Add analyzer_confirmation and analyzer_violation events

scripts/base/frameworks/analyzer/main.zeek

@@ -53,7 +53,7 @@ export {
 	## ports: The set of well-known ports to associate with the analyzer.
 	##
 	## Returns: True if the ports were successfully registered.
-	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
+	global register_for_ports: function(tag: AllAnalyzers::Tag, ports: set[port]) : bool;
 
 	## Registers an individual well-known port for an analyzer. If a future
 	## connection on this port is seen, the analyzer will be automatically
@@ -65,7 +65,7 @@ export {
 	## p: The well-known port to associate with the analyzer.
 	##
 	## Returns: True if the port was successfully registered.
-	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
+	global register_for_port: function(tag: AllAnalyzers::Tag, p: port) : bool;
 
 	## Returns a set of all well-known ports currently registered for a
 	## specific analyzer.
@@ -73,13 +73,13 @@ export {
 	## tag: The tag of the analyzer.
 	##
 	## Returns: The set of ports.
-	global registered_ports: function(tag: Analyzer::Tag) : set[port];
+	global registered_ports: function(tag: AllAnalyzers::Tag) : set[port];
 
 	## Returns a table of all ports-to-analyzer mappings currently registered.
 	##
 	## Returns: A table mapping each analyzer to the set of ports
 	##          registered for it.
-	global all_registered_ports: function() : table[Analyzer::Tag] of set[port];
+	global all_registered_ports: function() : table[AllAnalyzers::Tag] of set[port];
 
 	## Translates an analyzer type to a string with the analyzer's name.
 	##
@@ -137,7 +137,7 @@ export {
 
 @load base/bif/analyzer.bif
 
-global ports: table[Analyzer::Tag] of set[port];
+global ports: table[AllAnalyzers::Tag] of set[port];
 
 event zeek_init() &priority=5
 	{
@@ -158,7 +158,7 @@ function disable_analyzer(tag: Analyzer::Tag) : bool
 	return __disable_analyzer(tag);
 	}
 
-function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
+function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
 	{
 	local rc = T;
 
@@ -171,7 +171,7 @@ function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
 	return rc;
 	}
 
-function register_for_port(tag: Analyzer::Tag, p: port) : bool
+function register_for_port(tag: AllAnalyzers::Tag, p: port) : bool
 	{
 	if ( ! __register_for_port(tag, p) )
 		return F;
@@ -183,12 +183,12 @@ function register_for_port(tag: Analyzer::Tag, p: port) : bool
 	return T;
 	}
 
-function registered_ports(tag: Analyzer::Tag) : set[port]
+function registered_ports(tag: AllAnalyzers::Tag) : set[port]
 	{
 	return tag in ports ? ports[tag] : set();
 	}
 
-function all_registered_ports(): table[Analyzer::Tag] of set[port]
+function all_registered_ports(): table[AllAnalyzers::Tag] of set[port]
 	{
 	return ports;
 	}
@@ -230,4 +230,3 @@ function get_bpf(): string
 		}
 	return output;
 	}
-

scripts/base/frameworks/dpd/main.zeek

@@ -53,7 +53,7 @@ event zeek_init() &priority=5
 	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
 
@@ -63,7 +63,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 	add c$service[analyzer];
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
@@ -85,7 +85,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
 	c$dpd = info;
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string) &priority=5
 	{
 	if ( atype in ignore_violations )
 		return;
@@ -114,8 +114,8 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason
 		}
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
-				reason: string) &priority=-5
+			 reason: string) &priority=-5
 	{
 	if ( c?$dpd )
 		{

scripts/base/init-bare.zeek

@@ -5036,14 +5036,14 @@ export {
 
 	## With this set, the Teredo analyzer waits until it sees both sides
 	## of a connection using a valid Teredo encapsulation before issuing
-	## a :zeek:see:`protocol_confirmation`.  If it's false, the first
+	## a :zeek:see:`analyzer_confirmation`.  If it's false, the first
 	## occurrence of a packet with valid Teredo encapsulation causes a
 	## confirmation.
 	const delay_teredo_confirmation = T &redef;
 
 	## With this set, the GTP analyzer waits until the most-recent upflow
 	## and downflow packets are a valid GTPv1 encapsulation before
-	## issuing :zeek:see:`protocol_confirmation`.  If it's false, the
+	## issuing :zeek:see:`analyzer_confirmation`.  If it's false, the
 	## first occurrence of a packet with valid GTPv1 encapsulation causes
 	## confirmation.  Since the same inner connection can be carried
 	## differing outer upflow/downflow connections, setting to false

scripts/base/protocols/conn/inactivity.zeek

@@ -6,7 +6,7 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	option analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
+	option analyzer_inactivity_timeouts: table[AllAnalyzers::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
 		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	};
@@ -18,7 +18,7 @@ export {
 
 }
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
 		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);

scripts/base/protocols/rdp/main.zeek

@@ -265,7 +265,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		}
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=5
 	{
 	if ( atype == Analyzer::ANALYZER_RDP )
 		{
@@ -274,7 +274,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 		}
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string) &priority=5
 	{
 	# If a protocol violation occurs, then log the record immediately.
 	if ( c?$rdp )

scripts/base/protocols/ssh/main.zeek

@@ -355,7 +355,7 @@ event ssh_server_host_key(c: connection, hash: string) &priority=5
 	c$ssh$host_key = hash;
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=20
 	{
 	if ( atype == Analyzer::ANALYZER_SSH )
 		{

scripts/base/protocols/ssl/main.zeek

@@ -474,7 +474,7 @@ hook finalize_ssl(c: connection)
 	finish(c, F);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=5
 	{
 	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 		{
@@ -494,7 +494,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 	Weird::weird(wi);
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=5
 	{
 	if ( c?$ssl && ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS ) )

scripts/policy/frameworks/dpd/detect-protocols.zeek

@@ -22,7 +22,7 @@ export {
 
 	type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
 
-	option valids: table[Analyzer::Tag, addr, port] of dir = {
+	option valids: table[AllAnalyzers::Tag, addr, port] of dir = {
 		# A couple of ports commonly used for benign HTTP servers.
 
 		# For now we want to see everything.
@@ -45,7 +45,7 @@ export {
 	# log files, this also saves memory because for these we don't
 	# need to remember which servers we already have reported, which
 	# for some can be a lot.
-	option suppress_servers: set [Analyzer::Tag] = {
+	option suppress_servers: set [AllAnalyzers::Tag] = {
 		# Analyzer::ANALYZER_HTTP
 	};
 
@@ -61,7 +61,7 @@ export {
 
 	# Entry point for other analyzers to report that they recognized
 	# a certain (sub-)protocol.
-	global found_protocol: function(c: connection, analyzer: Analyzer::Tag,
+	global found_protocol: function(c: connection, analyzer: AllAnalyzers::Tag,
 					protocol: string);
 
 	# Table keeping reported (server, port, analyzer) tuples (and their
@@ -74,7 +74,7 @@ export {
 }
 
 # Table that tracks currently active dynamic analyzers per connection.
-global conns: table[conn_id] of set[Analyzer::Tag];
+global conns: table[conn_id] of set[AllAnalyzers::Tag];
 
 # Table of reports by other analyzers about the protocol used in a connection.
 global protocols: table[conn_id] of set[string];
@@ -84,7 +84,7 @@ type protocol : record {
 	sub: string;	# "sub-protocols" reported by other sources
 };
 
-function get_protocol(c: connection, a: Analyzer::Tag) : protocol
+function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
 	{
 	local str = "";
 	if ( c$id in protocols )
@@ -101,7 +101,7 @@ function fmt_protocol(p: protocol) : string
 	return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a;
 	}
 
-function do_notice(c: connection, a: Analyzer::Tag, d: dir)
+function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 	{
 	if ( d == BOTH )
 		return;
@@ -198,7 +198,7 @@ hook finalize_protocol_detection(c: connection)
 	report_protocols(c);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	# Don't report anything running on a well-known port.
 	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
@@ -219,7 +219,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 		}
 	}
 
-function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string)
+function found_protocol(c: connection, atype: AllAnalyzers::Tag, protocol: string)
 	{
 	# Don't report anything running on a well-known port.
 	if ( c$id$resp_p in Analyzer::registered_ports(atype) )

scripts/policy/frameworks/dpd/packet-segment-logging.zeek

@@ -11,7 +11,7 @@ module DPD;
 export {
 	redef record Info += {
 		## A chunk of the payload that most likely resulted in the
-		## protocol violation.
+		## analyzer violation.
 		packet_segment: string &optional &log;
 	};
 
@@ -20,7 +20,7 @@ export {
 }
 
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=4
 	{
 	if ( ! c?$dpd ) return;

scripts/policy/protocols/conn/known-services.zeek

@@ -262,7 +262,7 @@ function known_services_done(c: connection)
 		}
 
 	if ( ! has_active_service(c) )
-		# If we're here during a protocol_confirmation, it's still premature
+		# If we're here during a analyzer_confirmation, it's still premature
 		# to declare there's an actual service, so wait for the connection
 		# removal to check again (to get more timely reporting we'd have
 		# schedule some recurring event to poll for handshake/activity).
@@ -293,7 +293,7 @@ function known_services_done(c: connection)
 		event service_info_commit(info);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-5
 	{
 	known_services_done(c);
 	}

src/analyzer/Analyzer.cc

@@ -116,6 +116,7 @@ void Analyzer::CtorInit(const zeek::Tag& arg_tag, Connection* arg_conn)
 	tag = arg_tag;
 	id = ++id_counter;
 	protocol_confirmed = false;
+	analyzer_confirmed = false;
 	timers_canceled = false;
 	skip = false;
 	finished = false;
@@ -226,7 +227,7 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64_t se
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -249,7 +250,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -272,7 +273,7 @@ void Analyzer::NextUndelivered(uint64_t seq, int len, bool is_orig)
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -688,6 +689,10 @@ void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag)
 		return;
 
 	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
+	// The protocol remains just for handling scripts that haven't been updated. Once that event
+	// is removed, this method is also removed.
+	event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
 	event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id));
 	}
 
@@ -709,9 +714,48 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 		r = make_intrusive<StringVal>(reason);
 
 	const auto& tval = tag.AsVal();
+	// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
+	// The protocol remains just for handling scripts that haven't been updated. Once that event
+	// is removed, this method is also removed.
+	event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
 	event_mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
 	}
 
+void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
+	{
+	if ( analyzer_confirmed )
+		return;
+
+	analyzer_confirmed = true;
+
+	if ( ! analyzer_confirmation )
+		return;
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
+	}
+
+void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len)
+	{
+	if ( ! analyzer_violation )
+		return;
+
+	StringValPtr r;
+
+	if ( data && len )
+		{
+		const char* tmp = util::copy_string(reason);
+		r = make_intrusive<StringVal>(util::fmt(
+			"%s [%s%s]", tmp, util::fmt_bytes(data, min(40, len)), len > 40 ? "..." : ""));
+		delete[] tmp;
+		}
+	else
+		r = make_intrusive<StringVal>(reason);
+
+	const auto& tval = tag.AsVal();
+	event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
+	}
+
 void Analyzer::AddTimer(analyzer_timer_func timer, double t, bool do_expire,
                         zeek::detail::TimerType type)
 	{

src/analyzer/Analyzer.h

@@ -533,7 +533,8 @@ public:
 	 * If tag is given, it overrides the analyzer tag passed to the
 	 * scripting layer; the default is the one of the analyzer itself.
 	 */
-	virtual void ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
+	[[deprecated("Remove in v5.1. Use AnalyzerConfirmation.")]] virtual void
+	ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
 
 	/**
 	 * Signals Bro's protocol detection that the analyzer has found a
@@ -550,13 +551,53 @@ public:
 	 *
 	 * @param len If \a data is given, the length of it.
 	 */
-	virtual void ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
+	[[deprecated("Remove in v5.1. Use AnalyzerViolation.")]] virtual void
+	ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
 
 	/**
 	 * Returns true if ProtocolConfirmation() has been called at least
 	 * once.
 	 */
-	bool ProtocolConfirmed() const { return protocol_confirmed; }
+	[[deprecated("Remove in v5.1. Use AnalyzerConfirmed.")]] bool ProtocolConfirmed() const
+		{
+		return protocol_confirmed;
+		}
+
+	/**
+	 * Signals Zeek's protocol detection that the analyzer has recognized
+	 * the input to indeed conform to the expected protocol. This should
+	 * be called as early as possible during a connection's life-time. It
+	 * may turn into \c analyzer_confirmed event at the script-layer (but
+	 * only once per analyzer for each connection, even if the method is
+	 * called multiple times).
+	 *
+	 * If tag is given, it overrides the analyzer tag passed to the
+	 * scripting layer; the default is the one of the analyzer itself.
+	 */
+	virtual void AnalyzerConfirmation(zeek::Tag tag = zeek::Tag());
+
+	/**
+	 * Signals Bro's protocol detection that the analyzer has found a
+	 * severe protocol violation that could indicate that it's not
+	 * parsing the expected protocol. This turns into \c
+	 * analyzer_violation events at the script-layer (one such event is
+	 * raised for each call to this method so that the script-layer can
+	 * built up a notion of how prevalent protocol violations are; the
+	 * more, the less likely it's the right protocol).
+	 *
+	 * @param reason A textual description of the error encountered.
+	 *
+	 * @param data An optional pointer to the malformed data.
+	 *
+	 * @param len If \a data is given, the length of it.
+	 */
+	virtual void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0);
+
+	/**
+	 * Returns true if ProtocolConfirmation() has been called at least
+	 * once.
+	 */
+	bool AnalyzerConfirmed() const { return analyzer_confirmed; }
 
 	/**
 	 * Called whenever the connection value is updated. Per default, this
@@ -729,6 +770,7 @@ private:
 	std::vector<zeek::Tag> prevented;
 
 	bool protocol_confirmed;
+	bool analyzer_confirmed;
 
 	TimerPList timers;
 	bool timers_canceled;

src/analyzer/protocol/ayiya/AYIYA.cc

@@ -36,7 +36,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	if ( inner_packet_offset <= 0 )
@@ -52,7 +52,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( result == 0 )
 		{
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 	std:
 		shared_ptr<EncapsulationStack> e = Conn()->GetEncapsulation();
 		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::AYIYA);
@@ -60,12 +60,12 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
-		ProtocolViolation("AYIYA next header internal mismatch",
+		AnalyzerViolation("AYIYA next header internal mismatch",
 		                  reinterpret_cast<const char*>(data), len);
 	else if ( result < 0 )
-		ProtocolViolation("Truncated AYIYA", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("Truncated AYIYA", reinterpret_cast<const char*>(data), len);
 	else
-		ProtocolViolation("AYIYA payload length", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("AYIYA payload length", reinterpret_cast<const char*>(data), len);
 	}
 
 	} // namespace zeek::analyzer::ayiya

src/analyzer/protocol/ayiya/ayiya-analyzer.pac

@@ -39,7 +39,7 @@ flow AYIYA_Flow
 
 		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
 			    ${pdu.packet}.length());
 			return false;
@@ -50,7 +50,7 @@ flow AYIYA_Flow
 		if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
 		     ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    "AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
 			     ${pdu.packet}.length());
 			return false;

src/analyzer/protocol/bittorrent/BitTorrent.cc

@@ -65,7 +65,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 				orig);
 			this_stop = true;
 			if ( stop_orig && stop_resp )
-				ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+				AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 			}
 		}
 	}
@@ -92,7 +92,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	//	DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);
 	//	this_stop = true;
 	//	if ( stop_orig && stop_resp )
-	//		ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+	//		AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 	//	}
 	// else
 	//	{ // fill the gap
@@ -107,7 +107,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	//		DeliverWeird("Stopping BitTorrent analysis: filling content gap failed", orig);
 	//		this_stop = true;
 	//		if ( stop_orig && stop_resp )
-	//			ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+	//			AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 	//		}
 	//	}
 	}

src/analyzer/protocol/bittorrent/BitTorrentTracker.cc

@@ -99,7 +99,7 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
 
 	if ( req_buf_len + len > sizeof(req_buf) - 1 )
 		{
-		ProtocolViolation("BitTorrentTracker: request message too long");
+		AnalyzerViolation("BitTorrentTracker: request message too long");
 		stop_orig = true;
 		return;
 		}
@@ -146,7 +146,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 
 	if ( res_buf_len + len > sizeof(res_buf) - 1 )
 		{
-		ProtocolViolation("BitTorrentTracker: response message too long");
+		AnalyzerViolation("BitTorrentTracker: response message too long");
 		stop_resp = true;
 		return;
 		}
@@ -201,7 +201,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
-	ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
+	AnalyzerViolation("BitTorrentTracker: cannot recover from content gap");
 
 	if ( orig )
 		stop_orig = true;
@@ -260,7 +260,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_get, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
 				stop_orig = true;
 				return false;
 				}
@@ -270,7 +270,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 				{
 				if ( match_end[0].rm_so <= match[0].rm_eo )
 					{
-					ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+					AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
 					stop_orig = true;
 					return false;
 					}
@@ -297,7 +297,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_hdr, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP request header");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP request header");
 				stop_orig = true;
 				return false;
 				}
@@ -331,7 +331,7 @@ void BitTorrentTracker_Analyzer::RequestGet(char* uri)
 
 void BitTorrentTracker_Analyzer::EmitRequest(void)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( bt_tracker_request )
 		EnqueueConnEvent(bt_tracker_request, ConnVal(), IntrusivePtr{AdoptRef{}, req_val_uri},
@@ -369,7 +369,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_stat, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP status");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP status");
 				stop_resp = true;
 				return false;
 				}
@@ -402,7 +402,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 				regmatch_t match[1];
 				if ( regexec(&r_hdr, line, 1, match, 0) )
 					{
-					ProtocolViolation("BitTorrentTracker: invalid HTTP response header");
+					AnalyzerViolation("BitTorrentTracker: invalid HTTP response header");
 					stop_resp = true;
 					return false;
 					}
@@ -505,7 +505,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
 		{                                                                                          \
 		if ( expr )                                                                                \
 			{                                                                                      \
-			ProtocolViolation(msg);                                                                \
+			AnalyzerViolation(msg);                                                                \
 			stop_resp = true;                                                                      \
 			return -1;                                                                             \
 			}                                                                                      \
@@ -772,7 +772,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
 
 void BitTorrentTracker_Analyzer::EmitResponse(void)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( bt_tracker_response )
 		EnqueueConnEvent(bt_tracker_response, ConnVal(), val_mgr->Count(res_status),

src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac

@@ -70,7 +70,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 				to_stringval(peer_id));
 			}
 
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}

src/analyzer/protocol/dce-rpc/DCE_RPC.cc

@@ -63,7 +63,7 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac

@@ -29,7 +29,7 @@ refine connection DCE_RPC_Conn += {
 	function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool
 		%{
 		// If a whole pdu message parsed ok, let's confirm the protocol
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 

src/analyzer/protocol/dhcp/DHCP.cc

@@ -32,7 +32,7 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/dhcp/dhcp-analyzer.pac

@@ -44,7 +44,7 @@ refine flow DHCP_Flow += {
 		// the message options.
 		if ( ${msg.cookie} != 0x63825363 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
+			connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
 			return false;
 			}
 
@@ -105,8 +105,8 @@ refine flow DHCP_Flow += {
 		// because it's not uncommon to see a single DHCP message
 		// on a "connection".
 		// The binpac analyzer would have thrown an error before this point
-		// if there was a problem too (and subsequently called ProtocolViolation).
+		// if there was a problem too (and subsequently called AnalyzerViolation).
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}

src/analyzer/protocol/dhcp/dhcp-protocol.pac

@@ -67,7 +67,7 @@ refine flow DHCP_Flow += {
 			}
 
 		if ( type == 0 )
-			connection()->zeek_analyzer()->ProtocolViolation("no DHCP message type option");
+			connection()->zeek_analyzer()->AnalyzerViolation("no DHCP message type option");
 
 		return type;
 		%}

src/analyzer/protocol/dnp3/DNP3.cc

@@ -168,12 +168,12 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig)
 			if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer,
 			                endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") )
 				{
-				analyzer->ProtocolViolation("broken_checksum");
+				analyzer->AnalyzerViolation("broken_checksum");
 				return false;
 				}
 
 			// If the checksum works out, we're pretty certainly DNP3.
-			analyzer->ProtocolConfirmation();
+			analyzer->AnalyzerConfirmation();
 
 			// DNP3 packets without transport and application
 			// layers can happen, we ignore them.

src/analyzer/protocol/dns/DNS.cc

@@ -59,7 +59,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	// This should weed out most of it.
 	if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries )
 		{
-		analyzer->ProtocolViolation("DNS_Conn_count_too_large");
+		analyzer->AnalyzerViolation("DNS_Conn_count_too_large");
 		analyzer->Weird("DNS_Conn_count_too_large");
 		EndMessage(&msg);
 		return;
@@ -82,7 +82,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 		return;
 		}
 
-	analyzer->ProtocolConfirmation();
+	analyzer->AnalyzerConfirmation();
 
 	int skip_auth = zeek::detail::dns_skip_all_auth;
 	int skip_addl = zeek::detail::dns_skip_all_addl;

src/analyzer/protocol/ftp/FTP.cc

@@ -103,7 +103,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		};
 
 		f = ftp_request;
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 
 		if ( strncmp((const char*)cmd_str->Bytes(), "AUTH", cmd_len) == 0 )
 			auth_requested = std::string(line, end_of_line - line);
@@ -146,7 +146,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				if ( reply_code > 0 )
 					line += 3;
 				else
-					ProtocolViolation("non-numeric reply code", (const char*)data, length);
+					AnalyzerViolation("non-numeric reply code", (const char*)data, length);
 
 				if ( line < end_of_line )
 					line = util::skip_whitespace(line, end_of_line);

src/analyzer/protocol/geneve/Geneve.cc

@@ -29,7 +29,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( len < tunnel_header_len )
 		{
-		ProtocolViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
 		return;
 		}
 
@@ -53,7 +53,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( len < tunnel_header_len + tunnel_opt_len )
 		{
-		ProtocolViolation("Geneve option header truncation", reinterpret_cast<const char*>(data),
+		AnalyzerViolation("Geneve option header truncation", reinterpret_cast<const char*>(data),
 		                  len);
 		return;
 		}
@@ -72,7 +72,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
 		{
-		ProtocolViolation("Geneve invalid inner packet");
+		AnalyzerViolation("Geneve invalid inner packet");
 		return;
 		}
 
@@ -81,7 +81,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 	if ( ! pkt.ip_hdr )
 		return;
 
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( geneve_packet )
 		{

src/analyzer/protocol/gssapi/GSSAPI.cc

@@ -43,11 +43,11 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	try
 		{
 		interp->NewData(orig, data, data + len);
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/gtpv1/GTPv1.cc

@@ -35,7 +35,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	if ( inner_packet_offset <= 0 )
@@ -57,7 +57,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 		if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
 		     (interp->valid(true) && interp->valid(false)) )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 
 		if ( gtp_hdr_val )
 			BifEvent::enqueue_gtpv1_g_pdu_packet(this, Conn(), std::move(gtp_hdr_val),
@@ -69,12 +69,12 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
-		ProtocolViolation("Invalid IP version in wrapped packet",
+		AnalyzerViolation("Invalid IP version in wrapped packet",
 		                  reinterpret_cast<const char*>(odata), olen);
 	else if ( result < 0 )
-		ProtocolViolation("Truncated GTPv1", reinterpret_cast<const char*>(odata), olen);
+		AnalyzerViolation("Truncated GTPv1", reinterpret_cast<const char*>(odata), olen);
 	else
-		ProtocolViolation("GTPv1 payload length", reinterpret_cast<const char*>(odata), olen);
+		AnalyzerViolation("GTPv1 payload length", reinterpret_cast<const char*>(odata), olen);
 	}
 
 	} // namespace zeek::analyzer::gtpv1

src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac

@@ -640,7 +640,7 @@ flow GTPv1_Flow(is_orig: bool)
 		%{
 		ZeekAnalyzer a = connection()->zeek_analyzer();
 		const_bytestring b = ${pdu.sourcedata};
-		a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
+		a->AnalyzerViolation(r.c_str(), (const char*) b.begin(), b.length());
 		%}
 
 	function process_gtpv1(pdu: GTPv1_Header): bool

src/analyzer/protocol/http/HTTP.cc

@@ -964,7 +964,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 							Weird("empty_http_request");
 						else
 							{
-							ProtocolViolation("not a http request line");
+							AnalyzerViolation("not a http request line");
 							request_state = EXPECT_REQUEST_NOTHING;
 							}
 						}
@@ -993,7 +993,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					++num_replies;
 
 					if ( ! unanswered_requests.empty() )
-						ProtocolConfirmation();
+						AnalyzerConfirmation();
 
 					reply_state = EXPECT_REPLY_MESSAGE;
 					reply_ongoing = 1;
@@ -1011,7 +1011,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					{
 					if ( line != end_of_line )
 						{
-						ProtocolViolation("not a http reply line");
+						AnalyzerViolation("not a http reply line");
 						reply_state = EXPECT_REPLY_NOTHING;
 						}
 					}
@@ -1360,7 +1360,7 @@ StringValPtr HTTP_Analyzer::TruncateURI(const StringValPtr& uri)
 
 void HTTP_Analyzer::HTTP_Request()
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	const char* method = (const char*)request_method->AsString()->Bytes();
 	int method_len = request_method->AsString()->Len();

src/analyzer/protocol/imap/IMAP.cc

@@ -63,7 +63,7 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/imap/imap-analyzer.pac

@@ -17,14 +17,14 @@ refine connection IMAP_Conn += {
 		//printf("imap %s %s\n", commands.c_str(), tags.c_str());
 
 		if ( !is_orig && tags == "*" && commands == "ok" )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( is_orig && ( command == "capability" || commands == "starttls" ) )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
 			{
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 			zeek_analyzer()->SetSkip(true);
 			return true;

src/analyzer/protocol/irc/IRC.cc

@@ -89,7 +89,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		}
 
 	if ( orig )
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 
 	int code = 0;
 	string command = "";
@@ -99,7 +99,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	if ( myline.length() < 3 )
 		{
 		Weird("irc_invalid_line");
-		ProtocolViolation("line too short");
+		AnalyzerViolation("line too short");
 		return;
 		}
 
@@ -114,7 +114,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			{
 			Weird("irc_invalid_reply_number");
-			ProtocolViolation("invalid reply number");
+			AnalyzerViolation("invalid reply number");
 			return;
 			}
 		}
@@ -561,7 +561,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( ++invalid_msg_count > invalid_msg_max_count )
 			{
 			Weird("irc_too_many_invalid");
-			ProtocolViolation("too many long lines");
+			AnalyzerViolation("too many long lines");
 			return;
 			}
 		return;

src/analyzer/protocol/krb/KRB.cc

@@ -83,7 +83,7 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/krb/KRB_TCP.cc

@@ -55,7 +55,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/krb/krb-analyzer.pac

@@ -171,7 +171,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		auto msg_type = binary_to_int64(${msg.msg_type.data.content});
 
 		if ( msg_type == 10 )
@@ -199,7 +199,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		auto msg_type = binary_to_int64(${msg.msg_type.data.content});
 		auto make_arg = [this, msg]() -> zeek::RecordValPtr
 			{
@@ -241,7 +241,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_error )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Error_Msg);
@@ -255,7 +255,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_ap_request )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
@@ -279,7 +279,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_ap_response )
 			{
 			zeek::BifEvent::enqueue_krb_ap_response(zeek_analyzer(), zeek_analyzer()->Conn());
@@ -289,7 +289,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_safe )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::SAFE_Msg);
@@ -347,7 +347,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_priv )
 			{
 			zeek::BifEvent::enqueue_krb_priv(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig});
@@ -357,7 +357,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_cred )
 			{
 			zeek::BifEvent::enqueue_krb_cred(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig},

src/analyzer/protocol/modbus/modbus-analyzer.pac

@@ -106,7 +106,7 @@ refine flow ModbusTCP_Flow += {
 		if ( ! connection()->IsConfirmed() )
 			{
 			connection()->SetConfirmed();
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 			}
 
 		return true;
@@ -202,7 +202,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -246,7 +246,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -283,7 +283,7 @@ refine flow ModbusTCP_Flow += {
 				val = 1;
 			else
 				{
-				connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
+				connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
 				                                                    ${message.value}));
 				return false;
 				}
@@ -310,7 +310,7 @@ refine flow ModbusTCP_Flow += {
 				val = 1;
 			else
 				{
-				connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
+				connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
 				                                                    ${message.value}));
 				return false;
 				}
@@ -390,7 +390,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -575,7 +575,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.write_byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count}));
 			return false;
 			}
@@ -607,7 +607,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -651,7 +651,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count}));
 			return false;
 			}

src/analyzer/protocol/mqtt/MQTT.cc

@@ -45,7 +45,7 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/mqtt/commands/connect.pac

@@ -81,7 +81,7 @@ refine flow MQTT_Flow += {
 			}
 
 		// If a connect message was seen, let's say that confirms it.
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 };

src/analyzer/protocol/mqtt/commands/publish.pac

@@ -50,7 +50,7 @@ refine flow MQTT_Flow += {
 			}
 
 		// If a publish message was seen, let's say that confirms it.
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}

src/analyzer/protocol/mqtt/mqtt-protocol.pac

@@ -46,7 +46,7 @@ refine connection MQTT_Conn += {
 
 		if ( vals->size() > 4 )
 			{
-			this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes");
+			this->zeek_analyzer()->AnalyzerViolation("malformed MQTT 'remaining length': too many bytes");
 			return 0;
 			}
 
@@ -57,7 +57,7 @@ refine connection MQTT_Conn += {
 			if ( multiplier > 128*128*128 )
 				{
 				// This is definitely a protocol violation
-				this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large");
+				this->zeek_analyzer()->AnalyzerViolation("malformed MQTT 'remaining length': too large");
 				return 0;
 				}
 			}

src/analyzer/protocol/mysql/MySQL.cc

@@ -54,7 +54,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/mysql/mysql-analyzer.pac

@@ -20,7 +20,7 @@ refine flow MySQL_Flow += {
 	function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
 		%{
 		if ( ${msg.version} == 9 || ${msg.version == 10} )
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( mysql_handshake )
 			{

src/analyzer/protocol/ncp/NCP.cc

@@ -40,7 +40,7 @@ void NCP_Session::Deliver(bool is_orig, int len, const u_char* data)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		analyzer->ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		analyzer->AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/ntlm/NTLM.cc

@@ -42,11 +42,11 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	try
 		{
 		interp->NewData(orig, data, data + len);
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/ntlm/ntlm-analyzer.pac

@@ -71,7 +71,7 @@ refine connection NTLM_Conn += {
 					// According to spec, the TargetInfo MUST be a sequence of
 					// AV_PAIRs and terminated by the null AV_PAIR when the
 					// TargetInfoLen is non-zero, so this is in violation.
-					zeek_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
+					zeek_analyzer()->AnalyzerViolation("NTLM AV Pair loop underflow");
 
 				return result;
 				}

src/analyzer/protocol/ntp/NTP.cc

@@ -33,7 +33,7 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/ntp/ntp-analyzer.pac

@@ -133,7 +133,7 @@ refine flow NTP_Flow += {
 
 	function proc_ntp_message(msg: NTP_PDU): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ! ntp_message )
 			return false;

src/analyzer/protocol/pop3/POP3.cc

@@ -625,7 +625,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 		{
 		if ( ! waitingForAuthentication )
 			{
-			ProtocolViolation(util::fmt("unknown server command (%s)",
+			AnalyzerViolation(util::fmt("unknown server command (%s)",
 			                            (tokens.size() > 0 ? tokens[0].c_str() : "???")),
 			                  line, length);
 
@@ -664,7 +664,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 				case detail::USER:
 					state = detail::USER;
 					masterState = detail::POP3_AUTHORIZATION;
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					break;
 
 				case detail::PASS:
@@ -706,7 +706,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 					}
 
 				case detail::CAPA:
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					// Fall-through.
 
 				case detail::UIDL:
@@ -716,7 +716,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 					break;
 
 				case detail::STLS:
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					tls = true;
 					StartTLS();
 					return;

src/analyzer/protocol/radius/RADIUS.cc

@@ -32,7 +32,7 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/radius/radius-analyzer.pac

@@ -2,7 +2,7 @@
 refine flow RADIUS_Flow += {
 	function proc_radius_message(msg: RADIUS_PDU): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ! radius_message )
 			return false;

src/analyzer/protocol/rdp/RDP.cc

@@ -87,7 +87,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			}
 		catch ( const binpac::Exception& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}

src/analyzer/protocol/rdp/RDPEUDP.cc

@@ -33,7 +33,7 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/rdp/rdp-analyzer.pac

@@ -48,7 +48,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_gcc_server_create_response )
 			zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->zeek_analyzer(),
@@ -61,7 +61,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_client_core_data(ccore: Client_Core_Data): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_client_core_data )
 			{
@@ -181,7 +181,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_server_security(ssd: Server_Security_Data): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_server_security )
 			zeek::BifEvent::enqueue_rdp_server_security(connection()->zeek_analyzer(),

src/analyzer/protocol/rdp/rdpeudp-analyzer.pac

@@ -62,7 +62,7 @@ refine connection RDPEUDP_Conn += {
 		if ( rdpeudp_synack )
 			zeek::BifEvent::enqueue_rdpeudp_synack(zeek_analyzer(), zeek_analyzer()->Conn());
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		state_ = NEED_ACK;
 		resp_synex_flags_ = uUdpVer;
 

src/analyzer/protocol/rfb/RFB.cc

@@ -60,7 +60,7 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		invalid = true;
 		}
 	}

src/analyzer/protocol/rfb/rfb-analyzer.pac

@@ -9,7 +9,7 @@ refine flow RFB_Flow += {
 				                                     to_stringval(major),
 				                                     to_stringval(minor));
 
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 			}
 		else
 			{
@@ -181,7 +181,7 @@ refine connection RFB_Conn += {
 		else
 			{
 			// Shouldn't be a possible.
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
 			}
 
 		return true;
@@ -235,7 +235,7 @@ refine connection RFB_Conn += {
 			}
 		else
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
 			}
 
 		return true;
@@ -277,7 +277,7 @@ refine connection RFB_Conn += {
 			// Failed
 			server_state = SERVER_AUTH_FAILURE;
 		else
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
 
 		return true;
 		%}

src/analyzer/protocol/sip/SIP.cc

@@ -39,7 +39,7 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/sip/SIP_TCP.cc

@@ -57,7 +57,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/sip/sip-analyzer.pac

@@ -44,7 +44,7 @@ refine flow SIP_Flow += {
 
 	function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		if ( sip_reply )
 			{
 			zeek::BifEvent::enqueue_sip_reply(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),

src/analyzer/protocol/smb/SMB.cc

@@ -77,11 +77,11 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		// Let's assume that if there are no binpac exceptions after
 		// 3 data chunks that this is probably actually SMB.
 		if ( ++chunks == 3 )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		NeedResync();
 		}
 	}

src/analyzer/protocol/smtp/SMTP.cc

@@ -289,7 +289,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 			{
 			reply_code = -1;
 			Unexpected(is_sender, "reply code out of range", length, line);
-			ProtocolViolation(util::fmt("reply code %d out of range", reply_code), line, length);
+			AnalyzerViolation(util::fmt("reply code %d out of range", reply_code), line, length);
 			}
 
 		else
@@ -848,7 +848,7 @@ int SMTP_Analyzer::ParseCmd(int cmd_len, const char* cmd)
 
 void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd, int arg_len, const char* arg)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( smtp_request )
 		{

src/analyzer/protocol/snmp/SNMP.cc

@@ -37,7 +37,7 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/snmp/snmp-analyzer.pac

@@ -372,7 +372,7 @@ refine connection SNMP_Conn += {
 	function proc_header(rec: Header): bool
 		%{
 		if ( ! ${rec.is_orig} )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rec->unknown() )
 			return false;
@@ -385,7 +385,7 @@ refine connection SNMP_Conn += {
 		if ( rec->flags()->encoding()->content().length() == 1 )
 			return true;
 
-		zeek_analyzer()->ProtocolViolation("Invalid v3 HeaderData msgFlags");
+		zeek_analyzer()->AnalyzerViolation("Invalid v3 HeaderData msgFlags");
 		return false;
 		%}
 
@@ -396,7 +396,7 @@ refine connection SNMP_Conn += {
 
 		// Unwind now to stop parsing because it's definitely the
 		// wrong protocol and parsing further could be expensive.
-		// Upper layer of analyzer will catch and call ProtocolViolation().
+		// Upper layer of analyzer will catch and call AnalyzerViolation().
 		throw binpac::Exception(zeek::util::fmt("Got ASN.1 tag %d, expect %d",
 		                        rec->tag(), expect));
 		return false;

src/analyzer/protocol/socks/SOCKS.cc

@@ -81,7 +81,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			}
 		catch ( const binpac::Exception& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}

src/analyzer/protocol/socks/socks-analyzer.pac

@@ -61,7 +61,7 @@ refine connection SOCKS_Conn += {
 			                              zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 			}
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		static_cast<zeek::analyzer::socks::SOCKS_Analyzer*>(zeek_analyzer())->EndpointDone(false);
 		return true;
 		%}
@@ -70,14 +70,14 @@ refine connection SOCKS_Conn += {
 		%{
 		if ( ${request.reserved} != 0 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}
 
 		if ( (${request.command} == 0) || (${request.command} > 3) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}
@@ -102,7 +102,7 @@ refine connection SOCKS_Conn += {
 				break;
 
 			default:
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
 				return false;
 			}
 
@@ -142,7 +142,7 @@ refine connection SOCKS_Conn += {
 				break;
 
 			default:
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
 				return false;
 			}
 
@@ -154,7 +154,7 @@ refine connection SOCKS_Conn += {
 			                              std::move(sa),
 			                              zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		static_cast<zeek::analyzer::socks::SOCKS_Analyzer*>(zeek_analyzer())->EndpointDone(false);
 		return true;
 		%}
@@ -196,7 +196,7 @@ refine connection SOCKS_Conn += {
 
 	function version_error(version: uint8): bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version));
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version));
 		return true;
 		%}
 

src/analyzer/protocol/ssh/SSH.cc

@@ -67,7 +67,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	auto encrypted_len = interp->get_encrypted_bytes_in_current_segment();

src/analyzer/protocol/ssh/ssh-analyzer.pac

@@ -206,7 +206,7 @@ refine flow SSH_Flow += {
 
 	function proc_newkeys(): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 

src/analyzer/protocol/ssl/DTLS.cc

@@ -72,7 +72,7 @@ void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, ui
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/ssl/SSL.cc

@@ -73,7 +73,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
@@ -87,7 +87,7 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin,
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/ssl/dtls-analyzer.pac

@@ -55,7 +55,7 @@ refine connection SSL_Conn += {
 
 		if ( length > MAX_DTLS_HANDSHAKE_RECORD )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
 			return true;
 			}
 
@@ -77,7 +77,7 @@ refine connection SSL_Conn += {
 			{
 			if ( i->first_sequence_seen )
 				{
-				zeek_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
+				zeek_analyzer()->AnalyzerViolation("Saw second and different first message fragment for handshake.");
 				return true;
 				}
 			// first sequence number was incorrect, let's fix that.
@@ -97,13 +97,13 @@ refine connection SSL_Conn += {
 		// copy data from fragment to buffer
 		if ( ${rec.data}.length() != flength )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
 			return true;
 			}
 
 		if ( foffset + flength > length )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
 			return true;
 			}
 
@@ -124,7 +124,7 @@ refine connection SSL_Conn += {
 			uint64 total_length = i->message_last_sequence - i->message_first_sequence;
 			if ( total_length > 30 )
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
 				return true;
 				}
 

src/analyzer/protocol/ssl/dtls-protocol.pac

@@ -63,18 +63,18 @@ refine connection SSL_Conn += {
 			// Reset only to 0 once we have seen a client hello.
 			// This means the connection gets a limited amount of valid/invalid
 			// packets before a client hello has to be seen - which seems reasonable.
-			if ( zeek_analyzer()->ProtocolConfirmed() )
+			if ( zeek_analyzer()->AnalyzerConfirmed() )
 				invalid_version_count_ = 0;
 			return true;
 
 		default:
 			invalid_version_count_++;
 
-			if ( zeek_analyzer()->ProtocolConfirmed() )
+			if ( zeek_analyzer()->AnalyzerConfirmed() )
 				{
 				reported_errors_++;
 				if ( reported_errors_ <= zeek::BifConst::SSL::dtls_max_reported_version_errors )
-					zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version));
+					zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version));
 				}
 
 			if ( invalid_version_count_ > zeek::BifConst::SSL::dtls_max_version_errors )

src/analyzer/protocol/ssl/proc-client-hello.pac

@@ -8,11 +8,11 @@
 		%{
 		if ( ! version_ok(version) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
 			zeek_analyzer()->SetSkip(true);
 			}
 		else
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ssl_client_hello )
 			{

src/analyzer/protocol/ssl/proc-server-hello.pac

@@ -8,7 +8,7 @@
 		%{
 		if ( ! version_ok(version) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version));
 			zeek_analyzer()->SetSkip(true);
 			}
 

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -37,7 +37,7 @@ refine connection SSL_Conn += {
 		%}
 	function proc_unknown_record(rec: SSLRecord) : bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown SSL record type (%d) from %s",
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown SSL record type (%d) from %s",
 				${rec.content_type},
 				orig_label(${rec.is_orig}).c_str()));
 		return true;
@@ -90,7 +90,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( version != SSLv20 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -197,7 +197,7 @@ refine connection SSL_Conn += {
 			if ( version != SSLv30 && version != TLSv10 &&
 			     version != TLSv11 && version != TLSv12 )
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
 				zeek_analyzer()->SetSkip(true);
 				return UNKNOWN_VERSION;
 				}
@@ -214,7 +214,7 @@ refine connection SSL_Conn += {
 				if ( version != SSLv20 && version != SSLv30 && version != TLSv10 &&
 				     version != TLSv11 && version != TLSv12 )
 					{
-					zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version));
+					zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version));
 					zeek_analyzer()->SetSkip(true);
 					return UNKNOWN_VERSION;
 					}
@@ -231,7 +231,7 @@ refine connection SSL_Conn += {
 
 			else // this is not SSL or TLS.
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
 				zeek_analyzer()->SetSkip(true);
 				return UNKNOWN_VERSION;
 				}
@@ -241,7 +241,7 @@ refine connection SSL_Conn += {
 		if ( version != SSLv30 && version != TLSv10 &&
 		     version != TLSv11 && version != TLSv12 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version));
 			zeek_analyzer()->SetSkip(true);
 			return UNKNOWN_VERSION;
 			}
@@ -252,7 +252,7 @@ refine connection SSL_Conn += {
 			return version;
 			}
 
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
 		zeek_analyzer()->SetSkip(true);
 		return UNKNOWN_VERSION;
 		%}

src/analyzer/protocol/ssl/tls-handshake-analyzer.pac

@@ -54,7 +54,7 @@ refine connection Handshake_Conn += {
 			{
 			// This should be impossible due to the binpac parser
 			// and protocol description
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Impossible extension length: %zu", length));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Impossible extension length: %zu", length));
 			zeek_analyzer()->SetSkip(true);
 			return true;
 			}
@@ -287,7 +287,7 @@ refine connection Handshake_Conn += {
 
 	function proc_unknown_handshake(hs: HandshakeRecord, is_orig: bool) : bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown handshake message (%d) from %s",
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown handshake message (%d) from %s",
 			${hs.msg_type}, orig_label(is_orig).c_str()));
 		return true;
 		%}

src/analyzer/protocol/tcp/TCP.cc

@@ -34,7 +34,7 @@ void TCP_ApplicationAnalyzer::Init()
 		SetTCP(static_cast<packet_analysis::TCP::TCPSessionAdapter*>(Parent()));
 	}
 
-void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason, const char* data, int len)
+void TCP_ApplicationAnalyzer::AnalyzerViolation(const char* reason, const char* data, int len)
 	{
 	auto* tcp = TCP();
 
@@ -43,7 +43,7 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason, const char*
 		// too unreliable.
 		return;
 
-	Analyzer::ProtocolViolation(reason, data, len);
+	Analyzer::AnalyzerViolation(reason, data, len);
 	}
 
 void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,

src/analyzer/protocol/tcp/TCP.h

@@ -68,7 +68,7 @@ public:
 
 	// This suppresses violations if the TCP connection wasn't
 	// fully established.
-	void ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0) override;
+	void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0) override;
 
 	// "name" and "val" both now belong to this object, which needs to
 	//  delete them when done with them.

src/analyzer/protocol/teredo/Teredo.cc

@@ -152,7 +152,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( ! te.Parse(data, len) )
 		{
-		ProtocolViolation("Bad Teredo encapsulation", (const char*)data, len);
+		AnalyzerViolation("Bad Teredo encapsulation", (const char*)data, len);
 		return;
 		}
 
@@ -175,7 +175,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 			Weird("Teredo_bubble_with_payload", true);
 		else
 			{
-			ProtocolViolation("Teredo payload length", (const char*)data, len);
+			AnalyzerViolation("Teredo payload length", (const char*)data, len);
 			return;
 			}
 		}
@@ -192,7 +192,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	else
 		{
-		ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*)data, len);
+		AnalyzerViolation("Truncated Teredo or invalid inner IP version", (const char*)data, len);
 		return;
 		}
 

src/analyzer/protocol/teredo/Teredo.h

@@ -33,7 +33,7 @@ public:
 	 */
 	void Weird(const char* name, bool force = false) const
 		{
-		if ( ProtocolConfirmed() || force )
+		if ( AnalyzerConfirmed() || force )
 			reporter->Weird(Conn(), name, "", GetAnalyzerName());
 		}
 
@@ -44,7 +44,7 @@ public:
 	void Confirm()
 		{
 		if ( ! BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 		}
 
 protected:

src/analyzer/protocol/vxlan/VXLAN.cc

@@ -37,13 +37,13 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( len < vxlan_len )
 		{
-		ProtocolViolation("VXLAN header truncation", (const char*)data, len);
+		AnalyzerViolation("VXLAN header truncation", (const char*)data, len);
 		return;
 		}
 
 	if ( (data[0] & 0x08) == 0 )
 		{
-		ProtocolViolation("VXLAN 'I' flag not set", (const char*)data, len);
+		AnalyzerViolation("VXLAN 'I' flag not set", (const char*)data, len);
 		return;
 		}
 
@@ -77,7 +77,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
 		{
-		ProtocolViolation("VXLAN invalid inner packet");
+		AnalyzerViolation("VXLAN invalid inner packet");
 		return;
 		}
 
@@ -86,7 +86,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	if ( ! pkt.ip_hdr )
 		return;
 
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( vxlan_packet )
 		{

src/analyzer/protocol/xmpp/XMPP.cc

@@ -60,7 +60,7 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 

src/analyzer/protocol/xmpp/xmpp-analyzer.pac

@@ -19,7 +19,7 @@ refine connection XMPP_Conn += {
 
 		if ( is_orig && token == "stream:stream" )
 			// Yup, looks like xmpp...
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( token == "success" || token == "message" || token == "db:result"
 		     || token == "db:verify" || token == "presence" )

src/event.bif

@@ -379,7 +379,8 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##    Zeek's default scripts use this event to determine the ``service`` column
 ##    of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ##    there (and thus in ``conn.log``).
-event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
+event analyzer_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
+event protocol_confirmation%(c: connection, atype: AllAnalyzers::Tag, aid: count%) &deprecated="Remove in v5.1. Use analyzer_confirmation.";
 
 ## Generated if a DPD signature matched but the DPD buffer is already exhausted
 ## and thus the analyzer could not be attached. While this does not confirm
@@ -424,7 +425,8 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
 ##    :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ##    however a script-level decision and not done automatically by the event
 ##    engine.
-event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
+event analyzer_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
+event protocol_violation%(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string%) &deprecated="Remove in v.5.1. Use analyzer_violation.";
 
 ## Generated when a TCP connection terminated, passing on statistics about the
 ## two endpoints. This event is always generated when Zeek flushes the internal

src/packet_analysis/Analyzer.cc

@@ -4,6 +4,7 @@
 
 #include "zeek/DebugLogger.h"
 #include "zeek/Dict.h"
+#include "zeek/Event.h"
 #include "zeek/RunState.h"
 #include "zeek/session/Manager.h"
 #include "zeek/util.h"
@@ -166,4 +167,42 @@ void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const
 	session_mgr->Weird(name, packet, addl, GetAnalyzerName());
 	}
 
+void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag)
+	{
+	if ( session->AnalyzerState(arg_tag) == session::AnalyzerConfirmationState::CONFIRMED )
+		return;
+
+	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::CONFIRMED);
+
+	if ( ! analyzer_confirmation )
+		return;
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), tval, val_mgr->Count(0));
+	}
+
+void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
+                                 int len)
+	{
+	if ( ! analyzer_violation )
+		return;
+
+	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::VIOLATED);
+
+	StringValPtr r;
+
+	if ( data && len )
+		{
+		const char* tmp = util::copy_string(reason);
+		r = make_intrusive<StringVal>(util::fmt(
+			"%s [%s%s]", tmp, util::fmt_bytes(data, std::min(40, len)), len > 40 ? "..." : ""));
+		delete[] tmp;
+		}
+	else
+		r = make_intrusive<StringVal>(reason);
+
+	const auto& tval = tag.AsVal();
+	event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r));
+	}
+
 	} // namespace zeek::packet_analysis

src/packet_analysis/Analyzer.h

@@ -6,6 +6,7 @@
 #include "zeek/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Manager.h"
+#include "zeek/session/Session.h"
 
 namespace zeek::packet_analysis
 	{
@@ -126,6 +127,52 @@ public:
 	 */
 	virtual bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) { return false; }
 
+	/**
+	 * Signals Zeek's protocol detection that the analyzer has recognized
+	 * the input to indeed conform to the expected protocol. This should
+	 * be called as early as possible during a connection's life-time. It
+	 * may turn into \c analyzer_confirmed event at the script-layer (but
+	 * only once per analyzer for each connection, even if the method is
+	 * called multiple times).
+	 *
+	 * If tag is given, it overrides the analyzer tag passed to the
+	 * scripting layer; the default is the one of the analyzer itself.
+	 */
+	virtual void AnalyzerConfirmation(session::Session* session, zeek::Tag tag = zeek::Tag());
+
+	/**
+	 * Signals Bro's protocol detection that the analyzer has found a
+	 * severe protocol violation that could indicate that it's not
+	 * parsing the expected protocol. This turns into \c
+	 * analyzer_violation events at the script-layer (one such event is
+	 * raised for each call to this method so that the script-layer can
+	 * built up a notion of how prevalent protocol violations are; the
+	 * more, the less likely it's the right protocol).
+	 *
+	 * @param reason A textual description of the error encountered.
+	 *
+	 * @param data An optional pointer to the malformed data.
+	 *
+	 * @param len If \a data is given, the length of it.
+	 */
+	virtual void AnalyzerViolation(const char* reason, session::Session* session,
+	                               const char* data = nullptr, int len = 0);
+
+	/**
+	 * Returns true if ProtocolConfirmation() has been called at least
+	 * once.
+	 */
+	bool AnalyzerConfirmed(session::Session* session) const
+		{
+		return session->AnalyzerState(GetAnalyzerTag()) ==
+		       session::AnalyzerConfirmationState::CONFIRMED;
+		}
+	bool AnalyzerViolated(session::Session* session) const
+		{
+		return session->AnalyzerState(GetAnalyzerTag()) ==
+		       session::AnalyzerConfirmationState::VIOLATED;
+		}
+
 protected:
 	friend class Manager;
 

src/session/Session.cc

@@ -205,4 +205,18 @@ void Session::RemoveConnectionTimer(double t)
 	session_mgr->Remove(this);
 	}
 
+AnalyzerConfirmationState Session::AnalyzerState(const zeek::Tag& tag) const
+	{
+	auto it = analyzer_confirmations.find(tag);
+	if ( it == analyzer_confirmations.end() )
+		return AnalyzerConfirmationState::UNKNOWN;
+
+	return it->second;
+	}
+
+void Session::SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState value)
+	{
+	analyzer_confirmations.insert_or_assign(tag, value);
+	}
+
 	} // namespace zeek::session

src/session/Session.h

@@ -2,11 +2,13 @@
 
 #pragma once
 
+#include <map>
 #include <memory>
 
 #include "zeek/EventHandler.h"
 #include "zeek/Hash.h"
 #include "zeek/Obj.h"
+#include "zeek/Tag.h"
 #include "zeek/Timer.h"
 #include "zeek/session/Key.h"
 
@@ -31,6 +33,13 @@ class Timer;
 class Session;
 using timer_func = void (Session::*)(double t);
 
+enum class AnalyzerConfirmationState
+	{
+	UNKNOWN,
+	VIOLATED,
+	CONFIRMED
+	};
+
 class Session : public Obj
 	{
 public:
@@ -214,6 +223,9 @@ public:
 	 */
 	virtual std::string TransportIdentifier() const = 0;
 
+	AnalyzerConfirmationState AnalyzerState(const zeek::Tag& tag) const;
+	void SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState);
+
 protected:
 	friend class detail::Timer;
 
@@ -261,6 +273,8 @@ protected:
 	unsigned int record_packets : 1, record_contents : 1;
 	unsigned int record_current_packet : 1, record_current_content : 1;
 	bool in_session_table;
+
+	std::map<zeek::Tag, AnalyzerConfirmationState> analyzer_confirmations;
 	};
 
 namespace detail

testing/btest/Baseline/plugins.hooks/output

@@ -4333,6 +4333,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
@@ -4347,10 +4348,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
+XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
@@ -4360,7 +4361,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
@@ -4373,6 +4373,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
@@ -4387,10 +4388,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(network_time, <frame>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/))
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
+XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
@@ -4400,7 +4401,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0)))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
 XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
@@ -4414,6 +4414,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5,
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+XXXXXXXXXX.XXXXXX | HookCallFunction analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(-%s, HTTP)
@@ -4428,10 +4429,10 @@ XXXXXXXXXX.XXXXXX | HookCallFunction http_message_done([id=[orig_h=141.142.228.5
 XXXXXXXXXX.XXXXXX | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
 XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction network_time()
-XXXXXXXXXX.XXXXXX | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction split_string1(bro.org, /^?(:)$?/)
 XXXXXXXXXX.XXXXXX | HookDrainEvents
+XXXXXXXXXX.XXXXXX | HookQueueEvent analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
@@ -4441,7 +4442,6 @@ XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
-XXXXXXXXXX.XXXXXX | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -8,7 +8,7 @@ XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX new_connection
 XXXXXXXXXX.XXXXXX dns_message
 XXXXXXXXXX.XXXXXX dns_request
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX dns_end
 XXXXXXXXXX.XXXXXX dns_message
 XXXXXXXXXX.XXXXXX dns_CNAME_reply
@@ -19,7 +19,7 @@ XXXXXXXXXX.XXXXXX connection_established
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX smtp_request
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX smtp_reply
@@ -120,7 +120,7 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_connection
 XXXXXXXXXX.XXXXXX connection_established
 XXXXXXXXXX.XXXXXX smtp_reply
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX smtp_request
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
@@ -173,7 +173,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX ssl_client_hello
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_plaintext_data

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log

@@ -22,7 +22,7 @@ XXXXXXXXXX.XXXXXX dns_request
                   [4] qclass: count      = 1
                   [5] original_query: string = mail.patriots.in
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
@@ -83,7 +83,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [4] msg: string        = and/or bulk e-mail.
                   [5] cont_resp: bool    = F
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
@@ -529,7 +529,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [4] msg: string        = uprise ESMTP SubEthaSMTP null
                   [5] cont_resp: bool    = F
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 21
@@ -799,7 +799,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
                   [2] code: count        = 13172
                   [3] val: string        = 
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SSL
                   [2] aid: count         = 35

testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log

@@ -36,7 +36,7 @@ XXXXXXXXXX.XXXXXX dns_request
                   [4] qclass: count      = 1
                   [5] original_query: string = mail.patriots.in
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
@@ -297,7 +297,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [5] len: count         = 9
                   [6] payload: string    = EHLO GP\x0d\x0a
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
@@ -6720,7 +6720,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [1] is_orig: bool      = T
                   [2] options: vector of TCP::Option = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034638, echo_timestamp=84165]]
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 21
@@ -8666,7 +8666,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
                   [2] code: count        = 13172
                   [3] val: string        = 
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SSL
                   [2] aid: count         = 35

testing/btest/bifs/disable_analyzer-early.zeek

@@ -5,7 +5,7 @@
 
 global msg_count: table[conn_id] of count &default=0;
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@@ -30,5 +30,3 @@ event zeek_done()
 	{
 	print "total http messages", msg_count;
 	}
-
-

testing/btest/bifs/disable_analyzer.zeek

@@ -5,7 +5,7 @@
 
 global msg_count: table[conn_id] of count &default=0;
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@@ -30,5 +30,3 @@ event zeek_done()
 	{
 	print "total http messages", msg_count;
 	}
-
-

testing/btest/core/tunnels/gtp/non_recursive.test

@@ -5,7 +5,7 @@
 # So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
 # it is just a UDP packet, but not another GTP tunnel.
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string)
     {
     print "protocol_violation", c$id, reason;
     }