Merge remote-tracking branch 'origin/master' into topic/matthias/opaque

CHANGES

@@ -1,4 +1,134 @@
 
+2.1-218 | 2012-12-10 14:45:04 -0800
+
+  * Add GPRS Tunnelling Protocol (GTPv1) decapsulation. This currently
+    supports automatic decapsulation of GTP-U packets on UDP port 2152.
+    The GTPv1 headers for such tunnels can be inspected by handling
+    the "gtpv1_g_pdu_packet" event, which has a parameter of type
+    "gtpv1_hdr". Addresses #690. (Jon Siwek; derived from patch by
+    Carsten Langer)
+
+  * Change BinPAC exceptions in AYIYA/GTP analyzers to do
+    "protocol_violation". (Jon Siwek)
+
+2.1-212 | 2012-12-07 19:42:03 -0800
+
+  * Changing the HTTP parser to accept request methods in alignment
+    with the RFC. (Robin Sommer)
+
+2.1-209 | 2012-12-05 16:44:04 -0800
+
+  * Adapting the HTTP request line parsing to only accept methods
+    consisting of letters [A-Za-z]. (Robin Sommer)
+
+2.1-207 | 2012-12-05 15:47:32 -0800
+
+  * Reporting warnings if kill/waitpid fail in communication system.
+    (Bill Parker)
+
+  * Replace() bzero with memset(). (Bill Parker)
+
+  * Merge remote-tracking branch 'vlad/topic/vladg/http-verbs'
+
+    * vlad/topic/vladg/http-verbs:
+      A test for HTTP methods, including some horribly illegal requests.
+      Remove hardcoded HTTP verbs from the analyzer (#741)
+
+    I added a "bad_HTTP_request" weird for HTTP request lines that don't
+    have more than a single word.
+
+    Closes #741. (Robin Sommer)
+
+  * A test for HTTP methods, including some horribly illegal requests. (Vlad Grigorescu)
+
+  * Remove hardcoded HTTP verbs from the analyzer (#741) (Vlad Grigorescu)
+
+
+2.1-203 | 2012-12-05 14:36:56 -0800
+
+  * Fix segfault: Synchronization of state between connecting peers
+    now skips over identifiers that aren't initialized with a value
+    yet. Addresses #66. (Jon Siwek)
+
+  * Fix segfault: Delete correct entry in error case in input
+    framework. (Bernhard Amann)
+
+  * Bad record constructor initializers now give an error. Addresses
+    #34. (Jon Siwek)
+
+  * Invalid vector indices now generate error message. Addresses #24.
+    (Jon Siwek)
+
+  * Bump CPack RPM package requirement to Python >= 2.6.0. (Jon Siwek)
+
+  * Interpreter exceptions occurring in "when" blocks are now handled.
+    Addresses #779 (Jon Siwek)
+
+2.1-195 | 2012-12-03 14:50:33 -0800
+
+  * Catching out-of-memory in patricia tree code. (Bill Parker)
+    
+2.1-194 | 2012-12-03 14:36:26 -0800
+
+  * Renaming ASCII writer filter option 'only_single_header_row' to
+    'tsv'. Also clarifying usage. Closes #912. (Robin Sommer)
+
+2.1-193 | 2012-12-03 14:11:14 -0800
+
+  * Fix a set of bugs with table/set attributes. (Jon Siwek)
+
+    - Identifiers that are initialized with set()/table() constructor
+      expressions now inherit attributes from the expression.  Before,
+      statements like
+
+         const i: set[string] = set() &redef;
+
+      associated the attribute with the set() constructor, but not the
+      "i" identifier, preventing redefinition.  Addresses #866.
+
+    - Allow &default attribute to apply to tables initialized as empty
+      (via either "{ }" or "table()") or if the expression supplied to it
+      can evaluate to a type that's promotable to the same yield type as
+      the table.
+
+2.1-191 | 2012-12-03 14:08:56 -0800
+
+  * Add test of record() constructor to table initializer unit test.
+    (Jon Siwek)
+
+  * Fix table(), set(), vector() constructors in table initializer
+    lists. Also adds type checking of yield values to table()
+    constructor and fixes the type checking of yield values in
+    vector() constructor. Addresses #5. (Jon Siwek)
+
+2.1-188 | 2012-12-03 14:04:29 -0800
+
+  * Hook functions now callable with "hook" expression (i.e., hook is
+    no longer a statement). The return value of the call is an
+    implicit boolean value of T if all hook handlers ran, or F if one
+    hook handler exited as a result of a break statement and
+    potentially prevented other handlers from running.
+
+    Scripts don't need to declare hooks with an explicit return type of bool
+    (internally, that's assumed), and any values given to (optional) return
+    statements in handler definitions are just ignored.
+
+    Addresses #918. (Jon Siwek)
+
+  * Clarification in hook documentation. (Jon Siwek)
+
+2.1-184 | 2012-12-03 13:59:50 -0800
+
+  * Slightly fix up file name extraction from Content-Disposition
+    headers. (Seth Hall)
+
+  * Adding -b flag to bro in unit tests so they run faster.
+
+  * Fixed a DNS attribute issue. Reported by Matt Thompson. (Seth
+    Hall)
+
+  * Adding NEWS placeholder for hooks and CSV mode. (Robin Sommer)
+    
 2.1-178 | 2012-11-23 19:35:32 -0800
 
   * The ASCII writer now supports a new filter config option

CMakeLists.txt

@@ -195,7 +195,7 @@ CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI)
 
 if (INSTALL_BROCTL)
     # CPack RPM Generator may not automatically detect this
-    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.4.0")
+    set(CPACK_RPM_PACKAGE_REQUIRES "python >= 2.6.0")
 endif ()
 
 # If this CMake project is a sub-project of another, we will not

NEWS

@@ -13,6 +13,8 @@ Bro 2.2
 New Functionality
 ~~~~~~~~~~~~~~~~~
 
+- GPRS Tunnelling Protocol (GTPv1) decapsulation.
+
 - GridFTP support. TODO: Extend.
 
 - ssl.log now also records the subject client and issuer certificates.

VERSION

@@ -1 +1 @@
-2.1-179
+2.1-218

aux/broccoli

@@ -1 +1 @@
-Subproject commit a8846fc5b004ffe4e3d00e826d0077ba19518192
+Subproject commit 06682dbb15d26d2688bdc9ad76efec17d38dc80f

aux/broctl

@@ -1 +1 @@
-Subproject commit 834131cd0ec0f63cce9de818726fe6167dedbf34
+Subproject commit 91e3b8ad445cb4d8919b4ee1cc6f0753c3fa0a55

doc/scripts/builtins.rst

@@ -505,15 +505,14 @@ The Bro scripting language supports the following built-in types.
     A hook is another flavor of function that shares characteristics of
     both a :bro:type:`function` and a :bro:type:`event`.  They are like
     events in that many handler bodies can be defined for the same hook
-    identifier, they have no return vale, and the order of execution
+    identifier and the order of execution can be enforced with
-    can be enforced with :bro:attr:`&priority`.  They are more like
+    :bro:attr:`&priority`.  They are more like functions in the way they
-    functions in the way they are invoked/called, because, unlike
+    are invoked/called, because, unlike events, their execution is
-    events, their execution is immediate and they do not get scheduled
+    immediate and they do not get scheduled through an event queue.
-    through an event queue.  Also, a unique feature of a hook is that
+    Also, a unique feature of a hook is that a given hook handler body
-    a given hook handler body can short-circuit the execution of
+    can short-circuit the execution of remaining hook handlers simply by
-    remaining hook handlers simply by exiting from the body as a result
+    exiting from the body as a result of a ``break`` statement (as
-    of a ``break`` statement (as opposed to a ``return`` or just
+    opposed to a ``return`` or just reaching the end of the body).
-    reaching the end of the body).
 
     A hook type is declared like::
 
@@ -549,18 +548,26 @@ The Bro scripting language supports the following built-in types.
             print "not going to happen", s;
             }
 
-    Note that, although the first (forward) declaration of ``myhook`` as
+    Note that the first (forward) declaration of ``myhook`` as a hook
-    a hook type isn't strictly required, when it is provided, the
+    type isn't strictly required.  Argument types must match for all
-    argument types must match.
+    hook handlers and any forward declaration of a given hook.
 
-    To invoke immediate execution of all hook handler bodies, a ``hook``
+    To invoke immediate execution of all hook handler bodies, they
-    statement must be used:
+    are called similarly to a function, except preceded by the ``hook``
+    keyword:
 
     .. code:: bro
 
         hook myhook("hi");
 
-    And the output would like like::
+    or
+
+    .. code:: bro
+
+        if ( hook myhook("hi") )
+            print "all handlers ran";
+
+    And the output would look like::
 
         priority 10 myhook handler, hi
         break out of myhook handling, bye
@@ -568,6 +575,12 @@ The Bro scripting language supports the following built-in types.
     Note how the modification to arguments can be seen by remaining
     hook handlers.
 
+    The return value of a hook call is an implicit :bro:type:`bool`
+    value with ``T`` meaning that all handlers for the hook were
+    executed and ``F`` meaning that only some of the handlers may have
+    executed due to one handler body exiting as a result of a ``break``
+    statement.
+
 Attributes
 ----------
 

scripts/base/frameworks/logging/writers/ascii.bro

@@ -2,11 +2,14 @@
 ##! to tweak the output format of ASCII logs.
 ##!
 ##! The ASCII writer supports currently one writer-specific filter option via
-##! ``config``: setting ``only_single_header_row`` to ``T`` turns the output into
+##! ``config``: setting ``tsv`` to the string ``T`` turns the output into into
-##! into CSV mode where only a single header row with the column names is printed
+##! "tab-separated-value" mode where only a single header row with the column names
-##! out as meta information. Example filter using this::
+##! is printed out as meta information, with no "# fields" prepended; no other meta
+##! data gets included in that mode.   
 ##! 
-##!    local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["only_single_header_row"] = "T")]; 
+##! Example filter using this::
+##! 
+##!    local my_filter: Log::Filter = [$name = "my-filter", $writer = Log::WRITER_ASCII, $config = table(["tsv"] = "T")]; 
 ##!
 
 module LogAscii;

scripts/base/frameworks/tunnels/main.bro

@@ -88,7 +88,10 @@ redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
 const teredo_ports = { 3544/udp };
 redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
 
-redef likely_server_ports += { ayiya_ports, teredo_ports };
+const gtpv1u_ports = { 2152/udp };
+redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1u_ports] };
+
+redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1u_ports };
 
 event bro_init() &priority=5
 	{

scripts/base/init-bare.bro

@@ -1450,6 +1450,44 @@ type teredo_hdr: record {
 	hdr:    pkt_hdr;                 ##< IPv6 and transport protocol headers.
 };
 
+## A GTPv1 (GPRS Tunneling Protocol) header.
+type gtpv1_hdr: record {
+	## The 3-bit version field, which for GTPv1 should be 1.
+	version:   count;
+	## Protocol Type value differentiates GTP (value 1) from GTP' (value 0).
+	pt_flag:   bool;
+	## Reserved field, should be 0.
+	rsv:       bool;
+	## Extension Header flag.  When 0, the *next_type* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *next_type* is
+	## present and meaningful.
+	e_flag:    bool;
+	## Sequence Number flag.  When 0, the *seq* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *seq* is
+	## present and meaningful.
+	s_flag:    bool;
+	## N-PDU flag.  When 0, the *n_pdu* field may or may not
+	## be present, but shouldn't be meaningful.  When 1, *n_pdu* is
+	## present and meaningful.
+	pn_flag:   bool;
+	## Message Type.  A value of 255 indicates user-plane data is encapsulated.
+	msg_type:  count;
+	## Length of the GTP packet payload (the rest of the packet following the
+	## mandatory 8-byte GTP header).
+	length:    count;
+	## Tunnel Endpoint Identifier.  Unambiguously identifies a tunnel endpoint
+	## in receiving GTP-U or GTP-C protocol entity.
+	teid:      count;
+	## Sequence Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field is
+	## set.
+	seq:       count &optional;
+	## N-PDU Number.  Set if any *e_flag*, *s_flag*, or *pn_flag* field is set.
+	n_pdu:     count &optional;
+	## Next Extension Header Type.  Set if any *e_flag*, *s_flag*, or *pn_flag*
+	## field is set.
+	next_type: count &optional;
+};
+
 ## Definition of "secondary filters". A secondary filter is a BPF filter given as
 ## index in this table. For each such filter, the corresponding event is raised for
 ## all matching packets.
@@ -2786,6 +2824,9 @@ export {
 	## Toggle whether to do IPv6-in-Teredo decapsulation.
 	const enable_teredo = T &redef;
 
+	## Toggle whether to do GTPv1 decapsulation.
+	const enable_gtpv1 = T &redef;
+
 	## With this option set, the Teredo analysis will first check to see if
 	## other protocol analyzers have confirmed that they think they're
 	## parsing the right protocol and only continue with Teredo tunnel
@@ -2802,6 +2843,15 @@ export {
 	## :bro:see:`Tunnel::yielding_teredo_decapsulation`.
 	const delay_teredo_confirmation = T &redef;
 
+	## With this set, the GTP analyzer waits until the most-recent upflow
+	## and downflow packets are a valid GTPv1 encapsulation before
+	## issuing :bro:see:`protocol_confirmation`.  If it's false, the
+	## first occurence of a packet with valid GTPv1 encapsulation causes
+	## confirmation.  Since the same inner connection can be carried
+	## differing outer upflow/downflow connections, setting to false
+	## may work better.
+	const delay_gtp_confirmation = F &redef;
+
 	## How often to cleanup internal state for inactive IP tunnels.
 	const ip_tunnel_timeout = 24hrs &redef;
 } # end export

scripts/base/protocols/dns/main.bro

@@ -67,7 +67,7 @@ export {
 		ready:         bool            &default=F;
 		## The total number of resource records in a reply message's answer
 		## section.
-		total_answers: count           &default=0;
+		total_answers: count           &optional;
 		## The total number of resource records in a reply message's answer,
 		## authority, and additional sections.
 		total_replies: count           &optional;
@@ -231,6 +231,7 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 		Log::write(DNS::LOG, c$dns);
 		# This record is logged and no longer pending.
 		delete c$dns_state$pending[c$dns$trans_id];
+		delete c$dns;
 		}
 	}
 

scripts/base/protocols/http/main.bro

@@ -95,6 +95,19 @@ export {
 		"PROXY-CONNECTION",
 	} &redef;
 
+	## A list of HTTP methods. Other methods will generate a weird. Note
+        ## that the HTTP analyzer will only accept methods consisting solely
+        ## of letters ``[A-Za-z]``.
+	const http_methods: set[string] = {
+		"GET", "POST", "HEAD", "OPTIONS",
+		"PUT", "DELETE", "TRACE", "CONNECT",
+		# HTTP methods for distributed authoring:
+		"PROPFIND", "PROPPATCH", "MKCOL",
+		"COPY", "MOVE", "LOCK", "UNLOCK",
+		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
+		"SEARCH"
+	} &redef;
+	
 	## Event that can be handled to access the HTTP record as it is sent on 
 	## to the logging framework.
 	global log_http: event(rec: Info);
@@ -180,6 +193,9 @@ event http_request(c: connection, method: string, original_URI: string,
 	
 	c$http$method = method;
 	c$http$uri = unescaped_URI;
+
+	if ( method !in http_methods )
+		event conn_weird("unknown_HTTP_method", c, method);
 	}
 	
 event http_reply(c: connection, version: string, code: count, reason: string) &priority=5

scripts/base/utils/files.bro

@@ -19,7 +19,7 @@ function generate_extraction_filename(prefix: string, c: connection, suffix: str
 ## the filename.
 function extract_filename_from_content_disposition(data: string): string
 	{
-	local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE]=/, "");
+	local filename = sub(data, /^.*[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*=[[:blank:]]*/, "");
 	# Remove quotes around the filename if they are there.
 	if ( /^\"/ in filename )
 		filename =  split_n(filename, /\"/, F, 2)[2];

src/AYIYA.cc

@@ -20,5 +20,13 @@ void AYIYA_Analyzer::Done()
 void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
 	{
 	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+
+	try
+		{
 		interp->NewData(orig, data, data + len);
 		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}

src/Analyzer.cc

@@ -41,6 +41,7 @@
 #include "Syslog-binpac.h"
 #include "Teredo.h"
 #include "ConnSizeAnalyzer.h"
+#include "GTPv1.h"
 
 // Keep same order here as in AnalyzerTag definition!
 const Analyzer::Config Analyzer::analyzer_configs[] = {
@@ -143,6 +144,9 @@ const Analyzer::Config Analyzer::analyzer_configs[] = {
 	{ AnalyzerTag::Teredo, "TEREDO",
 		Teredo_Analyzer::InstantiateAnalyzer,
 		Teredo_Analyzer::Available, 0, false },
+	{ AnalyzerTag::GTPv1, "GTPV1",
+		GTPv1_Analyzer::InstantiateAnalyzer,
+		GTPv1_Analyzer::Available, 0, false },
 
 	{ AnalyzerTag::File, "FILE", File_Analyzer::InstantiateAnalyzer,
 		File_Analyzer::Available, 0, false },

src/AnalyzerTags.h

@@ -38,6 +38,7 @@ namespace AnalyzerTag {
 		AYIYA,
 		SOCKS,
 		Teredo,
+		GTPv1,
 
 		// Other
 		File, Backdoor, InterConn, SteppingStone, TCPStats,

src/Attr.cc

@@ -260,6 +260,11 @@ void Attributes::CheckAttr(Attr* a)
 				// Ok.
 				break;
 
+			if ( type->Tag() == TYPE_TABLE &&
+			     type->AsTableType()->IsUnspecifiedTable() )
+				// Ok.
+				break;
+
 			a->AttrExpr()->Error("&default value has inconsistent type", type);
 			}
 
@@ -290,6 +295,11 @@ void Attributes::CheckAttr(Attr* a)
 					// Ok.
 					break;
 
+				Expr* e = a->AttrExpr();
+				if ( check_and_promote_expr(e, ytype) )
+					// Ok.
+					break;
+
 				Error("&default value has inconsistent type 2");
 				}
 

src/CMakeLists.txt

@@ -203,6 +203,8 @@ binpac_target(dns.pac
     dns-protocol.pac dns-analyzer.pac)
 binpac_target(dns_tcp.pac
     dns.pac)
+binpac_target(gtpv1.pac
+    gtpv1-protocol.pac gtpv1-analyzer.pac)
 binpac_target(http.pac
     http-protocol.pac http-analyzer.pac)
 binpac_target(ncp.pac)
@@ -332,6 +334,7 @@ set(bro_SRCS
     Frame.cc
     Func.cc
     Gnutella.cc
+    GTPv1.cc
     HTTP.cc
     HTTP-binpac.cc
     Hash.cc

src/Expr.cc

@@ -2663,7 +2663,7 @@ void AssignExpr::EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const
 	TableVal* tv = aggr->AsTableVal();
 
 	Val* index = op1->Eval(f);
-	Val* v = op2->Eval(f);
+	Val* v = check_and_promote(op2->Eval(f), t->YieldType(), 1);
 	if ( ! index || ! v )
 		return;
 
@@ -2950,16 +2950,12 @@ Val* IndexExpr::Fold(Val* v1, Val* v2) const
 	if ( IsError() )
 		return 0;
 
-	if ( v1->Type()->Tag() == TYPE_VECTOR )
+	Val* v = 0;
-		{
-		Val* v = v1->AsVectorVal()->Lookup(v2);
-		// ### dangerous - this can silently fail larger operations
-		// due to a missing element
-		return v ? v->Ref() : 0;
-		}
 
-	TableVal* v_tbl = v1->AsTableVal();
+	if ( v1->Type()->Tag() == TYPE_VECTOR )
-	Val* v = v_tbl->Lookup(v2);
+		v = v1->AsVectorVal()->Lookup(v2);
+	else
+		v = v1->AsTableVal()->Lookup(v2);
 
 	if ( v )
 		return v->Ref();
@@ -3290,7 +3286,11 @@ RecordConstructorExpr::RecordConstructorExpr(ListExpr* constructor_list)
 
 Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	{
-	RecordVal* rv = Eval(0)->AsRecordVal();
+	Val* v = Eval(0);
+
+	if ( v )
+		{
+		RecordVal* rv = v->AsRecordVal();
 		RecordVal* ar = rv->CoerceTo(t->AsRecordType(), aggr);
 
 		if ( ar )
@@ -3298,13 +3298,11 @@ Val* RecordConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 			Unref(rv);
 			return ar;
 			}
+		}
 
-	else
-		{
 	Error("bad record initializer");
 	return 0;
 	}
-	}
 
 Val* RecordConstructorExpr::Fold(Val* v) const
 	{
@@ -3386,7 +3384,14 @@ Val* TableConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	if ( IsError() )
 		return 0;
 
-	return op->InitVal(t, aggr);
+	TableType* tt = Type()->AsTableType();
+	TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs);
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		exprs[i]->EvalIntoAggregate(t, tval, 0);
+
+	return tval;
 	}
 
 void TableConstructorExpr::ExprDescribe(ODesc* d) const
@@ -3438,7 +3443,7 @@ Val* SetConstructorExpr::Eval(Frame* f) const
 	if ( IsError() )
 		return 0;
 
-	TableVal* aggr = new TableVal(type->AsTableType(), 0);
+	TableVal* aggr = new TableVal(type->AsTableType(), attrs);
 	const expr_list& exprs = op->AsListExpr()->Exprs();
 
 	loop_over_list(exprs, i)
@@ -3456,7 +3461,26 @@ Val* SetConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	if ( IsError() )
 		return 0;
 
-	return op->InitVal(t, aggr);
+	const BroType* index_type = t->AsTableType()->Indices();
+	TableType* tt = Type()->AsTableType();
+	TableVal* tval = aggr ? aggr->AsTableVal() : new TableVal(tt, attrs);
+	const expr_list& exprs = op->AsListExpr()->Exprs();
+
+	loop_over_list(exprs, i)
+		{
+		Expr* e = exprs[i];
+		Val* element = check_and_promote(e->Eval(0), index_type, 1);
+
+		if ( ! element || ! tval->Assign(element, 0) )
+			{
+			Error(fmt("initialization type mismatch in set"), e);
+			return 0;
+			}
+
+		Unref(element);
+		}
+
+	return tval;
 	}
 
 void SetConstructorExpr::ExprDescribe(ODesc* d) const
@@ -3536,14 +3560,14 @@ Val* VectorConstructorExpr::InitVal(const BroType* t, Val* aggr) const
 	if ( IsError() )
 		return 0;
 
-	VectorVal* vec = aggr->AsVectorVal();
+	VectorType* vt = Type()->AsVectorType();
-	const BroType* vt = vec->Type()->AsVectorType()->YieldType();
+	VectorVal* vec = aggr ? aggr->AsVectorVal() : new VectorVal(vt);
 	const expr_list& exprs = op->AsListExpr()->Exprs();
 
 	loop_over_list(exprs, i)
 		{
 		Expr* e = exprs[i];
-		Val* v = check_and_promote(e->Eval(0), vt, 1);
+		Val* v = check_and_promote(e->Eval(0), t->YieldType(), 1);
 
 		if ( ! v || ! vec->Assign(i, v, e) )
 			{
@@ -4394,6 +4418,13 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook)
 		return;
 		}
 
+	if ( func_type->AsFuncType()->Flavor() == FUNC_FLAVOR_HOOK && ! in_hook )
+		{
+		func->Error("hook cannot be called directly, use hook operator");
+		SetError();
+		return;
+		}
+
 	if ( ! func_type->MatchesIndex(args) )
 		SetError("argument type mismatch in function call");
 	else
@@ -4415,13 +4446,8 @@ CallExpr::CallExpr(Expr* arg_func, ListExpr* arg_args, bool in_hook)
 				break;
 
 			case FUNC_FLAVOR_HOOK:
-				// It's fine to not have a yield if it's known that the call
+				Error("hook has no yield type");
-				// is being done from a hook statement.
-				if ( ! in_hook )
-					{
-					Error("hook called in expression, use hook statement instead");
 				SetError();
-					}
 				break;
 
 			default:

src/Expr.h

@@ -747,6 +747,8 @@ public:
 	TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
 	~TableConstructorExpr()	{ Unref(attrs); }
 
+	Attributes* Attrs() { return attrs; }
+
 	Val* Eval(Frame* f) const;
 
 protected:
@@ -767,6 +769,8 @@ public:
 	SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs);
 	~SetConstructorExpr()	{ Unref(attrs); }
 
+	Attributes* Attrs() { return attrs; }
+
 	Val* Eval(Frame* f) const;
 
 protected:

src/Func.cc

@@ -349,16 +349,31 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const
 			break;
 			}
 
-		if ( flow == FLOW_BREAK && Flavor() == FUNC_FLAVOR_HOOK )
+		if ( Flavor() == FUNC_FLAVOR_HOOK )
 			{
-			// short-circuit execution of remaining hook handler bodies
+			// Ignore any return values of hook bodies, final return value
+			// depends on whether a body returns as a result of break statement.
+			Unref(result);
+			result = 0;
+
+			if ( flow == FLOW_BREAK )
+				{
+				// Short-circuit execution of remaining hook handler bodies.
+				result = new Val(false, TYPE_BOOL);
 				break;
 				}
 			}
+		}
+
+	if ( Flavor() == FUNC_FLAVOR_HOOK )
+		{
+		if ( ! result )
+			result = new Val(true, TYPE_BOOL);
+		}
 
 	// Warn if the function returns something, but we returned from
 	// the function without an explicit return, or without a value.
-	if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID &&
+	else if ( FType()->YieldType() && FType()->YieldType()->Tag() != TYPE_VOID &&
 	     (flow != FLOW_RETURN /* we fell off the end */ ||
 	      ! result /* explicit return with no result */) &&
 	     ! f->HasDelayed() )

src/GTPv1.cc

@@ -0,0 +1,31 @@
+#include "GTPv1.h"
+
+GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn)
+: Analyzer(AnalyzerTag::GTPv1, conn)
+	{
+	interp = new binpac::GTPv1::GTPv1_Conn(this);
+	}
+
+GTPv1_Analyzer::~GTPv1_Analyzer()
+	{
+	delete interp;
+	}
+
+void GTPv1_Analyzer::Done()
+	{
+	Analyzer::Done();
+	Event(udp_session_done);
+	}
+
+void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, int seq, const IP_Hdr* ip, int caplen)
+	{
+	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
+	try
+		{
+		interp->NewData(orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+		}
+	}

src/GTPv1.h

@@ -0,0 +1,29 @@
+#ifndef GTPv1_h
+#define GTPv1_h
+
+#include "gtpv1_pac.h"
+
+class GTPv1_Analyzer : public Analyzer {
+public:
+	GTPv1_Analyzer(Connection* conn);
+	virtual ~GTPv1_Analyzer();
+
+	virtual void Done();
+	virtual void DeliverPacket(int len, const u_char* data, bool orig,
+					int seq, const IP_Hdr* ip, int caplen);
+
+	static Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new GTPv1_Analyzer(conn); }
+
+	static bool Available()
+		{ return BifConst::Tunnel::enable_gtpv1 &&
+		         BifConst::Tunnel::max_depth > 0; }
+
+protected:
+	friend class AnalyzerTimer;
+	void ExpireTimer(double t);
+
+	binpac::GTPv1::GTPv1_Conn* interp;
+};
+
+#endif

src/HTTP.cc

@@ -1116,38 +1116,39 @@ const char* HTTP_Analyzer::PrefixWordMatch(const char* line,
 	return line;
 	}
 
+static bool is_HTTP_token_char(char c)
+	{
+	return c > 31 && c != 127 &&      // CTL per RFC 2616.
+	        c != ' ' && c != '\t' &&  // Separators.
+		c != '(' && c != ')' && c != '<' && c != '>' && c != '@' &&
+		c != ',' && c != ';' && c != ':' && c != '\\' && c != '"' &&
+		c != '/' && c != '[' && c != ']' && c != '?' && c != '=' &&
+		c != '{' && c != '}';
+	}
+
+static const char* get_HTTP_token(const char* s, const char* e)
+	{
+	while ( s < e && is_HTTP_token_char(*s) )
+		++s;
+
+	return s;
+	}
+
+
 int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 	{
 	const char* rest = 0;
-	static const char* http_methods[] = {
+	const char* end_of_method = get_HTTP_token(line, end_of_line);
-		"GET", "POST", "HEAD",
 
-		"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT",
+	if ( end_of_method == line )
+		goto error;
 
-		// HTTP methods for distributed authoring.
+	rest = skip_whitespace(end_of_method, end_of_line);
-		"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
-		"COPY", "MOVE", "LOCK", "UNLOCK",
-		"POLL", "REPORT", "SUBSCRIBE", "BMOVE",
 
-		"SEARCH",
+	if ( rest == end_of_method )
+		goto error;
 
-		0,
+	request_method = new StringVal(end_of_method - line, line);
-	};
-
-	int i;
-	for ( i = 0; http_methods[i]; ++i )
-		if ( (rest = PrefixWordMatch(line, end_of_line, http_methods[i])) != 0 )
-			break;
-
-	if ( ! http_methods[i] )
-		{
-		// Weird("HTTP_unknown_method");
-		if ( RequestExpected() )
-			HTTP_Event("unknown_HTTP_method", new_string_val(line, end_of_line));
-		return 0;
-		}
-
-	request_method = new StringVal(http_methods[i]);
 
 	if ( ! ParseRequest(rest, end_of_line) )
 		reporter->InternalError("HTTP ParseRequest failed");
@@ -1157,6 +1158,10 @@ int HTTP_Analyzer::HTTP_RequestLine(const char* line, const char* end_of_line)
 			unescaped_URI->AsString()->Len(), true, true, true, true);
 
 	return 1;
+
+error:
+	reporter->Weird(Conn(), "bad_HTTP_request");
+	return 0;
 	}
 
 int HTTP_Analyzer::ParseRequest(const char* line, const char* end_of_line)

src/NetVar.cc

@@ -5,6 +5,7 @@
 #include "Var.h"
 #include "NetVar.h"
 
+RecordType* gtpv1_hdr_type;
 RecordType* conn_id;
 RecordType* endpoint;
 RecordType* endpoint_stats;
@@ -308,6 +309,7 @@ void init_net_var()
 #include "input.bif.netvar_init"
 #include "reporter.bif.netvar_init"
 
+	gtpv1_hdr_type = internal_type("gtpv1_hdr")->AsRecordType();
 	conn_id = internal_type("conn_id")->AsRecordType();
 	endpoint = internal_type("endpoint")->AsRecordType();
 	endpoint_stats = internal_type("endpoint_stats")->AsRecordType();

src/NetVar.h

@@ -8,6 +8,7 @@
 #include "EventRegistry.h"
 #include "Stats.h"
 
+extern RecordType* gtpv1_hdr_type;
 extern RecordType* conn_id;
 extern RecordType* endpoint;
 extern RecordType* endpoint_stats;

src/RemoteSerializer.cc

@@ -545,8 +545,11 @@ RemoteSerializer::~RemoteSerializer()
 	{
 	if ( child_pid )
 		{
-		kill(child_pid, SIGKILL);
+		if ( kill(child_pid, SIGKILL) < 0 )
-		waitpid(child_pid, 0, 0);
+			reporter->Warning("warning: cannot kill child (pid %d), %s", child_pid, strerror(errno));
+
+		else if ( waitpid(child_pid, 0, 0) < 0 )
+			reporter->Warning("warning: error encountered during waitpid(%d), %s", child_pid, strerror(errno));
 		}
 
 	delete io;
@@ -1032,6 +1035,14 @@ bool RemoteSerializer::SendAllSynchronized(Peer* peer, SerialInfo* info)
 
 	for ( ; index < sync_ids.length(); ++index )
 		{
+		if ( ! sync_ids[index]->ID_Val() )
+			{
+#ifdef DEBUG
+			DBG_LOG(DBG_COMM, "Skip sync of ID with null value: %s\n",
+			        sync_ids[index]->Name());
+#endif
+			continue;
+			}
 		cont->SaveContext();
 
 		StateAccess sa(OP_ASSIGN, sync_ids[index],
@@ -3153,7 +3164,10 @@ void RemoteSerializer::FatalError(const char* msg)
 	reporter->Error("%s", msg);
 
 	closed = true;
-	kill(child_pid, SIGQUIT);
+
+	if ( kill(child_pid, SIGQUIT) < 0 )
+		reporter->Warning("warning: cannot kill child pid %d, %s", child_pid, strerror(errno));
+
 	child_pid = 0;
 	using_communication = false;
 	io->Clear();
@@ -3963,7 +3977,7 @@ bool SocketComm::Connect(Peer* peer)
 	{
 	int status;
 	addrinfo hints, *res, *res0;
-	bzero(&hints, sizeof(hints));
+        memset(&hints, 0, sizeof(hints));
 
 	hints.ai_family = PF_UNSPEC;
 	hints.ai_protocol = IPPROTO_TCP;
@@ -4095,7 +4109,7 @@ bool SocketComm::Listen()
 	{
 	int status, on = 1;
 	addrinfo hints, *res, *res0;
-	bzero(&hints, sizeof(hints));
+        memset(&hints, 0, sizeof(hints));
 
 	IPAddr listen_ip(listen_if);
 
@@ -4360,7 +4374,8 @@ void SocketComm::Kill()
 
 	CloseListenFDs();
 
-	kill(getpid(), SIGTERM);
+	if ( kill(getpid(), SIGTERM) < 0 )
+		Log(fmt("warning: cannot kill SocketComm pid %d, %s", getpid(), strerror(errno)));
 
 	while ( 1 )
 		; // loop until killed

src/SerialTypes.h

@@ -170,7 +170,6 @@ SERIAL_STMT(EVENT_BODY_LIST, 16)
 SERIAL_STMT(INIT_STMT, 17)
 SERIAL_STMT(NULL_STMT, 18)
 SERIAL_STMT(WHEN_STMT, 19)
-SERIAL_STMT(HOOK_STMT, 20)
 
 #define SERIAL_TYPE(name, val) SERIAL_CONST(name, val, BRO_TYPE)
 SERIAL_TYPE(BRO_TYPE, 1)

src/Stmt.cc

@@ -23,7 +23,7 @@ const char* stmt_name(BroStmtTag t)
 		"print", "event", "expr", "if", "when", "switch",
 		"for", "next", "break", "return", "add", "delete",
 		"list", "bodylist",
-		"<init>", "hook",
+		"<init>",
 		"null",
 	};
 
@@ -933,52 +933,6 @@ bool EventStmt::DoUnserialize(UnserialInfo* info)
 	return event_expr != 0;
 	}
 
-HookStmt::HookStmt(CallExpr* arg_e) : ExprStmt(STMT_HOOK, arg_e)
-	{
-	call_expr = arg_e;
-	}
-
-Val* HookStmt::Exec(Frame* f, stmt_flow_type& flow) const
-	{
-	RegisterAccess();
-
-	Val* ret = call_expr->Eval(f);
-	Unref(ret);
-
-	flow = FLOW_NEXT;
-
-	return 0;
-	}
-
-TraversalCode HookStmt::Traverse(TraversalCallback* cb) const
-	{
-	TraversalCode tc = cb->PreStmt(this);
-	HANDLE_TC_STMT_PRE(tc);
-
-	// call expr is stored in base class's "e" field.
-	tc = e->Traverse(cb);
-	HANDLE_TC_STMT_PRE(tc);
-
-	tc = cb->PostStmt(this);
-	HANDLE_TC_STMT_POST(tc);
-	}
-
-IMPLEMENT_SERIAL(HookStmt, SER_HOOK_STMT);
-
-bool HookStmt::DoSerialize(SerialInfo* info) const
-	{
-	DO_SERIALIZE(SER_HOOK_STMT, ExprStmt);
-	return call_expr->Serialize(info);
-	}
-
-bool HookStmt::DoUnserialize(UnserialInfo* info)
-	{
-	DO_UNSERIALIZE(ExprStmt);
-
-	call_expr = (CallExpr*) Expr::Unserialize(info, EXPR_CALL);
-	return call_expr != 0;
-	}
-
 ForStmt::ForStmt(id_list* arg_loop_vars, Expr* loop_expr)
 : ExprStmt(STMT_FOR, loop_expr)
 	{
@@ -1378,7 +1332,10 @@ ReturnStmt::ReturnStmt(Expr* arg_e) : ExprStmt(STMT_RETURN, arg_e)
 		}
 
 	else if ( ! e )
+		{
+		if ( ft->Flavor() != FUNC_FLAVOR_HOOK )
 			Error("return statement needs expression");
+		}
 
 	else
 		(void) check_and_promote_expr(e, yt);
@@ -1990,7 +1947,6 @@ int same_stmt(const Stmt* s1, const Stmt* s2)
 	case STMT_RETURN:
 	case STMT_EXPR:
 	case STMT_EVENT:
-	case STMT_HOOK:
 		{
 		const ExprStmt* e1 = (const ExprStmt*) s1;
 		const ExprStmt* e2 = (const ExprStmt*) s2;

src/Stmt.h

@@ -286,24 +286,6 @@ protected:
 	EventExpr* event_expr;
 };
 
-class HookStmt : public ExprStmt {
-public:
-	HookStmt(CallExpr* e);
-
-	Val* Exec(Frame* f, stmt_flow_type& flow) const;
-
-	TraversalCode Traverse(TraversalCallback* cb) const;
-
-protected:
-	friend class Stmt;
-
-	HookStmt() { call_expr = 0; }
-
-	DECLARE_SERIAL(HookStmt);
-
-	CallExpr* call_expr;
-};
-
 class ForStmt : public ExprStmt {
 public:
 	ForStmt(id_list* loop_vars, Expr* loop_expr);

src/StmtEnums.h

@@ -15,7 +15,7 @@ typedef enum {
 	STMT_RETURN,
 	STMT_ADD, STMT_DELETE,
 	STMT_LIST, STMT_EVENT_BODY_LIST,
-	STMT_INIT, STMT_HOOK,
+	STMT_INIT,
 	STMT_NULL
 #define NUM_STMTS (int(STMT_NULL) + 1)
 } BroStmtTag;

src/Trigger.cc

@@ -217,8 +217,15 @@ bool Trigger::Eval()
 			Name());
 
 	Unref(v);
+	v = 0;
 	stmt_flow_type flow;
+
+	try
+		{
 		v = body->Exec(f, flow);
+		}
+	catch ( InterpreterException& e )
+		{ /* Already reported. */ }
 
 	if ( is_return )
 		{
@@ -300,7 +307,14 @@ void Trigger::Timeout()
 		{
 		stmt_flow_type flow;
 		Frame* f = frame->Clone();
-		Val* v = timeout_stmts->Exec(f, flow);
+		Val* v = 0;
+
+		try
+			{
+			v = timeout_stmts->Exec(f, flow);
+			}
+		catch ( InterpreterException& e )
+			{ /* Already reported. */ }
 
 		if ( is_return )
 			{
@@ -382,7 +396,7 @@ void Trigger::Attach(Trigger *trigger)
 
 void Trigger::Cache(const CallExpr* expr, Val* v)
 	{
-	if ( disabled )
+	if ( disabled || ! v )
 		return;
 
 	ValCache::iterator i = cache.find(expr);

src/Val.cc

@@ -3149,6 +3149,9 @@ bool OpaqueVal::DoUnserialize(UnserialInfo* info)
 
 Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	{
+	if ( ! v )
+		return 0;
+
 	BroType* vt = v->Type();
 
 	vt = flatten_type(vt);

src/Var.cc

@@ -109,6 +109,36 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init,
 	if ( attr )
 		id->AddAttrs(new Attributes(attr, t, false));
 
+	if ( init )
+		{
+		switch ( init->Tag() ) {
+		case EXPR_TABLE_CONSTRUCTOR:
+			{
+			TableConstructorExpr* ctor = (TableConstructorExpr*) init;
+			if ( ctor->Attrs() )
+				{
+				::Ref(ctor->Attrs());
+				id->AddAttrs(ctor->Attrs());
+				}
+			}
+			break;
+
+		case EXPR_SET_CONSTRUCTOR:
+			{
+			SetConstructorExpr* ctor = (SetConstructorExpr*) init;
+			if ( ctor->Attrs() )
+				{
+				::Ref(ctor->Attrs());
+				id->AddAttrs(ctor->Attrs());
+				}
+			}
+			break;
+
+		default:
+			break;
+		}
+		}
+
 	if ( id->FindAttr(ATTR_PERSISTENT) || id->FindAttr(ATTR_SYNCHRONIZED) )
 		{
 		if ( dt == VAR_CONST )
@@ -294,12 +324,12 @@ void add_type(ID* id, BroType* t, attr_list* attr, int /* is_event */)
 void begin_func(ID* id, const char* module_name, function_flavor flavor,
 		int is_redef, FuncType* t)
 	{
-	if ( flavor == FUNC_FLAVOR_EVENT || flavor == FUNC_FLAVOR_HOOK )
+	if ( flavor == FUNC_FLAVOR_EVENT )
 		{
 		const BroType* yt = t->YieldType();
 
 		if ( yt && yt->Tag() != TYPE_VOID )
-			id->Error("event/hook cannot yield a value", t);
+			id->Error("event cannot yield a value", t);
 
 		t->ClearYieldType(flavor);
 		}

src/const.bif

@@ -15,8 +15,10 @@ const Tunnel::max_depth: count;
 const Tunnel::enable_ip: bool;
 const Tunnel::enable_ayiya: bool;
 const Tunnel::enable_teredo: bool;
+const Tunnel::enable_gtpv1: bool;
 const Tunnel::yielding_teredo_decapsulation: bool;
 const Tunnel::delay_teredo_confirmation: bool;
+const Tunnel::delay_gtp_confirmation: bool;
 const Tunnel::ip_tunnel_timeout: interval;
 
 const Threading::heartbeat_interval: interval;

src/event.bif

@@ -577,6 +577,19 @@ event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
 ##    it may become particularly expensive for real-time analysis.
 event teredo_bubble%(outer: connection, inner: teredo_hdr%);
 
+## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
 ## Generated for every packet that has a non-empty transport-layer payload.
 ## This is a very low-level and expensive event that should be avoided when
 ## at all possible.  It's usually infeasible to handle when processing even
@@ -858,7 +871,7 @@ event udp_contents%(u: connection, is_orig: bool, contents: string%);
 ## Generated when a UDP session for a supported protocol has finished. Some of
 ## Bro's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
-## and Teredo support this.
+## Teredo, and GTPv1 support this.
 ##
 ## u: The connection record for the corresponding UDP flow.
 ##

src/gtpv1-analyzer.pac

@@ -0,0 +1,161 @@
+
+connection GTPv1_Conn(bro_analyzer: BroAnalyzer)
+	{
+	upflow = GTPv1_Flow(true);
+	downflow = GTPv1_Flow(false);
+
+	%member{
+		bool valid_orig;
+		bool valid_resp;
+	%}
+
+	%init{
+		valid_orig = valid_resp = false;
+	%}
+
+	function valid(orig: bool): bool
+		%{
+		return orig ? valid_orig : valid_resp;
+		%}
+
+	function set_valid(orig: bool, val: bool): void
+		%{
+		if ( orig )
+			valid_orig = val;
+		else
+			valid_resp = val;
+		%}
+	}
+
+%code{
+inline void violate(const char* r, const BroAnalyzer& a, const bytestring& p)
+	{
+	a->ProtocolViolation(r, (const char*) p.data(), p.length());
+	}
+%}
+
+flow GTPv1_Flow(is_orig: bool)
+	{
+	datagram = GTPv1_Header withcontext(connection, this);
+
+	function process_gtpv1(pdu: GTPv1_Header): bool
+		%{
+		BroAnalyzer a = connection()->bro_analyzer();
+		Connection *c = a->Conn();
+		const EncapsulationStack* e = c->GetEncapsulation();
+
+		connection()->set_valid(is_orig(), false);
+
+		if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
+			{
+			reporter->Weird(c, "tunnel_depth");
+			return false;
+			}
+
+		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+			{
+			// GTP is never tunneled in GTP so, this must be a regular packet
+			violate("GTP-in-GTP", a, ${pdu.packet});
+			return false;
+			}
+
+		if ( ${pdu.version} != 1 )
+			{
+			// Only know of GTPv1 with Version == 1
+			violate("GTPv1 bad Version", a, ${pdu.packet});
+			return false;
+			}
+
+		if ( ! ${pdu.pt_flag} )
+			{
+			// Not interested in GTP'
+			return false;
+			}
+
+		if ( ${pdu.e_flag} )
+			{
+			// TODO: can't currently parse past extension headers
+			return false;
+			}
+
+		if ( ${pdu.msg_type} != 0xff )
+			{
+			// Only interested in decapsulating user plane data beyond here.
+			return false;
+			}
+
+		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+			{
+			violate("Truncated GTPv1", a, ${pdu.packet});
+			return false;
+			}
+
+		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+		if ( ip->ip_v != 4 && ip->ip_v != 6 )
+			{
+			violate("non-IP packet in GTPv1", a, ${pdu.packet});
+			return false;
+			}
+
+		IP_Hdr* inner = 0;
+		int result = sessions->ParseIPPacket(${pdu.packet}.length(),
+		     ${pdu.packet}.data(), ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4,
+		     inner);
+
+		if ( result == 0 )
+			{
+			connection()->set_valid(is_orig(), true);
+
+			if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+			     (connection()->valid(true) && connection()->valid(false)) )
+				a->ProtocolConfirmation();
+			}
+
+		else if ( result < 0 )
+			violate("Truncated GTPv1", a, ${pdu.packet});
+
+		else
+			violate("GTPv1 payload length", a, ${pdu.packet});
+
+		if ( result != 0 )
+			{
+			delete inner;
+			return false;
+			}
+
+		if ( ::gtpv1_g_pdu_packet )
+			{
+			RecordVal* rv = new RecordVal(gtpv1_hdr_type);
+
+			rv->Assign(0, new Val(${pdu.version}, TYPE_COUNT));
+			rv->Assign(1, new Val(${pdu.pt_flag}, TYPE_BOOL));
+			rv->Assign(2, new Val(${pdu.rsv}, TYPE_BOOL));
+			rv->Assign(3, new Val(${pdu.e_flag}, TYPE_BOOL));
+			rv->Assign(4, new Val(${pdu.s_flag}, TYPE_BOOL));
+			rv->Assign(5, new Val(${pdu.pn_flag}, TYPE_BOOL));
+			rv->Assign(6, new Val(${pdu.msg_type}, TYPE_COUNT));
+			rv->Assign(7, new Val(ntohs(${pdu.length}), TYPE_COUNT));
+			rv->Assign(8, new Val(ntohl(${pdu.teid}), TYPE_COUNT));
+
+			if ( ${pdu.has_opt} )
+				{
+				rv->Assign(9, new Val(ntohs(${pdu.opt_hdr.seq}), TYPE_COUNT));
+				rv->Assign(10, new Val(${pdu.opt_hdr.n_pdu}, TYPE_COUNT));
+				rv->Assign(11, new Val(${pdu.opt_hdr.next_type}, TYPE_COUNT));
+				}
+
+			BifEvent::generate_gtpv1_g_pdu_packet(a, c, rv,
+			                                      inner->BuildPktHdrVal());
+			}
+
+		EncapsulatingConn ec(c, BifEnum::Tunnel::GTPv1);
+
+		sessions->DoNextInnerPacket(network_time(), 0, inner, e, ec);
+
+		return (result == 0) ? true : false;
+		%}
+
+	};
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };

src/gtpv1-protocol.pac

@@ -0,0 +1,27 @@
+
+type GTPv1_Header = record {
+	flags:     uint8;
+	msg_type:  uint8;
+	length:    uint16;
+	teid:      uint32;
+	opt:       case has_opt of {
+		true  -> opt_hdr: GTPv1_Opt_Header;
+		false -> no_opt:  empty;
+	} &requires(has_opt);
+	packet:    bytestring &restofdata;
+
+} &let {
+	version:  uint8 = (flags & 0xE0) >> 5;
+	pt_flag:  bool  = flags & 0x10;
+	rsv:      bool  = flags & 0x08;
+	e_flag:   bool  = flags & 0x04;
+	s_flag:   bool  = flags & 0x02;
+	pn_flag:  bool  = flags & 0x01;
+	has_opt:  bool  = flags & 0x07;
+} &byteorder = littleendian;
+
+type GTPv1_Opt_Header = record {
+	seq:       uint16;
+	n_pdu:     uint8;
+	next_type: uint8;
+}

src/gtpv1.pac

@@ -0,0 +1,10 @@
+%include binpac.pac
+%include bro.pac
+
+analyzer GTPv1 withcontext {
+	connection:	GTPv1_Conn;
+	flow:		GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac

src/input/readers/Ascii.cc

@@ -572,7 +572,7 @@ bool Ascii::DoUpdate()
 			// array structure.
 
 			for ( int i = 0; i < fpos; i++ )
-				delete fields[fpos];
+				delete fields[i];
 
 			delete [] fields;
 			continue;

src/logging/writers/Ascii.cc

@@ -19,7 +19,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	{
 	fd = 0;
 	ascii_done = false;
-	only_single_header_row = false;
+	tsv = false;
 
 	output_to_stdout = BifConst::LogAscii::output_to_stdout;
 	include_meta = BifConst::LogAscii::include_meta;
@@ -81,7 +81,7 @@ void Ascii::CloseFile(double t)
 	if ( ! fd )
 		return;
 
-	if ( include_meta && ! only_single_header_row )
+	if ( include_meta && ! tsv )
 		WriteHeaderField("close", Timestamp(0));
 
 	safe_close(fd);
@@ -111,17 +111,17 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 
 	for ( WriterInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ )
 		{
-		if ( strcmp(i->first, "only_single_header_row") == 0 )
+		if ( strcmp(i->first, "tsv") == 0 )
 			{
 			if ( strcmp(i->second, "T") == 0 )
-				only_single_header_row = true;
+				tsv = true;
 
 			else if ( strcmp(i->second, "F") == 0 )
-				only_single_header_row = false;
+				tsv = false;
 
 			else
 				{
-				Error("invalid value for 'only_single_header_row', must be boolean (T/F)");
+				Error("invalid value for 'tsv', must be a string and either \"T\" or \"F\"");
 				return false;
 				}
 			}
@@ -144,9 +144,9 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const *
 			types += fields[i]->TypeName().c_str();
 			}
 
-		if ( only_single_header_row )
+		if ( tsv )
 			{
-			// A single CSV-style line is all we need.
+			// A single TSV-style line is all we need.
 			string str = names + "\n";
 			if ( ! safe_write(fd, str.c_str(), str.length()) )
 				goto write_error;

src/logging/writers/Ascii.h

@@ -45,7 +45,7 @@ private:
 	// Options set from the script-level.
 	bool output_to_stdout;
 	bool include_meta;
-	bool only_single_header_row;
+	bool tsv;
 
 	char* separator;
 	int separator_len;

src/parse.y

@@ -32,6 +32,7 @@
 
 %token TOK_NO_TEST
 
+%nonassoc TOK_HOOK
 %left ',' '|'
 %right '=' TOK_ADD_TO TOK_REMOVE_FROM
 %right '?' ':'
@@ -56,7 +57,6 @@
 %type <re> pattern
 %type <expr> expr init anonymous_function
 %type <event_expr> event
-%type <call_expr> hook
 %type <stmt> stmt stmt_list func_body for_head
 %type <type> type opt_type enum_body
 %type <func_type> func_hdr func_params
@@ -119,6 +119,7 @@ extern const char* g_curr_debug_error;
 
 #define YYLTYPE yyltype
 
+static int in_hook = 0;
 int in_init = 0;
 int in_record = 0;
 bool resolving_global_ID = false;
@@ -212,7 +213,6 @@ static std::list<std::string>* concat_opt_docs (std::list<std::string>* pre,
 	Val* val;
 	RE_Matcher* re;
 	Expr* expr;
-	CallExpr* call_expr;
 	EventExpr* event_expr;
 	Stmt* stmt;
 	ListExpr* list;
@@ -517,7 +517,16 @@ expr:
 	|	expr '(' opt_expr_list ')'
 			{
 			set_location(@1, @4);
-			$$ = new CallExpr($1, $3);
+			$$ = new CallExpr($1, $3, in_hook > 0);
+			}
+
+	|	TOK_HOOK { ++in_hook; } expr
+			{
+			--in_hook;
+			set_location(@1, @3);
+			if ( $3->Tag() != EXPR_CALL )
+				$3->Error("not a valid hook call expression");
+			$$ = $3;
 			}
 
 	|	expr TOK_HAS_FIELD TOK_ID
@@ -874,7 +883,7 @@ type:
 	|	TOK_HOOK '(' formal_args ')'
 				{
 				set_location(@1, @3);
-				$$ = new FuncType($3, 0, FUNC_FLAVOR_HOOK);
+				$$ = new FuncType($3, base_type(TYPE_BOOL), FUNC_FLAVOR_HOOK);
 				}
 
 	|	TOK_FILE TOK_OF type
@@ -1214,6 +1223,8 @@ func_hdr:
 			}
 	|	TOK_HOOK def_global_id func_params
 			{
+			$3->ClearYieldType(FUNC_FLAVOR_HOOK);
+			$3->SetYieldType(base_type(TYPE_BOOL));
 			begin_func($2, current_module.c_str(),
 				   FUNC_FLAVOR_HOOK, 0, $3);
 			$$ = $3;
@@ -1377,14 +1388,6 @@ stmt:
 			    brofiler.AddStmt($$);
 			}
 
-	|	TOK_HOOK hook ';' opt_no_test
-			{
-			set_location(@1, @4);
-			$$ = new HookStmt($2);
-			if ( ! $4 )
-			    brofiler.AddStmt($$);
-			}
-
 	|	TOK_IF '(' expr ')' stmt
 			{
 			set_location(@1, @4);
@@ -1538,14 +1541,6 @@ event:
 			}
 	;
 
-hook:
-		expr '(' opt_expr_list ')'
-			{
-			set_location(@1, @4);
-			$$ = new CallExpr($1, $3, true);
-			}
-	;
-
 case_list:
 		case_list case
 			{ $1->append($2); }

src/patricia.c

@@ -66,6 +66,9 @@ static char copyright[] =
 
 #define Delete free
 
+// From Bro for reporting memory exhaustion.
+extern void out_of_memory(const char* where);
+
 /* { from prefix.c */
 
 /* prefix_tochar
@@ -251,6 +254,9 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
         default_bitlen = 128;
 	if (prefix == NULL) {
             prefix = calloc(1, sizeof (prefix_t));
+            if (prefix == NULL)
+                out_of_memory("patrica/new_prefix2: unable to allocate memory");
+
 	    dynamic_allocated++;
 	}
 	memcpy (&prefix->add.sin6, dest, 16);
@@ -260,10 +266,14 @@ New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
 		if (prefix == NULL) {
 #ifndef NT
             prefix = calloc(1, sizeof (prefix4_t));
+            if (prefix == NULL)
+                out_of_memory("patrica/new_prefix2: unable to allocate memory");
 #else
 			//for some reason, compiler is getting
 			//prefix4_t size incorrect on NT
 			prefix = calloc(1, sizeof (prefix_t));
+                        if (prefix == NULL)
+                            out_of_memory("patrica/new_prefix2: unable to allocate memory");
 #endif /* NT */
 
 			dynamic_allocated++;
@@ -396,6 +406,8 @@ patricia_tree_t *
 New_Patricia (int maxbits)
 {
     patricia_tree_t *patricia = calloc(1, sizeof *patricia);
+    if (patricia == NULL)
+        out_of_memory("patrica/new_patricia: unable to allocate memory");
 
     patricia->maxbits = maxbits;
     patricia->head = NULL;
@@ -665,6 +677,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
 
     if (patricia->head == NULL) {
 	node = calloc(1, sizeof *node);
+        if (node == NULL)
+            out_of_memory("patrica/patrica_lookup: unable to allocate memory");
+
 	node->bit = prefix->bitlen;
 	node->prefix = Ref_Prefix (prefix);
 	node->parent = NULL;
@@ -776,6 +791,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
     }
 
     new_node = calloc(1, sizeof *new_node);
+    if (new_node == NULL)
+        out_of_memory("patrica/patrica_lookup: unable to allocate memory");
+
     new_node->bit = prefix->bitlen;
     new_node->prefix = Ref_Prefix (prefix);
     new_node->parent = NULL;
@@ -828,6 +846,9 @@ patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
     }
     else {
         glue = calloc(1, sizeof *glue);
+        if (glue == NULL)
+            out_of_memory("patrica/patrica_lookup: unable to allocate memory");
+
         glue->bit = differ_bit;
         glue->prefix = NULL;
         glue->parent = node->parent;

src/types.bif

@@ -184,6 +184,7 @@ enum Type %{
 	AYIYA,
 	TEREDO,
 	SOCKS,
+	GTPv1,
 %}
 
 type EncapsulatingConn: record;

src/util.cc

@@ -1416,7 +1416,7 @@ void safe_close(int fd)
 		}
 	}
 
-void out_of_memory(const char* where)
+extern "C" void out_of_memory(const char* where)
 	{
 	fprintf(stderr, "out of memory in %s.\n", where);
 

src/util.h

@@ -303,7 +303,7 @@ extern bool safe_write(int fd, const char* data, int len);
 // Wraps close(2) to emit error messages and abort on unrecoverable errors.
 extern void safe_close(int fd);
 
-extern void out_of_memory(const char* where);
+extern "C" void out_of_memory(const char* where);
 
 inline void* safe_realloc(void* ptr, size_t size)
 	{

testing/btest/Baseline/bifs.strptime/.stdout

@@ -1,2 +0,0 @@
-1350604800.0
-0.0

testing/btest/Baseline/bifs.strptime/out

@@ -0,0 +1,3 @@
+warning: strptime conversion failed: fmt:%m d:1980-10-24
+1350604800.0
+0.0

testing/btest/Baseline/bifs.strptime/reporter.log

@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	reporter
-#open	2012-10-19-06-06-36
-#fields	ts	level	message	location
-#types	time	enum	string	string
-0.000000	Reporter::WARNING	strptime conversion failed: fmt:%m d:1980-10-24	(empty)
-#close	2012-10-19-06-06-36

testing/btest/Baseline/core.dns-interpreter-exceptions/out

@@ -0,0 +1,12 @@
+1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 28: field value missing [p$ip]
+1300475167.096535 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 49: field value missing [p$ip]
+1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 39: field value missing [p$ip]
+1300475168.902195 expression error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/core.dns-interpreter-exceptions/dns-interpreter-exceptions.bro, line 12: field value missing [p$ip]
+timeout g(), F
+timeout g(), T
+timeout
+g() done, no exception, T
+localhost resolved
+localhost resolved from f(), T
+localhost resolved from f(), F
+f() done, no exception, T

testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log

@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.321642	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	tcp	http	0.257902	1138	63424	S3	-	0	ShADadf	29	2310	49	65396	UWkUyAuUGXf,k6kgXLOoSKl
+1333458850.325787	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	udp	gtpv1	0.251127	65788	0	S0	-	0	D	49	67160	0	0	(empty)
+1333458850.321642	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	udp	gtpv1	0.257902	2542	0	S0	-	0	D	29	3354	0	0	(empty)
+#close	2012-10-19-17-03-55

testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/http.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1333458850.340368	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	1	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=4&cac=1&t=728x90&cb=1333458879	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&channel=4&cb=1333458905296	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	application/x-shockwave-flash	-	-
+1333458850.399501	arKYeMETxOg	10.131.17.170	51803	173.199.115.168	80	2	GET	cdn.epicgameads.com	/ads/flash/728x90_nx8com.swf?clickTAG=http://www.epicgameads.com/ads/bannerclickPage.php?id=e3ubwU6IF&pd=1&adid=0&icpc=1&axid=0&uctt=1&channel=0&cac=1&t=728x90&cb=1333458881	http://www.epicgameads.com/ads/banneriframe.php?id=e3ubwU6IF&t=728x90&cb=1333458920207	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)	0	31461	200	OK	-	-	-	(empty)	-	-	-	application/x-shockwave-flash	-	-
+#close	2012-10-19-17-03-55

testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/tunnel.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-03-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.321642	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.325787	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.579544	k6kgXLOoSKl	207.233.125.40	2152	167.55.105.244	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.579544	UWkUyAuUGXf	167.55.105.244	5906	207.233.125.40	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-03-55

testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-07-44
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458871.219794	UWkUyAuUGXf	10.131.24.6	2152	195.178.38.3	53	udp	dns	-	-	-	S0	-	0	D	1	64	0	0	(empty)
+#close	2012-10-19-17-07-44

testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2012-10-19-17-07-44
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1333458871.219794	UWkUyAuUGXf	10.131.24.6	2152	195.178.38.3	53	udp	27595	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
+#close	2012-10-19-17-07-44

testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log

@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-21-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458851.770000	arKYeMETxOg	fe80::224c:4fff:fe43:414c	1234	ff02::1:3	5355	udp	dns	-	-	-	S0	-	0	D	1	80	0	0	UWkUyAuUGXf
+1333458851.770000	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	udp	gtpv1	0.199236	152	0	S0	-	0	D	2	208	0	0	(empty)
+1333458851.969236	k6kgXLOoSKl	fe80::224c:4fff:fe43:414c	133	ff02::2	134	icmp	-	-	-	-	OTH	-	0	-	1	56	0	0	UWkUyAuUGXf
+#close	2012-10-19-17-21-27

testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-21-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458851.770000	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458851.969236	UWkUyAuUGXf	118.92.124.41	2152	118.92.124.72	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-21-27

testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log

@@ -0,0 +1,26 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-34-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.037956	qCaWGmzFtM5	10.131.112.102	51403	94.245.121.253	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	84	GSxOnSLghOa
+1333458850.040098	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	udp	gtpv1	0.003698	192	0	S0	-	0	D	2	248	0	0	(empty)
+1333458850.016620	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	udp	teredo	-	-	-	S0	-	0	D	1	80	0	0	k6kgXLOoSKl
+1333458850.029781	FrJExwHcSal	172.24.16.67	52298	94.245.121.253	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	TEfuqmmG4bh
+1333458850.035456	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	udp	gtpv1	0.000004	194	0	S0	-	0	D	2	250	0	0	(empty)
+1333458850.016620	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	udp	gtpv1	0.016267	88	92	SF	-	0	Dd	1	116	1	120	(empty)
+1333458850.029781	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	udp	gtpv1	0.000002	192	0	S0	-	0	D	2	248	0	0	(empty)
+1333458850.035460	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	udp	teredo	-	-	-	S0	-	0	D	1	89	0	0	VW0XPVINV8a
+1333458850.037956	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	udp	gtpv1	-	-	-	S0	-	0	D	1	120	0	0	(empty)
+1333458850.014199	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	udp	gtpv1	-	-	-	S0	-	0	D	1	124	0	0	(empty)
+1333458850.040098	h5DsfNtYzi1	172.24.203.81	54447	65.55.158.118	3544	udp	teredo	0.003698	120	0	S0	-	0	D	2	176	0	0	70MGiRM1Qf4
+1333458850.029783	5OKnoww6xl4	172.24.16.67	52298	65.55.158.118	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	TEfuqmmG4bh
+1333458850.032887	3PKsZ2Uye21	10.131.42.160	62069	94.245.121.253	3544	udp	teredo	-	-	-	SHR	-	0	d	0	0	1	84	k6kgXLOoSKl
+1333458850.014199	arKYeMETxOg	172.24.204.200	56528	65.55.158.118	3544	udp	teredo	-	-	-	S0	-	0	D	1	88	0	0	UWkUyAuUGXf
+1333458850.035456	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	udp	teredo	-	-	-	S0	-	0	D	1	89	0	0	VW0XPVINV8a
+1333458850.016620	j4u32Pc5bif	2001:0:5ef5:79fb:38b8:1695:2b37:be8e	128	2002:2571:c817::2571:c817	129	icmp	-	-	-	-	OTH	-	0	-	1	52	0	0	nQcgTWjvg4c
+1333458850.035456	qSsw6ESzHV4	fe80::ffff:ffff:fffe	133	ff02::2	134	icmp	-	0.000004	0	0	OTH	-	0	-	2	96	0	0	fRFu0wcOle6,iE6yhOq3SF
+#close	2012-10-19-17-34-25

testing/btest/Baseline/core.tunnels.gtp.inner_teredo/tunnel.log

@@ -0,0 +1,27 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-34-25
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.014199	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.016620	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.016620	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.029781	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.035456	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.035456	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.035460	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	Tunnel::TEREDO	Tunnel::DISCOVER
+1333458850.037956	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.040098	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.043796	70MGiRM1Qf4	174.94.190.229	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	nQcgTWjvg4c	172.24.16.121	61901	94.245.121.251	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1333458850.043796	VW0XPVINV8a	190.104.181.210	2152	190.104.181.125	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	k6kgXLOoSKl	174.94.190.229	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	TEfuqmmG4bh	190.104.181.254	2152	190.104.181.62	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	iE6yhOq3SF	172.27.159.9	63912	94.245.121.254	3544	Tunnel::TEREDO	Tunnel::CLOSE
+1333458850.043796	GSxOnSLghOa	190.104.181.57	2152	190.104.181.222	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	UWkUyAuUGXf	174.94.190.213	2152	190.104.181.57	2152	Tunnel::GTPv1	Tunnel::CLOSE
+1333458850.043796	fRFu0wcOle6	172.27.159.9	63912	94.245.121.253	3544	Tunnel::TEREDO	Tunnel::CLOSE
+#close	2012-10-19-17-34-25

testing/btest/Baseline/core.tunnels.gtp.non_recursive/out

@@ -0,0 +1 @@
+protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [n\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80(]\xcew\x84\xae}\xd2...]

testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-46-48
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.532814	UWkUyAuUGXf	247.56.43.90	2152	247.56.43.248	2152	udp	-	-	-	-	S0	-	0	D	1	52	0	0	(empty)
+1333458850.867091	arKYeMETxOg	247.56.43.214	2152	237.56.101.238	2152	udp	-	0.028676	12	14	SF	-	0	Dd	1	40	1	42	(empty)
+#close	2012-10-19-17-46-48

testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-17-19-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458852.011535	arKYeMETxOg	10.222.10.10	44960	173.194.69.188	5228	tcp	ssl	0.573499	704	1026	S1	-	0	ShADad	17	1604	14	1762	UWkUyAuUGXf
+1333458852.011535	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	udp	gtpv1	0.573499	1740	1930	SF	-	0	Dd	17	2216	14	2322	(empty)
+#close	2012-10-19-17-19-16

testing/btest/Baseline/core.tunnels.gtp.opt_header/out

@@ -0,0 +1,31 @@
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=60, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=64, teid=159098, seq=0, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=170, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=1, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=194, teid=159098, seq=2, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=111, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=3, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=89, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=4, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=93, teid=159098, seq=5, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=457, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=6, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=7, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=137, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=56, teid=159098, seq=8, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=157, teid=159098, seq=9, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=10, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=173, teid=159098, seq=11, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=205, teid=159098, seq=12, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=T, pn_flag=F, msg_type=255, length=189, teid=159098, seq=13, n_pdu=0, next_type=0]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]
+gtpv1_packet, [version=1, pt_flag=T, rsv=F, e_flag=F, s_flag=F, pn_flag=F, msg_type=255, length=52, teid=1980578736, seq=<uninitialized>, n_pdu=<uninitialized>, next_type=<uninitialized>]

testing/btest/Baseline/core.tunnels.gtp.opt_header/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-19-16
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458852.011535	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458852.585034	UWkUyAuUGXf	79.188.154.91	2152	243.149.173.198	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-19-16

testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
+1333458850.364667	arKYeMETxOg	10.131.47.185	1923	79.101.110.141	80	tcp	http	0.069783	2100	56702	SF	-	0	ShADadfF	27	3204	41	52594	UWkUyAuUGXf
+1333458850.364667	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	udp	gtpv1	0.069813	3420	52922	SF	-	0	Dd	27	4176	41	54070	(empty)
+#close	2012-10-19-16-44-02

testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/http.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1333458850.375568	arKYeMETxOg	10.131.47.185	1923	79.101.110.141	80	1	GET	o-o.preferred.telekomrs-beg1.v2.lscache8.c.youtube.com	/videoplayback?upn=MTU2MDY5NzQ5OTM0NTI3NDY4NDc&sparams=algorithm,burst,cp,factor,id,ip,ipbits,itag,source,upn,expire&fexp=912300,907210&algorithm=throttle-factor&itag=34&ip=212.0.0.0&burst=40&sver=3&signature=832FB1042E20780CFCA77A4DB5EA64AC593E8627.D1166C7E8365732E52DAFD68076DAE0146E0AE01&source=youtube&expire=1333484980&key=yt1&ipbits=8&factor=1.25&cp=U0hSSFRTUl9NSkNOMl9MTVZKOjh5eEN2SG8tZF84&id=ebf1e932d4bd1286&cm2=1	http://s.ytimg.com/yt/swfbin/watch_as3-vflqrJwOA.swf	Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko; X-SBLSP) Chrome/17.0.963.83 Safari/535.11	0	56320	206	Partial Content	-	-	-	(empty)	-	-	-	application/octet-stream	-	-
+#close	2012-10-19-16-44-02

testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-16-44-02
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458850.364667	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458850.434480	UWkUyAuUGXf	239.114.155.111	2152	63.94.149.181	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-16-44-02

testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dpd
+#open	2012-10-19-17-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
+#types	time	string	addr	port	addr	port	enum	string	string
+1333458853.075889	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1 [E\x00\x05\xc8G\xea@\x00\x80\x06\xb6\x83\x0a\x83w&\xd9\x14\x9c\x04\xd9\xc2\x00P\xddh\xb4\x8f41eVP\x10\x10\xe0u\xcf\x00\x00...]
+#close	2012-10-19-17-38-54

testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/tunnel.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open	2012-10-19-17-38-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+1333458853.034734	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::DISCOVER
+1333458853.108391	UWkUyAuUGXf	173.86.159.28	2152	213.72.147.186	2152	Tunnel::GTPv1	Tunnel::CLOSE
+#close	2012-10-19-17-38-54

testing/btest/Baseline/istate.sync/receiver.vars.log

@@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
+122112

testing/btest/Baseline/istate.sync/sender.vars.log

@@ -31,3 +31,4 @@ file "test2" of string
 6667/tcp
 [2, 20, 3, 4]
 [a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=<uninitialized>]
+122112

testing/btest/Baseline/language.hook/out

@@ -1,7 +1,18 @@
 myhook, &priority=10, [a=1156, b=hello world]
+myhook return F
+myhook return T
 myhook, &priority=5, [a=37, b=goobye world]
+F
 myhook3, 8
+T
 myhook4, 2
 myhook4, 1
+T
+myhook4, 2
+myhook4, 1
+myhook4 all handlers ran
 myhook, &priority=10, [a=2, b=it works]
+myhook return F
+myhook return T
 myhook, &priority=5, [a=37, b=goobye world]
+F

testing/btest/Baseline/language.hook_calls/invalid.out

@@ -0,0 +1,10 @@
+error in ./invalid.bro, line 9: hook cannot be called directly, use hook operator (myhook)
+warning in ./invalid.bro, line 9: expression value ignored (myhook(3))
+error in ./invalid.bro, line 10: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.bro, line 11: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.bro, line 12: not a valid hook call expression (2 + 2)
+warning in ./invalid.bro, line 12: expression value ignored (2 + 2)
+error in ./invalid.bro, line 13: not a valid hook call expression (2 + 2)
+error in ./invalid.bro, line 15: hook cannot be called directly, use hook operator (h)
+warning in ./invalid.bro, line 15: expression value ignored (h(3))
+error in ./invalid.bro, line 16: hook cannot be called directly, use hook operator (h)

testing/btest/Baseline/language.hook_calls/valid.out

@@ -0,0 +1,42 @@
+myhook(), 3
+other myhook(), 3
+myhook(), 3
+other myhook(), 3
+T
+myhook(), 0
+F
+-----------
+indirect()
+myhook(), 3
+other myhook(), 3
+indirect()
+myhook(), 3
+other myhook(), 3
+T
+-----------
+really_indirect()
+indirect()
+myhook(), 3
+other myhook(), 3
+really_indirect()
+indirect()
+myhook(), 3
+other myhook(), 3
+T
+-----------
+myhook(), 3
+other myhook(), 3
+myhook(), 3
+other myhook(), 3
+T
+myhook(), 3
+other myhook(), 3
+yes
+myhook(), 0
+double yes
+-----------
+myhook(), 3
+other myhook(), 3
+myhook(), 3
+other myhook(), 3
+T

testing/btest/Baseline/language.invalid_hook/out

@@ -1 +0,0 @@
-error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_hook/invalid_hook.bro, line 15: hook called in expression, use hook statement instead (myhook(nope))

testing/btest/Baseline/language.invalid_index/out

@@ -0,0 +1,7 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 8: no such index (foo[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 9: no such index (foo[2])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 12: no such index (foo2[1])
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.invalid_index/invalid_index.bro, line 13: no such index (foo2[2])
+foo[0], 42
+foo2[0], 13
+done

testing/btest/Baseline/language.record-bad-ctor/out

@@ -0,0 +1,3 @@
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 6: no type given (asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: uninitialized list value ($ports=asdfasdf)
+error in /Users/jsiwek/Projects/bro/bro/testing/btest/.tmp/language.record-bad-ctor/record-bad-ctor.bro, line 7: bad record initializer ([$ports=asdfasdf])

testing/btest/Baseline/language.table-init-attrs/output

@@ -0,0 +1,91 @@
+my_set_ctor_init
+{
+test2,
+test3,
+test4,
+test1
+}
+
+my_table_ctor_init
+{
+[2] = test2,
+[1] = test1,
+[3] = test3
+}
+nope
+
+my_set_init
+{
+test2,
+test3,
+test4,
+test1
+}
+
+my_table_init
+{
+[2] = test2,
+[4] = test4,
+[1] = test1,
+[3] = test3
+}
+nope
+
+inception
+{
+[0] = {
+[13] = bar
+}
+}
+{
+[13] = bar
+}
+bar
+forty-two
+{
+
+}
+we need to go deeper
+{
+[0] = {
+[13] = bar
+}
+}
+{
+[13] = bar
+}
+bar
+forty-two
+{
+
+}
+we need to go deeper
+
+local table t1
+{
+[1] = foo
+}
+foo
+nope
+
+local table t2
+{
+[1] = foo
+}
+foo
+nope
+
+local table t3
+{
+
+}
+nope
+nope
+
+local table t4
+{
+
+}
+nope
+nope
+

testing/btest/Baseline/language.table-init-container-ctors/output

@@ -0,0 +1,50 @@
+table of set
+{
+[13] = {
+[bar, 2] ,
+[foo, 1] 
+},
+[5] = {
+[bah, 3] ,
+[baz, 4] 
+}
+}
+
+table of vector
+{
+[13] = [1, 2],
+[5] = [3, 4]
+}
+
+table of table
+{
+[13] = {
+[bar, 2] = 2,
+[foo, 1] = 1
+},
+[5] = {
+[bah, 3] = 3,
+[baz, 4] = 4
+}
+}
+
+table of record
+{
+[13] = [a=1, b=foo],
+[5] = [a=2, b=bar]
+}
+
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T
+T

testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/.stderrwithoutfirstline

@@ -0,0 +1,4 @@
+error: ../input.log/Input::READER_ASCII: String 'l' contained no parseable number
+error: ../input.log/Input::READER_ASCII: Could not convert line '	l' to Val. Ignoring line.
+received termination signal
+>>>

testing/btest/Baseline/scripts.base.frameworks.input.invalidtext/out

@@ -0,0 +1,3 @@
+{
+[] = [c=5]
+}

testing/btest/Baseline/scripts.base.protocols.http.http-methods/http.log

@@ -0,0 +1,58 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open	2012-12-07-04-43-19
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
+1354328870.191989	UWkUyAuUGXf	128.2.6.136	46562	173.194.75.103	80	1	OPTIONS	www.google.com	*	-	-	0	962	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.237327	arKYeMETxOg	128.2.6.136	46563	173.194.75.103	80	1	OPTIONS	www.google.com	HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.299063	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.342591	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328874.364020	j4u32Pc5bif	128.2.6.136	46566	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43911	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328878.470424	TEfuqmmG4bh	128.2.6.136	46567	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43983	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.575456	FrJExwHcSal	128.2.6.136	46568	173.194.75.103	80	1	GET	www.google.com	/HTTP/1.1	-	-	0	1207	403	Forbidden	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328882.990373	VW0XPVINV8a	128.2.6.136	46571	173.194.75.103	80	1	GET	www.google.com	/	-	-	0	43913	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	0	-	-	-	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	1	CCM_POST	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	1	CCM_POST	www.google.com	/	-	-	0	963	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328899.526682	EAr0uf4mhq	128.2.6.136	46582	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.572533	GvmoxJFXdTa	128.2.6.136	46583	173.194.75.103	80	1	CONNECT	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328903.697693	UfGkYA2HI2g	128.2.6.136	46586	173.194.75.103	80	1	CONNECT	www.google.com	/	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328907.743696	i2rO3KD1Syg	128.2.6.136	46587	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.790590	2cx26uAvUPl	128.2.6.136	46588	173.194.75.103	80	1	TRACE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328911.918511	zno26fFZkrh	128.2.6.136	46591	173.194.75.103	80	1	TRACE	www.google.com	/	-	-	0	960	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328915.964678	v5rgkJBig5l	128.2.6.136	46592	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.010458	eWZCH7OONC1	128.2.6.136	46593	173.194.75.103	80	1	DELETE	www.google.com	/HTTP/1.1	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328920.136714	yC2d6kVg709	128.2.6.136	46596	173.194.75.103	80	1	DELETE	www.google.com	/	-	-	0	961	405	Method Not Allowed	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.183211	VcgagLjnO92	128.2.6.136	46597	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.224567	bdRoHfaPBo3	128.2.6.136	46598	173.194.75.103	80	1	PUT	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.350343	xNYSS2hJkle	128.2.6.136	46601	173.194.75.103	80	1	PUT	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.391728	vMVjlplKKbd	128.2.6.136	46602	173.194.75.103	80	1	POST	www.google.com	/	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.433150	3omNawSNrxj	128.2.6.136	46603	173.194.75.103	80	1	POST	www.google.com	/HTTP/1.1	-	-	0	934	411	Length Required	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328924.559704	E490YZTUozc	128.2.6.136	46606	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
+1354328928.625437	YIeWJmXWNWj	128.2.6.136	46607	173.194.75.103	80	1	HEAD	www.google.com	/	-	-	0	0	200	OK	-	-	-	(empty)	-	-	-	-	-	-
+1354328932.692706	ydiZblvsYri	128.2.6.136	46608	173.194.75.103	80	1	HEAD	www.google.com	/HTTP/1.1	-	-	0	0	400	Bad Request	-	-	-	(empty)	-	-	-	-	-	-
+1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	0	-	-	-	-	-	0	925	400	Bad Request	-	-	-	(empty)	-	-	-	text/html	-	-
+#close	2012-12-07-04-43-19

testing/btest/Baseline/scripts.base.protocols.http.http-methods/weird.log

@@ -0,0 +1,58 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2012-12-07-04-43-19
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
+#types	time	string	addr	port	addr	port	string	string	bool	string
+1354328874.278822	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328874.299063	k6kgXLOoSKl	128.2.6.136	46564	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328874.321792	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328874.342591	nQcgTWjvg4c	128.2.6.136	46565	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328882.908690	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328882.928027	5OKnoww6xl4	128.2.6.136	46569	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328882.949510	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328882.968948	3PKsZ2Uye21	128.2.6.136	46570	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328887.094494	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328887.114613	fRFu0wcOle6	128.2.6.136	46572	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.141058	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.161077	qSsw6ESzHV4	128.2.6.136	46573	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.183942	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.204740	iE6yhOq3SF	128.2.6.136	46574	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.226199	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.245592	GSxOnSLghOa	128.2.6.136	46575	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.267625	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328891.287655	qCaWGmzFtM5	128.2.6.136	46576	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328891.309065	70MGiRM1Qf4	128.2.6.136	46577	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328895.355012	h5DsfNtYzi1	128.2.6.136	46578	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328895.396634	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328895.416133	P654jzLoe3a	128.2.6.136	46579	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328895.438812	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328895.459490	Tw8jXtpTGu6	128.2.6.136	46580	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328895.480865	c4Zw9TmAE05	128.2.6.136	46581	173.194.75.103	80	unknown_HTTP_method	CCM_POST	F	bro
+1354328903.614145	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328903.634196	0Q4FH8sESw5	128.2.6.136	46584	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328903.656369	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328903.676395	slFea8xwSmb	128.2.6.136	46585	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328911.832856	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328911.853464	BWaU4aSuwkc	128.2.6.136	46589	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328911.876341	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328911.897044	10XodEwRycf	128.2.6.136	46590	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328920.052085	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328920.072101	0Pwk3ntf8O3	128.2.6.136	46594	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328920.094072	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328920.114526	0HKorjr8Zp7	128.2.6.136	46595	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.266693	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.287402	zHqb7t7kv28	128.2.6.136	46599	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.308714	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.328257	rrZWoMUQpv8	128.2.6.136	46600	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.476011	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.496732	Rv8AJVfi9Zi	128.2.6.136	46604	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328924.518204	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328924.537671	wEyF3OvvcQe	128.2.6.136	46605	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328932.734579	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328932.754657	HFYOnBqSE5e	128.2.6.136	46609	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+1354328932.776609	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	bad_HTTP_request	-	F	bro
+1354328932.796568	JcUvhfWUMgd	128.2.6.136	46610	173.194.75.103	80	unmatched_HTTP_reply	-	F	bro
+#close	2012-12-07-04-43-19

testing/btest/bifs/addr_count_conversion.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: bro -b %INPUT >output
 # @TEST-EXEC: btest-diff output
 
 global v: index_vec;

testing/btest/bifs/addr_to_ptr_name.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: bro -b %INPUT >output
 # @TEST-EXEC: btest-diff output
 
 print addr_to_ptr_name([2607:f8b0:4009:802::1012]);

testing/btest/bifs/addr_version.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 print is_v4_addr(1.2.3.4);

testing/btest/bifs/all_set.bro

@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 event bro_init()

testing/btest/bifs/analyzer_name.bro

@@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro %INPUT >out
+# @TEST-EXEC: bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 event bro_init()