Add AYIYA packet analyzer, disable old analyzer

scripts/base/frameworks/tunnels/main.zeek

@@ -90,16 +90,14 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
+redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
 
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
 
-	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);

scripts/base/packet-protocols/__load__.zeek

@@ -14,9 +14,11 @@
 @load base/packet-protocols/pppoe
 @load base/packet-protocols/vlan
 @load base/packet-protocols/mpls
-@load base/packet-protocols/gre
-@load base/packet-protocols/iptunnel
 @load base/packet-protocols/vntag
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp
 @load base/packet-protocols/icmp
+
+@load base/packet-protocols/gre
+@load base/packet-protocols/iptunnel
+@load base/packet-protocols/ayiya

scripts/base/packet-protocols/ayiya/__load__.zeek

@@ -0,0 +1 @@
+@load ./main

scripts/base/packet-protocols/ayiya/main.zeek

@@ -0,0 +1,19 @@
+module PacketAnalyzer::AYIYA;
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+const IPPROTO_IPV4 : count = 4;
+const IPPROTO_IPV6 : count = 41;
+
+const ayiya_ports = { 5072/udp };
+redef likely_server_ports += { ayiya_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, IPPROTO_IPV4, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, IPPROTO_IPV6, PacketAnalyzer::ANALYZER_IP);
+
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, ayiya_ports);
+	}

scripts/base/protocols/tunnels/dpd.sig

@@ -1,12 +1,6 @@
 # Provide DPD signatures for tunneling protocols that otherwise
 # wouldn't be detected at all.
 
-signature dpd_ayiya {
-  ip-proto = udp
-  payload /^..\x11\x29/
-  enable "ayiya"
-}
-
 signature dpd_teredo {
   ip-proto = udp
   payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/

src/analyzer/protocol/CMakeLists.txt

@@ -1,5 +1,4 @@
-
+#add_subdirectory(ayiya)
-add_subdirectory(ayiya)
 add_subdirectory(bittorrent)
 add_subdirectory(conn-size)
 add_subdirectory(dce-rpc)

src/packet_analysis/protocol/CMakeLists.txt

@@ -18,6 +18,8 @@ add_subdirectory(ip)
 add_subdirectory(udp)
 add_subdirectory(tcp)
 add_subdirectory(icmp)
+add_subdirectory(vntag)
+
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
-add_subdirectory(vntag)
+add_subdirectory(ayiya)

src/packet_analysis/protocol/ayiya/AYIYA.cc

@@ -0,0 +1,77 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/ayiya/AYIYA.h"
+
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+using namespace zeek::packet_analysis::AYIYA;
+
+AYIYAAnalyzer::AYIYAAnalyzer() : zeek::packet_analysis::Analyzer("AYIYA") { }
+
+bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_ayiya )
+		return false;
+
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	// This will be expanded based on the header data, but it has to be at least
+	// this long.
+	size_t hdr_size = 8;
+
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Truncated AYIYA", packet->session);
+		return false;
+		}
+
+	uint8_t identity_len = 1 << (data[0] >> 4);
+	uint8_t signature_len = (data[1] >> 4) * 4;
+	hdr_size += identity_len + signature_len;
+
+	// Double-check this one now that we know the actual full length of the header.
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Truncated AYIYA", packet->session);
+		return false;
+		}
+
+	uint8_t op_code = data[2] & 0x0F;
+
+	// Check that op_code is the "forward" command. Everything else is ignored.
+	// This isn't an error, it's just the end of our parsing.
+	if ( op_code != 1 )
+		return true;
+
+	uint8_t next_header = data[3];
+
+	len -= hdr_size;
+	data += hdr_size;
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::AYIYA,
+		GetAnalyzerTag());
+
+	AnalyzerConfirmation(packet->session);
+
+	// Skip the header and pass on to the next analyzer. It's possible for AYIYA to
+	// just be a header and nothing after it, so check for that case.
+	if ( len > hdr_size )
+		return ForwardPacket(len, data, inner_packet.get(), next_header);
+
+	return true;
+	}
+
+bool AYIYAAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_ayiya )
+		return false;
+
+	// These magic numbers are based on the old DPD entry, which was based on... something?
+	return len >= 3 && data[1] == 0x52 && data[2] == 0x11;
+	}

src/packet_analysis/protocol/ayiya/AYIYA.h

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::AYIYA
+	{
+
+class AYIYAAnalyzer : public zeek::packet_analysis::Analyzer
+	{
+public:
+	AYIYAAnalyzer();
+	~AYIYAAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<AYIYAAnalyzer>();
+		}
+
+	bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) override;
+	};
+
+	}

src/packet_analysis/protocol/ayiya/CMakeLists.txt

@@ -0,0 +1,5 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek AYIYA)
+zeek_plugin_cc(AYIYA.cc Plugin.cc)
+zeek_plugin_end()

src/packet_analysis/protocol/ayiya/Plugin.cc

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ayiya/AYIYA.h"
+
+namespace zeek::plugin::Zeek_AYIYA
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"AYIYA", zeek::packet_analysis::AYIYA::AYIYAAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::AYIYA";
+		config.description = "AYIYA packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -55,10 +55,6 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/vlan/main.zeek
     scripts/base/packet-protocols/mpls/__load__.zeek
       scripts/base/packet-protocols/mpls/main.zeek
-    scripts/base/packet-protocols/gre/__load__.zeek
-      scripts/base/packet-protocols/gre/main.zeek
-    scripts/base/packet-protocols/iptunnel/__load__.zeek
-      scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/vntag/__load__.zeek
       scripts/base/packet-protocols/vntag/main.zeek
     scripts/base/packet-protocols/udp/__load__.zeek
@@ -67,6 +63,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/gre/__load__.zeek
+      scripts/base/packet-protocols/gre/main.zeek
+    scripts/base/packet-protocols/iptunnel/__load__.zeek
+      scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/ayiya/__load__.zeek
+      scripts/base/packet-protocols/ayiya/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -55,10 +55,6 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/vlan/main.zeek
     scripts/base/packet-protocols/mpls/__load__.zeek
       scripts/base/packet-protocols/mpls/main.zeek
-    scripts/base/packet-protocols/gre/__load__.zeek
-      scripts/base/packet-protocols/gre/main.zeek
-    scripts/base/packet-protocols/iptunnel/__load__.zeek
-      scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/vntag/__load__.zeek
       scripts/base/packet-protocols/vntag/main.zeek
     scripts/base/packet-protocols/udp/__load__.zeek
@@ -67,6 +63,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/gre/__load__.zeek
+      scripts/base/packet-protocols/gre/main.zeek
+    scripts/base/packet-protocols/iptunnel/__load__.zeek
+      scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/ayiya/__load__.zeek
+      scripts/base/packet-protocols/ayiya/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -1,6 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -66,7 +65,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -131,7 +129,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
@@ -587,6 +584,10 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -632,6 +633,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -642,6 +644,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -672,6 +675,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
@@ -919,6 +923,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/api, <...>/api.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/ayiya, <...>/ayiya) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/broker, <...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/cluster, <...>/cluster) -> -1
@@ -1213,6 +1218,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./magic, <...>/magic) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./main.zeek, <...>/main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./max, <...>/max.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./min, <...>/min.zeek) -> (-1, <no content>)
@@ -1286,6 +1292,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ayiya, <...>/ayiya) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/broker, <...>/broker) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/cluster, <...>/cluster) -> (-1, <no content>)
@@ -1335,6 +1342,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/modbus, <...>/modbus) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mpls, <...>/mpls) -> (-1, <no content>)
@@ -1422,7 +1430,6 @@
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1488,7 +1495,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1553,7 +1559,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
@@ -2009,6 +2014,10 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2054,6 +2063,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2064,6 +2074,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -2094,6 +2105,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
@@ -2341,6 +2353,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/ayiya, <...>/ayiya)
 0.000000   MetaHookPre   LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/broker, <...>/broker)
 0.000000   MetaHookPre   LoadFile(0, base<...>/cluster, <...>/cluster)
@@ -2635,6 +2648,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./magic, <...>/magic)
 0.000000   MetaHookPre   LoadFileExtended(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./max, <...>/max.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./min, <...>/min.zeek)
@@ -2708,6 +2722,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ayiya, <...>/ayiya)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/broker, <...>/broker)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/cluster, <...>/cluster)
@@ -2757,6 +2772,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/modbus, <...>/modbus)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mpls, <...>/mpls)
@@ -2844,7 +2860,6 @@
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2910,7 +2925,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2975,7 +2989,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
@@ -3430,6 +3443,10 @@
 0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3475,6 +3492,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3485,6 +3503,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -3515,6 +3534,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
@@ -3774,6 +3794,7 @@
 0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
 0.000000 | HookLoadFile  base<...>/analyzer.bif <...>/analyzer.bif.zeek
 0.000000 | HookLoadFile  base<...>/api <...>/api.zeek
+0.000000 | HookLoadFile  base<...>/ayiya <...>/ayiya
 0.000000 | HookLoadFile  base<...>/backtrace <...>/backtrace.zeek
 0.000000 | HookLoadFile  base<...>/broker <...>/broker
 0.000000 | HookLoadFile  base<...>/cluster <...>/cluster
@@ -4065,6 +4086,7 @@
 0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended ./magic <...>/magic
 0.000000 | HookLoadFileExtended ./main <...>/main.zeek
+0.000000 | HookLoadFileExtended ./main.zeek <...>/main.zeek
 0.000000 | HookLoadFileExtended ./max <...>/max.zeek
 0.000000 | HookLoadFileExtended ./messaging.bif.zeek <...>/messaging.bif.zeek
 0.000000 | HookLoadFileExtended ./min <...>/min.zeek
@@ -4141,6 +4163,7 @@
 0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
 0.000000 | HookLoadFileExtended base<...>/analyzer.bif <...>/analyzer.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/api <...>/api.zeek
+0.000000 | HookLoadFileExtended base<...>/ayiya <...>/ayiya
 0.000000 | HookLoadFileExtended base<...>/backtrace <...>/backtrace.zeek
 0.000000 | HookLoadFileExtended base<...>/broker <...>/broker
 0.000000 | HookLoadFileExtended base<...>/cluster <...>/cluster
@@ -4190,6 +4213,7 @@
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
+0.000000 | HookLoadFileExtended base<...>/main.zeek <...>/main.zeek
 0.000000 | HookLoadFileExtended base<...>/messaging.bif <...>/messaging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/modbus <...>/modbus
 0.000000 | HookLoadFileExtended base<...>/mpls <...>/mpls

testing/btest/Baseline/signatures.dpd/dpd-ipv4.out

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous

testing/btest/Baseline/signatures.dpd/dpd-ipv6.out

@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous

testing/btest/Baseline/signatures.dpd/nosig-ipv4.out

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1

testing/btest/Baseline/signatures.dpd/nosig-ipv6.out

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1