Merge remote-tracking branch 'origin/master' into topic/johanna/netcontrol

CHANGES

@@ -1,4 +1,53 @@
 
+2.4-307 | 2016-03-07 13:33:45 -0800
+
+  * Add "disable_analyzer_after_detection" and remove
+    "skip_processing_after_detection". Addresses BIT-1545.
+    (Aaron Eppert & Johanna Amann)
+
+  * Add bad_HTTP_request_with_version weird (William Glodek)
+
+2.4-299 | 2016-03-04 12:51:55 -0800
+
+  * More detailed installation instructions for FreeBSD 9.X. (Johanna Amann)
+
+  * Update CMake OpenSSL checks. (Johanna Amann)
+
+  * "SUBSCRIBE" is a valid SIP. message per RFC 3265. Addresses
+     BIT-1529. (Johanna Amann)
+
+  * Update documentation for connection log's RSTR. Addresses BIT-1535
+    (Johanna Amann)
+
+2.4-284 | 2016-02-17 14:12:15 -0800
+
+  * Fix sometimes failing dump-events test. (Johanna Amann)
+
+2.4-282 | 2016-02-13 10:48:21 -0800
+
+  * Add missing break in in StartTLS case of IRC analyzer. Found by
+    Aaron Eppert. (Johanna Amann)
+
+2.4-280 | 2016-02-13 10:40:16 -0800
+
+  * Fix memory leaks in stats.cc and smb.cc. (Johanna Amann)
+
+2.4-278 | 2016-02-12 18:53:35 -0800
+
+  * Better multi-space separator handline. (Mark Taylor & Johanna Amann)
+
+2.4-276 | 2016-02-10 21:29:33 -0800
+
+  * Allow IRC commands to not have parameters. (Mark Taylor)
+
+2.4-272 | 2016-02-08 14:27:58 -0800
+
+  * fix memory leaks in find_all() and IRC analyzer. (Dirk Leinenbach)
+
+2.4-270 | 2016-02-08 13:00:57 -0800
+
+  * Removed duplicate parameter for IRC "QUIT" event handler. (Mark Taylor)
+
 2.4-267 | 2016-02-01 12:38:32 -0800
 
   * Add testcase for CVE-2015-3194. (Johanna Amann)
@@ -1907,21 +1956,21 @@
 2.3-beta-18 | 2014-06-06 13:11:50 -0700
 
   * Add two more SSL events, one triggered for each handshake message
-    and one triggered for the tls change cipherspec message. (Bernhard
+    and one triggered for the tls change cipherspec message. (Johanna
     Amann)
 
   * Small SSL bug fix. In case SSL::disable_analyzer_after_detection
     was set to false, the ssl_established event would fire after each
-    data packet once the session is established. (Bernhard Amann)
+    data packet once the session is established. (Johanna Amann)
 
 2.3-beta-16 | 2014-06-06 13:05:44 -0700
 
   * Re-activate notice suppression for expiring certificates.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.3-beta-14 | 2014-06-05 14:43:33 -0700
 
-  * Add new TLS extension type numbers from IANA (Bernhard Amann)
+  * Add new TLS extension type numbers from IANA (Johanna Amann)
 
   * Switch to double hashing for Bloomfilters for better performance.
     (Matthias Vallentin)
@@ -1931,7 +1980,7 @@
     (Matthias Vallentin)
 
   * Make buffer for X509 certificate subjects larger. Addresses
-    BIT-1195 (Bernhard Amann)
+    BIT-1195 (Johanna Amann)
 
 2.3-beta-5 | 2014-05-29 15:34:42 -0500
 
@@ -1953,19 +2002,19 @@
 
   * Release 2.3-beta
 
-  * Clean up OpenSSL data structures on exit. (Bernhard Amann)
+  * Clean up OpenSSL data structures on exit. (Johanna Amann)
 
-  * Fixes for OCSP & x509 analysis memory leak issues. (Bernhard Amann)
+  * Fixes for OCSP & x509 analysis memory leak issues. (Johanna Amann)
 
   * Remove remaining references to BROMAGIC (Daniel Thayer)
 
   * Fix typos and formatting in event and BiF documentation (Daniel Thayer)
 
   * Update intel framework plugin for ssl server_name extension API
-    changes. (Bernhard Amann, Justin Azoff)
+    changes. (Johanna Amann, Justin Azoff)
 
   * Fix expression errors in SSL/x509 scripts when unparseable data
-    is in certificate chain. (Bernhard Amann)
+    is in certificate chain. (Johanna Amann)
 
 2.2-478 | 2014-05-19 15:31:33 -0500
 
@@ -1974,7 +2023,7 @@
 
 2.2-477 | 2014-05-19 14:13:00 -0500
 
-  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Bernhard Amann)
+  * Fix X509::Result record's "result" field to be set internally as type int instead of type count. (Johanna Amann)
 
   * Fix a couple of doc build warnings (Daniel Thayer)
 
@@ -1992,19 +2041,19 @@
 
   * New script policy/protocols/ssl/validate-ocsp.bro that adds OSCP
     validation to ssl.log. The work is done by a new bif
-    x509_ocsp_verify(). (Bernhard Amann)
+    x509_ocsp_verify(). (Johanna Amann)
 
   * STARTTLS support for POP3 and SMTP. The SSL analyzer takes over
     when seen. smtp.log now logs when a connection switches to SSL.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Replace errors when parsing x509 certs with weirds. (Bernhard
+  * Replace errors when parsing x509 certs with weirds. (Johanna
     Amann)
 
-  * Improved Heartbleed attack/scan detection. (Bernhard Amann)
+  * Improved Heartbleed attack/scan detection. (Johanna Amann)
 
   * Let TLS analyzer fail better when no longer in sync with the data
-    stream. (Bernhard Amann)
+    stream. (Johanna Amann)
 
 2.2-444 | 2014-05-16 14:10:32 -0500
 
@@ -2023,7 +2072,7 @@
 
 2.2-427 | 2014-05-15 13:37:23 -0400
 
-  * Fix dynamic SumStats update on clusters (Bernhard Amann)
+  * Fix dynamic SumStats update on clusters (Johanna Amann)
 
 2.2-425 | 2014-05-08 16:34:44 -0700
 
@@ -2075,11 +2124,11 @@
 
   * Add DH support to SSL analyzer.  When using DHE or DH-Anon, sever
     key parameters are now available in scriptland.  Also add script to
-    alert on weak certificate keys or weak dh-params. (Bernhard Amann)
+    alert on weak certificate keys or weak dh-params. (Johanna Amann)
 
-  * Add a few more ciphers Bro did not know at all so far. (Bernhard Amann)
+  * Add a few more ciphers Bro did not know at all so far. (Johanna Amann)
 
-  * Log chosen curve when using ec cipher suite in TLS. (Bernhard Amann)
+  * Log chosen curve when using ec cipher suite in TLS. (Johanna Amann)
 
 2.2-397 | 2014-05-01 20:29:20 -0700
 
@@ -2091,7 +2140,7 @@
     (Jon Siwek)
 
   * Correct a notice for heartbleed. The notice is thrown correctly,
-    just the message conteined wrong values. (Bernhard Amann)
+    just the message conteined wrong values. (Johanna Amann)
 
   * Improve/standardize some malloc/realloc return value checks. (Jon
     Siwek)
@@ -2118,7 +2167,7 @@
 2.2-377 | 2014-04-24 16:57:54 -0700
 
   * A larger set of SSL improvements and extensions. Addresses
-    BIT-1178. (Bernhard Amann)
+    BIT-1178. (Johanna Amann)
 
         - Fixes TLS protocol version detection. It also should
           bail-out correctly on non-tls-connections now
@@ -2179,9 +2228,9 @@
 
 2.2-335 | 2014-04-10 15:04:57 -0700
 
-  * Small logic fix for main SSL script. (Bernhard Amann)
+  * Small logic fix for main SSL script. (Johanna Amann)
 
-  * Update DPD signatures for detecting TLS 1.2. (Bernhard Amann)
+  * Update DPD signatures for detecting TLS 1.2. (Johanna Amann)
 
   * Remove unused data member of SMTP_Analyzer to silence a Coverity
     warning. (Jon Siwek)
@@ -2210,7 +2259,7 @@
 2.2-315 | 2014-04-01 16:50:01 -0700
 
   * Change logging's "#types" description of sets to "set". Addresses
-    BIT-1163 (Bernhard Amann)
+    BIT-1163 (Johanna Amann)
 
 2.2-313 | 2014-04-01 16:40:19 -0700
 
@@ -2225,7 +2274,7 @@
     (Jon Siwek)
 
   * Fix potential memory leak in x509 parser reported by Coverity.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-304 | 2014-03-30 23:05:54 +0200
 
@@ -2296,7 +2345,7 @@
     from the certificates (e.g. elliptic curve information, subject
     alternative names, basic constraints). Certificate validation also
     was improved, should be easier to use and exposes information like
-    the full verified certificate chain. (Bernhard Amann)
+    the full verified certificate chain. (Johanna Amann)
 
     This update changes the format of ssl.log and adds a new x509.log
     with certificate information. Furthermore all x509 events and
@@ -2334,7 +2383,7 @@
 2.2-256 | 2014-03-30 19:57:28 +0200
 
   * For the summary statistics framewirk, change all &create_expire
-    attributes to &read_expire in the cluster part. (Bernhard Amann)
+    attributes to &read_expire in the cluster part. (Johanna Amann)
 
 2.2-254 | 2014-03-30 19:55:22 +0200
 
@@ -2358,7 +2407,7 @@
 2.2-244 | 2014-03-17 08:24:17 -0700
 
   * Fix compile errror on FreeBSD caused by wrong include file order.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-240 | 2014-03-14 10:23:54 -0700
 
@@ -2454,7 +2503,7 @@
 
   * Improve SSL logging so that connections are logged even when the
     ssl_established event is not generated as well as other small SSL
-    fixes. (Bernhard Amann)
+    fixes. (Johanna Amann)
 
 2.2-206 | 2014-03-03 16:52:28 -0800
 
@@ -2471,7 +2520,7 @@
   * Allow iterating over bif functions with result type vector of any.
     This changes the internal type that is used to signal that a
     vector is unspecified from any to void. Addresses BIT-1144
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-197 | 2014-02-28 15:36:58 -0800
 
@@ -2479,37 +2528,37 @@
 
 2.2-194 | 2014-02-28 14:50:53 -0800
 
-  * Remove packet sorter. Addresses BIT-700. (Bernhard Amann)
+  * Remove packet sorter. Addresses BIT-700. (Johanna Amann)
 
 2.2-192 | 2014-02-28 09:46:43 -0800
 
-  * Update Mozilla root bundle. (Bernhard Amann)
+  * Update Mozilla root bundle. (Johanna Amann)
 
 2.2-190 | 2014-02-27 07:34:44 -0800
 
-  * Adjust timings of a few leak tests. (Bernhard Amann)
+  * Adjust timings of a few leak tests. (Johanna Amann)
 
 2.2-187 | 2014-02-25 07:24:42 -0800
 
-  * More Google TLS extensions that are being actively used. (Bernhard
+  * More Google TLS extensions that are being actively used. Johanna(
     Amann)
 
   * Remove unused, and potentially unsafe, function
-    ListVal::IncludedInString. (Bernhard Amann)
+    ListVal::IncludedInString. (Johanna Amann)
 
 2.2-184 | 2014-02-24 07:28:18 -0800
 
   * New TLS constants from
     https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.2-180 | 2014-02-20 17:29:14 -0800
 
   * New SSL alert descriptions from
     https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04.
-    (Bernhard Amann)
+    (Johanna Amann)
 
-  * Update SQLite. (Bernhard Amann)
+  * Update SQLite. (Johanna Amann)
 
 2.2-177 | 2014-02-20 17:27:46 -0800
 
@@ -2540,7 +2589,7 @@
     'modbus_read_fifo_queue_response' event handler. (Jon Siwek)
 
   * Add channel_id TLS extension number. This number is not IANA
-    defined, but we see it being actively used. (Bernhard Amann)
+    defined, but we see it being actively used. (Johanna Amann)
 
   * Test baseline updates for DNS change. (Robin Sommer)
 
@@ -2582,7 +2631,7 @@
 
 2.2-147 | 2014-02-07 08:06:53 -0800
 
-  * Fix x509-extension test sometimes failing. (Bernhard Amann)
+  * Fix x509-extension test sometimes failing. (Johanna Amann)
 
 2.2-144 | 2014-02-06 20:31:18 -0800
 
@@ -2618,7 +2667,7 @@
 
 2.2-128 | 2014-01-30 15:58:47 -0800
 
-  * Add leak test for Exec module. (Bernhard Amann)
+  * Add leak test for Exec module. (Johanna Amann)
 
   * Fix file_over_new_connection event to trigger when entire file is
     missed. (Jon Siwek)
@@ -2636,7 +2685,7 @@
 2.2-120 | 2014-01-28 10:25:23 -0800
 
   * Fix and extend x509_extension() event, which now actually returns
-    the extension. (Bernhard Amann)
+    the extension. (Johanna Amann)
 
     New event signauture:
 
@@ -2751,7 +2800,7 @@
 
   * Several improvements to input framework error handling for more
     robustness and more helpful error messages. Includes tests for
-    many cases. (Bernhard Amann)
+    many cases. (Johanna Amann)
 
 2.2-66 | 2013-12-09 13:54:16 -0800
 
@@ -2777,7 +2826,7 @@
   * Fix memory leak in input framework. If the input framework was
     used to read event streams and those streams contained records
     with more than one field, not all elements of the threading Values
-    were cleaned up. Addresses BIT-1103. (Bernhard Amann)
+    were cleaned up. Addresses BIT-1103. (Johanna Amann)
 
   * Minor Broxygen improvements. Addresses BIT-1098. (Jon Siwek)
 
@@ -2821,7 +2870,7 @@
 2.2-40 | 2013-12-04 12:16:38 -0800
 
   * ssl_client_hello() now receives a vector of ciphers, instead of a
-    set, to preserve their order. (Bernhard Amann)
+    set, to preserve their order. (Johanna Amann)
 
 2.2-38 | 2013-12-04 12:10:54 -0800
 
@@ -2958,13 +3007,13 @@
 2.2-beta-157 | 2013-10-25 11:11:17 -0700
 
   * Extend the documentation of the SQLite reader/writer framework.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fix inclusion of wrong example file in scripting tutorial.
-    Reported by Michael Auger @LM4K. (Bernhard Amann)
+    Reported by Michael Auger @LM4K. (Johanna Amann)
 
   * Alternative fix for the thrading deadlock issue to avoid potential
-    performance impact. (Bernhard Amann)
+    performance impact. (Johanna Amann)
 
 2.2-beta-152 | 2013-10-24 18:16:49 -0700
 
@@ -2977,7 +3026,7 @@
 2.2-beta-150 | 2013-10-24 16:32:14 -0700
 
   * Change temporary ASCII reader workaround for getline() on
-    Mavericks to permanent fix. (Bernhard Amann)
+    Mavericks to permanent fix. (Johanna Amann)
 
 2.2-beta-148 | 2013-10-24 14:34:35 -0700
 
@@ -2991,7 +3040,7 @@
   * Intel framework notes added to NEWS. (Seth Hall)
 
   * Temporary OSX Mavericks libc++ issue workaround for getline()
-    problem in ASCII reader. (Bernhard Amann)
+    problem in ASCII reader. (Johanna Amann)
 
   * Change test of identify_data BIF to ignore charset as it may vary
     with libmagic version. (Jon Siwek)
@@ -3034,16 +3083,16 @@
 
 2.2-beta-80 | 2013-10-18 13:18:05 -0700
 
-  * SQLite reader/writer documentation. (Bernhard Amann)
+  * SQLite reader/writer documentation. (Johanna Amann)
 
   * Check that the SQLite reader is only used in MANUAL reading mode.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Rename the SQLite writer "dbname" configuration option to
-    "tablename". (Bernhard Amann)
+    "tablename". (Johanna Amann)
 
   * Remove the "dbname" configuration option from the SQLite reader as
-    it wasn't used there. (Bernhard Amann)
+    it wasn't used there. (Johanna Amann)
 
 2.2-beta-73 | 2013-10-14 14:28:25 -0700
 
@@ -3075,9 +3124,9 @@
 
 2.2-beta-55 | 2013-10-10 13:36:38 -0700
 
-  * A couple of new TLS extension numbers. (Bernhard Amann)
+  * A couple of new TLS extension numbers. (Johanna Amann)
 
-  * Suport for three more new TLS ciphers. (Bernhard Amann)
+  * Suport for three more new TLS ciphers. (Johanna Amann)
 
   * Removing ICSI notary from default site config. (Robin Sommer)
 
@@ -3122,7 +3171,7 @@
 
 2.2-beta-18 | 2013-10-02 10:28:17 -0700
 
-  * Add support for further TLS cipher suites. (Bernhard Amann)
+  * Add support for further TLS cipher suites. (Johanna Amann)
 
 2.2-beta-13 | 2013-10-01 11:31:55 -0700
 
@@ -3172,7 +3221,7 @@
 
   * Add links to Intelligence Framework documentation. (Daniel Thayer)
 
-  * Update Mozilla root CA list. (Bernhard Amann, Jon Siwek)
+  * Update Mozilla root CA list. (Johanna Amann, Jon Siwek)
 
   * Update documentation of required packages. (Daniel Thayer)
 
@@ -3183,10 +3232,10 @@
 
 2.1-1357 | 2013-09-18 14:58:52 -0700
 
-  * Update HLL API and its documentation. (Bernhard Amann)
+  * Update HLL API and its documentation. (Johanna Amann)
 
   * Fix case in HLL where hll_error_margin could be undefined.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-1352 | 2013-09-18 14:42:28 -0700
 
@@ -3247,7 +3296,7 @@
 
 
   * Support for probabilistic set cardinality, using the HyperLogLog
-    algorithm. (Bernhard Amann, Soumya Basu)
+    algorithm. (Johanna Amann, Soumya Basu)
 
     Bro now provides the following BiFs:
 
@@ -3286,7 +3335,7 @@
 2.1-1137 | 2013-08-27 13:26:44 -0700
 
   * Add BiF hexstr_to_bytestring() that does exactly the opposite of
-    bytestring_to_hexstr(). (Bernhard Amann)
+    bytestring_to_hexstr(). (Johanna Amann)
 
 2.1-1135 | 2013-08-27 12:16:26 -0700
 
@@ -3358,7 +3407,7 @@
 
 2.1-1078 | 2013-08-19 09:29:30 -0700
 
-  * Moving sqlite code into new external 3rdparty submodule. (Bernhard
+  * Moving sqlite code into new external 3rdparty submodule. Johanna(
     Amann)
 
 2.1-1074 | 2013-08-14 10:29:54 -0700
@@ -3458,12 +3507,12 @@
 
 2.1-1007 | 2013-08-01 15:41:54 -0700
 
-  * More function documentation. (Bernhard Amann)
+  * More function documentation. (Johanna Amann)
 
 2.1-1004 | 2013-08-01 14:37:43 -0700
 
   * Adding a probabilistic data structure for computing "top k"
-    elements. (Bernhard Amann)
+    elements. (Johanna Amann)
 
     The corresponding functions are:
 
@@ -3497,7 +3546,7 @@
 2.1-948 | 2013-07-31 20:08:28 -0700
 
   * Fix segfault caused by merging an empty bloom-filter with a
-    bloom-filter already containing values. (Bernhard Amann)
+    bloom-filter already containing values. (Johanna Amann)
 
 2.1-945 | 2013-07-30 10:05:10 -0700
 
@@ -3637,12 +3686,12 @@
 2.1-814 | 2013-07-15 18:18:20 -0700
 
   * Fixing raw reader crash when accessing nonexistant file, and
-    memory leak when reading from file. Addresses #1038. (Bernhard
+    memory leak when reading from file. Addresses #1038. (Johanna
     Amann)
 
 2.1-811 | 2013-07-14 08:01:54 -0700
 
-  * Bump sqlite to 3.7.17. (Bernhard Amann)
+  * Bump sqlite to 3.7.17. (Johanna Amann)
 
   * Small test fixes. (Seth Hall)
 
@@ -3692,7 +3741,7 @@
 2.1-780 | 2013-07-03 16:46:26 -0700
 
   * Rewrite of the RAW input reader for improved robustness and new
-    features. (Bernhard Amann) This includes:
+    features. (Johanna Amann) This includes:
 
         - Send "end_of_data" event for all kind of streams.
         - Send "process_finished" event with exit code of child
@@ -3821,12 +3870,12 @@
 
 2.1-656 | 2013-05-17 15:58:07 -0700
 
-  * Fix mutex lock problem for writers. (Bernhard Amann)
+  * Fix mutex lock problem for writers. (Johanna Amann)
 
 2.1-654 | 2013-05-17 13:49:52 -0700
 
   * Tweaks to sqlite3 configuration to address threading issues.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-651 | 2013-05-17 13:37:16 -0700
 
@@ -3852,7 +3901,7 @@
 
 2.1-640 | 2013-05-15 17:24:09 -0700
 
-  * Support for cleaning up threads that have terminated. (Bernhard
+  * Support for cleaning up threads that have terminated. (Johanna
     Amann and Robin Sommer). Includes:
 
       - Both logging and input frameworks now clean up threads once
@@ -3869,14 +3918,14 @@
 2.1-626 | 2013-05-15 16:09:31 -0700
 
   * Add "reservoir" sampler for SumStats framework. This maintains
-    a set of N uniquely distributed random samples. (Bernhard Amann)
+    a set of N uniquely distributed random samples. (Johanna Amann)
 
 2.1-619 | 2013-05-15 16:01:42 -0700
 
   * SQLite reader and writer combo. This allows to read/write
     persistent data from on disk SQLite databases. The current
     interface is quite low-level, we'll add higher-level abstractions
-    in the future. (Bernhard Amann)
+    in the future. (Johanna Amann)
 
 2.1-576 | 2013-05-15 14:29:09 -0700
 
@@ -3897,7 +3946,7 @@
 2.1-500 | 2013-05-10 19:22:24 -0700
 
   * Fix to prevent merge-hook of SumStat's unique plugin from damaging
-    source data. (Bernhard Amann)
+    source data. (Johanna Amann)
 
 2.1-498 | 2013-05-03 17:44:08 -0700
 
@@ -3913,7 +3962,7 @@
 2.1-492 | 2013-05-02 12:46:26 -0700
 
   * Work-around for sumstats framework not propagating updates after
-    intermediate check in cluster environments. (Bernhard Amann)
+    intermediate check in cluster environments. (Johanna Amann)
 
   * Always apply tcp_connection_attempt. Before this change it was
     only applied when a connection_attempt() event handler was
@@ -3968,7 +4017,7 @@
 2.1-380 | 2013-03-18 12:18:10 -0700
 
   * Fix gcc compile warnings in base64 encoder and benchmark reader.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-377 | 2013-03-17 17:36:09 -0700
 
@@ -3977,10 +4026,10 @@
 2.1-375 | 2013-03-17 13:14:26 -0700
 
   * Add base64 encoding functionality, including new BiFs
-	encode_base64() and encode_base64_custom(). (Bernhard Amann)
+	encode_base64() and encode_base64_custom(). (Johanna Amann)
 
   * Replace call to external "openssl" in extract-certs-pem.bro with
-	that encode_base64(). (Bernhard Amann)
+	that encode_base64(). (Johanna Amann)
 
   * Adding a test for extract-certs-pem.pem. (Robin Sommer)
 
@@ -4014,7 +4063,7 @@
 
 2.1-357 | 2013-03-08 09:18:35 -0800
 
-  * Fix race-condition in table-event test. (Bernhard Amann)
+  * Fix race-condition in table-event test. (Johanna Amann)
 
   * s/bro-ids.org/bro.org/g. (Robin Sommer)
 
@@ -4031,9 +4080,9 @@
 
 2.1-347 | 2013-03-06 16:48:44 -0800
 
-  * Remove unused parameter from vector assignment method. (Bernhard Amann)
+  * Remove unused parameter from vector assignment method. (Johanna Amann)
 
-  * Remove the byte_len() and length() bifs. (Bernhard Amann)
+  * Remove the byte_len() and length() bifs. (Johanna Amann)
 
 2.1-342 | 2013-03-06 15:42:52 -0800
 
@@ -4085,7 +4134,7 @@
 
 2.1-319 | 2013-02-04 09:45:34 -0800
 
-  * Update input tests to use exit_only_after_terminate. (Bernhard
+  * Update input tests to use exit_only_after_terminate. (Johanna
     Amann)
 
   * New option exit_only_after_terminate to prevent Bro from exiting.
@@ -4117,7 +4166,7 @@
 2.1-302 | 2013-01-23 16:17:29 -0800
 
   * Refactoring ASCII formatting/parsing from loggers/readers into a
-    separate AsciiFormatter class. (Bernhard Amann)
+    separate AsciiFormatter class. (Johanna Amann)
 
   * Fix uninitialized locals in event/hook handlers from having a
     value. Addresses #932. (Jon Siwek)
@@ -4148,7 +4197,7 @@
   * Removing unused class member. (Robin Sommer)
 
   * Add opaque type-ignoring for the accept_unsupported_types input
-    framework option. (Bernhard Amann)
+    framework option. (Johanna Amann)
 
 2.1-271 | 2013-01-08 10:18:57 -0800
 
@@ -4229,7 +4278,7 @@
 2.1-229 | 2012-12-14 14:46:12 -0800
 
   * Fix memory leak in ASCII reader when encoutering errors in input.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Improvements for the "bad checksums" detector to make it detect
     bad TCP checksums. (Seth Hall)
@@ -4300,7 +4349,7 @@
     yet. Addresses #66. (Jon Siwek)
 
   * Fix segfault: Delete correct entry in error case in input
-    framework. (Bernhard Amann)
+    framework. (Johanna Amann)
 
   * Bad record constructor initializers now give an error. Addresses
     #34. (Jon Siwek)
@@ -4558,7 +4607,7 @@
   * Rename the Input Framework's update_finished event to end_of_data.
     It will now not only fire after table-reads have been completed,
     but also after the last event of a whole-file-read (or
-    whole-db-read, etc.). (Bernhard Amann)
+    whole-db-read, etc.). (Johanna Amann)
 
   * Fix for DNS log problem when a DNS response is seen with 0 RRs.
     (Seth Hall)
@@ -4573,7 +4622,7 @@
 2.1-61 | 2012-10-12 09:32:48 -0700
 
   * Fix bug in the input framework: the config table did not work.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.1-58 | 2012-10-08 10:10:09 -0700
 
@@ -4608,7 +4657,7 @@
 
   * Fix for the input framework: BroStrings were constructed without a
     final \0, which makes them unusable by basically all internal
-    functions (like to_count). (Bernhard Amann)
+    functions (like to_count). (Johanna Amann)
 
   * Remove deprecated script functionality (see NEWS for details).
     (Daniel Thayer)
@@ -4660,7 +4709,7 @@
   * Small change to non-blocking DNS initialization. (Jon Siwek)
 
   * Reorder a few statements in scan.l to make 1.5msecs etc work.
-    Adresses #872. (Bernhard Amann)
+    Adresses #872. (Johanna Amann)
 
 2.1-6 | 2012-09-06 23:23:14 -0700
 
@@ -4689,11 +4738,11 @@
   * Fix uninitialized value for 'is_partial' in TCP analyzer. (Jon
     Siwek)
 
-  * Parse 64-bit consts in Bro scripts correctly. (Bernhard Amann)
+  * Parse 64-bit consts in Bro scripts correctly. (Johanna Amann)
 
-  * Output 64-bit counts correctly on 32-bit machines (Bernhard Amann)
+  * Output 64-bit counts correctly on 32-bit machines (Johanna Amann)
 
-  * Input framework fixes, including:  (Bernhard Amann)
+  * Input framework fixes, including:  (Johanna Amann)
 
     - One of the change events got the wrong parameters.
 
@@ -4734,7 +4783,7 @@
 2.1-beta-45 | 2012-08-22 16:11:10 -0700
 
   * Add an option to the input framework that allows the user to chose
-    to not die upon encountering files/functions. (Bernhard Amann)
+    to not die upon encountering files/functions. (Johanna Amann)
 
 2.1-beta-41 | 2012-08-22 16:05:21 -0700
 
@@ -4753,7 +4802,7 @@
 2.1-beta-35 | 2012-08-22 08:44:52 -0700
 
   * Add testcase for input framework reading sets (rather than
-    tables). (Bernhard Amann)
+    tables). (Johanna Amann)
 
 2.1-beta-31 | 2012-08-21 15:46:05 -0700
 
@@ -4812,9 +4861,9 @@
 
 2.1-beta-6 | 2012-08-10 12:22:52 -0700
 
-  * Fix bug in input framework with an edge case. (Bernhard Amann)
+  * Fix bug in input framework with an edge case. (Johanna Amann)
 
-  * Fix small bug in input framework test script. (Bernhard Amann)
+  * Fix small bug in input framework test script. (Johanna Amann)
 
 2.1-beta-3 | 2012-08-03 10:46:49 -0700
 
@@ -4863,13 +4912,13 @@
     writers that don't have a postprocessor. (Seth Hall)
 
   * Update input framework documentation to reflect want_record
-    change. (Bernhard Amann)
+    change. (Johanna Amann)
 
   * Fix crash when encountering an InterpreterException in a predicate
-    in logging or input Framework. (Bernhard Amann)
+    in logging or input Framework. (Johanna Amann)
 
   * Input framework: Make want_record=T the default for events
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Changing the start/end markers in logs to open/close now
     reflecting wall clock. (Robin Sommer)
@@ -4891,10 +4940,10 @@
 
   * Add comprehensive error handling for close() calls. (Jon Siwek)
 
-  * Add more test cases for input framework. (Bernhard Amann)
+  * Add more test cases for input framework. (Johanna Amann)
 
   * Input framework: make error output for non-matching event types
-    much more verbose. (Bernhard Amann)
+    much more verbose. (Johanna Amann)
 
 2.0-877 | 2012-07-25 17:20:34 -0700
 
@@ -4934,12 +4983,12 @@
   * Fix initialization problem in logging class. (Jon Siwek)
 
   * Input framework now accepts escaped ASCII values as input (\x##),
-    and unescapes appropiately. (Bernhard Amann)
+    and unescapes appropiately. (Johanna Amann)
 
   * Make reading ASCII logfiles work when the input separator is
-    different from \t. (Bernhard Amann)
+    different from \t. (Johanna Amann)
 
-  * A number of smaller fixes for input framework. (Bernhard Amann)
+  * A number of smaller fixes for input framework. (Johanna Amann)
 
 2.0-851 | 2012-07-24 15:04:14 -0700
 
@@ -4959,7 +5008,7 @@
   * Reworking parts of the internal threading/logging/input APIs for
     thread-safety. (Robin Sommer)
 
-  * Bugfix for SSL version check. (Bernhard Amann)
+  * Bugfix for SSL version check. (Johanna Amann)
 
   * Changing a HTTP DPD from port 3138 to 3128. Addresses #857. (Robin
     Sommer)
@@ -4979,7 +5028,7 @@
     #763. (Robin Sommer)
 
   * Fix bug, where in dns.log rcode always was set to 0/NOERROR when
-    no reply package was seen. (Bernhard Amann)
+    no reply package was seen. (Johanna Amann)
 
   * Updating to Mozilla's current certificate bundle. (Seth Hall)
 
@@ -4995,7 +5044,7 @@
   * Remove baselines for some leak-detecting unit tests. (Jon Siwek)
 
   * Unblock SIGFPE, SIGILL, SIGSEGV and SIGBUS for threads, so that
-    they now propagate to the main thread. Adresses #848. (Bernhard
+    they now propagate to the main thread. Adresses #848. (Johanna
     Amann)
 
 2.0-761 | 2012-07-12 08:14:38 -0700
@@ -5003,7 +5052,7 @@
   * Some small fixes to further reduce SOCKS false positive logs. (Seth Hall)
 
   * Calls to pthread_mutex_unlock now log the reason for failures.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-757 | 2012-07-11 08:30:19 -0700
 
@@ -5034,11 +5083,11 @@
 
 2.0-733 | 2012-07-02 15:31:24 -0700
 
-  * Extending the input reader DoInit() API. (Bernhard Amann). It now
+  * Extending the input reader DoInit() API. (Johanna Amann). It now
     provides a Info struct similar to what we introduced for log
     writers, including a corresponding "config" key/value table.
 
-  * Fix to make writer-info work when debugging is enabled. (Bernhard
+  * Fix to make writer-info work when debugging is enabled. (Johanna
     Amann)
 
 2.0-726 | 2012-07-02 15:19:15 -0700
@@ -5077,7 +5126,7 @@
 
   * Set input frontend type before starting the thread. This means
     that the thread type will be output correctly in the error
-    message. (Bernhard Amann)
+    message. (Johanna Amann)
 
 2.0-719 | 2012-07-02 14:49:03 -0700
 
@@ -5166,7 +5215,7 @@
 
 2.0-622 | 2012-06-15 15:38:43 -0700
 
-  * Input framework updates. (Bernhard Amann)
+  * Input framework updates. (Johanna Amann)
 
     - Disable streaming reads from executed commands. This lead to
       hanging Bros because pclose apparently can wait for eternity if
@@ -5245,7 +5294,7 @@
 
   * A new input framework enables scripts to read in external data
     dynamically on the fly as Bro is processing network traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
     Currently, the framework supports reading ASCII input that's
     structured similar as Bro's log files as well as raw blobs of
@@ -5412,7 +5461,7 @@
 2.0-315 | 2012-05-03 11:44:17 -0700
 
   * Add two more TLS extension values that we see in live traffic.
-    (Bernhard Amann)
+    (Johanna Amann)
 
   * Fixed IPv6 link local unicast CIDR and added IPv6 loopback to
     private address space. (Seth Hall)
@@ -5800,7 +5849,7 @@
 
 2.0-41 | 2012-02-03 04:10:53 -0500
 
-  * Updates to the Software framework to simplify the API. (Bernhard
+  * Updates to the Software framework to simplify the API. (Johanna
     Amann)
 
 2.0-40 | 2012-02-03 01:55:27 -0800
@@ -5943,7 +5992,7 @@
 
 2.0-beta-152 | 2012-01-03 14:51:34 -0800
 
-  * Notices now record the transport-layer protocol. (Bernhard Amann)
+  * Notices now record the transport-layer protocol. (Johanna Amann)
 
 2.0-beta-150 | 2012-01-03 14:42:45 -0800
 
@@ -5970,7 +6019,7 @@
     assignments. Addresses #722. (Jon Siwek)
 
   * Make log headers include the type of data stored inside a set or
-    vector ("vector[string]"). (Bernhard Amann)
+    vector ("vector[string]"). (Johanna Amann)
 
 2.0-beta-126 | 2011-12-18 15:18:05 -0800
 
@@ -6107,11 +6156,11 @@
   * Fix order of include directories. (Jon Siwek)
 
   * Catch if logged vectors do not contain only atomic types.
-    (Bernhard Amann)
+    (Johanna Amann)
 
 2.0-beta-47 | 2011-11-16 08:24:33 -0800
 
-  * Catch if logged sets do not contain only atomic types. (Bernhard
+  * Catch if logged sets do not contain only atomic types. (Johanna
     Amann)
 
   * Promote libz and libmagic to required dependencies. (Jon Siwek)

CMakeLists.txt

@@ -88,7 +88,7 @@ endif ()
 
 include_directories(BEFORE
                     ${PCAP_INCLUDE_DIR}
-                    ${OpenSSL_INCLUDE_DIR}
+                    ${OPENSSL_INCLUDE_DIR}
                     ${BIND_INCLUDE_DIR}
                     ${BinPAC_INCLUDE_DIR}
                     ${ZLIB_INCLUDE_DIR}
@@ -141,7 +141,7 @@ endif ()
 set(brodeps
     ${BinPAC_LIBRARY}
     ${PCAP_LIBRARY}
-    ${OpenSSL_LIBRARIES}
+    ${OPENSSL_LIBRARIES}
     ${BIND_LIBRARY}
     ${ZLIB_LIBRARY}
     ${JEMALLOC_LIBRARIES}

NEWS

@@ -51,6 +51,9 @@ New Functionality
 Changed Functionality
 ---------------------
 
+- ``SSH::skip_processing_after_detection`` was removed. The functionality was
+  replaced by ``SSH::disable_analyzer_after_detection``.
+
 - Some script-level identifier have changed their names:
 
       snaplen                  -> Pcap::snaplen

VERSION

@@ -1 +1 @@
-2.4-267
+2.4-307

aux/binpac

@@ -1 +1 @@
-Subproject commit 1a6ec48bf57027f1449a8a6a7a19a19db4a12517
+Subproject commit 8dff7992f64f91a84f436a3c015991e450faa376

aux/bro-aux

@@ -1 +1 @@
-Subproject commit 99ef7a101a06b89a5ae880e7a1493b8b56f8240e
+Subproject commit 866dad93a1b5d84b2a1606ef05c3d919df23e15b

aux/broccoli

@@ -1 +1 @@
-Subproject commit 31d62cc6570d38ce570422c99d04ef86fa825c04
+Subproject commit 2b1390d95b39a8902cf135cb26df68ae0bb79dd3

aux/broctl

@@ -1 +1 @@
-Subproject commit 5f29450196bb6238012d81c72cd0fc324ca9a7c5
+Subproject commit 1081032c63318f9cd42720e9399483e7c8319451

aux/broker

@@ -1 +1 @@
-Subproject commit 3db1884fbb5f0e1f2b669d8d3f549583e3b3cea4
+Subproject commit fe35cde8f07ff7cf6decd2fb761cffc32e763d2d

aux/btest

@@ -1 +1 @@
-Subproject commit 92deefbc5ea8218dc98117fb115af79a5b247c70
+Subproject commit 4bea8fa948be2bc86ff92399137131bc1c029b08

aux/plugins

@@ -1 +1 @@
-Subproject commit d8b13bd6cd6059acf86aa00cfb2877d37f6b9024
+Subproject commit d251af520ccdede694d7b3b7bcbc47df1080508c

cmake

@@ -1 +1 @@
-Subproject commit 3fcb71abc1697c23d16b987340e957639275ec21
+Subproject commit 392e6be9b7e0ac2e7a892853ef185a7a927ea60e

configure

@@ -226,7 +226,7 @@ while [ $# -ne 0 ]; do
             append_cache_entry DISABLE_RUBY_BINDINGS     BOOL   false
             ;;
         --with-openssl=*)
-            append_cache_entry OpenSSL_ROOT_DIR PATH $optarg
+            append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
             ;;
         --with-bind=*)
             append_cache_entry BIND_ROOT_DIR PATH $optarg

doc/install/install.rst

@@ -75,6 +75,21 @@ To install the required dependencies, you can use:
   Note that in older versions of FreeBSD, you might have to use the
   "pkg_add -r" command instead of "pkg install".
 
+  For older versions of FreeBSD (especially FreeBSD 9.x), the system compiler
+  is not new enough to compile Bro. For these systems, you will have to install
+  a newer compiler using pkg; the ``clang34`` package should work.
+
+  You will also have to define several environment variables on these older
+  systems to use the new compiler and headers similar to this before calling
+  configure:
+
+  .. console::
+
+     export CC=clang34
+     export CXX=clang++34
+     export CXXFLAGS="-stdlib=libc++ -I${LOCALBASE}/include/c++/v1 -L${LOCALBASE}/lib"
+     export LDFLAGS="-pthread"
+
 * Mac OS X:
 
   Compiling source code on Macs requires first installing Xcode_ (in older

scripts/base/protocols/conn/main.bro

@@ -47,7 +47,7 @@ export {
 		## S2           Connection established and close attempt by originator seen (but no reply from responder).
 		## S3           Connection established and close attempt by responder seen (but no reply from originator).
 		## RSTO         Connection established, originator aborted (sent a RST).
-		## RSTR         Established, responder aborted.
+		## RSTR         Responder sent a RST.
 		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
 		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
 		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

scripts/base/protocols/sip/main.bro

@@ -80,7 +80,7 @@ export {
 	## that the SIP analyzer will only accept methods consisting solely
 	## of letters ``[A-Za-z]``.
 	const sip_methods: set[string] = {
-		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY"
+		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY", "SUBSCRIBE"
 	} &redef;
 
 	## Event that can be handled to access the SIP record as it is sent on
@@ -153,7 +153,7 @@ function flush_pending(c: connection)
 			# We don't use pending elements at index 0.
 			if ( r == 0 )
 				next;
-			
+
 			Log::write(SIP::LOG, c$sip_state$pending[r]);
 			}
 		}

scripts/base/protocols/ssh/main.bro

@@ -46,11 +46,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
-	## packets after the initial SSH handshake. Helps with performance
-	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
+	if ( disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -179,7 +177,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
 	# Usually these are the same, but if they're not, return the details
 	return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
 	}
-	
+
 event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
 	{
 	if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}

src/3rdparty

@@ -1 +1 @@
-Subproject commit 6a429e79bbaf0fcc11eff5f639bfb9d1f62be6f2
+Subproject commit f1eaca0e085a8b37ec6a32c7e1b0e9571414a2e3

src/Stats.cc

@@ -362,12 +362,16 @@ SampleLogger::~SampleLogger()
 
 void SampleLogger::FunctionSeen(const Func* func)
 	{
-	load_samples->Assign(new StringVal(func->Name()), 0);
+	Val* idx = new StringVal(func->Name());
+	load_samples->Assign(idx, 0);
+	Unref(idx);
 	}
 
 void SampleLogger::LocationSeen(const Location* loc)
 	{
-	load_samples->Assign(new StringVal(loc->filename), 0);
+	Val* idx = new StringVal(loc->filename);
+	load_samples->Assign(idx, 0);
+	Unref(idx);
 	}
 
 void SampleLogger::SegmentProfile(const char* /* name */,

src/Val.h

@@ -753,10 +753,11 @@ public:
 	TableVal(TableType* t, Attributes* attrs = 0);
 	~TableVal();
 
-	// Returns true if the assignment typechecked, false if not.
-	// Second version takes a HashKey and Unref()'s it when done.
-	// If we're a set, new_val has to be nil.
-	// If we aren't a set, index may be nil in the second version.
+	// Returns true if the assignment typechecked, false if not. The
+	// methods take ownership of new_val, but not of the index. Second
+	// version takes a HashKey and Unref()'s it when done. If we're a
+	// set, new_val has to be nil. If we aren't a set, index may be nil
+	// in the second version.
 	int Assign(Val* index, Val* new_val, Opcode op = OP_ASSIGN);
 	int Assign(Val* index, HashKey* k, Val* new_val, Opcode op = OP_ASSIGN);
 

src/analyzer/protocol/http/HTTP.cc

@@ -1209,7 +1209,15 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	const char* end_of_method = get_HTTP_token(line, end_of_line);
 
 	if ( end_of_method == line )
+		{
+		// something went wrong with get_HTTP_token
+		// perform a weak test to see if the string "HTTP/"
+		// is found at the end of the RequestLine
+		if ( end_of_line - 9 >= line && strncasecmp(end_of_line - 9, " HTTP/", 6) == 0 )
+			goto bad_http_request_with_version;
+
 		goto error;
+	}
 
 	rest = skip_whitespace(end_of_method, end_of_line);
 
@@ -1230,6 +1238,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 
 	return 1;
 
+bad_http_request_with_version:
+	reporter->Weird(Conn(), "bad_HTTP_request_with_version");
+	return 0;
+
 error:
 	reporter->Weird(Conn(), "bad_HTTP_request");
 	return 0;

src/analyzer/protocol/irc/IRC.cc

@@ -32,6 +32,15 @@ void IRC_Analyzer::Done()
 	tcp::TCP_ApplicationAnalyzer::Done();
 	}
 
+inline void IRC_Analyzer::SkipLeadingWhitespace(string& str)
+	{
+	const auto first_char = str.find_first_not_of(" ");
+	if ( first_char == string::npos )
+		str = "";
+	else
+		str = str.substr(first_char);
+	}
+
 void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	{
 	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
@@ -49,20 +58,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		return;
 		}
 
-	if ( length < 2 )
+	string myline = string((const char*) line, length);
+	SkipLeadingWhitespace(myline);
+
+	if ( myline.length() < 3 )
 		{
 		Weird("irc_line_too_short");
 		return;
 		}
 
-	string myline = string((const char*) line);
-
 	// Check for prefix.
 	string prefix = "";
-	if ( line[0] == ':' )
+	if ( myline[0] == ':' )
 		{ // find end of prefix and extract it
-		unsigned int pos = myline.find(' ');
-		if ( pos > (unsigned int) length )
+		auto pos = myline.find(' ');
+		if ( pos == string::npos )
 			{
 			Weird("irc_invalid_line");
 			return;
@@ -70,9 +80,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		prefix = myline.substr(1, pos - 1);
 		myline = myline.substr(pos + 1);  // remove prefix from line
+		SkipLeadingWhitespace(myline);
 		}
 
-
 	if ( orig )
 		ProtocolConfirmation();
 
@@ -80,7 +90,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	string command = "";
 
 	// Check if line is long enough to include status code or command.
-	if ( myline.size() < 4 )
+	// (shortest command with optional params is "WHO")
+	if ( myline.length() < 3 )
 		{
 		Weird("irc_invalid_line");
 		ProtocolViolation("line too short");
@@ -106,28 +117,30 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		}
 	else
 		{ // get command
-
-		// special case that has no arguments
-		if ( myline == "STARTTLS" )
-			return;
-
-		unsigned int pos = myline.find(' ');
-		if ( pos > (unsigned int) length )
-			{
-			Weird("irc_invalid_line");
-			return;
-			}
+		auto pos = myline.find(' ');
+		// Not all commands require parameters
+		if ( pos == string::npos )
+			pos = myline.length();
 
 		command = myline.substr(0, pos);
 		for ( unsigned int i = 0; i < command.size(); ++i )
 			command[i] = toupper(command[i]);
 
+		// Adjust for the no-parameter case
+		if ( pos == myline.length() )
+			pos--;
+
 		myline = myline.substr(pos + 1);
+		SkipLeadingWhitespace(myline);
 		}
 
 	// Extract parameters.
 	string params = myline;
 
+	// special case
+	if ( command == "STARTTLS" )
+		return;
+
 	// Check for Server2Server - connections with ZIP enabled.
 	if ( orig && orig_status == WAIT_FOR_REGISTRATION )
 		{
@@ -148,7 +161,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		//
 		// (### This seems not quite prudent to me - VP)
 		if ( command == "SERVER" && prefix == "")
-		        {
+			{
 			orig_status = REGISTERED;
 			}
 		}
@@ -156,7 +169,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	if ( ! orig && resp_status == WAIT_FOR_REGISTRATION )
 		{
 		if ( command == "PASS" )
-		        {
+			{
 			vector<string> p = SplitWords(params,' ');
 			if ( p.size() > 3 &&
 			     (p[3].find('Z')<=p[3].size() ||
@@ -268,7 +281,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				{
 				if ( parts[i][0] == '@' )
 					parts[i] = parts[i].substr(1);
-				set->Assign(new StringVal(parts[i].c_str()), 0);
+				Val* idx = new StringVal(parts[i].c_str());
+				set->Assign(idx, 0);
+				Unref(idx);
 				}
 			vl->append(set);
 
@@ -572,6 +587,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 670:
 			// StartTLS success reply to StartTLS
 			StartTLS();
+			break;
 
 		// All other server replies.
 		default:
@@ -612,6 +628,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 
 		if ( message.size() > 0 && message[0] == ':' )
 			message = message.substr(1);
@@ -686,6 +703,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
@@ -710,6 +728,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 
 		string target = params.substr(0, pos);
 		string message = params.substr(pos + 1);
+		SkipLeadingWhitespace(message);
 		if ( message[0] == ':' )
 			message = message.substr(1);
 
@@ -935,7 +954,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			channels = params.substr(0, pos);
 			if ( params.size() > pos + 1 )
+				{
 				message = params.substr(pos + 1);
+				SkipLeadingWhitespace(message);
+				}
 			if ( message[0] == ':' )
 				message = message.substr(1);
 			}
@@ -982,7 +1004,6 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(new Val(orig, TYPE_BOOL));
-		vl->append(new Val(orig, TYPE_BOOL));
 		vl->append(new StringVal(nickname.c_str()));
 		vl->append(new StringVal(message.c_str()));
 
@@ -1007,7 +1028,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_who_message && command == "WHO" )
 		{
 		vector<string> parts = SplitWords(params, ' ');
-		if ( parts.size() < 1 || parts.size() > 2 )
+		if ( parts.size() > 2 )
 			{
 			Weird("irc_invalid_who_message_format");
 			return;
@@ -1018,13 +1039,16 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			oper = true;
 
 		// Remove ":" from mask.
-		if ( parts[0].size() > 0 && parts[0][0] == ':' )
+		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);
 
 		val_list* vl = new val_list;
 		vl->append(BuildConnVal());
 		vl->append(new Val(orig, TYPE_BOOL));
-		vl->append(new StringVal(parts[0].c_str()));
+		if ( parts.size() > 0 )
+			vl->append(new StringVal(parts[0].c_str()));
+		else
+			vl->append(new StringVal(""));
 		vl->append(new Val(oper, TYPE_BOOL));
 
 		ConnectionEvent(irc_who_message, vl);
@@ -1129,6 +1153,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			{
 			server = params.substr(0, pos);
 			message = params.substr(pos + 1);
+			SkipLeadingWhitespace(message);
 			if ( message[0] == ':' )
 				message = message.substr(1);
 			}

src/analyzer/protocol/irc/IRC.h

@@ -22,7 +22,7 @@ public:
 	/**
 	* \brief Called when connection is closed.
 	*/
-	virtual void Done();
+	void Done() override;
 
 	/**
 	* \brief New input line in network stream.
@@ -31,7 +31,7 @@ public:
 	* \param data pointer to line start
 	* \param orig was this data sent from connection originator?
 	*/
-	virtual void DeliverStream(int len, const u_char* data, bool orig);
+	void DeliverStream(int len, const u_char* data, bool orig) override;
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{
@@ -47,6 +47,8 @@ protected:
 private:
 	void StartTLS();
 
+	inline void SkipLeadingWhitespace(string& str);
+
 	/** \brief counts number of invalid IRC messages */
 	int invalid_msg_count;
 

src/analyzer/protocol/smb/SMB.cc

@@ -336,7 +336,9 @@ int SMB_Session::ParseNegotiate(binpac::SMB::SMB_header const& hdr,
 			{
 			binpac::SMB::SMB_dialect* d = (*msg.dialects())[i];
 			BroString* tmp = ExtractString(d->dialectname());
-			t->Assign(new Val(i, TYPE_COUNT), new StringVal(tmp));
+			Val* idx = new Val(i, TYPE_COUNT);
+			t->Assign(idx, new StringVal(tmp));
+			Unref(idx);
 			}
 
 		val_list* vl = new val_list;

src/strings.bif

@@ -1161,7 +1161,9 @@ function find_all%(str: string, re: pattern%) : string_set
 		int n = re->MatchPrefix(t, e - t);
 		if ( n >= 0 )
 			{
-			a->Assign(new StringVal(n, (const char*) t), 0);
+			Val* idx = new StringVal(n, (const char*) t);
+			a->Assign(idx, 0);
+			Unref(idx);
 			t += n - 1;
 			}
 		}

testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/http.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2016-02-05-13-13-06
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	orig_fuids	orig_mime_types	resp_fuids	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	count	count	count	string	count	string	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]
+1452204358.910557	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	1	-	-	-	-	1.1	-	0	14	200	OK	-	-	-	(empty)	-	-	-	-	-	FGec0Miu9FfcsYUT4	text/plain
+#close	2016-02-05-13-13-06

testing/btest/Baseline/scripts.base.protocols.http.http-bad-request-with-version/weird.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2016-03-07-21-06-28
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1452204358.172926	CXWv6p3arKYeMETxOg	192.168.122.130	49157	202.7.177.41	80	bad_HTTP_request_with_version	-	F	bro
+#close	2016-03-07-21-06-28

testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log

@@ -3,7 +3,7 @@
 #empty_field	(empty)
 #unset_field	-
 #path	weird
-#open	2016-01-15-20-54-31
+#open	2016-03-07-21-06-12
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
 #types	time	string	addr	port	addr	port	string	string	bool	string
 1354328874.237327	CjhGID4nQcgTWjvg4c	128.2.6.136	46563	173.194.75.103	80	missing_HTTP_uri	-	F	bro
@@ -13,9 +13,9 @@
 1354328882.949510	C7XEbhP654jzLoe3a	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328887.094494	CMXxB5GvmoxJFXdTa	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328891.141058	Caby8b1slFea8xwSmb	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.183942	Che1bq3i2rO3KD1Syg	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.226199	C3SfNE4BWaU4aSuwkc	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
-1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.267625	CEle3f3zno26fFZkrh	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request_with_version	-	F	bro
 1354328891.309065	CwSkQu4eWZCH7OONC1	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.355012	CfTOmO0HKorjr8Zp7	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
 1354328895.396634	CzA03V1VcgagLjnO92	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
@@ -33,4 +33,4 @@
 1354328924.518204	CuChlg202P8sUFuXrg	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.734579	CY93mM3aViMiLKuSw3	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
 1354328932.776609	CXgISq6dA2DVPzqp9	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
-#close	2016-01-15-20-54-32
+#close	2016-03-07-21-06-12

testing/btest/Baseline/scripts.base.protocols.irc.events/.stdout

@@ -11,3 +11,10 @@ thenagualII!~affreujoj@THENAGUAL.users.undernet.org -> #easymovies: \x0304,00DVD
  -> ladyvampress: list
  -> #easymovies: @ladyvampress
 gordon1`^!~allu0002@gordon2411.users.undernet.org -> #easymovies: \x0308\x02File Server Online\x02 \x0303Triggers:\xab\x0308\x0308/ctcp gordon1`^ /ctcp gordon1`^ /CTCP gordon1`^ Movies Galore\x0303\xbb Sends:\xab\x03081/30\x0303\xbb Queues:\xab\x03080/30\x0303\xbb Accessed:\xab\x03082556 times\x0303\xbb Online:\xab\x03080/4\x0303\xbb RCPS:\xab\x0308193.8 Kbs by MadDingo\x0303\xbb Served:\xab\x03081.14TB in 1118 files\x0303\xbb Current BW:\xab\x030818.7 Kbs\x0303\xbb AQT:\xab\x0308No Wait\x0303\xbb \x0f\x0303\x97\x0314I\x0303-\x0315n\x0303-\x0315v\x0303-\x0300i\x0303-\x0300s\x0303-\x0315i\x0303-\x0315o\x0303-\x0314n\x0303\x97\x0f
+quit:  ()
+ -> #brotest: test
+quit:  (quitting)
+quit: brotest (Client Quit)
+ -> #BROTEST: test
+quit:  (quitting)
+quit: brotest (Client Quit)

testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log

@@ -0,0 +1,34 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-03-07-21-31-43
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1324071333.493287	CXWv6p3arKYeMETxOg	192.168.1.79	51880	131.159.21.1	22	tcp	ssh	6.159326	2669	2501	SF	-	-	0	ShAdDaFf	25	3981	20	3549	(empty)
+1409516196.337184	CjhGID4nQcgTWjvg4c	10.0.0.18	40184	128.2.6.88	41644	tcp	ssh	0.392307	3205	2129	S1	-	-	0	ShADad	12	3837	12	2761	(empty)
+1419870206.101883	CsRx2w45OKnoww6xl4	192.168.2.1	57191	192.168.2.158	22	tcp	ssh	3.862198	576	813	SF	-	-	0	ShAdDaFf	23	1784	16	1653	(empty)
+1419870189.485611	CCvvfg3TEfuqmmG4bh	192.168.2.1	57189	192.168.2.158	22	tcp	ssh	5.267866	4601	2805	S1	-	-	0	ShADad	22	5757	18	3749	(empty)
+1419996264.318569	CRJuHdVW0XPVINV8a	192.168.2.1	55179	192.168.2.158	2200	tcp	ssh	1.124642	1909	1161	S1	-	-	0	ShADad	16	2753	12	1793	(empty)
+1420588548.721272	CPbrpk1qSsw6ESzHV4	192.168.2.1	56594	192.168.2.158	22	tcp	ssh	8.841749	480	537	SF	-	-	0	ShAdDaFf	17	1376	14	1273	(empty)
+1420590124.879760	C6pKV8GSxOnSLghOa	192.168.2.1	56821	192.168.2.158	22	tcp	ssh	1.106250	820	1125	SF	-	-	0	ShAdDaFf	26	2184	20	2173	(empty)
+1420590308.775525	CIPOse170MGiRM1Qf4	192.168.2.1	56837	192.168.2.158	22	tcp	ssh	1.080767	692	997	SF	-	-	0	ShAdDaFf	25	2004	19	1993	(empty)
+1420590322.673363	C7XEbhP654jzLoe3a	192.168.2.1	56845	192.168.2.158	22	tcp	ssh	1.302395	660	965	SF	-	-	0	ShAdDaFf	26	2024	20	2013	(empty)
+1420590636.473213	CJ3xTn1c4Zw9TmAE05	192.168.2.1	56875	192.168.2.158	22	tcp	ssh	12.013506	588	549	SF	-	-	0	ShAdDaFf	19	1588	16	1389	(empty)
+1420590659.422161	CMXxB5GvmoxJFXdTa	192.168.2.1	56878	192.168.2.158	22	tcp	ssh	3.628964	684	825	SF	-	-	0	ShAdDaFf	25	1996	19	1821	(empty)
+1420591379.650462	Caby8b1slFea8xwSmb	192.168.2.1	56940	192.168.2.158	22	tcp	ssh	0.104978	500	609	SF	-	-	0	ShAdDaFf	14	1240	10	1137	(empty)
+1420599430.822385	Che1bq3i2rO3KD1Syg	192.168.2.1	57831	192.168.2.158	22	tcp	ssh	2.758790	576	813	SF	-	-	0	ShAdDaFf	23	1784	18	1757	(empty)
+1420851448.309629	C3SfNE4BWaU4aSuwkc	192.168.2.1	59246	192.168.2.158	22	tcp	ssh	2.046715	2421	3505	S1	-	-	0	ShADad	18	3369	13	4189	(empty)
+1420860616.400297	CwSkQu4eWZCH7OONC1	192.168.1.32	33910	128.2.13.133	22	tcp	ssh	0.660753	3383	2645	S1	-	-	0	ShADad	18	4327	16	3485	(empty)
+1420860283.029061	CEle3f3zno26fFZkrh	192.168.1.32	41164	128.2.10.238	22	tcp	ssh	7.498828	5479	2327	S1	-	-	0	ShADad	21	6579	18	3271	(empty)
+1420868281.639103	CfTOmO0HKorjr8Zp7	192.168.1.32	41268	128.2.10.238	22	tcp	ssh	2.710778	5613	2487	SF	-	-	0	ShADadFf	24	6869	20	3535	(empty)
+1420917487.213378	CzA03V1VcgagLjnO92	192.168.1.31	57621	192.168.1.255	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.213468	CyAhVIzHqb7t7kv28	192.168.1.32	57621	192.168.1.31	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.220407	Cab0vO1xNYSS2hJkle	192.168.1.31	52294	192.168.1.32	22	tcp	ssh	2.807865	3169	1329	S1	-	-	0	ShADad	19	4169	13	2013	(empty)
+1421006072.431795	Cx3C534wEyF3OvvcQe	192.168.1.31	51476	192.168.1.32	8118	tcp	-	0.000539	76	0	SF	-	-	0	DaFfA	6	388	5	284	(empty)
+1421006072.001012	Cx2FqO23omNawSNrxj	192.168.1.31	51489	192.168.1.32	22	tcp	ssh	2.408961	3469	1565	S1	-	-	0	ShAdDa	25	4805	16	2421	(empty)
+1421041176.944687	CkDsfG2YIeWJmXWNWj	192.168.1.32	58641	131.103.20.168	22	tcp	ssh	0.587601	2885	2309	SF	-	-	0	ShADdaFf	16	3725	13	2993	(empty)
+1421041299.738916	CUKS0W3HFYOnBqSE5e	192.168.1.32	58646	131.103.20.168	22	tcp	ssh	0.538385	3517	3197	S1	-	-	0	ShADad	18	4461	16	4037	(empty)
+1421041526.312919	CRrfvP2lalMAYOCLhj	192.168.1.32	58649	131.103.20.168	22	tcp	ssh	0.542213	3517	3197	S1	-	-	0	ShADad	17	4409	16	4037	(empty)
+#close	2016-03-07-21-31-43

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -182,7 +182,6 @@
 1437831799.764576 x509_extension
 1437831799.764576 x509_ext_subject_alternative_name
 1437831799.764576 file_hash
-1437831799.764576 file_hash
 1437831799.764576 file_state_remove
 1437831799.764576 file_new
 1437831799.764576 file_over_new_connection
@@ -197,7 +196,6 @@
 1437831799.764576 x509_extension
 1437831799.764576 x509_extension
 1437831799.764576 file_hash
-1437831799.764576 file_hash
 1437831799.764576 file_state_remove
 1437831799.764576 ssl_handshake_message
 1437831799.764576 ssl_handshake_message

testing/btest/core/leaks/irc.test

@@ -0,0 +1,13 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
+	{
+	print channel, users;
+	}

testing/btest/core/leaks/stats.bro

@@ -0,0 +1,15 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load policy/misc/stats.bro
+
+event load_sample(samples: load_sample_info, CPU: interval, dmem: int)
+	{
+	print CPU;
+	}

testing/btest/scripts/base/protocols/http/http-bad-request-with-version.bro

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+

testing/btest/scripts/base/protocols/irc/events.test

@@ -0,0 +1,16 @@
+# Test IRC events
+
+# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-basic.trace %INPUT
+# @TEST-EXEC: bro -r $TRACES/irc-whitespace.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
+	{
+	print fmt("%s -> %s: %s", source, target, message);
+	}
+
+event irc_quit_message(c: connection, is_orig: bool, nick: string, message: string)
+	{
+	print fmt("quit: %s (%s)", nick, message);
+	}

testing/btest/scripts/base/protocols/irc/privmsg.test

@@ -1,10 +0,0 @@
-# Test the privmsg event
-
-# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
-event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
-	{
-	print fmt("%s -> %s: %s", source, target, message);
-	}
-

testing/btest/scripts/base/protocols/ssh/basic.test

@@ -1,4 +1,5 @@
 # This tests some SSH connections and the output log.
 
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
-# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log

testing/btest/scripts/policy/misc/dump-events.bro

@@ -1,7 +1,18 @@
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro >all-events.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include_args=F >all-events-no-args.log
-# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro DumpEvents::include=/smtp_/ >smtp-events.log
-# 
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT >all-events.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include_args=F >all-events-no-args.log
+# @TEST-EXEC: bro -r $TRACES/smtp.trace policy/misc/dump-events.bro %INPUT DumpEvents::include=/smtp_/ >smtp-events.log
+#
 # @TEST-EXEC: btest-diff all-events.log
 # @TEST-EXEC: btest-diff all-events-no-args.log
 # @TEST-EXEC: btest-diff smtp-events.log
+
+# There is some kind of race condition between the MD5 and SHA1 events, which are added
+# by the SSL parser. Just remove MD5, this is not important for this test.
+
+event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
+	{
+	if ( ! c?$ssl )
+		return;
+
+	Files::remove_analyzer(f, Files::ANALYZER_MD5);
+	}