Remove BackDoor analyzer

2025-10-02 14:48:21 +00:00 · 2019-06-27 18:22:39 -07:00 · 2019-06-27 18:22:39 -07:00 · 7dc3fca754
commit 7dc3fca754
parent a940cf3fb5
20 changed files with 33 additions and 1085 deletions
--- a/20
+++ b/20
@ -413,6 +413,21 @@ Removed Functionality
    - ``print_hook``
    - ``interconn_stats``
    - ``interconn_remove_conn``
    - ``root_backdoor_signature_found``
    - ``napster_signature_found``
    - ``kazaa_signature_found``
    - ``gaobot_signature_found``
    - ``ftp_signature_found``
    - ``gnutella_signature_found``
    - ``http_signature_found``
    - ``irc_signature_found``
    - ``telnet_signature_found``
    - ``ssh_signature_found``
    - ``rlogin_signature_found``
    - ``smtp_signature_found``
    - ``http_proxy_signature_found``
    - ``backdoor_stats``
    - ``backdoor_remove_conn``
 - The following types/records were deprecated in version 2.6 or below and are
  removed from this release:
@ -450,6 +465,9 @@ Removed Functionality
    - ``interconn_stat_period``
    - ``interconn_stat_backoff``
    - ``interconn_endp_stats``
    - ``backdoor_stat_period``
    - ``backdoor_stat_backoff``
    - ``backdoor_endp_stats``
 - The following constants were used as part of deprecated functionality in version 2.6
  or below and are removed from this release:
@ -497,6 +515,8 @@ Removed Functionality
 - Removed the InterConn analyzer.
 - Removed the BackDoor analyzer.
 Deprecated Functionality
 ------------------------
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@ -125,7 +125,6 @@ export {
 	## contains legacy analyzers that are no longer supported.
 	global disabled_analyzers: set[Analyzer::Tag] = {
 		ANALYZER_STEPPINGSTONE,
 		ANALYZER_BACKDOOR,
 		ANALYZER_TCPSTATS,
 	} &redef;
 }
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -3864,24 +3864,6 @@ const stp_idle_min: interval &redef;
 ## Internal to the stepping stone detector.
 global stp_skip_src: set[addr] &redef;
 ## Deprecated.
 const backdoor_stat_period: interval &redef;
 ## Deprecated.
 const backdoor_stat_backoff: double &redef;
 ## Deprecated.
 type backdoor_endp_stats: record {
 	is_partial: bool;
 	num_pkts: count;
 	num_8k0_pkts: count;
 	num_8k4_pkts: count;
 	num_lines: count;
 	num_normal_lines: count;
 	num_bytes: count;
 	num_7bit_ascii: count;
 };
 ## Description of a signature match.
 ##
 ## .. zeek:see:: signature_match
--- a/src/NetVar.cc
+++ b/src/NetVar.cc
@ -125,11 +125,6 @@ double stp_delta;
 double stp_idle_min;
 TableVal* stp_skip_src;
 double backdoor_stat_period;
 double backdoor_stat_backoff;
 RecordType* backdoor_endp_stats;
 double table_expire_interval;
 double table_expire_delay;
 int table_incremental_step;
@ -381,10 +376,6 @@ void init_net_var()
 	stp_idle_min = opt_internal_double("stp_idle_min");
 	stp_skip_src = internal_val("stp_skip_src")->AsTableVal();
 	backdoor_stat_period = opt_internal_double("backdoor_stat_period");
 	backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff");
 	backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType();
 	orig_addr_anonymization = opt_internal_int("orig_addr_anonymization");
 	resp_addr_anonymization = opt_internal_int("resp_addr_anonymization");
 	other_addr_anonymization = opt_internal_int("other_addr_anonymization");
--- a/src/NetVar.h
+++ b/src/NetVar.h
@ -128,11 +128,6 @@ extern double stp_delta;
 extern double stp_idle_min;
 extern TableVal* stp_skip_src;
 extern double backdoor_stat_period;
 extern double backdoor_stat_backoff;
 extern RecordType* backdoor_endp_stats;
 extern double table_expire_interval;
 extern double table_expire_delay;
 extern int table_incremental_step;
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -20,8 +20,6 @@
 #include "analyzer/protocol/stepping-stone/SteppingStone.h"
 #include "analyzer/protocol/stepping-stone/events.bif.h"
 #include "analyzer/protocol/backdoor/BackDoor.h"
 #include "analyzer/protocol/backdoor/events.bif.h"
 #include "analyzer/protocol/arp/ARP.h"
 #include "analyzer/protocol/arp/events.bif.h"
 #include "Discard.h"
@ -117,13 +115,6 @@ NetSessions::NetSessions()
 	packet_filter = 0;
 	build_backdoor_analyzer =
 		backdoor_stats || rlogin_signature_found ||
 		telnet_signature_found || ssh_signature_found ||
 		root_backdoor_signature_found || ftp_signature_found ||
 		napster_signature_found || kazaa_signature_found ||
 		http_signature_found || http_proxy_signature_found;
 	dump_this_packet = 0;
 	num_packets_processed = 0;
--- a/src/Sessions.h
+++ b/src/Sessions.h
@ -231,7 +231,6 @@ protected:
 	analyzer::stepping_stone::SteppingStoneManager* stp_manager;
 	Discarder* discarder;
 	PacketFilter* packet_filter;
 	int build_backdoor_analyzer;
 	int dump_this_packet;	// if true, current packet should be recorded
 	uint64 num_packets_processed;
 	PacketProfiler* pkt_profiler;
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@ -5,7 +5,6 @@
 #include "Hash.h"
 #include "Val.h"
 #include "protocol/backdoor/BackDoor.h"
 #include "protocol/conn-size/ConnSize.h"
 #include "protocol/icmp/ICMP.h"
 #include "protocol/pia/PIA.h"
@ -86,7 +85,6 @@ Manager::~Manager()
 void Manager::InitPreScript()
 	{
 	// Cache these tags.
 	analyzer_backdoor = GetComponentTag("BACKDOOR");
 	analyzer_connsize = GetComponentTag("CONNSIZE");
 	analyzer_stepping = GetComponentTag("STEPPINGSTONE");
 	analyzer_tcpstats = GetComponentTag("TCPSTATS");
@ -459,11 +457,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 		if ( reass )
 			tcp->EnableReassembly();
 		if ( IsEnabled(analyzer_backdoor) )
 			// Add a BackDoor analyzer if requested.  This analyzer
 			// can handle both reassembled and non-reassembled input.
 			tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false);
 		if ( IsEnabled(analyzer_stepping) )
 			{
 			// Add a SteppingStone analyzer if requested.  The port
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@ -355,7 +355,6 @@ private:
 	analyzer_map_by_port analyzers_by_port_tcp;
 	analyzer_map_by_port analyzers_by_port_udp;
 	Tag analyzer_backdoor;
 	Tag analyzer_connsize;
 	Tag analyzer_stepping;
 	Tag analyzer_tcpstats;
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@ -1,7 +1,6 @@
 add_subdirectory(arp)
 add_subdirectory(ayiya)
 add_subdirectory(backdoor)
 add_subdirectory(bittorrent)
 add_subdirectory(conn-size)
 add_subdirectory(dce-rpc)
--- a/src/analyzer/protocol/backdoor/BackDoor.cc
+++ b/src/analyzer/protocol/backdoor/BackDoor.cc
@ -1,819 +0,0 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include "zeek-config.h"
 #include "BackDoor.h"
 #include "Event.h"
 #include "Net.h"
 #include "analyzer/protocol/tcp/TCP.h"
 #include "events.bif.h"
 using namespace analyzer::backdoor;
 BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e)
 	{
 	endp = e;
 	is_partial = 0;
 	max_top_seq = 0;
 	rlogin_checking_done = 0;
 	rlogin_string_separator_pos = 0;
 	rlogin_num_null = 0;
 	rlogin_slash_seen = 0;
 	num_pkts = num_8k0_pkts = num_8k4_pkts =
 		num_lines = num_normal_lines = num_bytes = num_7bit_ascii = 0;
 	}
 #define NORMAL_LINE_LENGTH 80
 #define TELNET_IAC 255
 #define IS_TELNET_NEGOTIATION_CMD(c) ((c) >= 251 && (c) <= 254)
 #define DEFAULT_MTU 512
 #define RLOGIN_MAX_SIGNATURE_LENGTH 256
 void BackDoorEndpoint::FinalCheckForRlogin()
 	{
 	if ( ! rlogin_checking_done )
 		{
 		rlogin_checking_done = 1;
 		if ( rlogin_num_null > 0 )
 			RloginSignatureFound(0);
 		}
 	}
 int BackDoorEndpoint::DataSent(double /* t */, uint64 seq,
 				int len, int caplen, const u_char* data,
 				const IP_Hdr* /* ip */,
 				const struct tcphdr* /* tp */)
 	{
 	if ( caplen < len )
 		len = caplen;
 	if ( len <= 0 )
 		return 0;
 	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
 		is_partial = 1;
 	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
 	uint64 top_seq = seq + len;
 	if ( top_seq <= ack || top_seq <= max_top_seq )
 		// There is no new data in this packet.
 		return 0;
 	if ( rlogin_signature_found )
 		CheckForRlogin(seq, len, data);
 	if ( telnet_signature_found )
 		CheckForTelnet(seq, len, data);
 	if ( ssh_signature_found )
 		CheckForSSH(seq, len, data);
 	if ( ftp_signature_found )
 		CheckForFTP(seq, len, data);
 	if ( root_backdoor_signature_found )
 		CheckForRootBackdoor(seq, len, data);
 	if ( napster_signature_found )
 		CheckForNapster(seq, len, data);
 	if ( gnutella_signature_found )
 		CheckForGnutella(seq, len, data);
 	if ( kazaa_signature_found )
 		CheckForKazaa(seq, len, data);
 	if ( http_signature_found || http_proxy_signature_found )
 		CheckForHTTP(seq, len, data);
 	if ( smtp_signature_found )
 		CheckForSMTP(seq, len, data);
 	if ( irc_signature_found )
 		CheckForIRC(seq, len, data);
 	if ( gaobot_signature_found )
 		CheckForGaoBot(seq, len, data);
 	max_top_seq = top_seq;
 	return 1;
 	}
 RecordVal* BackDoorEndpoint::BuildStats()
 	{
 	RecordVal* stats = new RecordVal(backdoor_endp_stats);
 	stats->Assign(0, val_mgr->GetBool(is_partial));
 	stats->Assign(1, val_mgr->GetCount(num_pkts));
 	stats->Assign(2, val_mgr->GetCount(num_8k0_pkts));
 	stats->Assign(3, val_mgr->GetCount(num_8k4_pkts));
 	stats->Assign(4, val_mgr->GetCount(num_lines));
 	stats->Assign(5, val_mgr->GetCount(num_normal_lines));
 	stats->Assign(6, val_mgr->GetCount(num_bytes));
 	stats->Assign(7, val_mgr->GetCount(num_7bit_ascii));
 	return stats;
 	}
 void BackDoorEndpoint::CheckForRlogin(uint64 seq, int len, const u_char* data)
 	{
 	if ( rlogin_checking_done )
 		return;
 	// Looking for pattern:
 	//	<null>string<null>string<null>string/string<null>
 	// where all string's are non-empty 7-bit-ascii string
 	//
 	// To avoid having to reassemble, we keep testing each byte until
 	// one of the following happens:
 	//
 	//	- A gap in sequence number occurs
 	//	- Four null's have been found
 	//	- The number of bytes we examined reaches RLOGIN_MAX_SIGNATURE_LENGTH
 	//	- An empty or non-7-bit-ascii string is found
 	//
 	if ( seq == 1 )
 		{ // Check if first byte is a NUL.
 		if ( data[0] == 0 )
 			{
 			rlogin_num_null = 1;
 			if ( ! endp->IsOrig() )
 				{
 				RloginSignatureFound(len);
 				return;
 				}
 			rlogin_string_separator_pos = 1;
 			++seq;	// move past the byte
 			++data;
 			--len;
 			}
 		else
 			{
 			rlogin_checking_done = 1;
 			return;
 			}
 		}
 	if ( seq > max_top_seq && max_top_seq != 0 )
 		{ // A gap! Since we don't reassemble things, stop now.
 		RloginSignatureFound(0);
 		return;
 		}
 	if ( seq + len <= max_top_seq )
 		return;	// nothing new
 	if ( seq < max_top_seq )
 		{ // trim to just the new data
 		int64 delta = max_top_seq - seq;
 		seq += delta;
 		data += delta;
 		len -= delta;
 		}
 	// Search for rlogin signature.
 	for ( int i = 0; i < len && rlogin_num_null < 4; ++i )
 		{
 		if ( data[i] == 0 )
 			{
 			if ( i + seq == rlogin_string_separator_pos + 1 )
 				{ // Empty string found.
 				rlogin_checking_done = 1;
 				return;
 				}
 			else
 				{
 				rlogin_string_separator_pos = i + seq;
 				++rlogin_num_null;
 				}
 			}
 		else if ( data[i] == '/' )
 			{
 			if ( rlogin_num_null == 3 )
 				{
 				if ( i + seq == rlogin_string_separator_pos + 1 )
 					{ // Empty terminal type.
 					rlogin_checking_done = 1;
 					return;
 					}
 				rlogin_string_separator_pos = i + seq;
 				rlogin_slash_seen = 1;
 				}
 			}
 		else if ( data[i] >= 128 )
 			{ // Non-7-bit-ascii
 			rlogin_checking_done = 1;
 			return;
 			}
 		}
 	if ( rlogin_num_null == 4 )
 		{
 		if ( rlogin_slash_seen )
 			RloginSignatureFound(0);
 		else
 			rlogin_checking_done = 1;
 		return;
 		}
 	if ( seq + len > RLOGIN_MAX_SIGNATURE_LENGTH )
 		{ // We've waited for too long
 		RloginSignatureFound(0);
 		return;
 		}
 	}
 void BackDoorEndpoint::RloginSignatureFound(int len)
 	{
 	if ( rlogin_checking_done )
 		return;
 	rlogin_checking_done = 1;
 	if ( ! rlogin_signature_found )
 		return;
 	endp->TCP()->ConnectionEventFast(rlogin_signature_found, {
 		endp->TCP()->BuildConnVal(),
 		val_mgr->GetBool(endp->IsOrig()),
 		val_mgr->GetCount(rlogin_num_null),
 		val_mgr->GetCount(len),
 	});
 	}
 void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data)
 	{
 	if ( len >= 3 &&
 	     data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) )
 		{
 		TelnetSignatureFound(len);
 		return;
 		}
 	// Note, we do the analysis per-packet rather than on the reassembled
 	// stream.  This is a lot more efficient as then we don't need to
 	// do stream reassembly; but it's potentially less accurate, and
 	// subject to evasion.  *But*: backdoor detection is inherently
 	// subject to a wide variety of evasion, so allowing this form
 	// (which is a pain to exploit) costs little.
 	num_bytes += len;
 	int last_char = 0;
 	int offset = 0;	// where we consider the latest line to have begun
 	int option_length = 0; // length of options in a line
 	for ( int i = 0; i < len; ++i )
 		{
 		unsigned int c = data[i];
 		if ( c == '\n' && last_char == '\r' )
 			{
 			// Compress CRLF to just one line termination.
 			last_char = c;
 			continue;
 			}
 		if ( c == '\n' || c == '\r' )
 			{
 			++num_lines;
 			if ( i - offset - option_length <= NORMAL_LINE_LENGTH )
 				++num_normal_lines;
 			option_length = 0;
 			offset = i;
 			}
 		else if ( c == TELNET_IAC )
 			{
 			++option_length;
 			--num_bytes;
 			if ( ++i < len )
 				{
 				unsigned int code = data[i];
 				if ( code == TELNET_IAC )
 					// Escaped IAC.
 					last_char = code;
 				else if ( code >= 251 && code <= 254 )
 					{ // 3-byte option: ignore next byte
 					++i;
 					option_length += 2;
 					num_bytes -= 2;
 					}
 				else
 					// XXX: We don't deal with sub option for simplicity
 					// although we SHOULD!
 					{
 					++option_length;
 					--num_bytes;
 					}
 				}
 			continue;
 			}
 		else if ( c != 0 && c < 128 )
 			++num_7bit_ascii;
 		last_char = c;
 		}
 	}
 void BackDoorEndpoint::TelnetSignatureFound(int len)
 	{
 	if ( ! telnet_signature_found )
 		return;
 	endp->TCP()->ConnectionEventFast(telnet_signature_found, {
 		endp->TCP()->BuildConnVal(),
 		val_mgr->GetBool(endp->IsOrig()),
 		val_mgr->GetCount(len),
 	});
 	}
 void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 &&
 	     (data[4] == '1' || data[4] == '2') )
 		{
 		SignatureFound(ssh_signature_found, 1);
 		return;
 		}
 	// Check for length pattern.
 	if ( seq < max_top_seq || max_top_seq == 0 )
 		// Retransmission involved, or first pkt => size info useless.
 		return;
 	if ( seq > max_top_seq )
 		{ // Estimate number of packets in the sequence gap
 		int64 gap = seq - max_top_seq;
 		if ( gap > 0 )
 			num_pkts += uint64((gap + DEFAULT_MTU - 1) / DEFAULT_MTU);
 		}
 	++num_pkts;
 	// According to the spec:
 	//	SSH 1.x pkts have size 8k+4
 	//	SSH 2.x pkts have size 8k >= 16 (most cipher blocks are 8n)
 	if ( len <= 127 )
 		switch ( len & 7 ) {
 		case 0:
 			if ( len >= 16 )
 				++num_8k0_pkts;
 			break;
 		case 4:
 			++num_8k4_pkts;
 			break;
 		}
 	else
 		{ // len is likely to be some MTU.
 		}
 	}
 void BackDoorEndpoint::CheckForRootBackdoor(uint64 seq, int len, const u_char* data)
 	{
 	// Check for root backdoor signature: an initial payload of
 	// exactly "# ".
 	if ( seq == 1 && len == 2 && ! endp->IsOrig() &&
 	     data[0] == '#' && data[1] == ' ' )
 		SignatureFound(root_backdoor_signature_found);
 	}
 void BackDoorEndpoint::CheckForFTP(uint64 seq, int len, const u_char* data)
 	{
 	// Check for FTP signature
 	//
 	// Currently, the signatures include: "220 ", "220-"
 	//
 	// For a day's worth of LBNL FTP activity (7,229 connections),
 	// the distribution of the code in the first line returned by
 	// the server (the lines always began with a code) is:
 	//
 	//	220: 6685
 	//	421: 535
 	//	226: 7
 	//	426: 1
 	//	200: 1
 	//
 	// The 421's are all "host does not have access" or "timeout" of
 	// some form, so it's not big deal with we miss them (if that helps
 	// keep down the false positives).
 	if ( seq != 1 || endp->IsOrig() || len < 4 )
 		return;
 	if ( CheckForString("220", data, len) &&
 	     (data[3] == ' ' || data[3] == '-') )
 		SignatureFound(ftp_signature_found);
 	else if ( CheckForString("421", data, len) &&
 		  (data[3] == '-' || data[3] == ' ') )
 		SignatureFound(ftp_signature_found);
 	}
 void BackDoorEndpoint::CheckForNapster(uint64 seq, int len, const u_char* data)
 	{
 	// Check for Napster signature "GETfoobar" or "SENDfoobar" where
 	// "foobar" is the Napster handle associated with the request
 	// (so pretty much any arbitrary identifier, but sent adjacent
 	// to the GET or SEND with no intervening whitespace; but also
 	// sent in a separate packet.
 	if ( seq != 1 || ! endp->IsOrig() )
 		return;
 	if ( len == 3 && CheckForString("GET", data, len) )
 		// GETfoobar.
 		SignatureFound(napster_signature_found);
 	else if ( len == 4 && CheckForString("SEND", data, len) )
 		// SENDfoobar.
 		SignatureFound(napster_signature_found);
 	}
 void BackDoorEndpoint::CheckForSMTP(uint64 seq, int len, const u_char* data)
 	{
 	const char* smtp_handshake[] = { "HELO", "EHLO", 0 };
 	if ( seq != 1 )
 		return;
 	if ( CheckForStrings(smtp_handshake, data, len) )
 		SignatureFound(smtp_signature_found);
 	}
 void BackDoorEndpoint::CheckForIRC(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq != 1 || is_partial )
 		return;
 	const char* irc_indicator[] = {
 		"ERROR", "INVITE", "ISON", "JOIN", "KICK", "NICK",
 		"NJOIN", "NOTICE AUTH", "OPER", "PART", "PING", "PONG",
 		"PRIVMSG", "SQUERY", "SQUIT", "WHO", 0,
 	};
 	if ( CheckForStrings(irc_indicator, data, len) )
 		SignatureFound(irc_signature_found);
 	}
 void BackDoorEndpoint::CheckForGnutella(uint64 seq, int len, const u_char* data)
 	{
 	// After connecting to the server, the connecting client says:
 	//
 	//		GNUTELLA CONNECT/<version>\n\n
 	//
 	// The accepting server responds:
 	//
 	//		GNUTELLA OK\n\n
 	//
 	// We find checking the first 8 bytes suffices, and that will
 	// also catch variants that use something other than "CONNECT".
 	if ( seq == 1 && CheckForString("GNUTELLA ", data, len) )
 		SignatureFound(gnutella_signature_found);
 	}
 void BackDoorEndpoint::CheckForGaoBot(uint64 seq, int len, const u_char* data)
 	{
 	if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) )
 		SignatureFound(gaobot_signature_found);
 	}
 void BackDoorEndpoint::CheckForKazaa(uint64 seq, int len, const u_char* data)
 	{
 	// *Some*, though not all, KaZaa connections begin with:
 	//
 	//		GIVE<space>
 	if ( seq == 1 && CheckForString("GIVE ", data, len) )
 		SignatureFound(kazaa_signature_found);
 	}
 int is_http_whitespace(const u_char ch)
 	{
 	return ! isprint(ch) || isspace(ch);
 	}
 int skip_http_whitespace(const u_char* data, int len, int max)
 	{
 	int k;
 	for ( k = 0; k < len; ++k )
 		{
 		if ( ! is_http_whitespace(data[k]) )
 			break;
 		// Here we do not go beyond CR -- this is OK for
 		// processing first line of HTTP requests. However, it
 		// cannot be used to process multiple-line headers.
 		if ( data[k] == '\015' || k == max )
 			return -1;
 		}
 	return k < len ? k : -1;
 	}
 int is_absolute_url(const u_char* data, int len)
 	{
 	// Look for '://' in the URL.
 	const char* abs_url_sig = "://";
 	const char* abs_url_sig_pos = abs_url_sig;
 	// Warning: the following code is NOT general for any signature string,
 	// but only works for specific strings like "://".
 	for ( int pos = 0; pos < len; ++pos )
 		{
 		if ( *abs_url_sig_pos == '\0' )
 			return 1;
 		if ( data[pos] == *abs_url_sig_pos )
 			++abs_url_sig_pos;
 		else
 			{
 			if ( is_http_whitespace(data[pos]) )
 				return 0;
 			abs_url_sig_pos = abs_url_sig;
 			if ( *abs_url_sig != '\0' &&
 			     *abs_url_sig_pos == data[pos] )
 				++abs_url_sig_pos;
 			}
 		}
 	return *abs_url_sig_pos == '\0';
 	}
 void BackDoorEndpoint::CheckForHTTP(uint64 seq, int len, const u_char* data)
 	{
 	// According to the RFC, we should look for
 	// '<method> SP <url> SP HTTP/<version> CR LF'
 	// where:
 	//
 	//	<method> = GET | HEAD | POST
 	//
 	// (i.e., HTTP 1.1 methods are ignored for now)
 	// <version> = 1.0 | 1.1.
 	//
 	// However, this is probably too restrictive to catch 'non-standard'
 	// requests. Instead, we look for certain methods only in the first
 	// line of the first packet only.
 	//
 	// "The method is case-sensitive." -- RFC 2616
 	const char* http_method[] = { "GET", "HEAD", "POST", 0 };
 	if ( seq != 1 )
 		return; // first packet only
 	// Pick up the method.
 	int pos = skip_http_whitespace (data, len, 0);
 	if ( pos < 0 )
 		return;
 	int method;
 	for ( method = 0; http_method[method]; ++method )
 		{
 		const char* s = http_method[method];
 		int i;
 		for ( i = pos; i < len; ++i, ++s )
 			if ( data[i] != *s )
 				break;
 		if ( *s == '\0' )
 			{
 			pos = i;
 			break;
 			}
 		}
 	if ( ! http_method[method] )
 		return;
 	if ( pos >= len || ! is_http_whitespace(data[pos]) )
 		return;
 	if ( http_signature_found )
 		SignatureFound(http_signature_found);
 	if ( http_proxy_signature_found )
 		{
 		const u_char* rest = data + pos;
 		int rest_len = len - pos;
 		pos = skip_http_whitespace(rest, rest_len, rest_len);
 		if ( pos >= 0 )
 			CheckForHTTPProxy(seq, rest_len - pos, rest + pos);
 		}
 	}
 void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len,
 					const u_char* data)
 	{
 	// Proxy ONLY accepts absolute URI's: "The absoluteURI form is
 	// REQUIRED when the request is being made to a proxy." -- RFC 2616
 	if ( is_absolute_url(data, len) )
 		SignatureFound(http_proxy_signature_found);
 	}
 void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig)
 	{
 	if ( ! e )
 		return;
 	if ( do_orig )
 		endp->TCP()->ConnectionEventFast(e,
 		    {endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())});
 	else
 		endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()});
 	}
 int BackDoorEndpoint::CheckForStrings(const char** strs,
 					const u_char* data, int len)
 	{
 	for ( ; *strs; ++strs )
 		if ( CheckForFullString(*strs, data, len) )
 			return 1;
 	return 0;
 	}
 int BackDoorEndpoint::CheckForFullString(const char* str,
 					const u_char* data, int len)
 	{
 	for ( ; len > 0 && *str; --len, ++data, ++str )
 		if ( *str != *data )
 			return 0;
 	// A "full" string means a non-prefix match.
 	return *str == 0 && (len == 0 || *data == ' ' || *data == '\t');
 	}
 int BackDoorEndpoint::CheckForString(const char* str,
 					const u_char* data, int len)
 	{
 	for ( ; len > 0 && *str; --len, ++data, ++str )
 		if ( *str != *data )
 			return 0;
 	return *str == 0;
 	}
 BackDoor_Analyzer::BackDoor_Analyzer(Connection* c)
 : tcp::TCP_ApplicationAnalyzer("BACKDOOR", c)
 	{
 	orig_endp = resp_endp = 0;
 	orig_stream_pos = resp_stream_pos = 1;
 	timeout = backdoor_stat_period;
 	backoff = backdoor_stat_backoff;
 	c->GetTimerMgr()->Add(new BackDoorTimer(network_time + timeout, this));
 	}
 BackDoor_Analyzer::~BackDoor_Analyzer()
 	{
 	delete orig_endp;
 	delete resp_endp;
 	}
 void BackDoor_Analyzer::Init()
 	{
 	tcp::TCP_ApplicationAnalyzer::Init();
 	assert(TCP());
 	orig_endp = new BackDoorEndpoint(TCP()->Orig());
 	resp_endp = new BackDoorEndpoint(TCP()->Resp());
 	}
 void BackDoor_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 					uint64 seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
 	if ( is_orig )
 		orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
 	else
 		resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
 	}
 void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 	{
 	Analyzer::DeliverStream(len, data, is_orig);
 	if ( is_orig )
 		{
 		orig_endp->DataSent(network_time, orig_stream_pos,
 					len, len, data, 0, 0);
 		orig_stream_pos += len;
 		}
 	else
 		{
 		resp_endp->DataSent(network_time, resp_stream_pos,
 					len, len, data, 0, 0);
 		resp_stream_pos += len;
 		}
 	}
 void BackDoor_Analyzer::Done()
 	{
 	tcp::TCP_ApplicationAnalyzer::Done();
 	if ( ! IsFinished() )
 		{
 		orig_endp->FinalCheckForRlogin();
 		resp_endp->FinalCheckForRlogin();
 		if ( ! TCP()->Skipping() )
 			StatEvent();
 		RemoveEvent();
 		}
 	}
 void BackDoor_Analyzer::StatTimer(double t, int is_expire)
 	{
 	if ( IsFinished() || TCP()->Skipping() )
 		return;
 	StatEvent();
 	if ( ! is_expire )
 		{
 		timeout *= backoff;
 		timer_mgr->Add(new BackDoorTimer(t + timeout, this));
 		}
 	}
 void BackDoor_Analyzer::StatEvent()
 	{
 	if ( ! backdoor_stats )
 		return;
 	TCP()->ConnectionEventFast(backdoor_stats, {
 		TCP()->BuildConnVal(),
 		orig_endp->BuildStats(),
 		resp_endp->BuildStats(),
 	});
 	}
 void BackDoor_Analyzer::RemoveEvent()
 	{
 	if ( ! backdoor_remove_conn )
 		return;
 	TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()});
 	}
 BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a)
 : Timer(t, TIMER_BACKDOOR)
 	{
 	analyzer = a;
 	// Make sure connection does not expire.
 	Ref(a->Conn());
 	}
 BackDoorTimer::~BackDoorTimer()
 	{
 	Unref(analyzer->Conn());
 	}
 void BackDoorTimer::Dispatch(double t, int is_expire)
 	{
 	analyzer->StatTimer(t, is_expire);
 	}
--- a/src/analyzer/protocol/backdoor/BackDoor.h
+++ b/src/analyzer/protocol/backdoor/BackDoor.h
@ -1,112 +0,0 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
 #define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H
 #include "analyzer/protocol/tcp/TCP.h"
 #include "Timer.h"
 #include "NetVar.h"
 #include "analyzer/protocol/login/Login.h"
 namespace analyzer { namespace backdoor {
 class BackDoorEndpoint {
 public:
 	explicit BackDoorEndpoint(tcp::TCP_Endpoint* e);
 	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
 		     const IP_Hdr* ip, const struct tcphdr* tp);
 	RecordVal* BuildStats();
 	void FinalCheckForRlogin();
 protected:
 	void CheckForRlogin(uint64 seq, int len, const u_char* data);
 	void RloginSignatureFound(int len);
 	void CheckForTelnet(uint64 seq, int len, const u_char* data);
 	void TelnetSignatureFound(int len);
 	void CheckForSSH(uint64 seq, int len, const u_char* data);
 	void CheckForFTP(uint64 seq, int len, const u_char* data);
 	void CheckForRootBackdoor(uint64 seq, int len, const u_char* data);
 	void CheckForNapster(uint64 seq, int len, const u_char* data);
 	void CheckForGnutella(uint64 seq, int len, const u_char* data);
 	void CheckForKazaa(uint64 seq, int len, const u_char* data);
 	void CheckForHTTP(uint64 seq, int len, const u_char* data);
 	void CheckForHTTPProxy(uint64 seq, int len, const u_char* data);
 	void CheckForSMTP(uint64 seq, int len, const u_char* data);
 	void CheckForIRC(uint64 seq, int len, const u_char* data);
 	void CheckForGaoBot(uint64 seq, int len, const u_char* data);
 	void SignatureFound(EventHandlerPtr e, int do_orig = 0);
 	int CheckForStrings(const char** strs, const u_char* data, int len);
 	int CheckForFullString(const char* str, const u_char* data, int len);
 	int CheckForString(const char* str, const u_char* data, int len);
 	tcp::TCP_Endpoint* endp;
 	int is_partial;
 	uint64 max_top_seq;
 	int rlogin_checking_done;
 	int rlogin_num_null;
 	uint64 rlogin_string_separator_pos;
 	int rlogin_slash_seen;
 	uint32 num_pkts;
 	uint32 num_8k4_pkts;
 	uint32 num_8k0_pkts;
 	uint32 num_lines;
 	uint32 num_normal_lines;
 	uint32 num_bytes;
 	uint32 num_7bit_ascii;
 };
 class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer {
 public:
 	explicit BackDoor_Analyzer(Connection* c);
 	~BackDoor_Analyzer() override;
 	void Init() override;
 	void Done() override;
 	void StatTimer(double t, int is_expire);
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new BackDoor_Analyzer(conn); }
 protected:
 	// We support both packet and stream input, and can be instantiated
 	// even if the TCP analyzer is not yet reassembling.
 	void DeliverPacket(int len, const u_char* data, bool is_orig,
 					uint64 seq, const IP_Hdr* ip, int caplen) override;
 	void DeliverStream(int len, const u_char* data, bool is_orig) override;
 	void StatEvent();
 	void RemoveEvent();
 	BackDoorEndpoint* orig_endp;
 	BackDoorEndpoint* resp_endp;
 	int orig_stream_pos;
 	int resp_stream_pos;
 	double timeout;
 	double backoff;
 };
 class BackDoorTimer : public Timer {
 public:
 	BackDoorTimer(double t, BackDoor_Analyzer* a);
 	~BackDoorTimer() override;
 	void Dispatch(double t, int is_expire) override;
 protected:
 	BackDoor_Analyzer* analyzer;
 };
 } } // namespace analyzer::* 
 #endif
--- a/src/analyzer/protocol/backdoor/CMakeLists.txt
+++ b/src/analyzer/protocol/backdoor/CMakeLists.txt
@ -1,9 +0,0 @@
 include(ZeekPlugin)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 zeek_plugin_begin(Zeek BackDoor)
 zeek_plugin_cc(BackDoor.cc Plugin.cc)
 zeek_plugin_bif(events.bif)
 zeek_plugin_end()
--- a/src/analyzer/protocol/backdoor/Plugin.cc
+++ b/src/analyzer/protocol/backdoor/Plugin.cc
@ -1,25 +0,0 @@
 // See the file  in the main distribution directory for copyright.
 #include "plugin/Plugin.h"
 #include "BackDoor.h"
 namespace plugin {
 namespace Zeek_BackDoor {
 class Plugin : public plugin::Plugin {
 public:
 	plugin::Configuration Configure()
 		{
 		AddComponent(new ::analyzer::Component("BackDoor", ::analyzer::backdoor::BackDoor_Analyzer::Instantiate));
 		plugin::Configuration config;
 		config.name = "Zeek::BackDoor";
 		config.description = "Backdoor Analyzer deprecated";
 		return config;
 		}
 } plugin;
 }
 }
--- a/src/analyzer/protocol/backdoor/events.bif
+++ b/src/analyzer/protocol/backdoor/events.bif
@ -1,32 +0,0 @@
 ## Deprecated. Will be removed.
 event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%);
 ## Deprecated. Will be removed.
 event backdoor_remove_conn%(c: connection%);
 ## Deprecated. Will be removed.
 event ftp_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event gnutella_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event http_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event irc_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event telnet_signature_found%(c: connection, is_orig: bool, len: count%);
 ## Deprecated. Will be removed.
 event ssh_signature_found%(c: connection, is_orig: bool%);
 ## Deprecated. Will be removed.
 event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%);
 ## Deprecated. Will be removed.
 event smtp_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event http_proxy_signature_found%(c: connection%);
--- a/src/analyzer/protocol/gnutella/events.bif
+++ b/src/analyzer/protocol/gnutella/events.bif
@ -4,7 +4,7 @@
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see::  gnutella_binary_msg gnutella_establish gnutella_http_notify
-##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
+##    gnutella_not_establish gnutella_partial_binary_msg
 ##
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
@ -19,7 +19,7 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
-##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##    gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@ -36,7 +36,7 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
+##    gnutella_not_establish  gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@ -51,7 +51,7 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
-##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##    gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@ -65,7 +65,7 @@ event gnutella_establish%(c: connection%);
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##    gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
@ -79,7 +79,7 @@ event gnutella_not_establish%(c: connection%);
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
-##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+##    gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
--- a/src/event.bif
+++ b/src/event.bif
@ -799,17 +799,5 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr
 ## params: The event's parameters.
 event new_event%(name: string, params: call_argument_vector%);
 ## Deprecated. Will be removed.
 event root_backdoor_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event napster_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event kazaa_signature_found%(c: connection%);
 ## Deprecated. Will be removed.
 event gaobot_signature_found%(c: connection%);
 ## Shows an IP address anonymization mapping.
 event anonymization_mapping%(orig: addr, mapped: addr%);
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@ -62,7 +62,6 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/top-k.bif.zeek
  build/scripts/base/bif/plugins/__load__.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@ -62,7 +62,6 @@ scripts/base/init-frameworks-and-bifs.zeek
    build/scripts/base/bif/top-k.bif.zeek
  build/scripts/base/bif/plugins/__load__.zeek
    build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
    build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@ -1,4 +1,3 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
@ -64,7 +63,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
@ -276,7 +274,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@ -457,7 +455,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@ -572,7 +570,6 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek) -> -1
@ -892,7 +889,6 @@
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
@ -958,7 +954,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
@ -1170,7 +1165,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@ -1351,7 +1346,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@ -1466,7 +1461,6 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek)
@ -1786,7 +1780,6 @@
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@ -1852,7 +1845,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@ -2063,7 +2055,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@ -2244,7 +2236,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@ -2359,7 +2351,6 @@
 0.000000 | HookLoadFile  .<...>/Zeek_ARP.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_AsciiReader.ascii.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_AsciiWriter.ascii.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_BackDoor.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_BinaryReader.binary.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_BitTorrent.events.bif.zeek
@ -2675,7 +2666,7 @@
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()