Fix typos and formatting in the policy/protocols docs

Also updated a test related to these changes, and adjusted line numbers.

doc/scripting/index.rst

@@ -1222,7 +1222,7 @@ from the connection relative to the behavior that has been observed by
 Bro.  
 
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssl/expiring-certs.bro
-   :lines: 59-62
+   :lines: 60-63
 
 In the :doc:`/scripts/policy/protocols/ssl/expiring-certs` script
 which identifies when SSL certificates are set to expire and raises

scripts/policy/protocols/conn/known-hosts.bro

@@ -15,8 +15,8 @@ export {
 	type HostsInfo: record {
 		## The timestamp at which the host was detected.
 		ts:      time &log;
-		## The address that was detected originating or responding to a TCP 
-		## connection.
+		## The address that was detected originating or responding to a
+		## TCP connection.
 		host:    addr &log;
 	};
 	

scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro

@@ -7,7 +7,7 @@ module Known;
 
 export {
 	redef record DevicesInfo += {
-		## The value of the DHCP host name option, if seen
+		## The value of the DHCP host name option, if seen.
 		dhcp_host_name:	string		&log &optional;
 	};
 }

scripts/policy/protocols/dns/detect-external-names.bro

@@ -10,9 +10,9 @@ module DNS;
 
 export {
 	redef enum Notice::Type += { 
-		## Raised when a non-local name is found to be pointing at a local host.
-		## :bro:id:`Site::local_zones` variable **must** be set appropriately 
-		## for this detection.
+		## Raised when a non-local name is found to be pointing at a
+		## local host.  The :bro:id:`Site::local_zones` variable
+		## **must** be set appropriately for this detection.
 		External_Name,
 		};
 }

scripts/policy/protocols/ftp/detect-bruteforcing.bro

@@ -1,5 +1,5 @@
-##! FTP brute-forcing detector, triggering when too  many rejected usernames or
-##! failed passwords have occured from a single address.
+##! FTP brute-forcing detector, triggering when too many rejected usernames or
+##! failed passwords have occurred from a single address.
 
 @load base/protocols/ftp
 @load base/frameworks/sumstats
@@ -10,8 +10,8 @@ module FTP;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates a host bruteforcing FTP logins by watching for too many
-		## rejected usernames or failed passwords.
+		## Indicates a host bruteforcing FTP logins by watching for too
+		## many rejected usernames or failed passwords.
 		Bruteforcing
 	};
 

scripts/policy/protocols/http/detect-sqli.bro

@@ -8,10 +8,12 @@ module HTTP;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a host performing SQL injection attacks was detected.
+		## Indicates that a host performing SQL injection attacks was
+		## detected.
 		SQL_Injection_Attacker,
-		## Indicates that a host was seen to have SQL injection attacks against
-		## it.  This is tracked by IP address as opposed to hostname.
+		## Indicates that a host was seen to have SQL injection attacks
+		## against it.  This is tracked by IP address as opposed to
+		## hostname.
 		SQL_Injection_Victim,
 	};
 
@@ -19,9 +21,11 @@ export {
 		## Indicator of a URI based SQL injection attack.
 		URI_SQLI,
 		## Indicator of client body based SQL injection attack.  This is
-		## typically the body content of a POST request. Not implemented yet.
+		## typically the body content of a POST request. Not implemented
+		## yet.
 		POST_SQLI,
-		## Indicator of a cookie based SQL injection attack. Not implemented yet.
+		## Indicator of a cookie based SQL injection attack. Not
+		## implemented yet.
 		COOKIE_SQLI,
 	};
 

scripts/policy/protocols/http/header-names.bro

@@ -8,12 +8,12 @@ module HTTP;
 
 export {
 	redef record Info += {
-		## The vector of HTTP header names sent by the client.  No header 
-		## values are included here, just the header names.
+		## The vector of HTTP header names sent by the client.  No
+		## header values are included here, just the header names.
 		client_header_names:  vector of string &log &optional;
 		
-		## The vector of HTTP header names sent by the server.  No header 
-		## values are included here, just the header names.
+		## The vector of HTTP header names sent by the server.  No
+		## header values are included here, just the header names.
 		server_header_names:  vector of string &log &optional;
 	};
 	

scripts/policy/protocols/http/var-extraction-cookies.bro

@@ -1,4 +1,4 @@
-##! Extracts and logs variables names from cookies sent by clients.
+##! Extracts and logs variable names from cookies sent by clients.
 
 @load base/protocols/http/main
 @load base/protocols/http/utils

scripts/policy/protocols/http/var-extraction-uri.bro

@@ -1,4 +1,4 @@
-##! Extracts and log variables from the requested URI in the default HTTP 
+##! Extracts and logs variables from the requested URI in the default HTTP 
 ##! logging stream.
 
 @load base/protocols/http

scripts/policy/protocols/modbus/track-memmap.bro

@@ -15,9 +15,9 @@ export {
 	const track_memmap: Host = ALL_HOSTS &redef;
 
 	type MemmapInfo: record {
-		## Timestamp for the detected register change
+		## Timestamp for the detected register change.
 		ts:        time     &log;
-		## Unique ID for the connection
+		## Unique ID for the connection.
 		uid:       string   &log;
 		## Connection ID.
 		id:        conn_id  &log;
@@ -27,7 +27,8 @@ export {
 		old_val:   count    &log;
 		## The new value stored in the register.
 		new_val:   count    &log;
-		## The time delta between when the 'old_val' and 'new_val' were seen.
+		## The time delta between when the *old_val* and *new_val* were
+		## seen.
 		delta:     interval &log;
 	};
 
@@ -42,8 +43,8 @@ export {
 	## The memory map of slaves is tracked with this variable.
 	global device_registers: table[addr] of Registers;
 
-	## This event is generated every time a register is seen to be different than
-	## it was previously seen to be.
+	## This event is generated every time a register is seen to be different
+	## than it was previously seen to be.
 	global changed_register: event(c: connection, register: count, old_val: count, new_val: count, delta: interval);
 }
 

scripts/policy/protocols/smtp/detect-suspicious-orig.bro

@@ -8,8 +8,8 @@ export {
 		Suspicious_Origination
 	};
 
-	## Places where it's suspicious for mail to originate from represented as
-	## all-capital, two character country codes (e.x. US).  It requires 
+	## Places where it's suspicious for mail to originate from represented
+	## as all-capital, two character country codes (e.g., US).  It requires 
 	## libGeoIP support built in.
 	const suspicious_origination_countries: set[string] = {} &redef;
 	const suspicious_origination_networks: set[subnet] = {} &redef;

scripts/policy/protocols/smtp/software.bro

@@ -5,7 +5,7 @@
 ##! TODO:
 ##!
 ##! * Find some heuristic to determine if email was sent through 
-##!   a MS Exhange webmail interface as opposed to a desktop client.
+##!   a MS Exchange webmail interface as opposed to a desktop client.
 
 @load base/frameworks/software/main
 @load base/protocols/smtp/main
@@ -20,19 +20,19 @@ export {
 	};
 	
 	redef record Info += {
-		## Boolean indicator of if the message was sent through a webmail 
-		## interface.
+		## Boolean indicator of if the message was sent through a
+		## webmail interface.
 		is_webmail: bool &log &default=F;
 	};
 	
-	## Assuming that local mail servers are more trustworthy with the headers 
-	## they insert into messages envelopes, this default makes Bro not attempt
-	## to detect software in inbound message bodies.  If mail coming in from
-	## external addresses gives incorrect data in the Received headers, it 
-	## could populate your SOFTWARE logging stream with incorrect data.
-	## If you would like to detect mail clients for incoming messages 
-	## (network traffic originating from a non-local address), set this
-	## variable to EXTERNAL_HOSTS or ALL_HOSTS.
+	## Assuming that local mail servers are more trustworthy with the
+	## headers they insert into message envelopes, this default makes Bro
+	## not attempt to detect software in inbound message bodies.  If mail
+	## coming in from external addresses gives incorrect data in
+	## the Received headers, it could populate your SOFTWARE logging stream
+	## with incorrect data.  If you would like to detect mail clients for
+	## incoming messages (network traffic originating from a non-local
+	## address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
 	const detect_clients_in_messages_from = LOCAL_HOSTS &redef;
 	
 	## A regular expression to match USER-AGENT-like headers to find if a 

scripts/policy/protocols/ssh/detect-bruteforcing.bro

@@ -11,12 +11,12 @@ module SSH;
 export {
 	redef enum Notice::Type += {
 		## Indicates that a host has been identified as crossing the
-		## :bro:id:`SSH::password_guesses_limit` threshold with heuristically
-		## determined failed logins.
+		## :bro:id:`SSH::password_guesses_limit` threshold with
+		## heuristically determined failed logins.
 		Password_Guessing,
-		## Indicates that a host previously identified as a "password guesser"
-		## has now had a heuristically successful login attempt.  This is not
-		## currently implemented.
+		## Indicates that a host previously identified as a "password
+		## guesser" has now had a heuristically successful login
+		## attempt.  This is not currently implemented.
 		Login_By_Password_Guesser,
 	};
 
@@ -29,8 +29,8 @@ export {
 	## guessing passwords.
 	const password_guesses_limit: double = 30 &redef;
 
-	## The amount of time to remember presumed non-successful logins to build
-	## model of a password guesser.
+	## The amount of time to remember presumed non-successful logins to
+	## build a model of a password guesser.
 	const guessing_timeout = 30 mins &redef;
 
 	## This value can be used to exclude hosts or entire networks from being

scripts/policy/protocols/ssh/geo-data.bro

@@ -7,14 +7,15 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## If an SSH login is seen to or from a "watched" country based on the
-		## :bro:id:`SSH::watched_countries` variable then this notice will
-		## be generated.
+		## If an SSH login is seen to or from a "watched" country based
+		## on the :bro:id:`SSH::watched_countries` variable then this
+		## notice will be generated.
 		Watched_Country_Login,
 	};
 	
 	redef record Info += {
-		## Add geographic data related to the "remote" host of the connection.
+		## Add geographic data related to the "remote" host of the
+		## connection.
 		remote_location: geo_location &log &optional;
 	};
 	

scripts/policy/protocols/ssh/interesting-hostnames.bro

@@ -10,8 +10,8 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## Generated if a login originates or responds with a host where the 
-		## reverse hostname lookup resolves to a name matched by the 
+		## Generated if a login originates or responds with a host where
+		## the reverse hostname lookup resolves to a name matched by the
 		## :bro:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};

scripts/policy/protocols/ssl/expiring-certs.bro

@@ -12,13 +12,14 @@ module SSL;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a certificate's NotValidAfter date has lapsed and
-		## the certificate is now invalid.
+		## Indicates that a certificate's NotValidAfter date has lapsed
+		## and the certificate is now invalid.
 		Certificate_Expired,
 		## Indicates that a certificate is going to expire within 
 		## :bro:id:`SSL::notify_when_cert_expiring_in`.
 		Certificate_Expires_Soon,
-		## Indicates that a certificate's NotValidBefore date is future dated.
+		## Indicates that a certificate's NotValidBefore date is future
+		## dated.
 		Certificate_Not_Valid_Yet,
 	};
 	
@@ -29,8 +30,8 @@ export {
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
 	const notify_certs_expiration = LOCAL_HOSTS &redef;
 	
-	## The time before a certificate is going to expire that you would like to
-	## start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
+	## The time before a certificate is going to expire that you would like
+	## to start receiving :bro:enum:`SSL::Certificate_Expires_Soon` notices.
 	const notify_when_cert_expiring_in = 30days &redef;
 }
 

scripts/policy/protocols/ssl/extract-certs-pem.bro

@@ -5,8 +5,8 @@
 ##! .. note::
 ##!
 ##!     - It doesn't work well on a cluster because each worker will write its
-##!       own certificate files and no duplicate checking is done across
-##!       clusters so each node would log each certificate.
+##!       own certificate files and no duplicate checking is done across the
+##!       cluster so each node would log each certificate.
 ##!
 
 @load base/protocols/ssl
@@ -18,7 +18,7 @@ module SSL;
 export {
 	## Control if host certificates offered by the defined hosts
 	## will be written to the PEM certificates file.
-	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	const extract_certs_pem = LOCAL_HOSTS &redef;
 }
 

scripts/policy/protocols/ssl/known-certs.bro

@@ -1,4 +1,5 @@
-##! Log information about certificates while attempting to avoid duplicate logging.
+##! Log information about certificates while attempting to avoid duplicate
+##! logging.
 
 @load base/utils/directions-and-hosts
 @load base/protocols/ssl
@@ -26,7 +27,7 @@ export {
 	};
 	
 	## The certificates whose existence should be logged and tracked.
-	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
+	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	const cert_tracking = LOCAL_HOSTS &redef;
 	
 	## The set of all known certificates to store for preventing duplicate 

scripts/policy/protocols/ssl/validate-certs.bro

@@ -8,8 +8,9 @@ module SSL;
 
 export {
 	redef enum Notice::Type += {
-		## This notice indicates that the result of validating the certificate
-		## along with it's full certificate chain was invalid.
+		## This notice indicates that the result of validating the
+		## certificate along with its full certificate chain was
+		## invalid.
 		Invalid_Server_Cert
 	};
 	
@@ -18,9 +19,9 @@ export {
 		validation_status: string &log &optional;
 	};
 	
-	## MD5 hash values for recently validated certs along with the validation
-	## status message are kept in this table to avoid constant validation 
-	## everytime the same certificate is seen.
+	## MD5 hash values for recently validated certs along with the
+	## validation status message are kept in this table to avoid constant
+	## validation every time the same certificate is seen.
 	global recently_validated_certs: table[string] of string = table() 
 		&read_expire=5mins &synchronized &redef;
 }

testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output

@@ -14,8 +14,8 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## Generated if a login originates or responds with a host where the 
-		## reverse hostname lookup resolves to a name matched by the 
+		## Generated if a login originates or responds with a host where
+		## the reverse hostname lookup resolves to a name matched by the
 		## :bro:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};

testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest

@@ -14,8 +14,8 @@ module SSH;
 
 export {
 	redef enum Notice::Type += {
-		## Generated if a login originates or responds with a host where the 
-		## reverse hostname lookup resolves to a name matched by the 
+		## Generated if a login originates or responds with a host where
+		## the reverse hostname lookup resolves to a name matched by the
 		## :bro:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};