GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev.

This also installs symlinks from "zeek" and "bro-config" to a wrapper script that prints a deprecation warning. The btests pass, but this is still WIP. broctl renaming is still missing. #239
2025-10-10 02:28:21 +00:00 · 2019-04-23 14:25:56 +02:00 · 2019-04-23 14:25:56 +02:00 · 789cb376fd
commit 789cb376fd
parent 375b151a4b
1119 changed files with 1686 additions and 1647 deletions
--- a/testing/btest/scripts/base/protocols/arp/bad.test
+++ b/testing/btest/scripts/base/protocols/arp/bad.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/arp-leak.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/basic.test
+++ b/testing/btest/scripts/base/protocols/arp/basic.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/arp-who-has.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/arp-who-has.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/radiotap.test
+++ b/testing/btest/scripts/base/protocols/arp/radiotap.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/arp-who-has-radiotap.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/arp-who-has-radiotap.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/arp/wlanmon.test
+++ b/testing/btest/scripts/base/protocols/arp/wlanmon.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
--- a/testing/btest/scripts/base/protocols/conn/contents-default-extract.test
+++ b/testing/btest/scripts/base/protocols/conn/contents-default-extract.test
@ -1,3 +1,3 @@
-# @TEST-EXEC: bro -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
+# @TEST-EXEC: zeek -f "tcp port 21" -r $TRACES/ftp/ipv6.trace "Conn::default_extract=T"
 # @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_orig.dat
 # @TEST-EXEC: btest-diff contents_[2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185-[2001:470:4867:99::21]:21_resp.dat
--- a/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek
+++ b/testing/btest/scripts/base/protocols/conn/new_connection_contents.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event new_connection_contents(c: connection)
--- a/testing/btest/scripts/base/protocols/conn/polling.test
+++ b/testing/btest/scripts/base/protocols/conn/polling.test
@ -1,6 +1,6 @@
-# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT >out1
+# @TEST-EXEC: zeek -b -r $TRACES/http/100-continue.trace %INPUT >out1
 # @TEST-EXEC: btest-diff out1
-# @TEST-EXEC: bro -b -r $TRACES/http/100-continue.trace %INPUT stop_cnt=2 >out2
+# @TEST-EXEC: zeek -b -r $TRACES/http/100-continue.trace %INPUT stop_cnt=2 >out2
 # @TEST-EXEC: btest-diff out2

@load base/protocols/conn
--- a/testing/btest/scripts/base/protocols/conn/threshold.zeek
+++ b/testing/btest/scripts/base/protocols/conn/threshold.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event connection_established(c: connection)
--- a/testing/btest/scripts/base/protocols/dce-rpc/context.zeek
+++ b/testing/btest/scripts/base/protocols/dce-rpc/context.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
+# @TEST-EXEC: zeek -b -C -r $TRACES/dce-rpc/cs_window7-join_stream092.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff dce_rpc.log

--- a/testing/btest/scripts/base/protocols/dce-rpc/mapi.test
+++ b/testing/btest/scripts/base/protocols/dce-rpc/mapi.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/dce-rpc/mapi.pcap %INPUT
 # @TEST-EXEC: btest-diff dce_rpc.log
 # @TEST-EXEC: btest-diff ntlm.log

--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
@ -2,5 +2,5 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-all-msg-types.btest
@ -2,5 +2,5 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
@ -2,5 +2,5 @@
 # The trace has a message of each DHCP message type,
 # but only one lease should show up in the logs.

-# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
--- a/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest
@ -1,2 +1,2 @@
-# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
+# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts
 # @TEST-EXEC: btest-diff dhcp.log
--- a/testing/btest/scripts/base/protocols/dhcp/inform.test
+++ b/testing/btest/scripts/base/protocols/dhcp/inform.test
@ -1,5 +1,5 @@
 # DHCPINFORM leases are special-cased in the code.
 # This tests that those leases are correctly logged.

-# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_inform.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dhcp/dhcp_inform.trace %INPUT
 # @TEST-EXEC: btest-diff dhcp.log
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_del_measure.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_del_measure.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_en_spon.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_del.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_del.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_file_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_file_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_link_only.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -C -r $TRACES/dnp3/dnp3_link_only.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_rec_time.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_rec_time.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_select_operate.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_en_spon.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_en_spon.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_read.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_read.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_select_operate.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_select_operate.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_udp_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_udp_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/dnp3_write.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3_write.pcap %DIR/events.zeek >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dnp3/events.zeek
+++ b/testing/btest/scripts/base/protocols/dnp3/events.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/dnp3/dnp3.trace %INPUT >output
+# @TEST-EXEC: zeek -r $TRACES/dnp3/dnp3.trace %INPUT >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $1}' | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/dnp3/events.bif  | grep "^event dnp3_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/dns/caa.zeek
+++ b/testing/btest/scripts/base/protocols/dns/caa.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/dns-caa.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dns-caa.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event dns_CAA_reply(c: connection, msg: dns_msg, ans: dns_answer, flags: count, tag: string, value: string)
--- a/testing/btest/scripts/base/protocols/dns/dns-key.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dns-key.zeek
@ -1,4 +1,4 @@
 # Making sure DNSKEY gets logged as such.
 #
-# @TEST-EXEC: bro -r $TRACES/dnssec/dnskey2.pcap
+# @TEST-EXEC: zeek -r $TRACES/dnssec/dnskey2.pcap
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/dnskey.zeek
+++ b/testing/btest/scripts/base/protocols/dns/dnskey.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
+# @TEST-EXEC: zeek -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/ds.zeek
+++ b/testing/btest/scripts/base/protocols/dns/ds.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/dnssec/ds.pcap %INPUT > output
+# @TEST-EXEC: zeek -C -r $TRACES/dnssec/ds.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
+++ b/testing/btest/scripts/base/protocols/dns/duplicate-reponses.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: bro -r $TRACES/dns-two-responses.trace
+# @TEST-EXEC: zeek -r $TRACES/dns-two-responses.trace
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/flip.zeek
+++ b/testing/btest/scripts/base/protocols/dns/flip.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: bro -r $TRACES/dns53.pcap
+# @TEST-EXEC: zeek -r $TRACES/dns53.pcap
 # @TEST-EXEC: btest-diff dns.log
 # If the DNS reply is seen first, should be able to correctly set orig/resp.
--- a/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
+++ b/testing/btest/scripts/base/protocols/dns/huge-ttl.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/dns-huge-ttl.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/dns-huge-ttl.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
--- a/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
+++ b/testing/btest/scripts/base/protocols/dns/multiple-txt-strings.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: bro -r $TRACES/dns-txt-multiple.trace
+# @TEST-EXEC: zeek -r $TRACES/dns-txt-multiple.trace
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/dns/nsec.zeek
+++ b/testing/btest/scripts/base/protocols/dns/nsec.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
+# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/nsec3.zeek
+++ b/testing/btest/scripts/base/protocols/dns/nsec3.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
+# @TEST-EXEC: zeek -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/rrsig.zeek
+++ b/testing/btest/scripts/base/protocols/dns/rrsig.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
+# @TEST-EXEC: zeek -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
 # @TEST-EXEC: btest-diff dns.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/dns/tsig.zeek
+++ b/testing/btest/scripts/base/protocols/dns/tsig.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/dns-tsig.trace %INPUT >out
+# @TEST-EXEC: zeek -r $TRACES/dns-tsig.trace %INPUT >out
 # @TEST-EXEC: btest-diff out

 redef dns_skip_all_addl = F;
--- a/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
+++ b/testing/btest/scripts/base/protocols/dns/zero-responses.zeek
@ -1,4 +1,4 @@
 # This tests the case where the DNS server responded with zero RRs.
 #
-# @TEST-EXEC: bro -r $TRACES/dns-zero-RRs.trace
+# @TEST-EXEC: zeek -r $TRACES/dns-zero-RRs.trace
 # @TEST-EXEC: btest-diff dns.log
--- a/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/cwd-navigation.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
+# @TEST-EXEC: zeek -r $TRACES/ftp/cwd-navigation.pcap >output.log %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log
 # @TEST-EXEC: btest-diff output.log
--- a/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-get-file-size.zeek
@ -1,5 +1,5 @@
 # This tests extracting the server reported file size 
 # from FTP sessions.
 #
-# @TEST-EXEC: bro -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
+# @TEST-EXEC: zeek -r $TRACES/ftp/ftp-with-numbers-in-filename.pcap
 # @TEST-EXEC: btest-diff ftp.log
--- a/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv4.zeek
@ -1,6 +1,6 @@
 # This tests both active and passive FTP over IPv4.
 #
-# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace
+# @TEST-EXEC: zeek -r $TRACES/ftp/ipv4.trace
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log

--- a/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
+++ b/testing/btest/scripts/base/protocols/ftp/ftp-ipv6.zeek
@ -1,6 +1,6 @@
 # This tests both active and passive FTP over IPv6.
 #
-# @TEST-EXEC: bro -r $TRACES/ftp/ipv6.trace
+# @TEST-EXEC: zeek -r $TRACES/ftp/ipv6.trace
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ftp.log

--- a/testing/btest/scripts/base/protocols/ftp/gridftp.test
+++ b/testing/btest/scripts/base/protocols/ftp/gridftp.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/globus-url-copy.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/globus-url-copy.trace %INPUT
 # @TEST-EXEC: btest-diff notice.log
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
--- a/testing/btest/scripts/base/protocols/http/100-continue.zeek
+++ b/testing/btest/scripts/base/protocols/http/100-continue.zeek
@ -3,7 +3,7 @@
 # a given request.  The http scripts should also be able log such replies
 # in a way that correlates the final response with the request.
 #
-# @TEST-EXEC: bro -r $TRACES/http/100-continue.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/100-continue.trace %INPUT
 # @TEST-EXEC: test ! -f weird.log
 # @TEST-EXEC: btest-diff http.log

--- a/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
+++ b/testing/btest/scripts/base/protocols/http/101-switching-protocols.zeek
@ -1,7 +1,7 @@
 # This tests that the HTTP analyzer does not generate a dpd error as a
 # result of seeing an upgraded connection.
 #
-# @TEST-EXEC: bro -r $TRACES/http/websocket.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/websocket.pcap %INPUT
 # @TEST-EXEC: test ! -f dpd.log
 # @TEST-EXEC: test ! -f weird.log
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/content-range-gap-skip.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap-skip.trace %INPUT

 # In this trace, we should be able to determine that a gap lies
 # entirely within the body of an entity that specifies Content-Range,
--- a/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-gap.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/content-range-gap.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap.trace %INPUT
 # @TEST-EXEC: btest-diff extract_files/thefile

 event file_new(f: fa_file)
--- a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
+++ b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: bro -r $TRACES/http/content-range-less-than-len.pcap
+# @TEST-EXEC: zeek -r $TRACES/http/content-range-less-than-len.pcap
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
--- a/testing/btest/scripts/base/protocols/http/entity-gap.zeek
+++ b/testing/btest/scripts/base/protocols/http/entity-gap.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/entity_gap.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/entity_gap.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0

--- a/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
+++ b/testing/btest/scripts/base/protocols/http/entity-gap2.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/entity_gap2.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/entity_gap2.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0

--- a/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
+++ b/testing/btest/scripts/base/protocols/http/fake-content-length.zeek
@ -1,2 +1,2 @@
-# @TEST-EXEC: bro -r $TRACES/http/fake-content-length.pcap
+# @TEST-EXEC: zeek -r $TRACES/http/fake-content-length.pcap
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: zeek -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek
@ -1,7 +1,7 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly
 # when the server include a header line into its response.
 #
-# @TEST-EXEC: bro -C -r $TRACES/http/connect-with-header.trace %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/http/connect-with-header.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff tunnel.log
--- a/testing/btest/scripts/base/protocols/http/http-connect.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-connect.zeek
@ -1,6 +1,6 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly.
 #
-# @TEST-EXEC: bro -r $TRACES/http/connect-with-smtp.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/connect-with-smtp.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff smtp.log
--- a/testing/btest/scripts/base/protocols/http/http-filename.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-filename.zeek
@ -1,6 +1,6 @@
 # This tests that the HTTP analyzer handles filenames over HTTP correctly.
 #
-# @TEST-EXEC: bro -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/http-filename.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

 # The base analysis scripts are loaded by default.
--- a/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-header-crlf.zeek
@ -2,7 +2,7 @@
 # it gets confused whether it's in a header or not; it shouldn't report
 # the http_no_crlf_in_header_list wierd.
 #
-# @TEST-EXEC: bro -r $TRACES/http/byteranges.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/byteranges.trace %INPUT
 # @TEST-EXEC: test ! -f weird.log

 # The base analysis scripts are loaded by default.
--- a/testing/btest/scripts/base/protocols/http/http-methods.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-methods.zeek
@ -1,6 +1,6 @@
 # This tests that the HTTP analyzer handles strange HTTP methods properly.
 #
-# @TEST-EXEC: bro -r $TRACES/http/methods.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/methods.trace %INPUT
 # @TEST-EXEC: btest-diff weird.log
 # @TEST-EXEC: btest-diff http.log

--- a/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-pipelining.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/http/pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace %INPUT > output
 # @TEST-EXEC: btest-diff http.log

 # mime type is irrelevant to this test, so filter it out
--- a/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
+++ b/testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek
@ -2,5 +2,5 @@
 # include an appropriate ZLIB header on deflated 
 # content.
 #
-# @TEST-EXEC: bro -r $TRACES/http/missing-zlib-header.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/missing-zlib-header.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/http/multipart-extract.zeek
+++ b/testing/btest/scripts/base/protocols/http/multipart-extract.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: cat extract_files/http-item-* | sort > extractions

--- a/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
+++ b/testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek
@ -1,10 +1,10 @@
-# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace
+# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace
 # @TEST-EXEC: btest-diff http.log
-# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT >out-limited
+# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT >out-limited
 # @TEST-EXEC: mv http.log http-limited.log
 # @TEST-EXEC: btest-diff http-limited.log
 # @TEST-EXEC: btest-diff out-limited
-# @TEST-EXEC: bro -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
+# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
 # @TEST-EXEC: mv http.log http-limit-ignored.log
 # @TEST-EXEC: btest-diff http-limit-ignored.log
 # @TEST-EXEC: btest-diff out-limit-ignored
--- a/testing/btest/scripts/base/protocols/http/no-uri.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-uri.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -Cr $TRACES/http/no-uri.pcap %INPUT
+# @TEST-EXEC: zeek -Cr $TRACES/http/no-uri.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/no-version.zeek
+++ b/testing/btest/scripts/base/protocols/http/no-version.zeek
@ -1,3 +1,3 @@
-# @TEST-EXEC: bro -Cr $TRACES/http/no-version.pcap %INPUT
+# @TEST-EXEC: zeek -Cr $TRACES/http/no-version.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log

--- a/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: zeek -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/http/x-gzip.zeek
+++ b/testing/btest/scripts/base/protocols/http/x-gzip.zeek
@ -1,2 +1,2 @@
-# @TEST-EXEC: bro -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: zeek -r $TRACES/http/x-gzip.pcap
 # @TEST-EXEC: btest-diff http.log
--- a/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
+++ b/testing/btest/scripts/base/protocols/http/zero-length-bodies-with-drops.zeek
@ -3,7 +3,7 @@
 # files when there isn't actually any body there and shouldn't
 # create a file.
 #
-# @TEST-EXEC: bro -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT
+# @TEST-EXEC: zeek -r $TRACES/http/zero-length-bodies-with-drops.pcap %INPUT

 # There shouldn't be a files log (no files!)
 # @TEST-EXEC: test ! -f files.log
--- a/testing/btest/scripts/base/protocols/imap/capabilities.test
+++ b/testing/btest/scripts/base/protocols/imap/capabilities.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

@load base/protocols/ssl
--- a/testing/btest/scripts/base/protocols/imap/starttls.test
+++ b/testing/btest/scripts/base/protocols/imap/starttls.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/imap-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
--- a/testing/btest/scripts/base/protocols/irc/basic.test
+++ b/testing/btest/scripts/base/protocols/irc/basic.test
@ -1,7 +1,7 @@
 # This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
 # are logged for a client.

-# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
 # @TEST-EXEC: btest-diff irc.log
 # @TEST-EXEC: btest-diff conn.log

--- a/testing/btest/scripts/base/protocols/irc/events.test
+++ b/testing/btest/scripts/base/protocols/irc/events.test
@ -1,8 +1,8 @@
 # Test IRC events

-# @TEST-EXEC: bro -r $TRACES/irc-dcc-send.trace %INPUT
-# @TEST-EXEC: bro -r $TRACES/irc-basic.trace %INPUT
-# @TEST-EXEC: bro -r $TRACES/irc-whitespace.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-dcc-send.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-basic.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/irc-whitespace.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout

 event irc_privmsg_message(c: connection, is_orig: bool, source: string, target: string, message: string)
--- a/testing/btest/scripts/base/protocols/irc/longline.test
+++ b/testing/btest/scripts/base/protocols/irc/longline.test
@ -1,6 +1,6 @@
 # This tests that an excessively long line is truncated by the contentline
 # analyzer

-# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
 # @TEST-EXEC: btest-diff weird.log

--- a/testing/btest/scripts/base/protocols/irc/names-weird.zeek
+++ b/testing/btest/scripts/base/protocols/irc/names-weird.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/irc-353.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/irc-353.pcap %INPUT
 # @TEST-EXEC: btest-diff weird.log

 event irc_names_info(c: connection, is_orig: bool, c_type: string, channel: string, users: string_set)
--- a/testing/btest/scripts/base/protocols/irc/starttls.test
+++ b/testing/btest/scripts/base/protocols/irc/starttls.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -C -r $TRACES/tls/irc-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/tls/irc-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
--- a/testing/btest/scripts/base/protocols/krb/kinit.test
+++ b/testing/btest/scripts/base/protocols/krb/kinit.test
@ -1,6 +1,6 @@
 # This test exercises many of the Linux kinit options against a KDC

-# @TEST-EXEC: bro -b -r $TRACES/krb/kinit.trace %INPUT > output
+# @TEST-EXEC: zeek -b -r $TRACES/krb/kinit.trace %INPUT > output
 # @TEST-EXEC: btest-diff kerberos.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/krb/smb2_krb.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
@ -5,7 +5,7 @@
 # @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
 #
 # @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
-# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 redef KRB::keytab = "smb2_krb.keytab";
--- a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
@ -4,7 +4,7 @@
 # @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
 #
 # @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
-# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: zeek -C -r $TRACES/krb/smb2_krb.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: btest-diff .stderr

--- a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
+++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
@ -3,7 +3,7 @@
 #   SMB authentication event and therfore relies on the SMB
 #   analyzer as well.

-# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
 # @TEST-EXEC: btest-diff kerberos.log
 # @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb

--- a/testing/btest/scripts/base/protocols/krb/tgs.test
+++ b/testing/btest/scripts/base/protocols/krb/tgs.test
@ -1,6 +1,6 @@
 # This test exercises a Kerberos authentication to a Kerberized SSH server

-# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/krb/auth.trace %INPUT
 # @TEST-EXEC: btest-diff kerberos.log

@load base/protocols/krb
--- a/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/coil_parsing_big.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusBig.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/coil_parsing_small.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -C -r $TRACES/modbus/modbusSmall.pcap %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/modbus/events.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/events.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus.trace %INPUT | sort | uniq -c | sed 's/^ *//g' >output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: cat output | awk '{print $2}' | grep "^modbus_" | sort | uniq | wc -l >covered
 # @TEST-EXEC: cat ${DIST}/src/analyzer/protocol/modbus/events.bif  | grep "^event modbus_" | wc -l >total
--- a/testing/btest/scripts/base/protocols/modbus/exception_handling.test
+++ b/testing/btest/scripts/base/protocols/modbus/exception_handling.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-72.trace
+# @TEST-EXEC: zeek -r $TRACES/modbus/fuzz-72.trace
 # @TEST-EXEC: btest-diff modbus.log

 # The pcap has a flow with some fuzzed modbus traffic in it that should cause
--- a/testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/length_mismatch.zeek
@ -11,4 +11,4 @@
 # as that can cause reading from a location that exceeds the end of the
 # data buffer.

-# @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
+# @TEST-EXEC: zeek -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
--- a/testing/btest/scripts/base/protocols/modbus/policy.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/policy.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r $TRACES/modbus/modbus.trace %INPUT
+# @TEST-EXEC: zeek -r $TRACES/modbus/modbus.trace %INPUT
 # @TEST-EXEC: btest-diff modbus.log
 # @TEST-EXEC: btest-diff modbus_register_change.log
 # @TEST-EXEC: btest-diff known_modbus.log
--- a/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
+++ b/testing/btest/scripts/base/protocols/modbus/register_parsing.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
+# @TEST-EXEC: zeek -r $TRACES/modbus/fuzz-1011.trace %INPUT >output
 # @TEST-EXEC: btest-diff modbus.log
 # @TEST-EXEC: btest-diff output

--- a/testing/btest/scripts/base/protocols/mount/basic.test
+++ b/testing/btest/scripts/base/protocols/mount/basic.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -r $TRACES/mount/mount_base.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/mount/mount_base.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
--- a/testing/btest/scripts/base/protocols/mysql/auth.test
+++ b/testing/btest/scripts/base/protocols/mysql/auth.test
@ -1,6 +1,6 @@
 # This tests that successful/unsuccesful auth attempts get logged correctly

-# @TEST-EXEC: bro -b -r $TRACES/mysql/auth.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/auth.trace %INPUT
 # @TEST-EXEC: btest-diff mysql.log

@load base/protocols/mysql
--- a/testing/btest/scripts/base/protocols/mysql/encrypted.test
+++ b/testing/btest/scripts/base/protocols/mysql/encrypted.test
@ -2,7 +2,7 @@
 # can't parse much of value. We're testing for an empty mysql.log file.

 # @TEST-EXEC: touch mysql.log
-# @TEST-EXEC: bro -b -r $TRACES/mysql/encrypted.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/encrypted.trace %INPUT
 # @TEST-EXEC: btest-diff mysql.log

@load base/protocols/mysql
--- a/testing/btest/scripts/base/protocols/mysql/wireshark.test
+++ b/testing/btest/scripts/base/protocols/mysql/wireshark.test
@ -1,6 +1,6 @@
 # This tests a PCAP with a few MySQL commands from the Wireshark samples.

-# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out
+# @TEST-EXEC: zeek -b -r $TRACES/mysql/mysql.trace %INPUT >out
 # @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff mysql.log

--- a/testing/btest/scripts/base/protocols/ncp/event.zeek
+++ b/testing/btest/scripts/base/protocols/ncp/event.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out
+# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT >out
 # @TEST-EXEC: btest-diff out

 redef likely_server_ports += { 524/tcp };
--- a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
+++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
+# @TEST-EXEC: zeek -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out
 # @TEST-EXEC: btest-diff out

 redef likely_server_ports += { 524/tcp };
--- a/testing/btest/scripts/base/protocols/nfs/basic.test
+++ b/testing/btest/scripts/base/protocols/nfs/basic.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/nfs/nfs_base.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout

 global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef;
--- a/testing/btest/scripts/base/protocols/pop3/starttls.zeek
+++ b/testing/btest/scripts/base/protocols/pop3/starttls.zeek
@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
+# @TEST-EXEC: zeek -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff ssl.log
 # @TEST-EXEC: btest-diff x509.log
--- a/testing/btest/scripts/base/protocols/radius/auth.test
+++ b/testing/btest/scripts/base/protocols/radius/auth.test
@ -1,6 +1,6 @@
 # This tests that a RADIUS authentication gets logged correctly

-# @TEST-EXEC: bro -b -r $TRACES/radius/radius.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/radius/radius.trace %INPUT
 # @TEST-EXEC: btest-diff radius.log

@load base/protocols/radius
--- a/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test
+++ b/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test
@ -1,6 +1,6 @@
 # Test a more complicated radius session with multiple attempts

-# @TEST-EXEC: bro -b -C -r $TRACES/radius/radius_localhost.pcapng %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/radius/radius_localhost.pcapng %INPUT
 # @TEST-EXEC: btest-diff radius.log

@load base/protocols/radius
--- a/Show more
+++ b/Show more