Merge branch 'master' into topic/jgras/intel-update

scripts/base/frameworks/broker/__load__.bro

@@ -1 +1,2 @@
 @load ./main
+@load ./store

scripts/base/frameworks/broker/main.bro

@@ -1,11 +1,20 @@
 ##! Various data structure definitions for use with Bro's communication system.
 
-module BrokerComm;
+module Log;
+
+export {
+    type Log::ID: enum {
+        ## Dummy place-holder.
+        UNKNOWN
+    };
+}
+
+module Broker;
 
 export {
 
 	## A name used to identify this endpoint to peers.
-	## .. bro:see:: BrokerComm::connect BrokerComm::listen
+	## .. bro:see:: Broker::connect Broker::listen
 	const endpoint_name = "" &redef;
 
 	## Change communication behavior.
@@ -32,11 +41,11 @@ export {
 
 	## Opaque communication data.
 	type Data: record {
-		d: opaque of BrokerComm::Data &optional;
+		d: opaque of Broker::Data &optional;
 	};
 
 	## Opaque communication data.
-	type DataVector: vector of BrokerComm::Data;
+	type DataVector: vector of Broker::Data;
 
 	## Opaque event communication data.
 	type EventArgs: record {
@@ -49,55 +58,315 @@ export {
 	## Opaque communication data used as a convenient way to wrap key-value
 	## pairs that comprise table entries.
 	type TableItem : record {
-		key: BrokerComm::Data;
-		val: BrokerComm::Data;
+		key: Broker::Data;
+		val: Broker::Data;
 	};
+
+	## Enable use of communication.
+	##
+	## flags: used to tune the local Broker endpoint behavior.
+	##
+	## Returns: true if communication is successfully initialized.
+	global enable: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Changes endpoint flags originally supplied to :bro:see:`Broker::enable`.
+	##
+	## flags: the new endpoint behavior flags to use.
+	##
+	## Returns: true if flags were changed.
+	global set_endpoint_flags: function(flags: EndpointFlags &default = EndpointFlags()): bool;
+
+	## Allow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to allow messages to be published under.
+	##
+	## Returns: true if successful.
+	global publish_topic: function(topic: string): bool;
+
+	## Disallow sending messages to peers if associated with the given topic.
+	## This has no effect if auto publication behavior is enabled via the flags
+	## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`.
+	##
+	## topic: a topic to disallow messages to be published under.
+	##
+	## Returns: true if successful.
+	global unpublish_topic: function(topic: string): bool;
+
+	## Listen for remote connections.
+	##
+	## p: the TCP port to listen on.
+	##
+	## a: an address string on which to accept connections, e.g.
+	##    "127.0.0.1".  An empty string refers to @p INADDR_ANY.
+	##
+	## reuse: equivalent to behavior of SO_REUSEADDR.
+	##
+	## Returns: true if the local endpoint is now listening for connections.
+	##
+	## .. bro:see:: Broker::incoming_connection_established
+	global listen: function(p: port, a: string &default = "", reuse: bool &default = T): bool;
+
+	## Initiate a remote connection.
+	##
+	## a: an address to connect to, e.g. "localhost" or "127.0.0.1".
+	##
+	## p: the TCP port on which the remote side is listening.
+	##
+	## retry: an interval at which to retry establishing the
+	##        connection with the remote peer if it cannot be made initially, or
+	##        if it ever becomes disconnected.
+	##
+	## Returns: true if it's possible to try connecting with the peer and
+	##          it's a new peer.  The actual connection may not be established
+	##          until a later point in time.
+	##
+	## .. bro:see:: Broker::outgoing_connection_established
+	global connect: function(a: string, p: port, retry: interval): bool;
+
+	## Remove a remote connection.
+	##
+	## a: the address used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## p: the port used in previous successful call to :bro:see:`Broker::connect`.
+	##
+	## Returns: true if the arguments match a previously successful call to
+	##          :bro:see:`Broker::connect`.
+	global disconnect: function(a: string, p: port): bool;
+
+	## Print a simple message to any interested peers.  The receiver can use
+	## :bro:see:`Broker::print_handler` to handle messages.
+	##
+	## topic: a topic associated with the printed message.
+	##
+	## msg: the print message to send to peers.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_print: function(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool;
+
+	## Register interest in all peer print messages that use a certain topic
+	## prefix. Use :bro:see:`Broker::print_handler` to handle received
+	## messages.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new print subscription and it is now registered.
+	global subscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer print messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_prints`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_prints: function(topic_prefix: string): bool;
+
+	## Send an event to any interested peers.
+	##
+	## topic: a topic associated with the event message.
+	##
+	## args: event arguments as made by :bro:see:`Broker::event_args`.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if the message is sent.
+	global send_event: function(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool;
+
+	## Automatically send an event to any interested peers whenever it is
+	## locally dispatched (e.g. using "event my_event(...);" in a script).
+	##
+	## topic: a topic string associated with the event message.
+	##        Peers advertise interest by registering a subscription to some
+	##        prefix of this topic name.
+	##
+	## ev: a Bro event value.
+	##
+	## flags: tune the behavior of how the message is sent.
+	##
+	## Returns: true if automatic event sending is now enabled.
+	global auto_event: function(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool;
+
+	## Stop automatically sending an event to peers upon local dispatch.
+	##
+	## topic: a topic originally given to :bro:see:`Broker::auto_event`.
+	##
+	## ev: an event originally given to :bro:see:`Broker::auto_event`.
+	##
+	## Returns: true if automatic events will not occur for the topic/event
+	##          pair.
+	global auto_event_stop: function(topic: string, ev: any): bool;
+
+	## Register interest in all peer event messages that use a certain topic
+	## prefix.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new event subscription and it is now registered.
+	global subscribe_to_events: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer event messages that use a topic prefix.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_events`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_events: function(topic_prefix: string): bool;
+
+	## Enable remote logs for a given log stream.
+	##
+	## id: the log stream to enable remote logs for.
+	##
+	## flags: tune the behavior of how log entry messages are sent.
+	##
+	## Returns: true if remote logs are enabled for the stream.
+	global enable_remote_logs: function(id: Log::ID, flags: SendFlags &default = SendFlags()): bool;
+
+	## Disable remote logs for a given log stream.
+	##
+	## id: the log stream to disable remote logs for.
+	##
+	## Returns: true if remote logs are disabled for the stream.
+	global disable_remote_logs: function(id: Log::ID): bool;
+
+	## Check if remote logs are enabled for a given log stream.
+	##
+	## id: the log stream to check.
+	##
+	## Returns: true if remote logs are enabled for the given stream.
+	global remote_logs_enabled: function(id: Log::ID): bool;
+
+	## Register interest in all peer log messages that use a certain topic
+	## prefix. Logs are implicitly sent with topic "bro/log/<stream-name>" and
+	## the receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix to match against remote message topics.
+	##               e.g. an empty prefix matches everything and "a" matches
+	##               "alice" and "amy" but not "bob".
+	##
+	## Returns: true if it's a new log subscription and it is now registered.
+	global subscribe_to_logs: function(topic_prefix: string): bool;
+
+	## Unregister interest in all peer log messages that use a topic prefix.
+	## Logs are implicitly sent with topic "bro/log/<stream-name>" and the
+	## receiving side processes them through the logging framework as usual.
+	##
+	## topic_prefix: a prefix previously supplied to a successful call to
+	##               :bro:see:`Broker::subscribe_to_logs`.
+	##
+	## Returns: true if interest in the topic prefix is no longer advertised.
+	global unsubscribe_to_logs: function(topic_prefix: string): bool;
+
 }
 
-module BrokerStore;
+@load base/bif/comm.bif
+@load base/bif/messaging.bif
 
-export {
+module Broker;
 
-	## Whether a data store query could be completed or not.
-	type QueryStatus: enum {
-		SUCCESS,
-		FAILURE,
-	};
+function enable(flags: EndpointFlags &default = EndpointFlags()) : bool
+    {
+    return __enable(flags);
+    }
 
-	## An expiry time for a key-value pair inserted in to a data store.
-	type ExpiryTime: record {
-		## Absolute point in time at which to expire the entry.
-		absolute: time &optional;
-		## A point in time relative to the last modification time at which
-		## to expire the entry.  New modifications will delay the expiration.
-		since_last_modification: interval &optional;
-	};
+function set_endpoint_flags(flags: EndpointFlags &default = EndpointFlags()): bool
+    {
+    return __set_endpoint_flags(flags);
+    }
 
-	## The result of a data store query.
-	type QueryResult: record {
-		## Whether the query completed or not.
-		status: BrokerStore::QueryStatus;
-		## The result of the query.  Certain queries may use a particular
-		## data type (e.g. querying store size always returns a count, but
-		## a lookup may return various data types).
-		result: BrokerComm::Data;
-	};
+function publish_topic(topic: string): bool
+    {
+    return __publish_topic(topic);
+    }
 
-	## Options to tune the SQLite storage backend.
-	type SQLiteOptions: record {
-		## File system path of the database.
-		path: string &default = "store.sqlite";
-	};
+function unpublish_topic(topic: string): bool
+    {
+    return __unpublish_topic(topic);
+    }
 
-	## Options to tune the RocksDB storage backend.
-	type RocksDBOptions: record {
-		## File system path of the database.
-		path: string &default = "store.rocksdb";
-	};
+function listen(p: port, a: string &default = "", reuse: bool &default = T): bool
+    {
+    return __listen(p, a, reuse);
+    }
+
+function connect(a: string, p: port, retry: interval): bool
+    {
+    return __connect(a, p, retry);
+    }
+
+function disconnect(a: string, p: port): bool
+    {
+    return __disconnect(a, p);
+    }
+
+function send_print(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __send_print(topic, msg, flags);
+    }
+
+function subscribe_to_prints(topic_prefix: string): bool
+    {
+    return __subscribe_to_prints(topic_prefix);
+    }
+
+function unsubscribe_to_prints(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_prints(topic_prefix);
+    }
+
+function send_event(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __event(topic, args, flags);
+    }
+
+function auto_event(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __auto_event(topic, ev, flags);
+    }
+
+function auto_event_stop(topic: string, ev: any): bool
+    {
+    return __auto_event_stop(topic, ev);
+    }
+
+function subscribe_to_events(topic_prefix: string): bool
+    {
+    return __subscribe_to_events(topic_prefix);
+    }
+
+function unsubscribe_to_events(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_events(topic_prefix);
+    }
+
+function enable_remote_logs(id: Log::ID, flags: SendFlags &default = SendFlags()): bool
+    {
+    return __enable_remote_logs(id, flags);
+    }
+
+function disable_remote_logs(id: Log::ID): bool
+    {
+    return __disable_remote_logs(id);
+    }
+
+function remote_logs_enabled(id: Log::ID): bool
+    {
+    return __remote_logs_enabled(id);
+    }
+
+function subscribe_to_logs(topic_prefix: string): bool
+    {
+    return __subscribe_to_logs(topic_prefix);
+    }
+
+function unsubscribe_to_logs(topic_prefix: string): bool
+    {
+    return __unsubscribe_to_logs(topic_prefix);
+    }
 
-	## Options to tune the particular storage backends.
-	type BackendOptions: record {
-		sqlite: SQLiteOptions &default = SQLiteOptions();
-		rocksdb: RocksDBOptions &default = RocksDBOptions();
-	};
-}

scripts/base/frameworks/cluster/main.bro

@@ -68,7 +68,7 @@ export {
 	## Events raised by TimeMachine instances and handled by workers.
 	const tm2worker_events = /EMPTY/ &redef;
 
-	## Events sent by the control host (i.e. BroControl) when dynamically
+	## Events sent by the control host (i.e., BroControl) when dynamically
 	## connecting to a running instance to update settings or request data.
 	const control_events = Control::controller_events &redef;
 

scripts/base/frameworks/files/magic/audio.sig

@@ -2,7 +2,7 @@
 # MPEG v3 audio
 signature file-mpeg-audio {
 	file-mime "audio/mpeg", 20
-	file-magic /^\xff[\xe2\xe3\xf2\xf3\xf6\xf7\xfa\xfb\xfc\xfd]/
+	file-magic /^(ID3|\xff[\xe2\xe3\xf2\xf3\xf6\xf7\xfa\xfb\xfc\xfd])/
 }
 
 # MPEG v4 audio

scripts/base/frameworks/files/magic/general.sig

@@ -9,53 +9,53 @@ signature file-plaintext {
 
 signature file-json {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(["][^"]{1,}["]|[a-zA-Z][a-zA-Z0-9\\_]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(["]|\[|\{|[0-9]|true|false)/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*\{[\x0d\x0a[:blank:]]*(["][^"]{1,}["]|[a-zA-Z][a-zA-Z0-9\\_]*)[\x0d\x0a[:blank:]]*:[\x0d\x0a[:blank:]]*(["]|\[|\{|[0-9]|true|false)/
 }
 
 signature file-json2 {
 	file-mime "text/json", 1
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(((["][^"]{1,}["]|[0-9]{1,}(\.[0-9]{1,})?|true|false)[\x0d\x0a[:blank:]]*,)|\{|\[)[\x0d\x0a[:blank:]]*/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*\[[\x0d\x0a[:blank:]]*(((["][^"]{1,}["]|[0-9]{1,}(\.[0-9]{1,})?|true|false)[\x0d\x0a[:blank:]]*,)|\{|\[)[\x0d\x0a[:blank:]]*/
 }
 
 # Match empty JSON documents.
 signature file-json3 {
 	file-mime "text/json", 0
-	file-magic /^(\xef\xbb\xbf)?[\x0d\x0a[:blank:]]*(\[\]|\{\})[\x0d\x0a[:blank:]]*$/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x0d\x0a[:blank:]]*(\[\]|\{\})[\x0d\x0a[:blank:]]*$/
 }
 
 signature file-xml {
 	file-mime "application/xml", 10
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<\?xml /
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*\x00?<\x00?\?\x00?x\x00?m\x00?l\x00? \x00?/
 }
 
 signature file-xhtml {
 	file-mime "text/html", 100
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL]|[mM][eE][tT][aA] {1,}[hH][tT][tT][pP]-[eE][qQ][uU][iI][vV])/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<(![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]|[hH][tT][mM][lL]|[mM][eE][tT][aA] {1,}[hH][tT][tT][pP]-[eE][qQ][uU][iI][vV])/
 }
 
 signature file-html {
 	file-mime "text/html", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<![dD][oO][cC][tT][yY][pP][eE] {1,}[hH][tT][mM][lL]/
 }
 
 signature file-html2 {
 	file-mime "text/html", 20
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([hH][eE][aA][dD]|[hH][tT][mM][lL]|[tT][iI][tT][lL][eE]|[bB][oO][dD][yY])/
 }
 
 signature file-rss {
 	file-mime "text/rss", 90
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[rR][sS][sS]/
 }
 
 signature file-atom {
 	file-mime "text/atom", 100
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([rR][sS][sS][^>]*xmlns:atom|[fF][eE][eE][dD][^>]*xmlns=["']?http:\/\/www.w3.org\/2005\/Atom["']?)/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<([rR][sS][sS][^>]*xmlns:atom|[fF][eE][eE][dD][^>]*xmlns=["']?http:\/\/www.w3.org\/2005\/Atom["']?)/
 }
 
 signature file-soap {
 	file-mime "application/soap+xml", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP](-[eE][nN][vV])?:[eE][nN][vV][eE][lL][oO][pP][eE]/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[sS][oO][aA][pP](-[eE][nN][vV])?:[eE][nN][vV][eE][lL][oO][pP][eE]/
 }
 
 signature file-cross-domain-policy {
@@ -70,7 +70,7 @@ signature file-cross-domain-policy2 {
 
 signature file-xmlrpc {
 	file-mime "application/xml-rpc", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][eE][tT][hH][oO][dD][rR][eE][sS][pP][oO][nN][sS][eE]>/
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][eE][tT][hH][oO][dD][rR][eE][sS][pP][oO][nN][sS][eE]>/
 }
 
 signature file-coldfusion {
@@ -81,7 +81,13 @@ signature file-coldfusion {
 # Adobe Flash Media Manifest
 signature file-f4m {
 	file-mime "application/f4m", 49
-	file-magic /^(\xef\xbb\xbf)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][aA][nN][iI][fF][eE][sS][tT][\x0d\x0a[:blank:]]{1,}xmlns=\"http:\/\/ns\.adobe\.com\/f4m\//
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*(<\?xml .*\?>)?([\x0d\x0a[:blank:]]*(<!--.*-->)?[\x0d\x0a[:blank:]]*)*<[mM][aA][nN][iI][fF][eE][sS][tT][\x0d\x0a[:blank:]]{1,}xmlns=\"http:\/\/ns\.adobe\.com\/f4m\//
+}
+
+# .ini style files
+signature file-ini {
+	file-mime "text/ini", 20
+	file-magic /^(\xef\xbb\xbf|\xff\xfe|\xfe\xff)?[\x00\x0d\x0a[:blank:]]*\[[^\x0d\x0a]+\][[:blank:]\x00]*[\x0d\x0a]/
 }
 
 # Microsoft LNK files
@@ -90,6 +96,41 @@ signature file-lnk {
 	file-magic /^\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x10\x00\x00\x00\x46/
 }
 
+# Microsoft Registry policies
+signature file-pol {
+	file-mime "application/vnd.ms-pol", 49
+	file-magic /^PReg/
+}
+
+# Old style Windows registry file
+signature file-reg {
+	file-mime "application/vnd.ms-reg", 49
+	file-magic /^REGEDIT4/
+}
+
+# Newer Windows registry file
+signature file-reg-utf16 {
+	file-mime "application/vnd.ms-reg", 49
+	file-magic /^\xFF\xFEW\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00R\x00e\x00g\x00i\x00s\x00t\x00r\x00y\x00 \x00E\x00d\x00i\x00t\x00o\x00r\x00 \x00V\x00e\x00r\x00s\x00i\x00o\x00n\x00 \x005\x00\.\x000\x000/
+}
+
+# Microsoft Registry format (typically DESKTOP.DAT)
+signature file-regf {
+	file-mime "application vnd.ms-regf", 49
+	file-magic /^\x72\x65\x67\x66/
+}
+
+# Microsoft Outlook PST files
+signature file-pst {
+	file-mime "application/vnd.ms-outlook", 49
+	file-magic /!BDN......[\x0e\x0f\x15\x17][\x00-\x02]/
+}
+
+signature file-afpinfo {
+	file-mime "application/vnd.apple-afpinfo"
+	file-magic /^AFP/
+}
+
 signature file-jar {
 	file-mime "application/java-archive", 100
 	file-magic /^PK\x03\x04.{1,200}\x14\x00..META-INF\/MANIFEST\.MF/

scripts/base/frameworks/intel/main.bro

@@ -81,23 +81,34 @@ export {
 		## The type of data that the indicator represents.
 		indicator_type:  Type          &log &optional;
 
-		## If the indicator type was :bro:enum:`Intel::ADDR`, then this 
+		## If the indicator type was :bro:enum:`Intel::ADDR`, then this
 		## field will be present.
 		host:            addr          &optional;
 
 		## Where the data was discovered.
 		where:           Where         &log;
-		
+
 		## The name of the node where the match was discovered.
 		node:            string        &optional &log;
 
-		## If the data was discovered within a connection, the 
+		## If the data was discovered within a connection, the
 		## connection record should go here to give context to the data.
 		conn:            connection    &optional;
 
+		## If the data was discovered within a connection, the
+		## connection uid should go here to give context to the data.
+		## If the *conn* field is provided, this will be automatically
+		## filled out.
+		uid:             string        &optional;
+
 		## If the data was discovered within a file, the file record
 		## should go here to provide context to the data.
 		f:               fa_file       &optional;
+
+		## If the data was discovered within a file, the file uid should
+		## go here to provide context to the data. If the *f* field is
+		## provided, this will be automatically filled out.
+		fuid:            string        &optional;
 	};
 
 	## Record used for the logging framework representing a positive
@@ -116,7 +127,8 @@ export {
 		## If a file was associated with this intelligence hit,
 		## this is the uid for the file.
 		fuid:           string   &log &optional;
-		## A mime type if the intelligence hit is related to a file.  
+
+		## A mime type if the intelligence hit is related to a file.
 		## If the $f field is provided this will be automatically filled
 		## out.
 		file_mime_type: string   &log &optional;
@@ -296,15 +308,14 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 
 	if ( s?$f )
 		{
+		s$fuid = s$f$id;
+
 		if ( s$f?$conns && |s$f$conns| == 1 )
 			{
 			for ( cid in s$f$conns )
 				s$conn = s$f$conns[cid];
 			}
 
-		if ( ! info?$fuid )
-			info$fuid = s$f$id;
-
 		if ( ! info?$file_mime_type && s$f?$info && s$f$info?$mime_type )
 			info$file_mime_type = s$f$info$mime_type;
 
@@ -312,12 +323,18 @@ event Intel::match(s: Seen, items: set[Item]) &priority=5
 			info$file_desc = Files::describe(s$f);
 		}
 
+	if ( s?$fuid )
+		info$fuid = s$fuid;
+
 	if ( s?$conn )
 		{
-		info$uid = s$conn$uid;
+		s$uid = s$conn$uid;
 		info$id  = s$conn$id;
 		}
 
+	if ( s?$uid )
+		info$uid = s$uid;
+
 	for ( item in items )
 		{
 		add info$sources[item$meta$source];

scripts/base/frameworks/netcontrol/main.bro

@@ -23,20 +23,20 @@ export {
 	# ###  Generic functions and events.
 	# ###
 
-	# Activates a plugin.
-	#
-	# p: The plugin to acticate.
-	#
-	# priority: The higher the priority, the earlier this plugin will be checked
-	# whether it supports an operation, relative to other plugins.
+	## Activates a plugin.
+	##
+	## p: The plugin to acticate.
+	##
+	## priority: The higher the priority, the earlier this plugin will be checked
+	##           whether it supports an operation, relative to other plugins.
 	global activate: function(p: PluginState, priority: int);
 
-	# Event that is used to initialize plugins. Place all plugin initialization
-	# related functionality in this event.
+	## Event that is used to initialize plugins. Place all plugin initialization
+	## related functionality in this event.
 	global NetControl::init: event();
 
-	# Event that is raised once all plugins activated in ``NetControl::init`` have finished
-	# their initialization.
+	## Event that is raised once all plugins activated in ``NetControl::init``
+	## have finished their initialization.
 	global NetControl::init_done: event();
 
 	# ###
@@ -109,21 +109,24 @@ export {
 	##
 	## r: The rule to install.
 	##
-	## Returns: If succesful, returns an ID string unique to the rule that can later
-	## be used to refer to it. If unsuccessful, returns an empty string. The ID is also
-	## assigned to ``r$id``. Note that "successful" means "a plugin knew how to handle
-	## the rule", it doesn't necessarily mean that it was indeed successfully put in
-	## place, because that might happen asynchronously and thus fail only later.
+	## Returns: If succesful, returns an ID string unique to the rule that can
+	##          later be used to refer to it. If unsuccessful, returns an empty
+	##          string. The ID is also assigned to ``r$id``. Note that
+	##          "successful" means "a plugin knew how to handle the rule", it
+	##          doesn't necessarily mean that it was indeed successfully put in
+	##          place, because that might happen asynchronously and thus fail
+	##          only later.
 	global add_rule: function(r: Rule) : string;
 
 	## Removes a rule.
 	##
-	## id: The rule to remove, specified as the ID returned by :bro:id:`add_rule` .
+	## id: The rule to remove, specified as the ID returned by :bro:id:`NetControl::add_rule`.
 	##
-	## Returns: True if succesful, the relevant plugin indicated that it knew how
-	## to handle the removal. Note that again "success" means the plugin accepted the
-	## removal. They might still fail to put it into effect, as that  might happen
-	## asynchronously and thus go wrong at that point.
+	## Returns: True if succesful, the relevant plugin indicated that it knew
+	##          how to handle the removal. Note that again "success" means the
+	##          plugin accepted the removal. They might still fail to put it
+	##          into effect, as that might happen asynchronously and thus go
+	##          wrong at that point.
 	global remove_rule: function(id: string) : bool;
 
 	## Searches all rules affecting a certain IP address.
@@ -156,7 +159,7 @@ export {
 	## r: The rule now removed.
 	##
 	## p: The state for the plugin that had the rule in place and now
-	## removed it.
+	##    removed it.
 	##
 	## msg: An optional informational message by the plugin.
 	global rule_removed: event(r: Rule, p: PluginState, msg: string &default="");
@@ -168,7 +171,7 @@ export {
 	## i: Additional flow information, if supported by the protocol.
 	##
 	## p: The state for the plugin that had the rule in place and now
-	## removed it.
+	##    removed it.
 	##
 	## msg: An optional informational message by the plugin.
 	global rule_timeout: event(r: Rule, i: FlowInfo, p: PluginState);

scripts/base/frameworks/netcontrol/plugins/acld.bro

@@ -227,7 +227,7 @@ function acld_add_rule_fun(p: PluginState, r: Rule) : bool
 	if ( ar$command == "" )
 		return F;
 
-	BrokerComm::event(p$acld_config$acld_topic, BrokerComm::event_args(acld_add_rule, p$acld_id, r, ar));
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_add_rule, p$acld_id, r, ar));
 	return T;
 	}
 
@@ -242,18 +242,18 @@ function acld_remove_rule_fun(p: PluginState, r: Rule) : bool
 	else
 		return F;
 
-	BrokerComm::event(p$acld_config$acld_topic, BrokerComm::event_args(acld_remove_rule, p$acld_id, r, ar));
+	Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_remove_rule, p$acld_id, r, ar));
 	return T;
 	}
 
 function acld_init(p: PluginState)
 	{
-	BrokerComm::enable();
-	BrokerComm::connect(cat(p$acld_config$acld_host), p$acld_config$acld_port, 1sec);
-	BrokerComm::subscribe_to_events(p$acld_config$acld_topic);
+	Broker::enable();
+	Broker::connect(cat(p$acld_config$acld_host), p$acld_config$acld_port, 1sec);
+	Broker::subscribe_to_events(p$acld_config$acld_topic);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
 	{
 	if ( [peer_port, peer_address] !in netcontrol_acld_peers )
 		# ok, this one was none of ours...

scripts/base/frameworks/netcontrol/plugins/broker.bro

@@ -96,24 +96,24 @@ function broker_name(p: PluginState) : string
 
 function broker_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	BrokerComm::event(p$broker_topic, BrokerComm::event_args(broker_add_rule, p$broker_id, r));
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_add_rule, p$broker_id, r));
 	return T;
 	}
 
 function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
-	BrokerComm::event(p$broker_topic, BrokerComm::event_args(broker_remove_rule, p$broker_id, r));
+	Broker::send_event(p$broker_topic, Broker::event_args(broker_remove_rule, p$broker_id, r));
 	return T;
 	}
 
 function broker_init(p: PluginState)
 	{
-	BrokerComm::enable();
-	BrokerComm::connect(cat(p$broker_host), p$broker_port, 1sec);
-	BrokerComm::subscribe_to_events(p$broker_topic);
+	Broker::enable();
+	Broker::connect(cat(p$broker_host), p$broker_port, 1sec);
+	Broker::subscribe_to_events(p$broker_topic);
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
 	{
 	if ( [peer_port, peer_address] !in netcontrol_broker_peers )
 		return;

scripts/base/frameworks/netcontrol/plugins/debug.bro

@@ -11,7 +11,7 @@ export {
 	## plugin simply logs the operations it receives.
 	##
 	## do_something: If true, the plugin will claim it supports all operations; if
-	## false, it will indicate it doesn't support any.
+	##               false, it will indicate it doesn't support any.
 	global create_debug: function(do_something: bool) : PluginState;
 }
 

scripts/base/frameworks/netcontrol/types.bro

@@ -14,7 +14,7 @@ export {
 		MAC,		##< Activity involving a MAC address.
 	};
 
-	## Type of a :bro:id:`Flow` for defining a flow.
+	## Type for defining a flow.
 	type Flow: record {
 		src_h: subnet &optional;	##< The source IP address/subnet.
 		src_p: port &optional;	##< The source port number.
@@ -27,10 +27,10 @@ export {
 	## Type defining the enity an :bro:id:`Rule` is operating on.
 	type Entity: record {
 		ty: EntityType;			##< Type of entity.
-		conn: conn_id &optional;	##< Used with :bro:id:`CONNECTION` .
-		flow: Flow &optional;	##< Used with :bro:id:`FLOW` .
-		ip: subnet &optional;		##< Used with bro:id:`ADDRESS`; can specifiy a CIDR subnet.
-		mac: string &optional;		##< Used with :bro:id:`MAC`.
+		conn: conn_id &optional;	##< Used with :bro:enum:`NetControl::CONNECTION`.
+		flow: Flow &optional;	##< Used with :bro:enum:`NetControl::FLOW`.
+		ip: subnet &optional;		##< Used with :bro:enum:`NetControl::ADDRESS` to specifiy a CIDR subnet.
+		mac: string &optional;		##< Used with :bro:enum:`NetControl::MAC`.
 	};
 
 	## Target of :bro:id:`Rule` action.
@@ -68,7 +68,7 @@ export {
 		WHITELIST,
 	};
 
-	## Type of a :bro:id:`FlowMod` for defining a flow modification action.
+	## Type for defining a flow modification action.
 	type FlowMod: record {
 		src_h: addr &optional;	##< The source IP address.
 		src_p: count &optional;	##< The source port number.
@@ -90,8 +90,8 @@ export {
 		priority: int &default=default_priority;	##< Priority if multiple rules match an entity (larger value is higher priority).
 		location: string &optional;	##< Optional string describing where/what installed the rule.
 
-		out_port: count &optional;		##< Argument for bro:id:`REDIRECT` rules.
-		mod: FlowMod &optional; ##< Argument for :bro:id:`MODIFY` rules.
+		out_port: count &optional;		##< Argument for :bro:enum:`NetControl::REDIRECT` rules.
+		mod: FlowMod &optional; ##< Argument for :bro:enum:`NetControl::MODIFY` rules.
 
 		id: string &default="";		##< Internally determined unique ID for this rule. Will be set when added.
 		cid: count &default=0;		##< Internally determined unique numeric ID for this rule. Set when added.

scripts/base/frameworks/notice/main.bro

@@ -44,6 +44,7 @@ export {
 		ACTION_ALARM,
 	};
 
+	## Type that represents a set of actions.
 	type ActionSet: set[Notice::Action];
 
 	## The notice framework is able to do automatic notice suppression by
@@ -52,6 +53,7 @@ export {
 	## suppression.
 	const default_suppression_interval = 1hrs &redef;
 
+	## The record type that is used for representing and logging notices.
 	type Info: record {
 		## An absolute time indicating when the notice occurred,
 		## defaults to the current network time.

scripts/base/frameworks/openflow/plugins/broker.bro

@@ -47,26 +47,26 @@ function broker_describe(state: ControllerState): string
 
 function broker_flow_mod_fun(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool
 	{
-	BrokerComm::event(state$broker_topic, BrokerComm::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod));
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod));
 
 	return T;
 	}
 
 function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool
 	{
-	BrokerComm::event(state$broker_topic, BrokerComm::event_args(broker_flow_clear, state$_name, state$broker_dpid));
+	Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_clear, state$_name, state$broker_dpid));
 
 	return T;
 	}
 
 function broker_init(state: OpenFlow::ControllerState)
 	{
-	BrokerComm::enable();
-	BrokerComm::connect(cat(state$broker_host), state$broker_port, 1sec);
-	BrokerComm::subscribe_to_events(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker.
+	Broker::enable();
+	Broker::connect(cat(state$broker_host), state$broker_port, 1sec);
+	Broker::subscribe_to_events(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker.
 	}
 
-event BrokerComm::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
+event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string)
 	{
 	if ( [peer_port, peer_address] !in broker_peers )
 		# ok, this one was none of ours...

scripts/base/frameworks/packet-filter/netstats.bro

@@ -18,7 +18,7 @@ export {
 
 event net_stats_update(last_stat: NetStats)
 	{
-	local ns = net_stats();
+	local ns = get_net_stats();
 	local new_dropped = ns$pkts_dropped - last_stat$pkts_dropped;
 	if ( new_dropped > 0 )
 		{
@@ -38,5 +38,5 @@ event bro_init()
 	# Since this currently only calculates packet drops, let's skip the stats
 	# collection if reading traces.
 	if ( ! reading_traces() )
-		schedule stats_collection_interval { net_stats_update(net_stats()) };
+		schedule stats_collection_interval { net_stats_update(get_net_stats()) };
 	}

scripts/base/frameworks/sumstats/main.bro

@@ -5,7 +5,8 @@
 module SumStats;
 
 export {
-	## The various calculations are all defined as plugins.
+	## Type to represent the calculations that are available.  The calculations
+	## are all defined as plugins.
 	type Calculation: enum {
 		PLACEHOLDER
 	};
@@ -39,6 +40,7 @@ export {
 		str:  string &optional;
 	};
 
+	## Represents a reducer.
 	type Reducer: record {
 		## Observation stream identifier for the reducer
 		## to attach to.
@@ -56,7 +58,7 @@ export {
 		normalize_key:  function(key: SumStats::Key): Key &optional;
 	};
 
-	## Value calculated for an observation stream fed into a reducer.
+	## Result calculated for an observation stream fed into a reducer.
 	## Most of the fields are added by plugins.
 	type ResultVal: record {
 		## The time when the first observation was added to
@@ -71,14 +73,15 @@ export {
 		num:    count &default=0;
 	};
 
-	## Type to store results for multiple reducers.
+	## Type to store a table of results for multiple reducers indexed by
+	## observation stream identifier.
 	type Result: table[string] of ResultVal;
 
 	## Type to store a table of sumstats results indexed by keys.
 	type ResultTable: table[Key] of Result;
 
-	## SumStats represent an aggregation of reducers along with
-	## mechanisms to handle various situations like the epoch ending
+	## Represents a SumStat, which consists of an aggregation of reducers along
+	## with mechanisms to handle various situations like the epoch ending
 	## or thresholds being crossed.
 	##
 	## It's best to not access any global state outside
@@ -101,21 +104,28 @@ export {
 		## The reducers for the SumStat.
 		reducers:           set[Reducer];
 
-		## Provide a function to calculate a value from the
-		## :bro:see:`SumStats::Result` structure which will be used
-		## for thresholding.
-		## This is required if a *threshold* value is given.
+		## A function that will be called once for each observation in order
+		## to calculate a value from the :bro:see:`SumStats::Result` structure
+		## which will be used for thresholding.
+		## This function is required if a *threshold* value or
+		## a *threshold_series* is given.
 		threshold_val:      function(key: SumStats::Key, result: SumStats::Result): double &optional;
 
-		## The threshold value for calling the
-		## *threshold_crossed* callback.
+		## The threshold value for calling the *threshold_crossed* callback.
+		## If you need more than one threshold value, then use
+		## *threshold_series* instead.
 		threshold:          double            &optional;
 
-		## A series of thresholds for calling the
-		## *threshold_crossed* callback.
+		## A series of thresholds for calling the *threshold_crossed*
+		## callback.  These thresholds must be listed in ascending order,
+		## because a threshold is not checked until the preceding one has
+		## been crossed.
 		threshold_series:   vector of double  &optional;
 
 		## A callback that is called when a threshold is crossed.
+		## A threshold is crossed when the value returned from *threshold_val*
+		## is greater than or equal to the threshold value, but only the first
+		## time this happens within an epoch.
 		threshold_crossed:  function(key: SumStats::Key, result: SumStats::Result) &optional;
 
 		## A callback that receives each of the results at the
@@ -130,6 +140,8 @@ export {
 	};
 
 	## Create a summary statistic.
+	##
+	## ss: The SumStat to create.
 	global create: function(ss: SumStats::SumStat);
 
 	## Add data into an observation stream. This should be

scripts/base/frameworks/sumstats/plugins/average.bro

@@ -1,3 +1,5 @@
+##! Calculate the average.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this calculates the average of all values.
+		## For numeric data, this is the average of all values.
 		average: double &optional;
 	};
 }

scripts/base/frameworks/sumstats/plugins/hll_unique.bro

@@ -1,3 +1,5 @@
+##! Calculate the number of unique values (using the HyperLogLog algorithm).
+
 @load base/frameworks/sumstats
 
 module SumStats;

scripts/base/frameworks/sumstats/plugins/last.bro

@@ -1,3 +1,5 @@
+##! Keep the last X observations.
+
 @load base/frameworks/sumstats
 @load base/utils/queue
 

scripts/base/frameworks/sumstats/plugins/max.bro

@@ -1,3 +1,5 @@
+##! Find the maximum value.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this tracks the maximum value given.
+		## For numeric data, this tracks the maximum value.
 		max: double &optional;
 	};
 }

scripts/base/frameworks/sumstats/plugins/min.bro

@@ -1,3 +1,5 @@
+##! Find the minimum value.
+
 @load ../main
 
 module SumStats;
@@ -9,7 +11,7 @@ export {
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this tracks the minimum value given.
+		## For numeric data, this tracks the minimum value.
 		min: double &optional;
 	};
 }

scripts/base/frameworks/sumstats/plugins/sample.bro

@@ -1,3 +1,5 @@
+##! Keep a random sample of values.
+
 @load base/frameworks/sumstats/main
 
 module SumStats;
@@ -10,7 +12,7 @@ export {
 	};
 
 	redef record Reducer += {
-		## A number of sample Observations to collect.
+		## The number of sample Observations to collect.
 		num_samples: count &default=0;
 	};
 

scripts/base/frameworks/sumstats/plugins/std-dev.bro

@@ -1,3 +1,5 @@
+##! Calculate the standard deviation.
+
 @load ./variance
 @load ../main
 
@@ -5,7 +7,7 @@ module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Find the standard deviation of the values.
+		## Calculate the standard deviation of the values.
 		STD_DEV
 	};
 

scripts/base/frameworks/sumstats/plugins/sum.bro

@@ -1,11 +1,13 @@
+##! Calculate the sum.
+
 @load ../main
 
 module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Sums the values given.  For string values,
-		## this will be the number of strings given.
+		## Calculate the sum of the values.  For string values,
+		## this will be the number of strings.
 		SUM
 	};
 

scripts/base/frameworks/sumstats/plugins/topk.bro

@@ -1,3 +1,5 @@
+##! Keep the top-k (i.e., most frequently occurring) observations.
+
 @load base/frameworks/sumstats
 
 module SumStats;
@@ -9,10 +11,13 @@ export {
 	};
 
 	redef enum Calculation += {
+		## Keep a top-k list of values.
 		TOPK
 	};
 
 	redef record ResultVal += {
+		## A handle which can be passed to some built-in functions to get
+		## the top-k results.
 		topk: opaque of topk &optional;
 	};
 

scripts/base/frameworks/sumstats/plugins/unique.bro

@@ -1,10 +1,12 @@
+##! Calculate the number of unique values.
+
 @load ../main
 
 module SumStats;
 
 export {
 	redef record Reducer += {
-		## Maximum number of unique elements to store.
+		## Maximum number of unique values to store.
 		unique_max: count &optional;
 	};
 
@@ -15,7 +17,7 @@ export {
 
 	redef record ResultVal += {
 		## If cardinality is being tracked, the number of unique
-		## items is tracked here.
+		## values is tracked here.
 		unique: count &default=0;
 	};
 }

scripts/base/frameworks/sumstats/plugins/variance.bro

@@ -1,3 +1,5 @@
+##! Calculate the variance.
+
 @load ./average
 @load ../main
 
@@ -5,12 +7,12 @@ module SumStats;
 
 export {
 	redef enum Calculation += {
-		## Find the variance of the values.
+		## Calculate the variance of the values.
 		VARIANCE
 	};
 
 	redef record ResultVal += {
-		## For numeric data, this calculates the variance.
+		## For numeric data, this is the variance.
 		variance: double &optional;
 	};
 }