
-
 #include "analyzer/Manager.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::irc;
+
 IRC_Analyzer::IRC_Analyzer(Connection* conn)
-: TCP_ApplicationAnalyzer("IRC", conn)
+: tcp::TCP_ApplicationAnalyzer("IRC", conn)
 	{
 	invalid_msg_count = 0;
 	invalid_msg_max_count = 20;
@@ -18,18 +21,18 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn)
 	resp_status = WAIT_FOR_REGISTRATION;
 	orig_zip_status = NO_ZIP;
 	resp_zip_status = NO_ZIP;
-	AddSupportAnalyzer(new ContentLine_Analyzer(conn, true));
-	AddSupportAnalyzer(new ContentLine_Analyzer(conn, false));
+	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
+	AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
 	}
 
 void IRC_Analyzer::Done()
 	{
-	TCP_ApplicationAnalyzer::Done();
+	tcp::TCP_ApplicationAnalyzer::Done();
 	}
 
 void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 
 	// check line size
 	if ( length > 512 )
@@ -1158,8 +1161,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		orig_zip_status = ZIP_LOADED;
 		resp_zip_status = ZIP_LOADED;
-		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), true));
-		AddSupportAnalyzer(new ZIP_Analyzer(Conn(), false));
+		AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), true));
+		AddSupportAnalyzer(new zip::ZIP_Analyzer(Conn(), false));
 		}
 
 	return;

src/analyzer/protocols/irc/IRC.h

@@ -4,10 +4,12 @@
 #define irc_h
 #include "analyzer/protocols/tcp/TCP.h"
 
+namespace analyzer { namespace irc {
+
 /**
 * \brief Main class for analyzing IRC traffic.
 */
-class IRC_Analyzer : public TCP_ApplicationAnalyzer {
+class IRC_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 	enum { WAIT_FOR_REGISTRATION, REGISTERED, };
 	enum { NO_ZIP, ACCEPT_ZIP, ZIP_LOADED, };
 public:
@@ -60,4 +62,6 @@ private:
 
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/irc/Plugin.cc

@@ -5,6 +5,6 @@
 
 BRO_PLUGIN_BEGIN(IRC)
 	BRO_PLUGIN_DESCRIPTION("IRC Analyzer");
-	BRO_PLUGIN_ANALYZER("IRC", IRC_Analyzer::InstantiateAnalyzer);
+	BRO_PLUGIN_ANALYZER("IRC", irc::IRC_Analyzer);
 	BRO_PLUGIN_BIF_FILE(events);
 BRO_PLUGIN_END

src/analyzer/protocols/irc/events.bif

@@ -0,0 +1,799 @@
+
+## Generated for all client-side IRC commands.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: Always true.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## command: The command.
+##
+## arguments: The arguments for the command.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+##
+## .. note:: This event is generated only for messages that originate
+##    at the client-side. Commands coming in from remote trigger
+##    the :bro:id:`irc_message` event instead.
+event irc_request%(c: connection, is_orig: bool, prefix: string,
+			command: string, arguments: string%);
+
+## Generated for all IRC replies. IRC replies are sent in response to a
+## request and come with a reply code.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the reply. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## code: The reply code, as specified by the protocol.
+##
+## params: The reply's parameters.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_reply%(c: connection, is_orig: bool, prefix: string,
+			code: count, params: string%);
+
+## Generated for IRC commands forwarded from the server to the client.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: Always false.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## command: The command.
+##
+## message: TODO.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message  irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+##
+## .. note::
+##
+##    This event is generated only for messages that are forwarded by the server
+##    to the client. Commands coming from client trigger the
+##    :bro:id:`irc_request` event instead.
+event irc_message%(c: connection, is_orig: bool, prefix: string,
+			command: string, message: string%);
+
+## Generated for IRC messages of type *quit*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## nick: The nickname coming with the message.
+##
+## message: The text included with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
+
+## Generated for IRC messages of type *privmsg*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
+				target: string, message: string%);
+
+## Generated for IRC messages of type *notice*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message  irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_notice_message%(c: connection, is_orig: bool, source: string,
+				target: string, message: string%);
+
+## Generated for IRC messages of type *squery*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## source: The source of the private communication.
+##
+## target: The target of the private communication.
+##
+## message: The text of communication.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_squery_message%(c: connection, is_orig: bool, source: string,
+				target: string, message: string%);
+
+## Generated for IRC messages of type *join*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## info_list: The user information coming with the command.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
+
+## Generated for IRC messages of type *part*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## nick: The nickname coming with the message.
+##
+## chans: The set of channels affected.
+##
+## message: The text coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_password_message
+event irc_part_message%(c: connection, is_orig: bool, nick: string,
+				chans: string_set, message: string%);
+
+## Generated for IRC messages of type *nick*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## who: The user changing its nickname.
+##
+## newnick: The new nickname.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
+
+## Generated when a server rejects an IRC nickname.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users  irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_invalid_nick%(c: connection, is_orig: bool%);
+
+## Generated for an IRC reply of type *luserclient*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_network_info%(c: connection, is_orig: bool, users: count,
+				services: count, servers: count%);
+
+## Generated for an IRC reply of type *luserme*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## users: The number of users as returned in the reply.
+##
+## services: The number of services as returned in the reply.
+##
+## servers: The number of servers as returned in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_server_info%(c: connection, is_orig: bool, users: count,
+				services: count, servers: count%);
+
+## Generated for an IRC reply of type *luserchannels*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## chans: The number of channels as returned in the reply.
+##
+## .. bro:see::  irc_channel_topic irc_dcc_message irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
+
+## Generated for an IRC reply of type *whoreply*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## target_nick: The target nickname.
+##
+## channel: The channel.
+##
+## user: The user.
+##
+## host: The host.
+##
+## server: The server.
+##
+## nick: The nickname.
+##
+## params: The parameters.
+##
+## hops: The hop count.
+##
+## real_name: The real name.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
+				channel: string, user: string, host: string,
+				server: string, nick: string, params: string,
+				hops: count, real_name: string%);
+
+
+## Generated for an IRC reply of type *namereply*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## c_type: The channel type.
+##
+## channel: The channel.
+##
+## users: The set of users.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message  irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_names_info%(c: connection, is_orig: bool, c_type: string,
+				channel: string, users: string_set%);
+
+## Generated for an IRC reply of type *whoisoperator*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## nick: The nickname specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
+
+## Generated for an IRC reply of type *whoischannels*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## nick: The nickname specified in the reply.
+##
+## chans: The set of channels returned.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
+				chans: string_set%);
+
+## Generated for an IRC reply of type *whoisuser*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## nick: The nickname specified in the reply.
+##
+## user: The user name specified in the reply.
+##
+## host: The host name specified in the reply.
+##
+## real_name: The real name specified in the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
+				user: string, host: string, real_name: string%);
+
+## Generated for IRC replies of type *youreoper* and *nooperhost*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## got_oper: True if the *oper* command was executed successfully
+##           (*youreport*) and false otherwise (*nooperhost*).
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_part_message
+##    irc_password_message
+event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
+
+## Generated for an IRC reply of type *globalusers*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## msg: The message coming with the reply.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
+
+## Generated for an IRC reply of type *topic*.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## channel: The channel name specified in the reply.
+##
+## topic: The topic specified in the reply.
+##
+## .. bro:see:: irc_channel_info  irc_dcc_message irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
+
+## Generated for IRC messages of type *who*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## mask: The mask specified in the message.
+##
+## oper: True if the operator flag was set.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
+
+## Generated for IRC messages of type *whois*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## server: TODO.
+##
+## users: TODO.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
+
+## Generated for IRC messages of type *oper*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## user: The user specified in the message.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message  irc_oper_response irc_part_message
+##    irc_password_message
+event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
+
+## Generated for IRC messages of type *kick*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## chans: The channels specified in the message.
+##
+## users: The users specified in the message.
+##
+## comment: The comment specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
+			chans: string, users: string, comment: string%);
+
+## Generated for IRC messages of type *error*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## message: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
+
+## Generated for IRC messages of type *invite*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## nickname: The nickname specified in the message.
+##
+## channel: The channel specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick  irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
+				nickname: string, channel: string%);
+
+## Generated for IRC messages of type *mode*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## params: The parameters coming with the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message  irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
+
+## Generated for IRC messages of type *squit*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## server: The server specified in the message.
+##
+## message: The textual description specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
+				server: string, message: string%);
+
+## Generated for IRC messages of type *dcc*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## prefix: The optional prefix coming with the command. IRC uses the prefix to
+##         indicate the true origin of a message.
+##
+## target: The target specified in the message.
+##
+## dcc_type: The DCC type specified in the message.
+##
+## argument:  The argument specified in the message.
+##
+## address: The address specified in the message.
+##
+## dest_port: The destination port specified in the message.
+##
+## size: The size specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic  irc_error_message irc_global_users
+##    irc_invalid_nick irc_invite_message irc_join_message irc_kick_message
+##    irc_message irc_mode_message irc_names_info irc_network_info irc_nick_message
+##    irc_notice_message irc_oper_message irc_oper_response irc_part_message
+##    irc_password_message
+event irc_dcc_message%(c: connection, is_orig: bool,
+				prefix: string, target: string,
+				dcc_type: string, argument: string,
+				address: addr, dest_port: count, size: count%);
+
+## Generated for IRC messages of type *user*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## user: The user specified in the message.
+##
+## host: The host name specified in the message.
+##
+## server: The server name specified in the message.
+##
+## real_name: The real name specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message irc_password_message
+event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
+
+## Generated for IRC messages of type *password*. This event is generated for
+## messages coming from both the client and the server.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Internet_Relay_Chat>`__ for more
+## information about the IRC protocol.
+##
+## c: The connection.
+##
+## is_orig: True if the command was sent by the originator of the TCP
+##          connection.
+##
+## password: The password specified in the message.
+##
+## .. bro:see:: irc_channel_info irc_channel_topic irc_dcc_message irc_error_message
+##    irc_global_users irc_invalid_nick irc_invite_message irc_join_message
+##    irc_kick_message irc_message irc_mode_message irc_names_info irc_network_info
+##    irc_nick_message irc_notice_message irc_oper_message irc_oper_response
+##    irc_part_message
+event irc_password_message%(c: connection, is_orig: bool, password: string%);

src/analyzer/protocols/login/Login.cc

@@ -10,6 +10,10 @@
 #include "RE.h"
 #include "Event.h"
 
+#include "events.bif.h"
+
+using namespace analyzer::login;
+
 static RE_Matcher* re_skip_authentication = 0;
 static RE_Matcher* re_direct_login_prompts;
 static RE_Matcher* re_login_prompts;
@@ -21,7 +25,7 @@ static RE_Matcher* re_login_timeouts;
 static RE_Matcher* init_RE(ListVal* l);
 
 Login_Analyzer::Login_Analyzer(const char* name, Connection* conn)
-: TCP_ApplicationAnalyzer(name, conn)
+: tcp::TCP_ApplicationAnalyzer(name, conn)
 	{
 	state = LOGIN_STATE_AUTHENTICATE;
 	num_user_lines_seen = lines_scanned = 0;
@@ -65,7 +69,7 @@ Login_Analyzer::~Login_Analyzer()
 
 void Login_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
-	TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
 
 	char* str = new char[length+1];
 
@@ -102,8 +106,8 @@ void Login_Analyzer::NewLine(bool orig, char* line)
 
 	if ( state == LOGIN_STATE_AUTHENTICATE )
 		{
-		if ( TCP()->OrigState() == TCP_ENDPOINT_PARTIAL ||
-		     TCP()->RespState() == TCP_ENDPOINT_PARTIAL )
+		if ( TCP()->OrigState() == tcp::TCP_ENDPOINT_PARTIAL ||
+		     TCP()->RespState() == tcp::TCP_ENDPOINT_PARTIAL )
 			state = LOGIN_STATE_CONFUSED;	// unknown login state
 		else
 			{
@@ -361,7 +365,7 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 
 void Login_Analyzer::EndpointEOF(bool orig)
 	{
-	TCP_ApplicationAnalyzer::EndpointEOF(orig);
+	tcp::TCP_ApplicationAnalyzer::EndpointEOF(orig);
 
 	if ( state == LOGIN_STATE_AUTHENTICATE && HaveTypeahead() )
 		{

src/analyzer/protocols/login/Login.h

@@ -5,6 +5,8 @@
 
 #include "analyzer/protocols/tcp/TCP.h"
 
+namespace analyzer { namespace login {
+
 typedef enum {
 	LOGIN_STATE_AUTHENTICATE,	// trying to authenticate
 
@@ -19,7 +21,7 @@ typedef enum {
 // Maximum # lines look after login for failure.
 #define MAX_LOGIN_LOOKAHEAD 10
 
-class Login_Analyzer : public TCP_ApplicationAnalyzer {
+class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	Login_Analyzer(const char* name, Connection* conn);
 	~Login_Analyzer();
@@ -82,4 +84,6 @@ protected:
 	int saw_ploy;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/login/NVT.cc

@@ -9,6 +9,8 @@
 #include "Event.h"
 #include "analyzer/protocols/tcp/TCP.h"
 
+#include "events.bif.h"
+
 #define IS_3_BYTE_OPTION(c) (c >= 251 && c <= 254)
 
 #define TELNET_OPT_SB 250
@@ -24,6 +26,8 @@
 
 #define TELNET_IAC 255
 
+using namespace analyzer::login;
+
 TelnetOption::TelnetOption(NVT_Analyzer* arg_endp, unsigned int arg_code)
 	{
 	endp = arg_endp;
@@ -287,7 +291,7 @@ void TelnetEnvironmentOption::RecvSubOption(u_char* data, int len)
 			break;
 			}
 
-		static_cast<TCP_ApplicationAnalyzer*>
+		static_cast<tcp::TCP_ApplicationAnalyzer*>
 			(endp->Parent())->SetEnv(endp->IsOrig(),
 							var_name, var_val);
 		}
@@ -360,7 +364,7 @@ void TelnetBinaryOption::InconsistentOption(unsigned int /* type */)
 
 
 NVT_Analyzer::NVT_Analyzer(Connection* conn, bool orig)
-: ContentLine_Analyzer("NVT", conn, orig)
+: tcp::ContentLine_Analyzer("NVT", conn, orig)
 	{
 	peer = 0;
 	is_suboption = last_was_IAC = pending_IAC = 0;

src/analyzer/protocols/login/NVT.h

@@ -5,7 +5,6 @@
 
 #include "analyzer/protocols/tcp/ContentLine.h"
 
-
 #define TELNET_OPTION_BINARY 0
 #define TELNET_OPTION_TERMINAL 24
 #define TELNET_OPTION_AUTHENTICATE 37
@@ -13,8 +12,9 @@
 #define TELNET_OPTION_ENVIRON 39
 #define NUM_TELNET_OPTIONS 5
 
-class NVT_Analyzer;
+namespace analyzer { namespace login {
 
+class NVT_Analyzer;
 
 class TelnetOption {
 public:
@@ -123,7 +123,7 @@ protected:
 	void InconsistentOption(unsigned int type);
 };
 
-class NVT_Analyzer : public ContentLine_Analyzer {
+class NVT_Analyzer : public tcp::ContentLine_Analyzer {
 public:
 	NVT_Analyzer(Connection* conn, bool orig);
 	~NVT_Analyzer();
@@ -170,4 +170,6 @@ protected:
 	int num_options;
 };
 
+} } // namespace analyzer::* 
+
 #endif

src/analyzer/protocols/login/Plugin.cc

@@ -8,11 +8,11 @@
 
 BRO_PLUGIN_BEGIN(Login)
 	BRO_PLUGIN_DESCRIPTION("Telnet/Rsh/Rlogin Analyzer");
-	BRO_PLUGIN_ANALYZER("TELNET", Telnet_Analyzer::InstantiateAnalyzer);
-	BRO_PLUGIN_ANALYZER("RSH", Rsh_Analyzer::InstantiateAnalyzer);
-	BRO_PLUGIN_ANALYZER("RLOGIN", Rlogin_Analyzer::InstantiateAnalyzer);
-	BRO_PLUGIN_ANALYZER("NVT", 0);
-	BRO_PLUGIN_ANALYZER("Login", 0);
+	BRO_PLUGIN_ANALYZER("TELNET", login::Telnet_Analyzer);
+	BRO_PLUGIN_ANALYZER("RSH", login::Rsh_Analyzer);
+	BRO_PLUGIN_ANALYZER("RLOGIN", login::Rlogin_Analyzer);
+	BRO_PLUGIN_ANALYZER_BARE("NVT");
+	BRO_PLUGIN_ANALYZER_BARE("Login");
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rsh");
 	BRO_PLUGIN_SUPPORT_ANALYZER("Contents_Rlogin");
 	BRO_PLUGIN_BIF_FILE(events);