Merge remote-tracking branch 'origin/master' into topic/johanna/tls13-details

.gitignore

@@ -1,3 +1,7 @@
 build
 tmp
 *.gcov
+
+# Configuration and build directories for CLion
+.idea
+cmake-build-debug

CHANGES

@@ -1,4 +1,80 @@
 
+2.6-389 | 2019-06-06 20:02:19 -0700
+
+  * Update plugin unit tests to use --zeek-dist (Jon Siwek, Corelight)
+
+2.6-388 | 2019-06-06 19:48:55 -0700
+
+  * Change default value of peer_description "zeek" (Jon Siwek, Corelight)
+
+2.6-387 | 2019-06-06 18:51:09 -0700
+
+  * Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
+
+2.6-386 | 2019-06-06 17:17:55 -0700
+
+  * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
+
+2.6-384 | 2019-06-06 16:49:14 -0700
+
+  * Add new RDP event: rdp_client_security_data (Jeff Atkinson)
+
+2.6-379 | 2019-06-06 11:56:58 -0700
+
+  * Improve sqlite logging unit tests (Jon Siwek, Corelight)
+
+2.6-378 | 2019-06-05 16:23:04 -0700
+
+  * Rename BRO_DEPRECATED macro to ZEEK_DEPRECATED (Jon Siwek, Corelight)
+
+2.6-377 | 2019-06-05 16:15:58 -0700
+
+  * Deprecate functions with "bro" in them. (Jon Siwek, Corelight)
+
+    * "bro_is_terminating" is now "zeek_is_terminating"
+
+    * "bro_version" is now "zeek_version"
+
+    The old functions still exist for now, but are deprecated.
+
+2.6-376 | 2019-06-05 13:29:57 -0700
+
+  * GH-379: move catch-and-release and unified2 scripts to policy/ (Jon Siwek, Corelight)
+
+    These are no longer loaded by default due to the performance impact they
+    cause simply by being loaded (they have event handlers for commonly
+    generated events) and they aren't generally useful enough to justify it.
+
+2.6-375 | 2019-06-04 19:28:06 -0700
+
+  * Simplify threading::Value destructor (Jon Siwek, Corelight)
+
+  * Add pattern support to input framework. (Zeke Medley, Corelight)
+
+2.6-369 | 2019-06-04 17:53:10 -0700
+
+  * GH-155: Improve coercion of expression lists to vector types (Tim Wojtulewicz, Corelight)
+
+  * GH-159: Allow coercion of numeric record field values to other types (Tim Wojtulewicz, Corelight)
+
+  * Allow passing a location to BroObj::Warning and BroObj::Error. (Tim Wojtulewicz, Corelight)
+
+    This allows callers (such as check_and_promote) to pass an expression
+    location to be logged if the location doesn't exist in the value being
+    promoted.
+
+  * Add CLion directories to gitignore (Tim Wojtulewicz, Corelight)
+
+  * Move #define outside of max_type for clarity (Tim Wojtulewicz, Corelight)
+
+2.6-361 | 2019-06-04 10:30:21 -0700
+
+  * GH-293: Protect copy() against reference cycles. (Robin Sommer, Corelight)
+
+    Reference cycles shouldn't occur but there's nothing really preventing
+    people from creating them, so may just as well be safe and deal with
+    them when cloning values.
+
 2.6-359 | 2019-05-31 13:37:17 -0700
 
   * Remove old documentation reference to rotate_interval (Jon Siwek, Corelight)

NEWS

@@ -79,9 +79,16 @@ New Functionality
 - The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
   also allowed when specifying patterns used in signature files.
 
-- Add a new "client_channels" field to rdp.log based on data parsed from
+- New RDP functionality.
+
+  - New events:
+    - rdp_client_network_data
+    - rdp_client_security_data
+    - rdp_native_encrypted_data
+
+  - Add a new "client_channels" field to rdp.log based on data parsed from
     the Client Network Data (TS_UD_CS_NET) packet.  The channel list is also
-  available in a new event, "rdp_client_network_data".
+    available in the new ``rdp_client_network_data`` event.
 
 Changed Functionality
 ---------------------
@@ -216,6 +223,33 @@ Changed Functionality
   in scripts has also been updated to replace Sphinx cross-referencing roles
   and directives like ":bro:see:" with ":zeek:zee:".
 
+- The catch-and-release and unified2 scripts are no longer loaded by
+  default.  Because there was a performance impact simply from loading
+  them and it's unlikely a majority of user make use of their features,
+  they've been moved from the scripts/base/ directory into
+  scripts/policy/ and must be manually loaded to use their
+  functionality.  The "drop" action for the notice framework is likewise
+  moved since it was implemented via catch-and-release.  As a result,
+  the default notice.log no longer contains a "dropped" field.
+
+  If you previously used the catch-and-release functionality add this:
+
+      @load policy/frameworks/netcontrol/catch-and-release
+
+  If you previously used Notice::ACTION_DROP add:
+
+      @load policy/frameworks/notice/actions/drop
+
+  If you previously used the Unified2 file analysis support add:
+
+      @load policy/files/unified2
+
+- The default value of ``peer_description`` has changed from "bro"
+  to "zeek".  This won't effect most users, except for the fact that
+  this value may appear in several log files, so any external plugins
+  that have written unit tests that compare baselines of such log
+  files may need to be updated.
+
 Removed Functionality
 ---------------------
 
@@ -340,6 +374,9 @@ Deprecated Functionality
   such that existing code will not break, but will emit a deprecation
   warning.
 
+- The ``bro_is_terminating`` and ``bro_version`` function are deprecated and
+  replaced by functions named ``zeek_is_terminating`` and ``zeek_version``.
+
 - The ``rotate_file``, ``rotate_file_by_name`` and ``calc_next_rotate`` functions
   were marked as deprecated. These functions were used with the old pre-2.0 logging
   framework and are no longer used. They also were marked as deprecated in their

VERSION

@@ -1 +1 @@
-2.6-359
+2.6-389

aux/zeek-aux

@@ -1 +1 @@
-Subproject commit e5b766fa0cc4e07a8a8275cab271170558f6bd2b
+Subproject commit bac443d6cebca567d3d0da52a25ff4e0bcdd1edd

doc

@@ -1 +1 @@
-Subproject commit 7f64a90d86fc53506f93fb4c327fdb8c4e3aab0a
+Subproject commit 7b81005333a5416e1da6a4c83df678e75dccd6be

scripts/base/frameworks/netcontrol/__load__.zeek

@@ -3,7 +3,6 @@
 @load ./plugins
 @load ./drop
 @load ./shunt
-@load ./catch-and-release
 
 # The cluster framework must be loaded first.
 @load base/frameworks/cluster

scripts/base/frameworks/netcontrol/drop.zeek

@@ -1,9 +1,9 @@
 ##! Implementation of the drop functionality for NetControl.
 
-module NetControl;
-
 @load ./main
 
+module NetControl;
+
 export {
 	redef enum Log::ID += { DROP };
 

scripts/base/frameworks/netcontrol/main.zeek

@@ -10,11 +10,11 @@
 ##! provides convenience functions for a set of common operations. The
 ##! low-level API provides full flexibility.
 
-module NetControl;
-
 @load ./plugin
 @load ./types
 
+module NetControl;
+
 export {
 	## The framework's logging stream identifier.
 	redef enum Log::ID += { LOG };
@@ -889,7 +889,7 @@ function remove_rule_impl(id: string, reason: string) : bool
 function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
 	{
 	# do not emit timeout events on shutdown
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		return;
 
 	if ( r$id !in rules )

scripts/base/frameworks/netcontrol/non-cluster.zeek

@@ -1,7 +1,8 @@
-module NetControl;
 
 @load ./main
 
+module NetControl;
+
 function activate(p: PluginState, priority: int)
 	{
 	activate_impl(p, priority);

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -1,9 +1,9 @@
 ##! This file defines the plugin interface for NetControl.
 
-module NetControl;
-
 @load ./types
 
+module NetControl;
+
 export {
 	## This record keeps the per instance state of a plugin.
 	##

scripts/base/frameworks/netcontrol/plugins/acld.zeek

@@ -1,11 +1,11 @@
 ##! Acld plugin for the netcontrol framework.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	type AclRule : record {
 		command: string;

scripts/base/frameworks/netcontrol/plugins/broker.zeek

@@ -2,12 +2,12 @@
 ##! used in NetControl on to Broker to allow for easy handling, e.g., of
 ##! command-line scripts.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
 	type BrokerConfig: record {

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -3,10 +3,10 @@
 ##! and can only add/remove filters for addresses, this is quite
 ##! limited in scope at the moment. 
 
-module NetControl;
-
 @load ../plugin
 
+module NetControl;
+
 export {
 	## Instantiates the packetfilter plugin.
 	global create_packetfilter: function() : PluginState;

scripts/base/frameworks/notice/__load__.zeek

@@ -3,7 +3,6 @@
 
 # There should be no overhead imposed by loading notice actions so we
 # load them all.
-@load ./actions/drop
 @load ./actions/email_admin
 @load ./actions/page
 @load ./actions/add-geodata

scripts/base/frameworks/notice/main.zeek

@@ -405,7 +405,7 @@ function email_headers(subject_desc: string, dest: string): string
 		"From: ", mail_from, "\n",
 		"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
 		"To: ", dest, "\n",
-		"User-Agent: Bro-IDS/", bro_version(), "\n");
+		"User-Agent: Bro-IDS/", zeek_version(), "\n");
 	if ( reply_to != "" )
 		header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
 	return header_text;

scripts/base/frameworks/openflow/consts.zeek

@@ -11,7 +11,7 @@ const COOKIE_BID_SIZE = 16777216;
 # start at bit 40 (1 << 40)
 const COOKIE_BID_START = 1099511627776;
 # Zeek specific cookie ID shall have the 42 bit set (1 << 42)
-const BRO_COOKIE_ID = 4;
+const ZEEK_COOKIE_ID = 4;
 # 8 bits group identifier
 const COOKIE_GID_SIZE = 256;
 # start at bit 32 (1 << 32)

scripts/base/frameworks/openflow/main.zeek

@@ -198,7 +198,7 @@ function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
 # 42 bit of the cookie set.
 function generate_cookie(cookie: count &default=0): count
 	{
-	local c = BRO_COOKIE_ID * COOKIE_BID_START;
+	local c = ZEEK_COOKIE_ID * COOKIE_BID_START;
 
 	if ( cookie >= COOKIE_UID_SIZE )
 		Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
@@ -211,7 +211,7 @@ function generate_cookie(cookie: count &default=0): count
 # local function to check if a given flow_mod cookie is forged from this framework.
 function is_valid_cookie(cookie: count): bool
 	{
-	if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
+	if ( cookie / COOKIE_BID_START == ZEEK_COOKIE_ID )
 		return T;
 
 	Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
@@ -231,7 +231,7 @@ function get_cookie_gid(cookie: count): count
 	{
 	if( is_valid_cookie(cookie) )
 		return (
-			(cookie	- (COOKIE_BID_START * BRO_COOKIE_ID) -
+			(cookie	- (COOKIE_BID_START * ZEEK_COOKIE_ID) -
 			(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
 			COOKIE_GID_START
 		);

scripts/base/frameworks/openflow/types.zeek

@@ -89,7 +89,7 @@ export {
 		## Opaque controller-issued identifier.
 		# This is optional in the specification - but let's force
 		# it so we always can identify our flows...
-		cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
+		cookie: count; # &default=ZEEK_COOKIE_ID * COOKIE_BID_START;
 		# Flow actions
 		## Table to put the flow in. OFPTT_ALL can be used for delete,
 		## to delete flows from all matching tables.

scripts/base/frameworks/sumstats/non-cluster.zeek

@@ -35,7 +35,7 @@ event SumStats::finish_epoch(ss: SumStat)
 			{
 			local data = result_store[ss$name];
 			local now = network_time();
-			if ( bro_is_terminating() )
+			if ( zeek_is_terminating() )
 				{
 				for ( key, val in data )
 					ss$epoch_result(now, key, val);

scripts/base/init-bare.zeek

@@ -4282,6 +4282,22 @@ export {
 		dig_product_id:         string &optional;
 	};
 
+	## The TS_UD_CS_SEC data block contains security-related information used
+	## to advertise client cryptographic support.
+	type RDP::ClientSecurityData: record {
+		## Cryptographic encryption methods supported by the client and used in
+		## conjunction with Standard RDP Security.  Known flags:
+		##
+		## - 0x00000001: support for 40-bit session encryption keys
+		## - 0x00000002: support for 128-bit session encryption keys
+		## - 0x00000008: support for 56-bit session encryption keys
+		## - 0x00000010: support for FIPS compliant encryption and MAC methods
+		encryption_methods:	count;
+		## Only used in French locale and designates the encryption method.  If
+		## non-zero, then encryption_methods should be set to 0.
+		ext_encryption_methods:	count;
+	};
+
 	## Name and flags for a single channel requested by the client.
 	type RDP::ClientChannelDef: record {
 		## A unique name for the channel
@@ -4749,7 +4765,7 @@ const packet_filter_default = F &redef;
 const sig_max_group_size = 50 &redef;
 
 ## Description transmitted to remote communication peers for identification.
-const peer_description = "bro" &redef;
+const peer_description = "zeek" &redef;
 
 ## The number of IO chunks allowed to be buffered between the child
 ## and parent process of remote communication before Zeek starts dropping

scripts/base/init-default.zeek

@@ -74,7 +74,6 @@
 @load base/files/pe
 @load base/files/hash
 @load base/files/extract
-@load base/files/unified2
 @load base/files/x509
 
 @load base/misc/find-checksum-offloading

scripts/base/misc/version.zeek

@@ -78,10 +78,10 @@ export {
 	## The format of the number is ABBCC with A being the major version,
 	## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
 	## As an example, Zeek 2.4.1 results in the number 20401
-	const number = Version::parse(bro_version())$version_number;
+	const number = Version::parse(zeek_version())$version_number;
 
 	## `VersionDescription` record pertaining to the currently running version of Zeek.
-	const info = Version::parse(bro_version());
+	const info = Version::parse(zeek_version());
 }
 
 function at_least(version_string: string): bool

scripts/base/protocols/dhcp/main.zeek

@@ -141,7 +141,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
 	# Also, if Zeek is shutting down.
 	if ( (now - info$last_message_ts) > 5sec ||
 	     (now - info$ts) > max_txid_watch_time ||
-	     bro_is_terminating() )
+	     zeek_is_terminating() )
 		{
 		Log::write(LOG, info);
 

scripts/policy/frameworks/netcontrol/catch-and-release.zeek

@@ -1,10 +1,9 @@
 ##! Implementation of catch-and-release functionality for NetControl.
 
-module NetControl;
+@load base/frameworks/netcontrol
-
 @load base/frameworks/cluster
-@load ./main
+
-@load ./drop
+module NetControl;
 
 export {
 

scripts/policy/frameworks/notice/actions/drop.zeek

@@ -1,8 +1,9 @@
 ##! This script extends the built in notice code to implement the IP address
 ##! dropping functionality.
 
-@load ../main
+@load base/frameworks/notice/main
 @load base/frameworks/netcontrol
+@load policy/frameworks/netcontrol/catch-and-release
 
 module Notice;
 

scripts/policy/misc/stats.zeek

@@ -99,7 +99,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local fs = get_file_analysis_stats();
 	local ds = get_dns_stats();
 
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		# No more stats will be written or scheduled when Zeek is
 		# shutting down.
 		return;

scripts/policy/misc/trim-trace-file.zeek

@@ -17,7 +17,7 @@ export {
 
 event TrimTraceFile::go(first_trim: bool)
 	{
-	if ( bro_is_terminating() || trace_output_file == "" )
+	if ( zeek_is_terminating() || trace_output_file == "" )
 		return;
 	
 	if ( ! first_trim )

scripts/test-all-policy.zeek

@@ -31,12 +31,16 @@
 @load frameworks/intel/seen/ssl.zeek
 @load frameworks/intel/seen/where-locations.zeek
 @load frameworks/intel/seen/x509.zeek
+@load frameworks/netcontrol/catch-and-release.zeek
 @load frameworks/files/detect-MHR.zeek
 @load frameworks/files/entropy-test-all-files.zeek
 #@load frameworks/files/extract-all-files.zeek
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
+@load frameworks/notice/actions/drop.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
+@load files/unified2/__load__.zeek
+@load files/unified2/main.zeek
 @load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek

src/Expr.cc

@@ -2591,7 +2591,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 
 		if ( op2->Tag() == EXPR_LIST )
 			{
-			op2 = new VectorConstructorExpr(op2->AsListExpr());
+			op2 = new VectorConstructorExpr(op2->AsListExpr(), op1->Type());
 			return true;
 			}
 		}
@@ -4136,15 +4136,41 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 
 			if ( ! same_type(sup_t_i, sub_t_i) )
 				{
-				if ( sup_t_i->Tag() != TYPE_RECORD ||
+				auto is_arithmetic_promotable = [](BroType* sup, BroType* sub) -> bool
-				     sub_t_i->Tag() != TYPE_RECORD ||
-				     ! record_promotion_compatible(sup_t_i->AsRecordType(),
-				                                   sub_t_i->AsRecordType()) )
 					{
-					char buf[512];
+					auto sup_tag = sup->Tag();
-					safe_snprintf(buf, sizeof(buf),
+					auto sub_tag = sub->Tag();
+
+					if ( ! BothArithmetic(sup_tag, sub_tag) )
+						return false;
+
+					if ( sub_tag == TYPE_DOUBLE && IsIntegral(sup_tag) )
+						return false;
+
+					if ( sub_tag == TYPE_INT && sup_tag == TYPE_COUNT )
+						return false;
+
+					return true;
+					};
+
+				auto is_record_promotable = [](BroType* sup, BroType* sub) -> bool
+					{
+					if ( sup->Tag() != TYPE_RECORD )
+						return false;
+
+					if ( sub->Tag() != TYPE_RECORD )
+						return false;
+
+					return record_promotion_compatible(sup->AsRecordType(),
+					                                   sub->AsRecordType());
+					};
+
+				if ( ! is_arithmetic_promotable(sup_t_i, sub_t_i) &&
+				     ! is_record_promotable(sup_t_i, sub_t_i) )
+					{
+					string error_msg = fmt(
 						"type clash for field \"%s\"", sub_r->FieldName(i));
-					Error(buf, sub_t_i);
+					Error(error_msg.c_str(), sub_t_i);
 					SetError();
 					break;
 					}
@@ -4162,11 +4188,9 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 				{
 				if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
 					{
-					char buf[512];
+					string error_msg = fmt(
-					safe_snprintf(buf, sizeof(buf),
+						"non-optional field \"%s\" missing", t_r->FieldName(i));
-					              "non-optional field \"%s\" missing",
+					Error(error_msg.c_str());
-					              t_r->FieldName(i));
-					Error(buf);
 					SetError();
 					break;
 					}
@@ -4254,6 +4278,20 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 					rhs = new_val;
 					}
 				}
+			else if ( BothArithmetic(rhs_type->Tag(), field_type->Tag()) &&
+			          ! same_type(rhs_type, field_type) )
+				{
+				if ( Val* new_val = check_and_promote(rhs, field_type, false, op->GetLocationInfo()) )
+					{
+					// Don't call unref here on rhs because check_and_promote already called it.
+					rhs = new_val;
+					}
+				else
+					{
+					Unref(val);
+					RuntimeError("Failed type conversion");
+					}
+				}
 
 			val->Assign(i, rhs);
 			}

src/Obj.cc

@@ -100,21 +100,21 @@ BroObj::~BroObj()
 	delete location;
 	}
 
-void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
+void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
 	{
 	ODesc d;
-	DoMsg(&d, msg, obj2, pinpoint_only);
+	DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
 	reporter->Warning("%s", d.Description());
 	reporter->PopLocation();
 	}
 
-void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
+void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
 	{
 	if ( suppress_errors )
 		return;
 
 	ODesc d;
-	DoMsg(&d, msg, obj2, pinpoint_only);
+	DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
 	reporter->Error("%s", d.Description());
 	reporter->PopLocation();
 	}
@@ -200,7 +200,7 @@ void BroObj::UpdateLocationEndInfo(const Location& end)
 	}
 
 void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
-			int pinpoint_only) const
+			int pinpoint_only, const Location* expr_location) const
 	{
 	d->SetShort();
 
@@ -211,6 +211,8 @@ void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
 	if ( obj2 && obj2->GetLocationInfo() != &no_location &&
 		 *obj2->GetLocationInfo() != *GetLocationInfo() )
 		loc2 = obj2->GetLocationInfo();
+	else if ( expr_location )
+		loc2 = expr_location;
 
 	reporter->PushLocation(GetLocationInfo(), loc2);
 	}

src/Obj.h

@@ -118,9 +118,9 @@ public:
 	// included in the message, though if pinpoint_only is non-zero,
 	// then obj2 is only used to pinpoint the location.
 	void Warn(const char* msg, const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 	void Error(const char* msg, const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 
 	// Report internal errors.
 	void BadTag(const char* msg, const char* t1 = 0,
@@ -178,7 +178,7 @@ private:
 	friend class SuppressErrors;
 
 	void DoMsg(ODesc* d, const char s1[], const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 	void PinPoint(ODesc* d, const BroObj* obj2 = 0,
 			int pinpoint_only = 0) const;
 

src/OpaqueVal.cc

@@ -97,7 +97,7 @@ Val* MD5Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
@@ -241,7 +241,7 @@ Val* SHA1Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
@@ -376,7 +376,7 @@ Val* SHA256Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
@@ -517,7 +517,7 @@ Val* EntropyVal::DoClone(CloneState* state)
 	uinfo.cache = false;
 	Val* clone = Unserialize(&uinfo, type);
 	free(data);
-	return clone;
+	return state->NewClone(this, clone);
 	}
 
 bool EntropyVal::Feed(const void* data, size_t size)
@@ -639,10 +639,10 @@ Val* BloomFilterVal::DoClone(CloneState* state)
 		{
 		auto bf = new BloomFilterVal(bloom_filter->Clone());
 		bf->Typify(type);
-		return bf;
+		return state->NewClone(this, bf);
 		}
 
-	return new BloomFilterVal();
+	return state->NewClone(this, new BloomFilterVal());
 	}
 
 bool BloomFilterVal::Typify(BroType* arg_type)
@@ -801,7 +801,8 @@ CardinalityVal::~CardinalityVal()
 
 Val* CardinalityVal::DoClone(CloneState* state)
 	{
-	return new CardinalityVal(new probabilistic::CardinalityCounter(*c));
+	return state->NewClone(this,
+			       new CardinalityVal(new probabilistic::CardinalityCounter(*c)));
 	}
 
 IMPLEMENT_SERIAL(CardinalityVal, SER_CARDINALITY_VAL);

src/Type.cc

@@ -2123,6 +2123,10 @@ int is_assignable(BroType* t)
 	return 0;
 	}
 
+#define CHECK_TYPE(t) \
+	if ( t1 == t || t2 == t ) \
+		return t;
+
 TypeTag max_type(TypeTag t1, TypeTag t2)
 	{
 	if ( t1 == TYPE_INTERVAL || t1 == TYPE_TIME )
@@ -2132,10 +2136,6 @@ TypeTag max_type(TypeTag t1, TypeTag t2)
 
 	if ( BothArithmetic(t1, t2) )
 		{
-#define CHECK_TYPE(t) \
-	if ( t1 == t || t2 == t ) \
-		return t;
-
 		CHECK_TYPE(TYPE_DOUBLE);
 		CHECK_TYPE(TYPE_INT);
 		CHECK_TYPE(TYPE_COUNT);

src/Val.cc

@@ -86,8 +86,6 @@ Val* Val::Clone(CloneState* state)
 
 	auto c = DoClone(state);
 	assert(c);
-
-	state->clones.insert(std::make_pair(this, c));
 	return c;
 	}
 
@@ -566,6 +564,35 @@ void Val::ValDescribeReST(ODesc* d) const
 	}
 	}
 
+
+bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val)
+	{
+	if ( !to_type || !from_type )
+		return true;
+	else if ( same_type(to_type, from_type) )
+		return false;
+
+	if ( to_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return false;
+	else if ( to_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		{
+		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+			return (val->InternalDouble() < 0.0 || val->InternalDouble() > static_cast<double>(UINT64_MAX));
+		else if ( from_type->InternalType() == TYPE_INTERNAL_INT )
+			return (val->InternalInt() < 0);
+		}
+	else if ( to_type->InternalType() == TYPE_INTERNAL_INT )
+		{
+		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+			return (val->InternalDouble() < static_cast<double>(INT64_MIN) ||
+			        val->InternalDouble() > static_cast<double>(INT64_MAX));
+		else if ( from_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+			return (val->InternalUnsigned() > INT64_MAX);
+		}
+
+	return false;
+	}
+
 MutableVal::~MutableVal()
 	{
 	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
@@ -1155,8 +1182,12 @@ unsigned int StringVal::MemoryAllocation() const
 
 Val* StringVal::DoClone(CloneState* state)
 	{
-	return new StringVal(new BroString((u_char*) val.string_val->Bytes(),
+	// We could likely treat this type as immutable and return a reference
-	                                   val.string_val->Len(), 1));
+	// instead of creating a new copy, but we first need to be careful and
+	// audit whether anything internal actually does mutate it.
+	return state->NewClone(this, new StringVal(
+	        new BroString((u_char*) val.string_val->Bytes(),
+	                      val.string_val->Len(), 1)));
 	}
 
 IMPLEMENT_SERIAL(StringVal, SER_STRING_VAL);
@@ -1223,10 +1254,13 @@ unsigned int PatternVal::MemoryAllocation() const
 
 Val* PatternVal::DoClone(CloneState* state)
 	{
+	// We could likely treat this type as immutable and return a reference
+	// instead of creating a new copy, but we first need to be careful and
+	// audit whether anything internal actually does mutate it.
 	auto re = new RE_Matcher(val.re_val->PatternText(),
 	                         val.re_val->AnywherePatternText());
 	re->Compile();
-	return new PatternVal(re);
+	return state->NewClone(this, new PatternVal(re));
 	}
 
 IMPLEMENT_SERIAL(PatternVal, SER_PATTERN_VAL);
@@ -1331,6 +1365,7 @@ Val* ListVal::DoClone(CloneState* state)
 	{
 	auto lv = new ListVal(tag);
 	lv->vals.resize(vals.length());
+	state->NewClone(this, lv);
 
 	loop_over_list(vals, i)
 		lv->Append(vals[i]->Clone(state));
@@ -2541,6 +2576,7 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
 Val* TableVal::DoClone(CloneState* state)
 	{
 	auto tv = new TableVal(table_type);
+	state->NewClone(this, tv);
 
 	const PDict(TableEntryVal)* tbl = AsTable();
 	IterCookie* cookie = tbl->InitForIteration();
@@ -3158,6 +3194,7 @@ Val* RecordVal::DoClone(CloneState* state)
 	// we don't touch it.
 	auto rv = new RecordVal(Type()->AsRecordType(), false);
 	rv->origin = nullptr;
+	state->NewClone(this, rv);
 
 	loop_over_list(*val.val_list_val, i)
 		{
@@ -3454,6 +3491,7 @@ Val* VectorVal::DoClone(CloneState* state)
 	{
 	auto vv = new VectorVal(vector_type);
 	vv->val.vector_val->reserve(val.vector_val->size());
+	state->NewClone(this, vv);
 
 	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
 		{
@@ -3556,7 +3594,7 @@ bool OpaqueVal::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
-Val* check_and_promote(Val* v, const BroType* t, int is_init)
+Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location)
 	{
 	if ( ! v )
 		return 0;
@@ -3580,7 +3618,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 		if ( same_type(t, vt, is_init) )
 			return v;
 
-		t->Error("type clash", v);
+		t->Error("type clash", v, 0, expr_location);
 		Unref(v);
 		return 0;
 		}
@@ -3589,9 +3627,9 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	     (! IsArithmetic(v_tag) || t_tag != TYPE_TIME || ! v->IsZero()) )
 		{
 		if ( t_tag == TYPE_LIST || v_tag == TYPE_LIST )
-			t->Error("list mixed with scalar", v);
+			t->Error("list mixed with scalar", v, 0, expr_location);
 		else
-			t->Error("arithmetic mixed with non-arithmetic", v);
+			t->Error("arithmetic mixed with non-arithmetic", v, 0, expr_location);
 		Unref(v);
 		return 0;
 		}
@@ -3599,12 +3637,12 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	if ( v_tag == t_tag )
 		return v;
 
-	if ( t_tag != TYPE_TIME )
+	if ( t_tag != TYPE_TIME && ! BothArithmetic(t_tag, v_tag) )
 		{
 		TypeTag mt = max_type(t_tag, v_tag);
 		if ( mt != t_tag )
 			{
-			t->Error("over-promotion of arithmetic value", v);
+			t->Error("over-promotion of arithmetic value", v, 0, expr_location);
 			Unref(v);
 			return 0;
 			}
@@ -3621,7 +3659,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	Val* promoted_v;
 	switch ( it ) {
 	case TYPE_INTERNAL_INT:
-		if ( t_tag == TYPE_INT )
+		if ( ( vit == TYPE_INTERNAL_UNSIGNED || vit == TYPE_INTERNAL_DOUBLE ) && Val::WouldOverflow(vt, t, v) )
+			{
+			t->Error("overflow promoting from unsigned/double to signed arithmetic value", v, 0, expr_location);
+			Unref(v);
+			return 0;
+			}
+		else if ( t_tag == TYPE_INT )
 			promoted_v = val_mgr->GetInt(v->CoerceToInt());
 		else if ( t_tag == TYPE_BOOL )
 			promoted_v = val_mgr->GetBool(v->CoerceToInt());
@@ -3635,7 +3679,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 		break;
 
 	case TYPE_INTERNAL_UNSIGNED:
-		if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
+		if ( ( vit == TYPE_INTERNAL_DOUBLE || vit == TYPE_INTERNAL_INT) && Val::WouldOverflow(vt, t, v) )
+			{
+			t->Error("overflow promoting from signed/double to unsigned arithmetic value", v, 0, expr_location);
+			Unref(v);
+			return 0;
+			}
+		else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
 			promoted_v = val_mgr->GetCount(v->CoerceToUnsigned());
 		else // port
 			{

src/Val.h

@@ -87,7 +87,7 @@ typedef union {
 
 class Val : public BroObj {
 public:
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(bool b, TypeTag t)
 		{
 		val.int_val = b;
@@ -97,7 +97,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(int32 i, TypeTag t)
 		{
 		val.int_val = bro_int_t(i);
@@ -107,7 +107,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(uint32 u, TypeTag t)
 		{
 		val.uint_val = bro_uint_t(u);
@@ -117,7 +117,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(int64 i, TypeTag t)
 		{
 		val.int_val = i;
@@ -127,7 +127,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(uint64 u, TypeTag t)
 		{
 		val.uint_val = u;
@@ -367,6 +367,8 @@ public:
 		}
 #endif
 
+	static bool WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val);
+
 protected:
 
 	friend class EnumType;
@@ -424,7 +426,16 @@ protected:
 
 	// For internal use by the Val::Clone() methods.
 	struct CloneState {
-	    std::unordered_map<const Val*, Val*> clones;
+		// Caches a cloned value for later reuse during the same
+		// cloning operation. For recursive types, call this *before*
+		// descending down.
+		Val* NewClone(Val *src, Val* dst)
+			{
+			clones.insert(std::make_pair(src, dst));
+			return dst;
+			}
+
+		std::unordered_map<Val*, Val*> clones;
 	};
 
 	Val* Clone(CloneState* state);
@@ -443,15 +454,15 @@ protected:
 class PortManager {
 public:
 	// Port number given in host order.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal* Get(uint32 port_num, TransportProto port_type) const;
 
 	// Host-order port number already masked with port space protocol mask.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal* Get(uint32 port_num) const;
 
 	// Returns a masked port number
-	BRO_DEPRECATED("use PortVal::Mask() instead")
+	ZEEK_DEPRECATED("use PortVal::Mask() instead")
 	uint32 Mask(uint32 port_num, TransportProto port_type) const;
 };
 
@@ -608,11 +619,11 @@ protected:
 class PortVal : public Val {
 public:
 	// Port number given in host order.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal(uint32 p, TransportProto port_type);
 
 	// Host-order port number already masked with port space protocol mask.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	explicit PortVal(uint32 p);
 
 	Val* SizeVal() const override	{ return val_mgr->GetInt(val.uint_val); }
@@ -1109,7 +1120,7 @@ protected:
 class EnumVal : public Val {
 public:
 
-	BRO_DEPRECATED("use t->GetVal(i) instead")
+	ZEEK_DEPRECATED("use t->GetVal(i) instead")
 	EnumVal(int i, EnumType* t) : Val(t)
 		{
 		val.int_val = i;
@@ -1219,7 +1230,7 @@ protected:
 // Unref()'ing the original.  If not a match, generates an error message
 // and returns nil, also Unref()'ing v.  If is_init is true, then
 // the checking is done in the context of an initialization.
-extern Val* check_and_promote(Val* v, const BroType* t, int is_init);
+extern Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location = nullptr);
 
 // Given a pointer to where a Val's core (i.e., its BRO value) resides,
 // returns a corresponding newly-created or Ref()'d Val.  ptr must already

src/analyzer/protocol/arp/events.bif

@@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
 
-## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## Generated for ARP packets that Zeek cannot interpret. Examples are packets
 ## with non-standard hardware address formats or hardware addresses that do not
 ## match the originator of the packet.
 ##
@@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 ##
 ## .. zeek:see:: arp_reply arp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

src/analyzer/protocol/dns/events.bif

@@ -1,7 +1,7 @@
 ## Generated for all DNS messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ## is raised once for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ## the reply; there's no stateful correlation with the query.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ## Generated for each entry in the Question section of a DNS reply.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -401,7 +401,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -433,7 +433,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
-## that Bro knows how to parse and generate another more specific event.
+## that Zeek knows how to parse and generate another more specific event.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
@@ -451,7 +451,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -474,7 +474,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -565,7 +565,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ## all resource records have been passed on.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -590,6 +590,6 @@ event dns_full_request%(%);
 
 ## msg: The raw DNS payload.
 ##
-## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
 ##    detection framework.
 event non_dns_request%(c: connection, msg: string%);

src/analyzer/protocol/finger/events.bif

@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: finger_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_request%(c: connection, full: bool, username: string, hostname: string%);
 
@@ -30,9 +30,9 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
 ##
 ## .. zeek:see:: finger_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_reply%(c: connection, reply_line: string%);
 

src/analyzer/protocol/gnutella/events.bif

@@ -7,9 +7,9 @@
 ##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
 ##
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 
@@ -21,9 +21,9 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 				ttl: count, hops: count, msg_len: count,
@@ -38,9 +38,9 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_partial_binary_msg%(c: connection, orig: bool,
 					msg: string, len: count%);
@@ -53,9 +53,9 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_establish%(c: connection%);
 
@@ -67,9 +67,9 @@ event gnutella_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_not_establish%(c: connection%);
 
@@ -81,8 +81,8 @@ event gnutella_not_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_http_notify%(c: connection%);

src/analyzer/protocol/http/events.bif

@@ -1,5 +1,5 @@
 
-## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
+## Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a request's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -22,7 +22,7 @@
 ##    truncate_http_URI http_connection_upgrade
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
 
-## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
+## Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a reply's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -43,7 +43,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ##    http_stats http_connection_upgrade
 event http_reply%(c: connection, version: string, code: count, reason: string%);
 
-## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
+## Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues.
 ##
@@ -67,7 +67,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 
 ## Generated for HTTP headers, passing on all headers of an HTTP message at
-## once. Bro supports persistent and pipelined HTTP sessions and raises
+## once. Zeek supports persistent and pipelined HTTP sessions and raises
 ## corresponding events as it parses client/server dialogues.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -92,7 +92,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 ## Generated when starting to parse an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event just before it starts parsing each entity's
+## entities. Zeek raises this event just before it starts parsing each entity's
 ## content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -111,7 +111,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
 ## Generated when finishing parsing an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event at the point when it has finished parsing an
+## entities. Zeek raises this event at the point when it has finished parsing an
 ## entity's content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -181,7 +181,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##    entities.
 event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
 
-## Generated once at the end of parsing an HTTP message. Bro supports persistent
+## Generated once at the end of parsing an HTTP message. Zeek supports persistent
 ## and pipelined HTTP sessions and raises corresponding events as it parses
 ## client/server dialogues. A "message" is one top-level HTTP entity, such as a
 ## complete request or reply. Each message can have further nested sub-entities

src/analyzer/protocol/icmp/events.bif

@@ -1,5 +1,5 @@
 ## Generated for all ICMP messages that are not handled separately with
-## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
 ## directly with dedicated events. This event acts as a fallback for those it
 ## doesn't.
 ##
@@ -70,7 +70,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 
 ## Generated for all ICMPv6 error messages that are not handled
-## separately with dedicated events. Bro's ICMP analyzer handles a number
+## separately with dedicated events. Zeek's ICMP analyzer handles a number
 ## of ICMP error messages directly with dedicated events. This event acts
 ## as a fallback for those it doesn't.
 ##
@@ -107,7 +107,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *unreachable*
 ##          includes only a partial IP header for some reason, no
 ##          fields of *context* will be filled out.
@@ -131,7 +131,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Too big* messages should include the original IP header
-##          from the packet that triggered them, and Bro parses that into
+##          from the packet that triggered them, and Zeek parses that into
 ##          the *context* structure. Note that if the *too big* includes only
 ##          a partial IP header for some reason, no fields of *context* will
 ##          be filled out.
@@ -155,7 +155,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *exceeded* includes
 ##          only a partial IP header for some reason, no fields of *context*
 ##          will be filled out.
@@ -179,7 +179,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Parameter problem* messages should include the original
-##          IP header from the packet that triggered them, and Bro parses that
+##          IP header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *parameter problem*
 ##          includes only a partial IP header for some reason, no fields
 ##          of *context* will be filled out.

src/analyzer/protocol/ident/events.bif

@@ -11,9 +11,9 @@
 ##
 ## .. zeek:see:: ident_error ident_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_request%(c: connection, lport: port, rport: port%);
 
@@ -34,9 +34,9 @@ event ident_request%(c: connection, lport: port, rport: port%);
 ##
 ## .. zeek:see:: ident_error  ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
 
@@ -55,9 +55,9 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 ##
 ## .. zeek:see:: ident_reply ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_error%(c: connection, lport: port, rport: port, line: string%);
 

src/analyzer/protocol/login/events.bif

@@ -21,9 +21,9 @@
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
 
@@ -48,9 +48,9 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
 
@@ -79,12 +79,12 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeeks's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -114,12 +114,12 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -134,9 +134,9 @@ event login_success%(c: connection, user: string, client_user: string, password:
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_output_line login_prompt login_success login_terminal    rsh_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_input_line%(c: connection, line: string%);
@@ -151,14 +151,14 @@ event login_input_line%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line  login_prompt login_success login_terminal rsh_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_output_line%(c: connection, line: string%);
 
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
+## Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
 ## *login* analyzer uses a number of heuristics to extract authentication
 ## information, it may become confused. If it can no longer correctly track
 ## the authentication dialog, it raises this event.
@@ -178,9 +178,9 @@ event login_output_line%(c: connection, line: string%);
 ##    login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
 ##    login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused%(c: connection, msg: string, line: string%);
@@ -199,9 +199,9 @@ event login_confused%(c: connection, msg: string, line: string%);
 ##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts
 ##    login_success_msgs login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused_text%(c: connection, line: string%);
@@ -216,9 +216,9 @@ event login_confused_text%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line login_prompt login_success
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_terminal%(c: connection, terminal: string%);
@@ -233,9 +233,9 @@ event login_terminal%(c: connection, terminal: string%);
 ## .. zeek:see:: login_confused login_confused_text  login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_display%(c: connection, display: string%);
@@ -258,9 +258,9 @@ event login_display%(c: connection, display: string%);
 ##    while :zeek:id:`login_success` heuristically determines success by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_accepted%(name: string, c: connection%);
@@ -283,9 +283,9 @@ event authentication_accepted%(name: string, c: connection%);
 ##    while :zeek:id:`login_success` heuristically determines failure by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_rejected%(name: string, c: connection%);
@@ -304,12 +304,12 @@ event authentication_rejected%(name: string, c: connection%);
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying activity. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_skipped%(c: connection%);
@@ -328,9 +328,9 @@ event authentication_skipped%(c: connection%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line  login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_prompt%(c: connection, prompt: string%);
@@ -380,9 +380,9 @@ event inconsistent_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option%(c: connection%);
@@ -399,9 +399,9 @@ event bad_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option_termination%(c: connection%);

src/analyzer/protocol/mime/events.bif

@@ -1,9 +1,9 @@
 ## Generated when starting to parse an email MIME entity. MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## begins parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -13,16 +13,16 @@
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_begin_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_begin_entity` instead.
 event mime_begin_entity%(c: connection%);
 
 ## Generated when finishing parsing an email MIME entity.  MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## finished parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -32,7 +32,7 @@ event mime_begin_entity%(c: connection%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_end_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_end_entity` instead.
 event mime_end_entity%(c: connection%);
 
@@ -40,7 +40,7 @@ event mime_end_entity%(c: connection%);
 ## entities.  MIME is a protocol-independent data format for encoding text and
 ## files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -52,7 +52,7 @@ event mime_end_entity%(c: connection%);
 ##    mime_end_entity mime_entity_data mime_event  mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_one_header%(c: connection, h: mime_header_rec%);
 
@@ -60,7 +60,7 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ## headers at once.  MIME is a protocol-independent data format for encoding
 ## text and files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -74,21 +74,21 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_all_headers%(c: connection, hlist: mime_header_list%);
 
 ## Generated for chunks of decoded MIME data from email MIME entities.  MIME
 ## is a protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. As Bro parses the data of an
+## corresponding metadata, for transmission. As Zeek parses the data of an
 ## entity, it raises a sequence of these events, each coming as soon as a new
 ## chunk of data is available. In contrast, there is also
 ## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
 ## in a single block. While the latter is more convenient to handle,
-## ``mime_segment_data`` is more efficient as Bro does not need to buffer
+## ``mime_segment_data`` is more efficient as Zeek does not need to buffer
 ## the data. Thus, if possible, this event should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -102,7 +102,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ##    mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
 ##    mime_segment_length mime_segment_overlap_length
 ##
-## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_entity_data` (sic!) instead.
 event mime_segment_data%(c: connection, length: count, data: string%);
 
@@ -111,10 +111,10 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
 ## which passes on a sequence of data chunks as they come in. While
 ## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
-## more efficient as Bro does not need to buffer the data. Thus, if possible,
+## more efficient as Zeek does not need to buffer the data. Thus, if possible,
 ## the latter should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -127,7 +127,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity  mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_entity_data%(c: connection, length: count, data: string%);
 
@@ -137,7 +137,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## of the potentially significant buffering necessary, using this event can be
 ## expensive.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -150,13 +150,13 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## .. zeek:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_all_data%(c: connection, length: count, data: string%);
 
 ## Generated for errors found when decoding email MIME entities.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -170,15 +170,15 @@ event mime_all_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_event` instead.
 event mime_event%(c: connection, event_type: string, detail: string%);
 
 ## Generated for decoded MIME entities extracted from email messages, passing on
-## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
+## their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
 ## each MIME entity.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -191,7 +191,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
 

src/analyzer/protocol/ncp/events.bif

@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: ncp_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
 
@@ -38,9 +38,9 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
 ##
 ## .. zeek:see:: ncp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
 

src/analyzer/protocol/netbios/events.bif

@@ -1,10 +1,10 @@
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -21,22 +21,22 @@
 ##    netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -49,22 +49,22 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *positive session response*. Bro's
+## Generated for NetBIOS messages of type *positive session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -77,22 +77,22 @@ event netbios_session_request%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *negative session response*. Bro's
+## Generated for NetBIOS messages of type *negative session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -105,12 +105,12 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
@@ -122,7 +122,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -137,25 +137,25 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event. In fact, it's probably an odd event
 ##    to have to begin with.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 
-## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -168,24 +168,24 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ##    netbios_session_request decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -198,12 +198,12 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 

src/analyzer/protocol/ntp/events.bif

@@ -1,4 +1,4 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
+## Generated for all NTP messages. Different from many other of Zeek's events,
 ## this one is generated for both client-side and server-side messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
@@ -8,14 +8,14 @@
 ##
 ## msg: The parsed NTP message.
 ##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
+## excess: The raw bytes of any optional parts of the NTP packet. Zeek does not
 ##         further parse any optional fields.
 ##
 ## .. zeek:see:: ntp_session_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 

src/analyzer/protocol/pop3/events.bif

@@ -15,9 +15,9 @@
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_request%(c: connection, is_orig: bool,
 			command: string, arg: string%);
@@ -42,9 +42,9 @@ event pop3_request%(c: connection, is_orig: bool,
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 
@@ -65,9 +65,9 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_data%(c: connection, is_orig: bool, data: string%);
 
@@ -88,9 +88,9 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
 ##
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_unexpected%(c: connection, is_orig: bool,
 			msg: string, detail: string%);
@@ -108,9 +108,9 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_request pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_starttls%(c: connection%);
 
@@ -131,9 +131,9 @@ event pop3_starttls%(c: connection%);
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_success%(c: connection, is_orig: bool,
 				user: string, password: string%);
@@ -155,9 +155,9 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_failure%(c: connection, is_orig: bool,
 				user: string, password: string%);

src/analyzer/protocol/rdp/RDP.cc

@@ -72,6 +72,13 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 
 			ForwardStream(len, data, orig);
 			}
+		else
+			{
+			if ( rdp_native_encrypted_data )
+				BifEvent::generate_rdp_native_encrypted_data(
+				        interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
+				        orig, len);
+			}
 		}
 	else // if not encrypted
 		{

src/analyzer/protocol/rdp/events.bif

@@ -1,3 +1,12 @@
+## Generated for each packet after RDP native encryption begins
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## orig: True if the packet was sent by the originator of the connection.
+##
+## len: The length of the encrypted data.
+event rdp_native_encrypted_data%(c: connection, orig: bool, len: count%);
+
 ## Generated for X.224 client requests.
 ##
 ## c: The connection record for the underlying transport-layer session/flow.
@@ -26,6 +35,13 @@ event rdp_negotiation_failure%(c: connection, failure_code: count%);
 ## data: The data contained in the client core data structure.
 event rdp_client_core_data%(c: connection, data: RDP::ClientCoreData%);
 
+## Generated for client security data packets.
+##
+## c: The connection record for the underlying transport-layer session/flow.
+##
+## data: The data contained in the client security data structure.
+event rdp_client_security_data%(c: connection, data: RDP::ClientSecurityData%);
+
 ## Generated for Client Network Data (TS_UD_CS_NET) packets
 ##
 ## c: The connection record for the underlying transport-layer session/flow.

src/analyzer/protocol/rdp/rdp-analyzer.pac

@@ -101,6 +101,21 @@ refine flow RDP_Flow += {
 		return true;
 		%}
 
+	function proc_rdp_client_security_data(csec: Client_Security_Data): bool
+		%{
+		if ( ! rdp_client_security_data )
+			return false;
+
+		RecordVal* csd = new RecordVal(BifType::Record::RDP::ClientSecurityData);
+		csd->Assign(0, val_mgr->GetCount(${csec.encryption_methods}));
+		csd->Assign(1, val_mgr->GetCount(${csec.ext_encryption_methods}));
+
+		BifEvent::generate_rdp_client_security_data(connection()->bro_analyzer(),
+		                                            connection()->bro_analyzer()->Conn(),
+		                                            csd);
+		return true;
+		%}
+
 	function proc_rdp_client_network_data(cnetwork: Client_Network_Data): bool
 		%{
 		if ( ! rdp_client_network_data )
@@ -203,6 +218,10 @@ refine typeattr Client_Core_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_core_data(this);
 };
 
+refine typeattr Client_Security_Data += &let {
+        proc: bool = $context.flow.proc_rdp_client_security_data(this);
+};
+
 refine typeattr Client_Network_Data += &let {
 	proc: bool = $context.flow.proc_rdp_client_network_data(this);
 };

src/analyzer/protocol/rdp/rdp-protocol.pac

@@ -52,7 +52,7 @@ type Data_Block = record {
 	header: Data_Header;
 	block: case header.type of {
 		0xc001  -> client_core:       Client_Core_Data;
-		#0xc002  -> client_security:   Client_Security_Data;
+		0xc002  -> client_security:   Client_Security_Data;
 		0xc003  -> client_network:    Client_Network_Data;
 		#0xc004  -> client_cluster:    Client_Cluster_Data;
 		#0xc005  -> client_monitor:    Client_Monitor_Data;
@@ -220,6 +220,11 @@ type Client_Core_Data = record {
 	SUPPORT_HEARTBEAT_PDU:      bool = early_capability_flags & 0x0400;
 } &byteorder=littleendian;
 
+type Client_Security_Data = record {
+	encryption_methods:	uint32;
+	ext_encryption_methods:	uint32;
+} &byteorder=littleendian;
+
 type Client_Network_Data = record {
 	channel_count: uint32;
 	channel_def_array: Client_Channel_Def[channel_count];

src/analyzer/protocol/rdp/types.bif

@@ -4,5 +4,7 @@ module RDP;
 type EarlyCapabilityFlags: record;
 type ClientCoreData: record;
 
+type ClientSecurityData: record;
+
 type ClientChannelList: vector;
 type ClientChannelDef: record;

src/analyzer/protocol/rpc/events.bif

@@ -15,9 +15,9 @@
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
@@ -43,9 +43,9 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
 
@@ -71,9 +71,9 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%);
 
@@ -99,9 +99,9 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
 
@@ -127,9 +127,9 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##    NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
 
@@ -155,9 +155,9 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
@@ -183,9 +183,9 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -211,9 +211,9 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    nfs_proc_symlink rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%);
 
@@ -240,9 +240,9 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
 ##    rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
 ##    NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
@@ -268,9 +268,9 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -296,9 +296,9 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -324,9 +324,9 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -352,9 +352,9 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -380,9 +380,9 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
 ##    nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
 
@@ -408,13 +408,13 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
-## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
+## Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
 ## analyzer does not implement.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
@@ -425,15 +425,15 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ##    nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
 ##    nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
@@ -449,9 +449,9 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
@@ -468,9 +468,9 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_null%(r: connection%);
 
@@ -493,9 +493,9 @@ event pm_request_null%(r: connection%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 
@@ -518,9 +518,9 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 
@@ -541,9 +541,9 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 
@@ -563,9 +563,9 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_dump%(r: connection, m: pm_mappings%);
 
@@ -587,9 +587,9 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 
@@ -610,9 +610,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_null%(r: connection, status: rpc_status%);
 
@@ -635,9 +635,9 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -660,9 +660,9 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -684,9 +684,9 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
 
@@ -707,9 +707,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
 ##    pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_dump%(r: connection, status: rpc_status%);
 
@@ -732,9 +732,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
 ##    pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
 
@@ -757,9 +757,9 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
 ##    pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_bad_port%(r: connection, bad_p: count%);
 
@@ -792,9 +792,9 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@@ -819,9 +819,9 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
 ## .. zeek:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@@ -843,9 +843,9 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
 ## .. zeek:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@@ -862,9 +862,9 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 
@@ -885,9 +885,9 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%);
 
@@ -905,9 +905,9 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
@@ -925,27 +925,27 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
-## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3
+## Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
 ## analyzer does not implement.
 ##
 ## c: The RPC connection.
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%);
 
@@ -959,8 +959,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_reply_status%(n: connection, info: MOUNT3::info_t%);

src/analyzer/protocol/smb/smb1_events.bif

@@ -2,7 +2,7 @@
 ## messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

src/analyzer/protocol/smb/smb2_events.bif

@@ -2,7 +2,7 @@
 ## version 2 messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

src/analyzer/protocol/smtp/events.bif

@@ -20,7 +20,7 @@
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data smtp_reply
 ##
-## .. note:: Bro does not support the newer ETRN extension yet.
+## .. note:: Zeek does not support the newer ETRN extension yet.
 event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
 
 ## Generated for server-side SMTP commands.
@@ -51,7 +51,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data  smtp_request
 ##
-## .. note:: Bro doesn't support the newer ETRN extension yet.
+## .. note:: Zeek doesn't support the newer ETRN extension yet.
 event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
 
 ## Generated for DATA transmitted on SMTP sessions. This event is raised for

src/analyzer/protocol/ssl/events.bif

@@ -1,5 +1,5 @@
 ## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -38,7 +38,7 @@
 event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -82,11 +82,11 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
-## sessions start with an unencrypted handshake, and Bro extracts as much
+## sessions start with an unencrypted handshake, and Zeek extracts as much
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
-## Note that Bro offers more specialized events for a few extensions.
+## Note that Zeek offers more specialized events for a few extensions.
 ##
 ## c: The connection.
 ##
@@ -437,7 +437,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
 ## handshake and its endpoints consider it as fully established. Typically,
 ## everything from now on will be encrypted.
@@ -452,7 +452,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes:
 event ssl_established%(c: connection%);
 
 ## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
-## unencrypted handshake, and Bro extracts as much information out of that as
+## unencrypted handshake, and Zeek extracts as much information out of that as
 ## it can. If during that handshake, an endpoint encounters a fatal error, it
 ## sends an *alert* record, that in turn triggers this event. After an *alert*,
 ## any endpoint may close the connection immediately.
@@ -476,7 +476,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 
 ## Generated for SSL/TLS handshake messages that are a part of the
 ## stateless-server session resumption mechanism. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event is raised when an SSL/TLS server passes a session
 ## ticket to the client that can later be used for resuming the session. The
 ## mechanism is described in :rfc:`4507`.
@@ -520,7 +520,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ## Generated for SSL/TLS messages that are sent before full session encryption
 ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
 ## here this event will be raised for early packets that are already using
-## pre-encryption.  # This event is also used by Bro internally to determine if
+## pre-encryption.  # This event is also used by Zeek internally to determine if
 ## the connection has been completely setup. This is necessary as TLS 1.3 does
 ## not have CCS anymore.
 ##

src/analyzer/protocol/syslog/events.bif

@@ -12,6 +12,6 @@
 ##
 ## msg: The message logged.
 ##
-## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
+## .. note:: Zeek currently parses only UDP syslog traffic. Support for TCP
 ##    syslog will be added soon.
 event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

src/analyzer/protocol/tcp/events.bif

@@ -1,6 +1,6 @@
 
 ## Generated when reassembly starts for a TCP connection. This event is raised
-## at the moment when Bro's TCP analyzer enables stream reassembly for a
+## at the moment when Zeek's TCP analyzer enables stream reassembly for a
 ## connection.
 ##
 ## c: The connection.
@@ -47,8 +47,8 @@ event connection_attempt%(c: connection%);
 ##    new_connection new_connection_contents partial_connection
 event connection_established%(c: connection%);
 
-## Generated for a new active TCP connection if Bro did not see the initial
+## Generated for a new active TCP connection if Zeek did not see the initial
-## handshake. This event is raised when Bro has observed traffic from each
+## handshake. This event is raised when Zeek has observed traffic from each
 ## endpoint, but the activity did not begin with the usual connection
 ## establishment.
 ##
@@ -65,7 +65,7 @@ event partial_connection%(c: connection%);
 
 ## Generated when a previously inactive endpoint attempts to close a TCP
 ## connection via a normal FIN handshake or an abort RST sequence. When the
-## endpoint sent one of these packets, Bro waits
+## endpoint sent one of these packets, Zeek waits
 ## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
 ## the other endpoint a chance to close the connection normally.
 ##
@@ -94,7 +94,7 @@ event connection_finished%(c: connection%);
 
 ## Generated when one endpoint of a TCP connection attempted to gracefully close
 ## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
-## happen due to split routing, in which Bro only sees one side of a connection.
+## happen due to split routing, in which Zeek only sees one side of a connection.
 ##
 ## c: The connection.
 ##
@@ -123,7 +123,7 @@ event connection_half_finished%(c: connection%);
 ##
 ##    If the responder does not respond at all, :zeek:id:`connection_attempt` is
 ##    raised instead. If the responder initially accepts the connection but
-##    aborts it later, Bro first generates :zeek:id:`connection_established`
+##    aborts it later, Zeek first generates :zeek:id:`connection_established`
 ##    and then :zeek:id:`connection_reset`.
 event connection_rejected%(c: connection%);
 
@@ -142,7 +142,7 @@ event connection_rejected%(c: connection%);
 ##    partial_connection
 event connection_reset%(c: connection%);
 
-## Generated for each still-open TCP connection when Bro terminates.
+## Generated for each still-open TCP connection when Zeek terminates.
 ##
 ## c: The connection.
 ##
@@ -154,7 +154,7 @@ event connection_reset%(c: connection%);
 ##    new_connection new_connection_contents partial_connection zeek_done
 event connection_pending%(c: connection%);
 
-## Generated for a SYN packet. Bro raises this event for every SYN packet seen
+## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
 ## by its TCP analyzer.
 ##
 ## c: The connection.
@@ -283,11 +283,25 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
 ##    application-layer protocol analyzers internally. Subsequent invocations of
 ##    this event for the same connection receive non-overlapping in-order chunks
 ##    of its TCP payload stream. It is however undefined what size each chunk
-##    has; while Bro passes the data on as soon as possible, specifics depend on
+##    has; while Zeek passes the data on as soon as possible, specifics depend on
 ##    network-level effects such as latency, acknowledgements, reordering, etc.
 event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
 
-## TODO.
+## Generated for each detected TCP segment retransmission.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## seq: The segment's relative TCP sequence number.
+##
+## len: The length of the TCP segment, as specified in the packet header.
+##
+## data_in_flight: The number of bytes corresponding to the difference between
+##                 the last sequence number and last acknowledgement number
+##                 we've seen for a given endpoint.
+##
+## window: the TCP window size.
 event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
 
 ## Generated if a TCP flow crosses a checksum-error threshold, per

src/analyzer/protocol/tcp/functions.bif

@@ -77,7 +77,7 @@ function get_resp_seq%(cid: conn_id%): count
 ##              responder (often the server).
 ##            - ``CONTENTS_BOTH``: Record the data sent in both directions.
 ##              Results in the two directions being intermixed in the file,
-##              in the order the data was seen by Bro.
+##              in the order the data was seen by Zeek.
 ##
 ## f: The file handle of the file to write the contents to.
 ##

src/bro.bif

@@ -4,7 +4,7 @@
 ##! filtering, interprocess communication and controlling protocol analyzer
 ##! behavior.
 ##!
-##! You'll find most of Bro's built-in functions that aren't protocol-specific
+##! You'll find most of Zeek's built-in functions that aren't protocol-specific
 ##! in this file.
 
 %%{ // C segment
@@ -304,7 +304,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 ## Returns the current wall-clock time.
 ##
 ## In general, you should use :zeek:id:`network_time` instead
-## unless you are using Bro for non-networking uses (such as general
+## unless you are using Zeek for non-networking uses (such as general
 ## scripting; not particularly recommended), because otherwise your script
 ## may behave very differently on live traffic versus played-back traffic
 ## from a save file.
@@ -364,7 +364,7 @@ function setenv%(var: string, val: string%): bool
 	return val_mgr->GetBool(1);
 	%}
 
-## Shuts down the Bro process immediately.
+## Shuts down the Zeek process immediately.
 ##
 ## code: The exit code to return with.
 ##
@@ -375,12 +375,12 @@ function exit%(code: int%): any
 	return 0;
 	%}
 
-## Gracefully shut down Bro by terminating outstanding processing.
+## Gracefully shut down Zeek by terminating outstanding processing.
 ##
-## Returns: True after successful termination and false when Bro is still in
+## Returns: True after successful termination and false when Zeek is still in
 ##          the process of shutting down.
 ##
-## .. zeek:see:: exit bro_is_terminating
+## .. zeek:see:: exit zeek_is_terminating
 function terminate%(%): bool
 	%{
 	if ( terminating )
@@ -600,7 +600,7 @@ function sha256_hash%(...%): string
 	%}
 
 ## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
-## secret key is generated from available entropy when Bro starts up, or it can
+## secret key is generated from available entropy when Zeek starts up, or it can
 ## be specified for repeatability using the ``-K`` command line flag.
 ##
 ## Returns: The HMAC-MD5 hash value of the concatenated arguments.
@@ -893,7 +893,7 @@ function syslog%(s: string%): any
 	return 0;
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data to find the MIME type for.
@@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 	return new StringVal(strongest_match);
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data for which to find matching MIME types.
@@ -1705,7 +1705,7 @@ function log10%(d: double%): double
 # ===========================================================================
 
 ## Determines whether a connection has been received externally. For example,
-## Broccoli or the Time Machine can send packets to Bro via a mechanism that is
+## Broccoli or the Time Machine can send packets to Zeek via a mechanism that is
 ## one step lower than sending events. This function checks whether the packets
 ## of a connection stem from one of these external *packet sources*.
 ##
@@ -1726,24 +1726,33 @@ function current_analyzer%(%) : count
 	return val_mgr->GetCount(mgr.CurrentAnalyzer());
 	%}
 
-## Returns Bro's process ID.
+## Returns Zeek's process ID.
 ##
-## Returns: Bro's process ID.
+## Returns: Zeek's process ID.
 function getpid%(%) : count
 	%{
 	return val_mgr->GetCount(getpid());
 	%}
 
 %%{
-extern const char* bro_version();
+extern const char* zeek_version();
 %%}
 
-## Returns the Bro version string.
+## Returns the Zeek version string.  This function is deprecated, use
+## :zeek:see:`zeek_version` instead.
 ##
-## Returns: Bro's version, e.g., 2.0-beta-47-debug.
+## Returns: Zeek's version, e.g., 2.0-beta-47-debug.
-function bro_version%(%): string
+function bro_version%(%): string &deprecated
 	%{
-	return new StringVal(bro_version());
+	return new StringVal(zeek_version());
+	%}
+
+## Returns the Zeek version string.
+##
+## Returns: Zeek's version, e.g., 2.0-beta-47-debug.
+function zeek_version%(%): string
+	%{
+	return new StringVal(zeek_version());
 	%}
 
 ## Converts a record type name to a vector of strings, where each element is
@@ -1771,7 +1780,7 @@ function record_type_to_vector%(rt: string%): string_vec
 	return result;
 	%}
 
-## Returns the type name of an arbitrary Bro variable.
+## Returns the type name of an arbitrary Zeek variable.
 ##
 ## t: An arbitrary object.
 ##
@@ -1787,9 +1796,9 @@ function type_name%(t: any%): string
 	return new StringVal(s);
 	%}
 
-## Checks whether Bro reads traffic from one or more network interfaces (as
+## Checks whether Zeek reads traffic from one or more network interfaces (as
 ## opposed to from a network trace in a file). Note that this function returns
-## true even after Bro has stopped reading network traffic, for example due to
+## true even after Zeek has stopped reading network traffic, for example due to
 ## receiving a termination signal.
 ##
 ## Returns: True if reading traffic from a network interface.
@@ -1800,7 +1809,7 @@ function reading_live_traffic%(%): bool
 	return val_mgr->GetBool(reading_live);
 	%}
 
-## Checks whether Bro reads traffic from a trace file (as opposed to from a
+## Checks whether Zeek reads traffic from a trace file (as opposed to from a
 ## network interface).
 ##
 ## Returns: True if reading traffic from a network trace.
@@ -2068,19 +2077,30 @@ function dump_rule_stats%(f: file%): bool
 	return val_mgr->GetBool(1);
 	%}
 
-## Checks if Bro is terminating.
+## Checks if Zeek is terminating.  This function is deprecated, use
+## :zeek:see:`zeek_is_terminating` instead.
 ##
-## Returns: True if Bro is in the process of shutting down.
+## Returns: True if Zeek is in the process of shutting down.
 ##
 ## .. zeek:see:: terminate
-function bro_is_terminating%(%): bool
+function bro_is_terminating%(%): bool &deprecated
 	%{
 	return val_mgr->GetBool(terminating);
 	%}
 
-## Returns the hostname of the machine Bro runs on.
+## Checks if Zeek is terminating.
 ##
-## Returns: The hostname of the machine Bro runs on.
+## Returns: True if Zeek is in the process of shutting down.
+##
+## .. zeek:see:: terminate
+function zeek_is_terminating%(%): bool
+	%{
+	return val_mgr->GetBool(terminating);
+	%}
+
+## Returns the hostname of the machine Zeek runs on.
+##
+## Returns: The hostname of the machine Zeek runs on.
 function gethostname%(%) : string
 	%{
 	char buffer[MAXHOSTNAMELEN];
@@ -3891,7 +3911,7 @@ static bool mmdb_try_open_asn ()
 %%}
 
 ## Initializes MMDB for later use of lookup_location.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind City or Country DB.
 ##
@@ -3908,7 +3928,7 @@ function mmdb_open_location_db%(f: string%) : bool
 	%}
 
 ## Initializes MMDB for later use of lookup_asn.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind ASN DB.
 ##
@@ -3925,7 +3945,7 @@ function mmdb_open_asn_db%(f: string%) : bool
 	%}
 
 ## Performs a geo-lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4010,7 +4030,7 @@ function lookup_location%(a: addr%) : geo_location
 	%}
 
 ## Performs an ASN lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4228,8 +4248,8 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 	return val_mgr->GetBool(1);
 	%}
 
-## Informs Bro that it should skip any further processing of the contents of
+## Informs Zeek that it should skip any further processing of the contents of
-## a given connection. In particular, Bro will refrain from reassembling the
+## a given connection. In particular, Zeek will refrain from reassembling the
 ## TCP byte stream and from generating events relating to any analyzers that
 ## have been processing the connection.
 ##
@@ -4240,7 +4260,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 ##
 ## .. note::
 ##
-##     Bro will still generate connection-oriented events such as
+##     Zeek will still generate connection-oriented events such as
 ##     :zeek:id:`connection_finished`.
 function skip_further_processing%(cid: conn_id%): bool
 	%{
@@ -4267,7 +4287,7 @@ function skip_further_processing%(cid: conn_id%): bool
 ##
 ## .. note::
 ##
-##     This is independent of whether Bro processes the packets of this
+##     This is independent of whether Zeek processes the packets of this
 ##     connection, which is controlled separately by
 ##     :zeek:id:`skip_further_processing`.
 ##
@@ -4651,7 +4671,7 @@ function file_size%(f: string%) : double
 
 ## Disables sending :zeek:id:`print_hook` events to remote peers for a given
 ## file. In a
-## distributed setup, communicating Bro instances generate the event
+## distributed setup, communicating Zeek instances generate the event
 ## :zeek:id:`print_hook` for each print statement and send it to the remote
 ## side. When disabled for a particular file, these events will not be
 ## propagated to other peers.
@@ -4938,7 +4958,7 @@ function is_remote_event%(%) : bool
 	return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
 	%}
 
-## Stops Bro's packet processing. This function is used to synchronize
+## Stops Zeek's packet processing. This function is used to synchronize
 ## distributed trace processing with communication enabled
 ## (*pseudo-realtime* mode).
 ##
@@ -4949,7 +4969,7 @@ function suspend_processing%(%) : any
 	return 0;
 	%}
 
-## Resumes Bro's packet processing.
+## Resumes Zeek's packet processing.
 ##
 ## .. zeek:see:: suspend_processing
 function continue_processing%(%) : any

src/broker/data.bif

@@ -8,7 +8,7 @@
 module Broker;
 
 ## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
-## terms of Bro data types.
+## terms of Zeek data types.
 enum DataType %{
 	NONE,
 	BOOL,

src/const.bif

@@ -1,4 +1,4 @@
-##! Declaration of various scripting-layer constants that the Bro core uses
+##! Declaration of various scripting-layer constants that the Zeek core uses
 ##! internally.  Documentation and default values for the scripting-layer
 ##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
 

src/event.bif

@@ -1,4 +1,4 @@
-##! The protocol-independent events that the C/C++ core of Bro can generate.
+##! The protocol-independent events that the C/C++ core of Zeek can generate.
 ##!
 ##! This is mostly events not related to a specific transport- or
 ##! application-layer protocol, but also includes a few that may be generated
@@ -68,7 +68,7 @@ event zeek_done%(%);
 event bro_done%(%) &deprecated;
 
 ## Generated for every new connection. This event is raised with the first
-## packet of a previously unknown connection. Bro uses a flow-based definition
+## packet of a previously unknown connection. Zeek uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
 ## ICMP flows.
 ##
@@ -94,7 +94,7 @@ event new_connection%(c: connection%);
 ## *tunnel* field is NOT automatically/internally assigned to the new
 ## encapsulation value of *e* after this event is raised.  If the desired
 ## behavior is to track the latest tunnel encapsulation per-connection,
-## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
+## then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
 ## default scripts are doing).
 ##
 ## c: The connection whose tunnel/encapsulation changed.
@@ -128,7 +128,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 event connection_timeout%(c: connection%);
 
 ## Generated when a connection's internal state is about to be removed from
-## memory. Bro generates this event reliably once for every connection when it
+## memory. Zeek generates this event reliably once for every connection when it
 ## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
@@ -145,7 +145,7 @@ event connection_timeout%(c: connection%);
 ##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
 
-## Generated when a connection 4-tuple is reused. This event is raised when Bro
+## Generated when a connection 4-tuple is reused. This event is raised when Zeek
 ## sees a new TCP session or UDP flow using a 4-tuple matching that of an
 ## earlier connection it still considers active.
 ##
@@ -188,7 +188,7 @@ event connection_status_update%(c: connection%);
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
 
 ## Generated for a new connection received from the communication subsystem.
-## Remote peers can inject packets into Bro's packet loop, for example via
+## Remote peers can inject packets into Zeek's packet loop, for example via
 ## Broccoli.  The communication system
 ## raises this event with the first packet of a connection coming in this way.
 ##
@@ -198,7 +198,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co
 event connection_external%(c: connection, tag: string%);
 
 ## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
+## Zeek's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
 ## Teredo, and GTPv1 support this.
 ##
@@ -208,7 +208,7 @@ event connection_external%(c: connection, tag: string%);
 event udp_session_done%(u: connection%);
 
 ## Generated when a connection is seen that is marked as being expected.
-## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
+## The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
 ## particular connection to come up, and which analyzer to associate with it.
 ## Once the first packet of such a connection is indeed seen, this event is
 ## raised.
@@ -231,7 +231,7 @@ event udp_session_done%(u: connection%);
 ##    ``ANALYZER_*`` constants right now.
 event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 
-## Generated for every packet Bro sees that have a valid link-layer header. This
+## Generated for every packet Zeek sees that have a valid link-layer header. This
 ## is a very very low-level and expensive event that should be avoided when at all
 ## possible. It's usually infeasible to handle when processing even medium volumes
 ## of traffic in real-time. That said, if you work from a trace and want to do some
@@ -242,7 +242,7 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 ## .. zeek:see:: new_packet packet_contents
 event raw_packet%(p: raw_pkt_hdr%);
 
-## Generated for all packets that make it into Bro's connection processing. In
+## Generated for all packets that make it into Zeek's connection processing. In
 ## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
 ## pass certain sanity checks.
 ##
@@ -298,8 +298,8 @@ event mobile_ipv6_message%(p: pkt_hdr%);
 ## .. zeek:see:: new_packet tcp_packet
 event packet_contents%(c: connection, contents: string%);
 
-## Generated when Bro detects a TCP retransmission inconsistency. When
+## Generated when Zeek detects a TCP retransmission inconsistency. When
-## reassembling a TCP stream, Bro buffers all payload until it sees the
+## reassembling a TCP stream, Zeek buffers all payload until it sees the
 ## responder acking it. If during that time, the sender resends a chunk of
 ## payload but with different content than originally, this event will be
 ## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
@@ -320,10 +320,10 @@ event packet_contents%(c: connection, contents: string%);
 ## .. zeek:see:: tcp_rexmit tcp_contents
 event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
 
-## Generated when Bro detects a gap in a reassembled TCP payload stream. This
+## Generated when Zeek detects a gap in a reassembled TCP payload stream. This
-## event is raised when Bro, while reassembling a payload stream, determines
+## event is raised when Zeek, while reassembling a payload stream, determines
 ## that a chunk of payload is missing (e.g., because the responder has already
-## acknowledged it, even though Bro didn't see it).
+## acknowledged it, even though Zeek didn't see it).
 ##
 ## c: The connection.
 ##
@@ -343,7 +343,7 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: st
 event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 
 ## Generated when a protocol analyzer confirms that a connection is indeed
-## using that protocol. Bro's dynamic protocol detection heuristically activates
+## using that protocol. Zeek's dynamic protocol detection heuristically activates
 ## analyzers as soon as it believes a connection *could* be using a particular
 ## protocol. It is then left to the corresponding analyzer to verify whether
 ## that is indeed the case; if so, this event will be generated.
@@ -364,13 +364,13 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to determine the ``service`` column
+##    Zeek's default scripts use this event to determine the ``service`` column
 ##    of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ##    there (and thus in ``conn.log``).
 event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 
 ## Generated when a protocol analyzer determines that a connection it is parsing
-## is not conforming to the protocol it expects. Bro's dynamic protocol
+## is not conforming to the protocol it expects. Zeek's dynamic protocol
 ## detection heuristically activates analyzers as soon as it believes a
 ## connection *could* be using a particular protocol. It is then left to the
 ## corresponding analyzer to verify whether that is indeed the case; if not,
@@ -394,14 +394,14 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to disable an analyzer via
+##    Zeek's default scripts use this event to disable an analyzer via
 ##    :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ##    however a script-level decision and not done automatically by the event
 ##    engine.
 event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
 
 ## Generated when a TCP connection terminated, passing on statistics about the
-## two endpoints. This event is always generated when Bro flushes the internal
+## two endpoints. This event is always generated when Zeek flushes the internal
 ## connection state, independent of how a connection terminates.
 ##
 ## c: The connection.
@@ -414,12 +414,12 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 
 ## Generated for unexpected activity related to a specific connection.  When
-## Bro's packet analysis encounters activity that does not conform to a
+## Zeek's packet analysis encounters activity that does not conform to a
 ## protocol's specification, it raises one of the ``*_weird`` events to report
 ## that. This event is raised if the activity is tied directly to a specific
 ## connection.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -436,13 +436,13 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 event conn_weird%(name: string, c: connection, addl: string%);
 
 ## Generated for unexpected activity related to a pair of hosts, but independent
-## of a specific connection.  When Bro's packet analysis encounters activity
+## of a specific connection.  When Zeek's packet analysis encounters activity
 ## that does not conform to a protocol's specification, it raises one of
 ## the ``*_weird`` events to report that. This event is raised if the activity
 ## is related to a pair of hosts, yet not to a specific connection between
 ## them.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -459,12 +459,12 @@ event conn_weird%(name: string, c: connection, addl: string%);
 event flow_weird%(name: string, src: addr, dst: addr%);
 
 ## Generated for unexpected activity that is not tied to a specific connection
-## or pair of hosts. When Bro's packet analysis encounters activity that
+## or pair of hosts. When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that. This event is raised if the activity is
 ## not tied directly to a specific connection or pair of hosts.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -477,11 +477,11 @@ event flow_weird%(name: string, src: addr, dst: addr%);
 event net_weird%(name: string%);
 
 ## Generated for unexpected activity that is tied to a file.
-## When Bro's packet analysis encounters activity that
+## When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -497,11 +497,11 @@ event net_weird%(name: string%);
 ##    endpoint's implementation interprets an RFC quite liberally.
 event file_weird%(name: string, f: fa_file, addl: string%);
 
-## Generated regularly for the purpose of profiling Bro's processing. This event
+## Generated regularly for the purpose of profiling Zeek's processing. This event
 ## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
-## Bro records script-level functions executed during their processing as well
+## Zeek records script-level functions executed during their processing as well
 ## as further internal locations. By sampling the processing in this form, one
-## can understand where Bro spends its time.
+## can understand where Zeek spends its time.
 ##
 ## samples: A set with functions and locations seen during the processing of
 ##          the sampled packet.
@@ -511,13 +511,13 @@ event file_weird%(name: string, f: fa_file, addl: string%);
 ## dmem: The difference in memory usage caused by processing the sampled packet.
 event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 
-## Generated when a signature matches. Bro's signature engine provides
+## Generated when a signature matches. Zeek's signature engine provides
 ## high-performance pattern matching separately from the normal script
 ## processing. If a signature with an ``event`` action matches, this event is
 ## raised.
 ##
 ## See the :doc:`user manual </frameworks/signatures>` for more information
-## about Bro's signature engine.
+## about Zeek's signature engine.
 ##
 ## state: Context about the match, including which signatures triggered the
 ##        event and the connection for which the match was found.
@@ -525,7 +525,7 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 ## msg: The message passed to the ``event`` signature action.
 ##
 ## data: The last chunk of input that triggered the match. Note that the
-##       specifics here are not well-defined as Bro does not buffer any input.
+##       specifics here are not well-defined as Zeek does not buffer any input.
 ##       If a match is split across packet boundaries, only the last chunk
 ##       triggering the match will be passed on to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
@@ -572,7 +572,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## different analyzers. For example, the HTTP analyzer reports user-agent and
 ## server software by raising this event. Different from
 ## :zeek:id:`software_version_found`  and :zeek:id:`software_parse_error`, this
-## event is always raised, independent of whether Bro can parse the version
+## event is always raised, independent of whether Zeek can parse the version
 ## string.
 ##
 ## c: The connection.
@@ -584,7 +584,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## .. zeek:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 
-## Generated when an operating system has been fingerprinted. Bro uses `p0f
+## Generated when an operating system has been fingerprinted. Zeek uses `p0f
 ## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
 ## and it raises this event for each system identified. The p0f fingerprints are
 ## defined by :zeek:id:`passive_fingerprint_file`.
@@ -600,7 +600,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ##    generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 
-## Generated each time Bro's internal profiling log is updated. The file is
+## Generated each time Zeek's internal profiling log is updated. The file is
 ## defined by :zeek:id:`profiling_file`, and its update frequency by
 ## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
 ##
@@ -612,7 +612,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 ## .. zeek:see::  profiling_interval expensive_profiling_multiple
 event profiling_update%(f: file, expensive: bool%);
 
-## Raised for informational messages reported via Bro's reporter framework. Such
+## Raised for informational messages reported via Zeek's reporter framework. Such
 ## messages may be generated internally by the event engine and also by other
 ## scripts calling :zeek:id:`Reporter::info`.
 ##
@@ -626,12 +626,12 @@ event profiling_update%(f: file, expensive: bool%);
 ## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for warnings reported via Bro's reporter framework. Such messages may
+## Raised for warnings reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::warning`.
 ##
@@ -645,12 +645,12 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for errors reported via Bro's reporter framework. Such messages may
+## Raised for errors reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::error`.
 ##
@@ -664,7 +664,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_error%(t: time, msg: string, location: string%) &error_handler;
@@ -680,7 +680,7 @@ event zeek_script_loaded%(path: string, level: count%);
 ## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
 event bro_script_loaded%(path: string, level: count%) &deprecated;
 
-## Generated each time Bro's script interpreter opens a file. This event is
+## Generated each time Zeek's script interpreter opens a file. This event is
 ## triggered only for files opened via :zeek:id:`open`, and in particular not for
 ## normal log files as created by log writers.
 ##
@@ -796,7 +796,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 event file_state_remove%(f: fa_file%);
 
 ## Generated when an internal DNS lookup produces the same result as last time.
-## Bro keeps an internal DNS cache for host names and IP addresses it has
+## Zeek keeps an internal DNS cache for host names and IP addresses it has
 ## already resolved. This event is generated when a subsequent lookup returns
 ## the same result as stored in the cache.
 ##
@@ -807,7 +807,7 @@ event file_state_remove%(f: fa_file%);
 event dns_mapping_valid%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup got no answer even though it had
-## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
+## succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a
 ## subsequent lookup does not produce an answer even though we have
 ## already stored a result in the cache.
@@ -819,7 +819,7 @@ event dns_mapping_valid%(dm: dns_mapping%);
 event dns_mapping_unverified%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup succeeded but an earlier attempt
-## did not. Bro keeps an internal DNS cache for host names and IP
+## did not. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a subsequent
 ## lookup produces an answer for a query that was marked as failed in the cache.
 ##
@@ -830,7 +830,7 @@ event dns_mapping_unverified%(dm: dns_mapping%);
 event dns_mapping_new_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup returned zero answers even though it
-## had succeeded in the past. Bro keeps an internal DNS cache for host names
+## had succeeded in the past. Zeek keeps an internal DNS cache for host names
 ## and IP addresses it has already resolved. This event is generated when
 ## on a subsequent lookup we receive an answer that is empty even
 ## though we have already stored a result in the cache.
@@ -842,7 +842,7 @@ event dns_mapping_new_name%(dm: dns_mapping%);
 event dns_mapping_lost_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup produced a different result than in
-## the past.  Bro keeps an internal DNS cache for host names and IP addresses
+## the past.  Zeek keeps an internal DNS cache for host names and IP addresses
 ## it has already resolved. This event is generated when a subsequent lookup
 ## returns a different answer than we have stored in the cache.
 ##
@@ -858,7 +858,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
 ##    dns_mapping_valid
 event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
-## A meta event generated for events that Bro raises. This will report all
+## A meta event generated for events that Zeek raises. This will report all
 ## events for which at least one handler is defined.
 ##
 ## Note that handling this meta event is expensive and should be limited to

src/file_analysis/analyzer/x509/X509.cc

@@ -483,7 +483,7 @@ Val* X509Val::DoClone(CloneState* state)
 	if ( certificate )
 		copy->certificate = X509_dup(certificate);
 
-	return copy;
+	return state->NewClone(this, copy);
 	}
 
 ::X509* X509Val::GetCertificate() const

src/input/Manager.cc

@@ -224,7 +224,7 @@ ReaderBackend* Manager::CreateBackend(ReaderFrontend* frontend, EnumVal* tag)
 	return backend;
 	}
 
-// Create a new input reader object to be used at whomevers leisure lateron.
+// Create a new input reader object to be used at whomevers leisure later on.
 bool Manager::CreateStream(Stream* info, RecordVal* description)
 	{
 	RecordType* rtype = description->Type()->AsRecordType();
@@ -232,7 +232,7 @@ bool Manager::CreateStream(Stream* info, RecordVal* description)
 		|| same_type(rtype, BifType::Record::Input::EventDescription, 0)
 		|| same_type(rtype, BifType::Record::Input::AnalysisDescription, 0) ) )
 		{
-		reporter->Error("Streamdescription argument not of right type for new input stream");
+		reporter->Error("Stream description argument not of right type for new input stream");
 		return false;
 		}
 
@@ -824,6 +824,7 @@ bool Manager::IsCompatibleType(BroType* t, bool atomic_only)
 	case TYPE_INTERVAL:
 	case TYPE_ENUM:
 	case TYPE_STRING:
+	case TYPE_PATTERN:
 		return true;
 
 	case TYPE_RECORD:
@@ -2074,6 +2075,12 @@ int Manager::GetValueLength(const Value* val) const
 		}
 		break;
 
+	case TYPE_PATTERN:
+		{
+		length += strlen(val->val.pattern_text_val) + 1;
+		break;
+		}
+
 	case TYPE_TABLE:
 		{
 		for ( int i = 0; i < val->val.set_val.size; i++ )
@@ -2193,6 +2200,14 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) const
 		return length;
 		}
 
+	case TYPE_PATTERN:
+		{
+		// include null-terminator
+		int length = strlen(val->val.pattern_text_val) + 1;
+		memcpy(data + startpos, val->val.pattern_text_val, length);
+		return length;
+		}
+
 	case TYPE_TABLE:
 		{
 		int length = 0;
@@ -2350,6 +2365,13 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ
 		return subnetval;
 		}
 
+	case TYPE_PATTERN:
+		{
+		RE_Matcher* re = new RE_Matcher(val->val.pattern_text_val);
+		re->Compile();
+		return new PatternVal(re);
+		}
+
 	case TYPE_TABLE:
 		{
 		// all entries have to have the same type...
@@ -2492,6 +2514,13 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, bool& have_error) co
 		return subnetval;
 		}
 
+	case TYPE_PATTERN:
+		{
+		RE_Matcher* re = new RE_Matcher(val->val.pattern_text_val);
+		re->Compile();
+		return new PatternVal(re);
+		}
+
 	case TYPE_TABLE:
 		{
 		TypeList* set_index;

src/main.cc

@@ -127,7 +127,7 @@ OpaqueType* ocsp_resp_opaque_type = 0;
 int bro_argc;
 char** bro_argv;
 
-const char* bro_version()
+const char* zeek_version()
 	{
 #ifdef DEBUG
 	static char* debug_version = 0;
@@ -152,7 +152,7 @@ bool bro_dns_fake()
 
 void usage(int code = 1)
 	{
-	fprintf(stderr, "bro version %s\n", bro_version());
+	fprintf(stderr, "zeek version %s\n", zeek_version());
 	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
 	fprintf(stderr, "    <file>                         | policy file, or read stdin\n");
 	fprintf(stderr, "    -a|--parse-only                | exit immediately after parsing scripts\n");
@@ -569,7 +569,7 @@ int main(int argc, char** argv)
 			break;
 
 		case 'v':
-			fprintf(stdout, "%s version %s\n", prog, bro_version());
+			fprintf(stdout, "%s version %s\n", prog, zeek_version());
 			exit(0);
 			break;
 

src/plugin/Plugin.h

@@ -69,7 +69,7 @@ extern const char* hook_name(HookType h);
 struct VersionNumber {
 	int major; //< Major version number.
 	int minor; //< Minor version number.
-	int patch; //< Patch version number (available since Bro 2.7).
+	int patch; //< Patch version number (available since Zeek 3.0).
 
 	/**
 	 *  Constructor.

src/probabilistic/Topk.cc

@@ -187,7 +187,7 @@ Val* TopkVal::DoClone(CloneState* state)
 	{
 	auto clone = new TopkVal(size);
 	clone->Merge(this);
-	return clone;
+	return state->NewClone(this, clone);
 	}
 
 bool TopkVal::DoSerialize(SerialInfo* info) const

src/probabilistic/bloom-filter.bif

@@ -23,7 +23,7 @@ module GLOBAL;
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -60,7 +60,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -104,7 +104,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -206,7 +206,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any
 
 ## Merges two Bloom filters.
 ##
-## .. note:: Currently Bloom filters created by different Bro instances cannot
+## .. note:: Currently Bloom filters created by different Zeek instances cannot
 ##    be merged. In the future, this will be supported as long as both filters
 ##    are created with the same name.
 ##

src/stats.bif

@@ -20,7 +20,7 @@ RecordType* ReporterStats;
 %%}
 
 ## Returns packet capture statistics. Statistics include the number of
-## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
+## packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
 ## link (not always available).
 ##
 ## Returns: A record of packet statistics.
@@ -70,7 +70,7 @@ function get_net_stats%(%): NetStats
 	return r;
 	%}
 
-## Returns Bro traffic statistics.
+## Returns Zeek traffic statistics.
 ##
 ## Returns: A record with connection and packet statistics.
 ##
@@ -121,7 +121,7 @@ function get_conn_stats%(%): ConnStats
 	return r;
 	%}
 
-## Returns Bro process statistics.
+## Returns Zeek process statistics.
 ##
 ## Returns: A record with process statistics.
 ##

src/strings.bif

@@ -160,7 +160,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
 ## arg_s: The string to edit.
 ##
 ## arg_edit_char: A string of exactly one character that represents the
-##                "backspace character". If it is longer than one character Bro
+##                "backspace character". If it is longer than one character Zeek
 ##                generates a run-time error and uses the first character in
 ##                the string.
 ##

src/threading/SerialTypes.cc

@@ -87,11 +87,16 @@ string Field::TypeName() const
 
 Value::~Value()
 	{
-	if ( (type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC)
+	if ( ! present )
-	     && present )
+		return;
+
+	if ( type == TYPE_ENUM || type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC )
 		delete [] val.string_val.data;
 
-	if ( type == TYPE_TABLE && present )
+	else if ( type == TYPE_PATTERN )
+		delete [] val.pattern_text_val;
+
+	else if ( type == TYPE_TABLE )
 		{
 		for ( int i = 0; i < val.set_val.size; i++ )
 			delete val.set_val.vals[i];
@@ -99,7 +104,7 @@ Value::~Value()
 		delete [] val.set_val.vals;
 		}
 
-	if ( type == TYPE_VECTOR && present )
+	else if ( type == TYPE_VECTOR )
 		{
 		for ( int i = 0; i < val.vector_val.size; i++ )
 			delete val.vector_val.vals[i];
@@ -414,4 +419,3 @@ bool Value::Write(SerializationFormat* fmt) const
 
 	return false;
 	}
-

src/threading/SerialTypes.h

@@ -126,6 +126,7 @@ struct Value {
 		vec_t vector_val;
 		addr_t addr_val;
 		subnet_t subnet_val;
+		const char* pattern_text_val;
 
 		struct {
 			char* data;

src/threading/formatters/Ascii.cc

@@ -325,6 +325,29 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag
 		break;
 		}
 
+	case TYPE_PATTERN:
+		{
+		string candidate = get_unescaped_string(s);
+		// A string is a candidate pattern iff it begins and ends with
+		// a '/'. Rather or not the rest of the string is legal will
+		// be determined later when it is given to the RE engine.
+		if ( candidate.size() >= 2 )
+			{
+			if ( candidate.front() == candidate.back() &&
+			     candidate.back() == '/' )
+				{
+				// Remove the '/'s
+				candidate.erase(0, 1);
+				candidate.erase(candidate.size() - 1);
+				val->val.pattern_text_val = copy_string(candidate.c_str());
+				break;
+				}
+			}
+
+		GetThread()->Error(GetThread()->Fmt("String '%s' contained no parseable pattern.", candidate.c_str()));
+		goto parse_error;
+		}
+
 	case TYPE_TABLE:
 	case TYPE_VECTOR:
 		// First - common initialization

src/types.bif

@@ -1,4 +1,4 @@
-##! Declaration of various types that the Bro core uses internally.
+##! Declaration of various types that the Zeek core uses internally.
 
 enum rpc_status %{
 	RPC_SUCCESS,

src/util.h

@@ -4,12 +4,12 @@
 #define util_h
 
 #ifdef __GNUC__
-    #define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
+    #define ZEEK_DEPRECATED(msg) __attribute__ ((deprecated(msg)))
 #elif defined(_MSC_VER)
-    #define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func
+    #define ZEEK_DEPRECATED(msg) __declspec(deprecated(msg)) func
 #else
-	#pragma message("Warning: BRO_DEPRECATED macro not implemented")
+	#pragma message("Warning: ZEEK_DEPRECATED macro not implemented")
-	#define BRO_DEPRECATED(msg)
+	#define ZEEK_DEPRECATED(msg)
 #endif
 
 // Expose C99 functionality from inttypes.h, which would otherwise not be

src/zeekygen/zeekygen.bif

@@ -31,7 +31,7 @@ function get_identifier_comments%(name: string%): string
 	%}
 
 ## Retrieve the Zeekygen-style summary comments (``##!``) associated with
-## a Bro script.
+## a Zeek script.
 ##
 ## name: the name of a Zeek script.  It must be a relative path to where
 ##       it is located within a particular component of ZEEKPATH and use
@@ -50,7 +50,7 @@ function get_script_comments%(name: string%): string
 	return comments_to_val(d->GetComments());
 	%}
 
-## Retrieve the contents of a Bro script package's README file.
+## Retrieve the contents of a Zeek script package's README file.
 ##
 ## name: the name of a Zeek script package.  It must be a relative path
 ##       to where it is located within a particular component of ZEEKPATH.

testing/btest/Baseline/bifs.decode_base64_conn/weird.log

@@ -3,10 +3,10 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-36
+#open	2019-06-07-01-59-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1254722767.875996	ClEkJM2Vm5giqnMf4h	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1254722767.875996	ClEkJM2Vm5giqnMf4h	10.10.1.4	1470	74.53.140.153	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
-1437831787.861602	CmES5u32sYpV7JYN	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1437831787.861602	CmES5u32sYpV7JYN	192.168.133.100	49648	192.168.133.102	25	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
-1437831799.610433	C3eiCBGOLw3VtHfOj	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	bro
+1437831799.610433	C3eiCBGOLw3VtHfOj	192.168.133.100	49655	17.167.150.73	443	base64_illegal_encoding	incomplete base64 group, padding with 12 bits of 0	F	zeek
-#close	2016-07-13-16-12-36
+#close	2019-06-07-01-59-08

testing/btest/Baseline/core.checksums/bad.out

@@ -3,101 +3,101 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-42
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	bro
+1332784981.078396	-	-	-	-	-	bad_IP_checksum	-	F	zeek
-#close	2016-07-13-16-12-42
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-42
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784885.686428	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	bro
+1332784885.686428	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	80	bad_TCP_checksum	-	F	zeek
-#close	2016-07-13-16-12-42
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-43
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332784933.501023	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	bro
+1332784933.501023	CHhAvVGS1DHFjwGM9	127.0.0.1	30000	127.0.0.1	13000	bad_UDP_checksum	-	F	zeek
-#close	2016-07-13-16-12-43
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-43
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075363.536871	CHhAvVGS1DHFjwGM9	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	bro
+1334075363.536871	CHhAvVGS1DHFjwGM9	192.168.1.100	8	192.168.1.101	0	bad_ICMP_checksum	-	F	zeek
-#close	2016-07-13-16-12-43
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-44
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
+1332785210.013051	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
-1332785210.013051	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	bro
+1332785210.013051	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	80	bad_TCP_checksum	-	F	zeek
-#close	2016-07-13-16-12-44
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-44
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
+1332782580.798420	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
-1332782580.798420	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	bro
+1332782580.798420	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:78:1:32::2	13000	bad_UDP_checksum	-	F	zeek
-#close	2016-07-13-16-12-44
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-45
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
+1334075111.800086	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
-1334075111.800086	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	bro
+1334075111.800086	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:78:1:32::1	129	bad_ICMP_checksum	-	F	zeek
-#close	2016-07-13-16-12-45
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-45
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785250.469132	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	bro
+1332785250.469132	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	80	bad_TCP_checksum	-	F	zeek
-#close	2016-07-13-16-12-45
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332781342.923813	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	bro
+1332781342.923813	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	30000	2001:4f8:4:7:2e0:81ff:fe52:9a6b	13000	bad_UDP_checksum	-	F	zeek
-#close	2016-07-13-16-12-46
+#close	2019-06-07-02-20-07
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	zeek
-#close	2016-07-13-16-12-47
+#close	2019-06-07-02-20-07

testing/btest/Baseline/core.checksums/good.out

@@ -3,68 +3,68 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-46
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	bro
+1334074939.467194	CHhAvVGS1DHFjwGM9	2001:4f8:4:7:2e0:81ff:fe52:ffff	128	2001:4f8:4:7:2e0:81ff:fe52:9a6b	129	bad_ICMP_checksum	-	F	zeek
-#close	2016-07-13-16-12-47
+#close	2019-06-07-02-20-07
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-49
+#open	2019-06-07-02-20-08
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
+1332785125.596793	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-49
+#close	2019-06-07-02-20-08
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-49
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	bro
+1332782508.592037	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::2	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-49
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-50
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-50
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-50
+#close	2019-06-07-02-20-09
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-12-50
+#open	2019-06-07-02-20-09
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	bro
+1334075027.053380	-	2001:4f8:4:7:2e0:81ff:fe52:ffff	0	2001:78:1:32::1	0	routing0_hdr	-	F	zeek
-#close	2016-07-13-16-12-50
+#close	2019-06-07-02-20-09

testing/btest/Baseline/core.disable-mobile-ipv6/weird.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2012-04-05-21-56-51
+#open	2019-06-07-01-59-20
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1333663011.602839	-	-	-	-	-	unknown_protocol	-	F	bro
+1333663011.602839	-	-	-	-	-	unknown_protocol	-	F	zeek
-#close	2012-04-05-21-56-51
+#close	2019-06-07-01-59-20

testing/btest/Baseline/core.ip-broken-header/weird.log

@@ -3,463 +3,463 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-20-30
+#open	2019-06-07-01-59-22
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:7265:6300::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265:6300::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557630.000000	-	255.255.0.0	0	255.255.255.223	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	255.255.0.0	0	255.255.255.223	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:9ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:9ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:2304:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:2304:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:28fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:28fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:2a29::	0	0:80:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:2a29::	0	0:80:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:fcff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:fcff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff32:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff32:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:27ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929:1000:0:6904:27ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:3afd:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:3afd:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:c200:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:c200:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:700:fe:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:700:fe:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:21ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:21ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:ffff:ffff:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:ffff:ffff:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ff7f:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ff7f:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:ff3a	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:ff3a	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:e374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:e374:6929::6927:ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:2705:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:2705:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:63ce:80:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:63ce:80:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:0:4:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:0:4:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7df	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7df	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ff01::	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:0:ffff:ff01::	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:71fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:71fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:2:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:2:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	126:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	126:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:69ff:ff00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:69ff:ff00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:fef9:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:fef9:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:40	0	bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:40	0	bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:8000::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:8000::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	38bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	38bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:69ff:ffff:ffff:ffff:ffff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:80:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:80:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:ff:ff00:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:ff:ff00:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:180::	0	bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:180::	0	bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:0:ff00:69:2980:0:29	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:0:ff00:69:2980:0:29	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929:600:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929:600:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7463:2a72:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7463:2a72:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b000:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b000:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	255.255.0.0	0	255.255.255.237	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	255.255.0.0	0	255.255.255.237	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0:7265:6374:6929:ff:27:a800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	0:7265:6374:6929:ff:27:a800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	-	-	-	-	ip_hdr_len_zero	-	F	bro
+1500557631.000000	-	-	-	-	-	ip_hdr_len_zero	-	F	zeek
-1500557631.000000	-	0.0.0.0	0	0.0.65.95	0	invalid_IP_header_size	-	F	bro
+1500557631.000000	-	0.0.0.0	0	0.0.65.95	0	invalid_IP_header_size	-	F	zeek
-1500557631.000000	-	b100:7265:6374:7129:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:7129:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b101:0:74:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b101:0:74:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fb03:12ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fb03:12ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	400:fffe:bfff::ecec:ecfc:ecec	0	ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	400:fffe:bfff::ecec:ecfc:ecec	0	ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:aa29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:aa29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:2600:0:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:2600:0:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:0:1000:6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:0:1000:6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	ff00:bf3b:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	ff00:bf3b:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b800:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b800:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:91:8bd6:ff00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:91:8bd6:ff00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:5445:52ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:5445:52ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fff7:820	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fff7:820	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b198:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b198:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929:0:100:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929:0:100:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:0:100:0:480:ffbf	0	3bff:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:0:100:0:480:ffbf	0	3bff:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:2:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:2:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:fff8:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:fff8:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9cc2:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9cc2:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ff21:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ff21:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:ffff:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:ffff:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7229:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7229:6374:6929::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b104:7265:6374:2a29::6904:ff	0	3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b104:7265:6374:2a29::6904:ff	0	3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0.0.0.0	0	0.0.255.255	0	invalid_IP_header_size	-	F	bro
+1500557631.000000	-	0.0.0.0	0	0.0.255.255	0	invalid_IP_header_size	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6900:8000:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6900:8000:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:4900:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:4900:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:636f:6d29::5704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:636f:6d29::5704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:723a:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:723a:6374:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00::ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	0:7265:6374:6929:ff:0:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929:100:0:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929:100:0:6127:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:0:ffff:6804:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:0:ffff:6804:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:0	0	80bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:0	0	80bf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6827:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6827:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40::80ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff00:40::80ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:908	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:908	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00::ffff:ff03:bffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00::ffff:ff03:bffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6300:0:8000:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6300:0:8000:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:8e00:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:8e00:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:9f74:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:9f74:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f701	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f701	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8004:ff	0	3b3f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8004:ff	0	3b3f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:fbff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:fbff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9529:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9529:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:3600:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:3600:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bb7:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bb7:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0.0.0.0	0	0.53.0.0	0	invalid_IP_header_size	-	F	bro
+1500557631.000000	-	0.0.0.0	0	0.53.0.0	0	invalid_IP_header_size	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:39:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:39:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929:0:8000:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929:0:8000:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7228:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7228:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff80::ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff80::ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7fc	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7fc	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	100:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c00:7265:6374:6929::6927:ff	0	100:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7200:6300:4:ff27:65fe:bfff:ff	0	ffff:0:ffff:ff3a:f700:8000:20:8ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7200:6300:4:ff27:65fe:bfff:ff	0	ffff:0:ffff:ff3a:f700:8000:20:8ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:47:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:47:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f706	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f706	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265::6904:2aff	0	c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265::6904:2aff	0	c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300::8001:0	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300::8001:0	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:900:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:900:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7d8	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7d8	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	ffff:ff27:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	ffff:ff27:ffff:ffff::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:f7ff:fdff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:f7ff:fdff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:0:3a00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:0:3a00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:63ce:29:69:7400:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:63ce:29:69:7400:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:6500:72:6369:2a:2900:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:6500:72:6369:2a:2900:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:2100::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:2100::8004:ef	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:5f70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:100::	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:100::	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	0.0.0.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
+1500557631.000000	-	0.0.0.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:1:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:1:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929:0:69:4:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929:0:69:4:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557631.000000	-	b100:7265:6374:6929::ff:3bff	0	4bf:8080:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557631.000000	-	b100:7265:6374:6929::ff:3bff	0	4bf:8080:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:0:4ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:0:4ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:63f4:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:63f4:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6900:0:400:2a29:2aff	0	3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:637b:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:637b:6929::6904:ff	0	3b00:40:ffbf:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:340:80:ffef:ffff:fffd:f7fb	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:340:80:ffef:ffff:fffd:f7fb	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b300:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b300:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:ae74:6929:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:ae74:6929:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:1	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:6929::6904:1	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:ff:ffff:ffff:ffff	0	ffbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:ff:ffff:ffff:ffff	0	ffbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ff01:1:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ff01:1:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:0:4:0:80ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:0:4:0:80ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:0:40ff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:0:40ff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:434f:4e54:454e:5453:5f44	0	4ebf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:434f:4e54:454e:5453:5f44	0	4ebf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:fff7:ffff:fdff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:ff:ff:fff7:ffff:fdff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:0:80::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:0:80::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:900	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:900	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3b01::ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3b01::ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:3a00:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:3a00:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::692a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::692a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:40:8:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:40:8:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:bf	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:bf	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:69a9::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:69a9::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:5265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:5265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::97fb:ff00	0	c440:108:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::97fb:ff00	0	c440:108:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:8000	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:8000	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	32.0.8.99	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
+1500557632.000000	-	32.0.8.99	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:6980:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:6980:ff	0	3bbf:8000:40:0:16ef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::693b:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::693b:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	0.0.0.0	0	0.255.255.255	0	invalid_IP_header_size	-	F	bro
+1500557632.000000	-	0.0.0.0	0	0.255.255.255	0	invalid_IP_header_size	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6928:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6928:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:5049:415f:5544:5000:0:6904:5544	0	50bf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:5049:415f:5544:5000:0:6904:5544	0	50bf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:0:1000:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:0:1000:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:3c0:ffff::fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:3c0:ffff::fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	fe:8d9a:948b:96d6:ff00:21:6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	fe:8d9a:948b:96d6:ff00:21:6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8014:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8014:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6301::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6301::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:63ce:69:7421:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:63ce:69:7421:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:69:d529:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:69:d529:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff27:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff27:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff02:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	7200:65:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	7200:65:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7263:692a:7429::6904:ff	0	3b:bf00:40ff:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7263:692a:7429::6904:ff	0	3b:bf00:40ff:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6306:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffe:1ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6306:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffe:1ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	50ff:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	50ff:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6900:2900:0:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6900:2900:0:6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6305:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6305:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	101.99.116.105	0	41.0.255.0	0	invalid_IP_header_size	-	F	bro
+1500557632.000000	-	101.99.116.105	0	41.0.255.0	0	invalid_IP_header_size	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	::40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	::40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	0:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	0:7265:6374:6900:0:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	2700:7265:6300:0:100:0:8004:ff00	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	2700:7265:6300:0:100:0:8004:ff00	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7200:400:65:6327:101:3ffe:ff	0	ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7200:400:65:6327:101:3ffe:ff	0	ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:637c:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:637c:6900:0:400:2a29:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:e374:6929::6904:ff	0	3bbf:ff00:40:a:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:e374:6929::6904:ff	0	3bbf:ff00:40:a:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:fd00:40:0:fffc:ffff:f720:fd3a	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:fd00:40:0:fffc:ffff:f720:fd3a	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:722a:2374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:722a:2374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ff01:0	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ff01:0	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:fff2:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:fff2:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:2704:40:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:2704:40:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:ff	0	6800:f265:6374:6929:11:27:c00:68	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:ff	0	6800:f265:6374:6929:11:27:c00:68	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:725f:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:725f:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:0	0	5000:ff:ffff:ffff:fdf7:ff3a:2000:800	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:0	0	5000:ff:ffff:ffff:fdf7:ff3a:2000:800	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:8000:0	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:8000:0	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:722a:6374:6929:400:4:0:ff69	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:722a:6374:6929:400:4:0:ff69	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	7dbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	7dbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8084:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8084:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:0:ffff:ffff:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:0:ffff:ffff:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29:100:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29:100:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ff00:ffff:3a20:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ff00:ffff:3a20:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a22:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a22:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b300:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b300:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40::ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40::ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:80:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:80:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:3a	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:3a	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff00:0:8080	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff00:0:8080	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2008:2b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2008:2b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:3b00:ff:0:6929:0:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:3b00:ff:0:6929:0:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:9:0:9704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:9:0:9704:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:80fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:80fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ffcc:c219:aa00:0:c9:640d:eb3c	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ffcc:c219:aa00:0:c9:640d:eb3c	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:a78b:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:a78b:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bff:4000:bf00:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bff:4000:bf00:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:5265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:5265:6300::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7218:400:65:6327:fffe:bfff:ff	0	ffff:20:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7218:400:65:6327:fffe:bfff:ff	0	ffff:20:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	71.97.99.109	0	0.16.0.41	0	invalid_IP_header_size	-	F	bro
+1500557632.000000	-	71.97.99.109	0	0.16.0.41	0	invalid_IP_header_size	-	F	zeek
-1500557632.000000	-	b100:7221:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7221:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929:ffff:ffff:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:7fef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:7fef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:d0d6:ffff:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:d0d6:ffff:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:6:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:6:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ecff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:0:ecff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffef:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffef:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:e929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:27ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:e929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:27ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	3a00:7265:6374:6929::8004:ff	0	c540:fe:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	3a00:7265:6374:6929::8004:ff	0	c540:fe:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:40:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:40:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	65:63b1:7274:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	65:63b1:7274:6929::8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::2104:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::2104:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6328:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6328:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	f100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	f100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:72:6328:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:72:6328:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7200:400:65:ffff:ffff:ffff:ffff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7200:400:65:ffff:ffff:ffff:ffff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:fdff:ffff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:fdff:ffff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:6500:6fd:188:4747:4747:61fd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6127:fb	0	3bbf:6500:6fd:188:4747:4747:61fd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	0.0.0.255	0	11.0.255.0	0	invalid_IP_header_size_in_tunnel	-	F	bro
+1500557632.000000	-	0.0.0.255	0	11.0.255.0	0	invalid_IP_header_size_in_tunnel	-	F	zeek
-1500557632.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:7fff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:7fff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:27ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:27ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff4e:5654:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff4e:5654:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374::80:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374::80:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:3b	0	ff:ffbf:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:3b	0	ff:ffbf:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:6500:91:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:6500:91:6369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:ff:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:840:ff:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6301::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6301::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:ffff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:ffff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:0:ff3b:bf:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:0:ff3b:bf:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:10ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:10ff	0	0:7265:6374:6929::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6329:ffff:2a74:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:3b70:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6329:ffff:2a74:ffff:ffff:ffff	0	3bbf:ff00:40:6e:756d:3b70:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	143.9.0.0	0	0.98.0.237	0	invalid_IP_header_size	-	F	bro
+1500557632.000000	-	143.9.0.0	0	0.98.0.237	0	invalid_IP_header_size	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:feff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	fffb:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	fffb:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7200:6365::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7200:6365::8004:ff	0	3bbf:ff00:840:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e00:0:704c	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	0:7265:6374:6929:ff:27:2800:ff	0	100:0:143:4f4e:5445:4e00:0:704c	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557632.000000	-	b100:7265:6374:6909::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557632.000000	-	b100:7265:6374:6909::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:feff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:100:0:4:ff	0	3bbf:ff00:40:0:feff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:2a60	0	3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:2a60	0	3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::6127:ff	0	3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	2a72:6300:b165:7429:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	2a72:6300:b165:7429:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:639a:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:639a:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::ff00:480	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::ff00:480	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:0:8::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:0:8::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b000:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:21e6:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b000:7265:63ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:21e6:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6301:0:29:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6301:0:29:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::3b04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::3b04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::8804:ff	0	3bbf:ff80:40:0:ffff:ffff:102:800	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::8804:ff	0	3bbf:ff80:40:0:ffff:ffff:102:800	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	33bf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	33bf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3b9f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3b9f:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b13b:bfff:0:4000:ff:ffff:ffff:fdf7	0	ff3a:2000:800:1e04:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b13b:bfff:0:4000:ff:ffff:ffff:fdf7	0	ff3a:2000:800:1e04:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:0	0	::80:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:0	0	::80:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b165:6300:7274:6929::400:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b165:6300:7274:6929::400:ff	0	3bbf:ff00:40:0:ffff:ffff:f7fd:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff3b	0	0:bfff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff3b	0	0:bfff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::3b:bfff	0	ff04:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::3b:bfff	0	ff04:0:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:74a9:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:74a9:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:2aff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bbf:ff00:40:0:ffff:2aff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:6374:65:69:7229:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:6374:65:69:7229:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6377:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6377:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300::4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b128:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b128:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:2700:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:2700:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:fd00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:722a:6374:6929::6904:ff	0	3bbf:fd00:40:0:ffff:ffff:ffff:3af7	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:722a:6374:6929::6968:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:722a:6374:6929::6968:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bff:bf00:40:0:ffff:ffff:fffd:e7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:7429:0:6904:ff	0	3bff:bf00:40:0:ffff:ffff:fffd:e7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7261:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7261:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:7929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:7929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:df00::80ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:df00::80ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7263:65ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7263:65ce:69:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	ffff:ffff:ffff:ffff::8004:ff	0	3bbf:ff01:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:f8:0:ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:f8:0:ff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:692d::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:692d::6927:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::4:fd	0	c3bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::4:fd	0	c3bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:3b	0	bf:ffff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:3b	0	bf:ffff:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6900:ec00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6900:ec00:400:2a29:6aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	e21e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	e21e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6928:ffff:fd00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6928:ffff:fd00:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::ff00:bfff	0	3b00:400:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::ff00:bfff	0	3b00:400:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:520:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:520:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ffff	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ffff	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:28:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	3bbf:ff00:28:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::80fb:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::80fb:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c2a:7200:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c2a:7200:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:693a::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:693a::6127:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c20:722a:6374:6929:800:0:6904:ff	0	3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929:0:fffe:bfff:ff	0	ffff:ff68:0:4000:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929:0:fffe:bfff:ff	0	ffff:ff68:0:4000:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ef	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:82b:0:f7ef	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:2700:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:2700:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:27:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::6904:ff	0	3bbf:ff00:40:27:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::2a:0	0	::6a:ffff:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::2a:0	0	::6a:ffff:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6900:a:400:2a29:3b2a	0	ffbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6900:a:400:2a29:3b2a	0	ffbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:6500:72:6369:2a29:3b00:690a:ff	0	3bbf:fb00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:6500:72:6369:2a29:3b00:690a:ff	0	3bbf:fb00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:722a:6374::	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:722a:6374::	0	ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:2aff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:722a:6374:6929:1000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:2aff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29:ffff:ffff:ffff:ffff	0	3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7200:63:65::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7200:63:65::8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:fc	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:fc	0	ffff:0:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6900:0	0	80bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6900:0	0	80bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:63ce:69:2129:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:63ce:69:2129:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:3a:ffef:ff:ffff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:6500:72:6369:2a29:0:690a:ff	0	3bbf:ff00:40:3a:ffef:ff:ffff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:9265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:9265:6300:69:7429:0:690a:ff	0	40:3bff:bf:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:dffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:dffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:1ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::	0	80:ff00:40:0:1ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:724a:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:724a:6374:6929::	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:f6	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:f6	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:0	0	ffff:ff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:0	0	ffff:ff:ffff:ff3a:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6500:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6500:0:100:0:8004:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:0:a:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:0:a:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6900::2900:0	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6900::2900:0	0	80:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	68.80.95.104	0	109.115.117.0	0	invalid_IP_header_size	-	F	bro
+1500557633.000000	-	68.80.95.104	0	109.115.117.0	0	invalid_IP_header_size	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:692b::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6374:692b::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6900:29:0:6914:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6900:29:0:6914:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:6500:72:e369:2a29:0:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	8:1e:400:ff00:0:3200:8004:ff	0	3bff:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	8:1e:400:ff00:0:3200:8004:ff	0	3bff:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:f7fd	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:f7fd	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:8ba:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:8ba:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300::8004:ff	0	48bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300::8004:ff	0	48bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7365:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7365:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:5600:800:2b00:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ff3a:5600:800:2b00:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	0:7265:6374:6929:ff:6:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	0:7265:6374:6929:ff:6:27ff:28	0	100:0:143:4f4e:5445:4e54:535f:524c	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6909::6904:ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	0:7265:6b74:6909::6904:ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ff48:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::4:ff	0	3bbf:ff00:40:0:ffff:ff48:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:7400:2969:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:7400:2969:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:c5:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:7429:0:690a:ff	0	40:3bff:c5:0:ffff:ffff:fdff:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265::6904:2a3a	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265::6904:2a3a	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:f9ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:f9ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7261:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7261:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9fd6:ffff:2:800	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:9fd6:ffff:2:800	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6300:69:7429:8000:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6300:69:7429:8000:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	ffff:ffff:ffff:ffff::	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	ffff:ffff:ffff:ffff::	0	::40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:400:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff80:40:400:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::ff00:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::ff00:ff	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:fffe:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:2aff	0	3bbf:ff00:40:21:fffe:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:ffff::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:ffff::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	4f00:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	4f00:7265:6374:6929::6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:8000::6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929::6904:ff	0	3b1e:8000::6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:1:400:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:1:400:8004:ff	0	3bbf:ff80:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	0.255.255.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	bro
+1500557633.000000	-	0.255.255.0	0	0.0.0.0	0	invalid_IP_header_size	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:4:0:6904:ff	0	3b1e:400:ff:0:6929:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:342b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7200:400:65:6327:fffe:bfff:ff	0	ffff:0:ffff:ff3a:2000:342b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:6929:400:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:6929:400:0:4:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:7265:6374:6929::6927:ff	0	3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:6374:2a29::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	b100:7265:1::69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	b100:7265:1::69	0	c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557633.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:ffff	0	invalid_inner_IP_version	-	F	bro
+1500557633.000000	-	9c00:722a:6374:6929:400:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:ffff:ffff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:722a:6374:6929:1001:900:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:722a:6374:6929:1001:900:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:40:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:6929::8004:ff	0	3bbf:ff00:40:0:40:0:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:722a:6374:6929::6904:eff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:722a:6374:6929::6904:eff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	ffdb:ffff:3b00::ff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	ffdb:ffff:3b00::ff:ffff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:60:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:6929:ffff:ffff:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:6929:ffff:ffff:8004:ff	0	3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6300:669:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6300:669:7429:0:690a:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:6929::693b:bdff	0	0:4000:ff:ffff:fdff:fff7:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:6929::693b:bdff	0	0:4000:ff:ffff:fdff:fff7:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	0.71.103.97	0	99.116.0.128	0	invalid_IP_header_size	-	F	bro
+1500557634.000000	-	0.71.103.97	0	99.116.0.128	0	invalid_IP_header_size	-	F	zeek
-1500557634.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6300::8004:ff	0	3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:63ce:69:7429:0:690a:b1	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:63ce:69:7429:0:690a:b1	0	3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:63ce:69:7429:db00:690a:ff	0	3bbf:ff00:40:0:29ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	6500:0:6fd:188:4747:4747:6163:7400	0	0:2c29:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	6500:0:6fd:188:4747:4747:6163:7400	0	0:2c29:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:722a:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:722a:6374:6929:8000:0:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:6500:72:6369:2900:2a00:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:6500:72:6369:2900:2a00:690a:ff	0	3bbf:ff00:40:0:ffef:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:2a29::6904:ff	0	29bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:2a29::6904:ff	0	29bf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:10:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:6929::6904:ff	0	3b00:40:ffbf:10:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:7265:6374:6929::612f:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:7265:6374:6929::612f:fb	0	3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ffc3:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6300:2704:0:fffe:bfff:ff	0	ffff:0:ffff:ffc3:2000:82b:0:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:722a:6374:6929:1000:100:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:722a:6374:6929:1000:100:6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f728	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:6374:6929:ff:ffff:ff04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:6374:6929:ff:ffff:ff04:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	b100:7265:0:ff00:69:2980:0:69	0	c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-1500557634.000000	-	9c00:7265:6374:69d1::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557634.000000	-	9c00:7265:6374:69d1::6904:ff	0	3bbf:ff00:40:0:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-#close	2017-10-19-17-20-30
+#close	2019-06-07-01-59-22

testing/btest/Baseline/core.negative-time/weird.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-05-23-20-20-21
+#open	2019-06-07-01-59-25
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1425182592.408334	-	-	-	-	-	negative_packet_timestamp	-	F	bro
+1425182592.408334	-	-	-	-	-	negative_packet_timestamp	-	F	zeek
-#close	2016-05-23-20-20-21
+#close	2019-06-07-01-59-25

testing/btest/Baseline/core.pcap.read-trace-with-filter/packet_filter.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2016-07-13-16-12-56
+#open	2019-06-07-01-59-28
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1468426376.541368	bro	port 50000	T	T
+1559872768.563861	zeek	port 50000	T	T
-#close	2016-07-13-16-12-56
+#close	2019-06-07-01-59-28

testing/btest/Baseline/core.print-bpf-filters/conn.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	conn
-#open	2019-03-12-03-25-14
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 1278600802.069419	CHhAvVGS1DHFjwGM9	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.004152	9	3429	SF	-	-	0	ShADadfF	7	381	7	3801	-
-#close	2019-03-12-03-25-14
+#close	2019-06-07-02-20-04

testing/btest/Baseline/core.print-bpf-filters/output

@@ -3,28 +3,28 @@
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-12
+#open	2019-06-07-02-20-03
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361112.763592	bro	ip or not ip	T	T
+1559874003.309984	zeek	ip or not ip	T	T
-#close	2019-03-12-03-25-12
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-13
+#open	2019-06-07-02-20-03
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361113.442916	bro	port 42	T	T
+1559874003.872388	zeek	port 42	T	T
-#close	2019-03-12-03-25-13
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	packet_filter
-#open	2019-03-12-03-25-14
+#open	2019-06-07-02-20-04
 #fields	ts	node	filter	init	success
 #types	time	string	string	bool	bool
-1552361114.111534	bro	(vlan) and (ip or not ip)	T	T
+1559874004.312190	zeek	(vlan) and (ip or not ip)	T	T
-#close	2019-03-12-03-25-14
+#close	2019-06-07-02-20-04

testing/btest/Baseline/core.truncation/output

@@ -3,78 +3,78 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-27
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334160095.895421	-	-	-	-	-	truncated_IP	-	F	bro
+1334160095.895421	-	-	-	-	-	truncated_IP	-	F	zeek
-#close	2017-10-19-17-18-28
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-29
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334156241.519125	-	-	-	-	-	truncated_IP	-	F	bro
+1334156241.519125	-	-	-	-	-	truncated_IP	-	F	zeek
-#close	2017-10-19-17-18-30
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-32
+#open	2019-06-07-02-20-04
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1334094648.590126	-	-	-	-	-	truncated_IP	-	F	bro
+1334094648.590126	-	-	-	-	-	truncated_IP	-	F	zeek
-#close	2017-10-19-17-18-32
+#close	2019-06-07-02-20-04
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-36
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1338328954.078361	-	-	-	-	-	internally_truncated_header	-	F	bro
+1338328954.078361	-	-	-	-	-	internally_truncated_header	-	F	zeek
-#close	2017-10-19-17-18-36
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-37
+#open	2019-06-07-02-20-05
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-0.000000	-	-	-	-	-	truncated_link_header	-	F	bro
+0.000000	-	-	-	-	-	truncated_link_header	-	F	zeek
-#close	2017-10-19-17-18-38
+#close	2019-06-07-02-20-05
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-39
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	invalid_IP_header_size	-	F	bro
+1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	invalid_IP_header_size	-	F	zeek
-#close	2017-10-19-17-18-40
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-41
+#open	2019-06-07-02-20-06
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	internally_truncated_header	-	F	bro
+1508360735.834163	-	163.253.48.183	0	192.150.187.43	0	internally_truncated_header	-	F	zeek
-#close	2017-10-19-17-18-42
+#close	2019-06-07-02-20-06
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-18-43
+#open	2019-06-07-02-20-07
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	0.255.0.255	0	15.254.2.1	0	invalid_IP_header_size_in_tunnel	-	F	bro
+1500557630.000000	-	0.255.0.255	0	15.254.2.1	0	invalid_IP_header_size_in_tunnel	-	F	zeek
-#close	2017-10-19-17-18-44
+#close	2019-06-07-02-20-07

testing/btest/Baseline/core.tunnels.ip-in-ip-version/output

@@ -3,18 +3,18 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-26-34
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	ff00:0:6929::6904:ff:3bbf	0	ffff:0:69:2900:0:69:400:ff3b	0	invalid_inner_IP_version_in_tunnel	-	F	bro
+1500557630.000000	-	ff00:0:6929::6904:ff:3bbf	0	ffff:0:69:2900:0:69:400:ff3b	0	invalid_inner_IP_version_in_tunnel	-	F	zeek
-#close	2017-10-19-17-26-35
+#close	2019-06-07-02-20-03
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2017-10-19-17-26-36
+#open	2019-06-07-02-20-03
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	bro
+1500557630.000000	-	b100:7265::6904:2aff	0	3bbf:ff00:40:21:ffff:ffff:fffd:f7ff	0	invalid_inner_IP_version	-	F	zeek
-#close	2017-10-19-17-26-37
+#close	2019-06-07-02-20-03

testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/weird.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-07-13-16-13-14
+#open	2019-06-07-01-59-35
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
-1340127577.341510	CUM0KZ3MLUfNB0cl11	192.168.2.16	3797	83.170.1.38	32900	Teredo_bubble_with_payload	-	F	bro
+1340127577.341510	CUM0KZ3MLUfNB0cl11	192.168.2.16	3797	83.170.1.38	32900	Teredo_bubble_with_payload	-	F	zeek
-1340127577.346849	CHhAvVGS1DHFjwGM9	192.168.2.16	3797	65.55.158.80	3544	Teredo_bubble_with_payload	-	F	bro
+1340127577.346849	CHhAvVGS1DHFjwGM9	192.168.2.16	3797	65.55.158.80	3544	Teredo_bubble_with_payload	-	F	zeek
-#close	2016-07-13-16-13-14
+#close	2019-06-07-01-59-35

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2019-04-16-17-02-20
+#open	2019-06-05-18-41-18
 #fields	name
 #types	string
 scripts/base/init-bare.zeek
@@ -206,31 +206,6 @@ scripts/base/init-default.zeek
             scripts/base/frameworks/control/main.zeek
         scripts/base/frameworks/cluster/pools.zeek
     scripts/base/frameworks/notice/weird.zeek
-    scripts/base/frameworks/notice/actions/drop.zeek
-      scripts/base/frameworks/netcontrol/__load__.zeek
-        scripts/base/frameworks/netcontrol/types.zeek
-        scripts/base/frameworks/netcontrol/main.zeek
-          scripts/base/frameworks/netcontrol/plugin.zeek
-        scripts/base/frameworks/netcontrol/plugins/__load__.zeek
-          scripts/base/frameworks/netcontrol/plugins/debug.zeek
-          scripts/base/frameworks/netcontrol/plugins/openflow.zeek
-            scripts/base/frameworks/openflow/__load__.zeek
-              scripts/base/frameworks/openflow/consts.zeek
-              scripts/base/frameworks/openflow/types.zeek
-              scripts/base/frameworks/openflow/main.zeek
-              scripts/base/frameworks/openflow/plugins/__load__.zeek
-                scripts/base/frameworks/openflow/plugins/ryu.zeek
-                  scripts/base/utils/json.zeek
-                scripts/base/frameworks/openflow/plugins/log.zeek
-                scripts/base/frameworks/openflow/plugins/broker.zeek
-              scripts/base/frameworks/openflow/non-cluster.zeek
-          scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
-          scripts/base/frameworks/netcontrol/plugins/broker.zeek
-          scripts/base/frameworks/netcontrol/plugins/acld.zeek
-        scripts/base/frameworks/netcontrol/drop.zeek
-        scripts/base/frameworks/netcontrol/shunt.zeek
-        scripts/base/frameworks/netcontrol/catch-and-release.zeek
-        scripts/base/frameworks/netcontrol/non-cluster.zeek
     scripts/base/frameworks/notice/actions/email_admin.zeek
     scripts/base/frameworks/notice/actions/page.zeek
     scripts/base/frameworks/notice/actions/add-geodata.zeek
@@ -269,6 +244,29 @@ scripts/base/init-default.zeek
     scripts/base/frameworks/sumstats/non-cluster.zeek
   scripts/base/frameworks/tunnels/__load__.zeek
     scripts/base/frameworks/tunnels/main.zeek
+  scripts/base/frameworks/openflow/__load__.zeek
+    scripts/base/frameworks/openflow/consts.zeek
+    scripts/base/frameworks/openflow/types.zeek
+    scripts/base/frameworks/openflow/main.zeek
+    scripts/base/frameworks/openflow/plugins/__load__.zeek
+      scripts/base/frameworks/openflow/plugins/ryu.zeek
+        scripts/base/utils/json.zeek
+      scripts/base/frameworks/openflow/plugins/log.zeek
+      scripts/base/frameworks/openflow/plugins/broker.zeek
+    scripts/base/frameworks/openflow/non-cluster.zeek
+  scripts/base/frameworks/netcontrol/__load__.zeek
+    scripts/base/frameworks/netcontrol/types.zeek
+    scripts/base/frameworks/netcontrol/main.zeek
+      scripts/base/frameworks/netcontrol/plugin.zeek
+    scripts/base/frameworks/netcontrol/plugins/__load__.zeek
+      scripts/base/frameworks/netcontrol/plugins/debug.zeek
+      scripts/base/frameworks/netcontrol/plugins/openflow.zeek
+      scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
+      scripts/base/frameworks/netcontrol/plugins/broker.zeek
+      scripts/base/frameworks/netcontrol/plugins/acld.zeek
+    scripts/base/frameworks/netcontrol/drop.zeek
+    scripts/base/frameworks/netcontrol/shunt.zeek
+    scripts/base/frameworks/netcontrol/non-cluster.zeek
   scripts/base/protocols/conn/__load__.zeek
     scripts/base/protocols/conn/main.zeek
     scripts/base/protocols/conn/contents.zeek
@@ -368,10 +366,8 @@ scripts/base/init-default.zeek
     scripts/base/files/pe/main.zeek
   scripts/base/files/extract/__load__.zeek
     scripts/base/files/extract/main.zeek
-  scripts/base/files/unified2/__load__.zeek
-    scripts/base/files/unified2/main.zeek
   scripts/base/misc/find-checksum-offloading.zeek
   scripts/base/misc/find-filtered-trace.zeek
   scripts/base/misc/version.zeek
 scripts/policy/misc/loaded-scripts.zeek
-#close	2019-04-16-17-02-20
+#close	2019-06-05-18-41-19

testing/btest/Baseline/language.copy-cycle/out

@@ -0,0 +1,3 @@
+F (expected: F)
+T (expected: T)
+T (expected: T)

testing/btest/Baseline/language.expire_subnet/output

@@ -15,11 +15,11 @@ Accessed table nums: two; three
 Accessed table nets: two; zero, three
 Time: 7.0 secs 518.0 msecs 828.0 usecs
 
-Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
-Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
 Expired Num: 4 --> four at 8.0 secs 835.0 msecs 30.0 usecs
 Expired Num: 1 --> one at 8.0 secs 835.0 msecs 30.0 usecs
 Expired Num: 0 --> zero at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.4.0/24 --> four at 8.0 secs 835.0 msecs 30.0 usecs
+Expired Subnet: 192.168.1.0/24 --> one at 8.0 secs 835.0 msecs 30.0 usecs
 Expired Subnet: 192.168.0.0/16 --> zero at 15.0 secs 150.0 msecs 681.0 usecs
 Expired Subnet: 192.168.3.0/24 --> three at 15.0 secs 150.0 msecs 681.0 usecs
 Expired Subnet: 192.168.2.0/24 --> two at 15.0 secs 150.0 msecs 681.0 usecs

testing/btest/Baseline/language.type-coerce-numerics/double_convert_failure1.out

@@ -0,0 +1 @@
+error in ./double_convert_failure1.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=5.0] to myrecord) and double)

testing/btest/Baseline/language.type-coerce-numerics/double_convert_failure2.out

@@ -0,0 +1 @@
+error in ./double_convert_failure2.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=-5.0] to myrecord) and double)