Merge remote-tracking branch 'origin/master' into topic/bernhard/localnet

2025-10-04 23:58:20 +00:00 · 2011-12-03 20:15:05 -08:00 · 2011-12-03 20:15:05 -08:00 · 949ec6897a
commit 949ec6897a
parent a68e6b9fa4 ab1ac72d4b
40 changed files with 448 additions and 240 deletions
--- a/47
+++ b/47
@ -1,4 +1,51 @@
 2.0-beta-88 | 2011-12-02 17:00:58 -0800
  * Teach LogWriterAscii to use BRO_LOG_SUFFIX environemt variable.
    Addresses #704. (Jon Siwek)
  * Fix double-free of DNS_Mgr_Request object. Addresses #661.
  * Add a remote_log_peer event which comes with an event_peer record
    parameter. Addresses #493. (Jon Siwek)
  * Remove example redef of SMTP::entity_excerpt_len from local.bro.
    Fixes error emitted when loading local.bro in bare mode. (Jon
    Siwek)
  * Add missing doc targets to top Makefile; remove old doc/Makefile.
    Fixes #705. (Jon Siwek)
  * Turn some globals into constants. Addresses #633. (Seth Hall)
  * Rearrange packet filter and DPD documentation. (Jon Siwek)
 2.0-beta-72 | 2011-11-30 20:16:09 -0800
  * Fine-tuning the Sphinx layout to better match www. (Jon Siwek and
    Robin Sommer)
 2.0-beta-69 | 2011-11-29 16:55:31 -0800
  * Fixing ASCII logger to escape the unset-field place holder if
    written out literally. (Robin Sommer)
 2.0-beta-68 | 2011-11-29 15:23:12 -0800
  * Lots of documentation polishing. (Jon Siwek)
  * Teach Broxygen the ".. bro:see::" directive. (Jon Siwek)
  * Teach Broxygen :bro:see: role for referencing any identifier in
    the Bro domain. (Jon Siwek)
  * Teach Broxygen to generate an index of Bro notices. (Jon Siwek)
  * Fix order of include directories. (Jon Siwek)
  * Catch if logged vectors do not contain only atomic types.
    (Bernhard Amann)
 2.0-beta-47 | 2011-11-16 08:24:33 -0800
  * Catch if logged sets do not contain only atomic types. (Bernhard
--- a/12
+++ b/12
@ -29,6 +29,18 @@ doc: configured
 docclean: configured
 	$(MAKE) -C $(BUILD) $@
 restdoc: configured
 	$(MAKE) -C $(BUILD) $@
 restclean: configured
 	$(MAKE) -C $(BUILD) $@
 broxygen: configured
 	$(MAKE) -C $(BUILD) $@
 broxygenclean: configured
 	$(MAKE) -C $(BUILD) $@
 dist:
 	@rm -rf $(VERSION_FULL) $(VERSION_FULL).tgz
 	@rm -rf $(VERSION_MIN) $(VERSION_MIN).tgz
--- a/2
+++ b/2
@ -1 +1 @@
-2.0-beta-47
+2.0-beta-88
--- a/aux/bro-aux
+++ b/aux/bro-aux
@ -1 +1 @@
-Subproject commit 7ea5837b4ba8403731ca4a9875616c0ab501342f
+Subproject commit 4d387ce660468b44df99d4c87d6016ae4ed2fdc4
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit 6771d28af299f025a701e67f51311513af1cbc22
+Subproject commit be772bbada79b106db33fb9de5f56fa71226adc5
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@ -60,16 +60,16 @@ add_custom_target(broxygen
 # The "sphinxclean" target removes just the Sphinx input/output directories
 # from the build directory.
-add_custom_target(broxygen-clean
+add_custom_target(broxygenclean
                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
                          ${DOC_SOURCE_WORKDIR}
                  COMMAND "${CMAKE_COMMAND}" -E remove_directory
                          ${DOC_OUTPUT_DIR}
                  VERBATIM)
-add_dependencies(broxygen broxygen-clean restdoc)
+add_dependencies(broxygen broxygenclean restdoc)
 add_custom_target(doc)
 add_custom_target(docclean)
 add_dependencies(doc broxygen)
-add_dependencies(docclean broxygen-clean restclean)
+add_dependencies(docclean broxygenclean restclean)
--- a/doc/Makefile
+++ b/doc/Makefile
@ -1,7 +0,0 @@
 all:
 	test -d html || mkdir html
 	for i in *.rst; do echo "$$i ..."; ./bin/rst2html.py $$i >html/`echo $$i | sed 's/rst$$/html/g'`; done
 clean:
 	rm -rf html
--- a/doc/README
+++ b/doc/README
@ -15,8 +15,9 @@ which adds some reST directives and roles that aid in generating useful
 index entries and cross-references.  Other extensions can be added in
 a similar fashion.
-Either the ``make doc`` or ``make broxygen`` can be used to locally
+Either the ``make doc`` or ``make broxygen`` targets in the top-level
-render the reST files into HTML.  Those targets depend on:
+Makefile can be used to locally render the reST files into HTML.
 Those targets depend on:
 * Python interpreter >= 2.5
 * `Sphinx <http://sphinx.pocoo.org/>`_ >= 1.0.1
--- a/doc/_static/broxygen-extra.css
+++ b/doc/_static/broxygen-extra.css
@ -1,3 +1,15 @@
 .highlight {
    background-color: #ffffff;
 }
 h1 {
    font-weight: bold;
    font-size: 32px;
 	line-height:32px;
    text-align: center;
    padding-top: 3px;
    margin-bottom: 30px;
    font-family: Palatino,'Palatino Linotype',Georgia,serif;;
    color: #000;
    border-bottom: 0px;
 }
--- a/doc/_static/logo-bro.png
+++ b/doc/_static/logo-bro.png
--- a/doc/_templates/layout.html
+++ b/doc/_templates/layout.html
@ -2,21 +2,97 @@
 {% block extrahead %}
 <link rel="stylesheet" type="text/css" href="http://www.bro-ids.org/css/bro-ids.css" />
 <link rel="stylesheet" type="text/css" href="http://www.bro-ids.org/css/960.css" />
 <link rel="stylesheet" type="text/css" href="http://www.bro-ids.org/css/pygments.css" />
 <link rel="stylesheet" type="text/css" href="{{ pathto('_static/broxygen-extra.css', 1) }}"></script>
 <script type="text/javascript" src="{{ pathto('_static/download.js', 1) }}"></script>
 {% endblock %}
 {% block header %}
-<iframe src="http://www.bro-ids.org/frames/header.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
+<iframe src="http://www.bro-ids.org/frames/header-no-logo.html" width="100%" height="100px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
 </iframe>
 {% endblock %}
 {% block relbar2 %}{% endblock %}
 {% block relbar1 %}{% endblock %}
 {% block content %}
        <div id="bro-main" class="clearfix">
            <div class="container_12">
                <div class="grid_9">
                    <div>
                         {{ relbar() }}
                    </div>
                    <div class="body">
                        {% block body %}
                        {% endblock %}
                    </div>
                </div>
                <!-- Sidebar -->
                <div class="grid_3 omega">
                    <div>
                        <img id="logo" src="{{pathto('_static/logo-bro.png', 1)}}" alt="Logo" />
                    </div>
                    <br />
                    <div class="widget sidebar-toc">
                        <h3 class="widgettitle">
                            Table of Contents
                        </h3>
                        <p>
                            <ul>{{toc}}</ul>
                        </p>
                    </div>
                    {% if next %}
                    <div class="widget">
                        <h3 class="widgettitle">
                            Next Page
                        </h3>
                        <p>
                            <a href="{{ next.link|e }}">{{ next.title }}</a>
                        </p>
                    </div>
                    {% endif %}
                    {% if prev %}
                    <div class="widget">
                        <h3 class="widgettitle">
                            Previous Page
                        </h3>
                        <p>
                            <a href="{{ prev.link|e }}">{{ prev.title }}</a>
                        </p>
                    </div>
                    {% endif %}
                </div>
            </div>
            <div class="container_12">
                <div class="grid_12 alpha omega">
                    <div class="center">
                        <small>
                            Copyright {{ copyright }}.
                            Last updated on {{ last_updated }}.
                            Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> {{ sphinx_version }}.
                        </small>
                    </div>
                </div>
            </div>
        </div>
 {% endblock %}
 {% block footer %}
 {{ super() }}
 <iframe src="http://www.bro-ids.org/frames/footer.html" width="100%" height="420px" frameborder="0" marginheight="0" scrolling="no" marginwidth="0">
 </iframe>
 {% endblock %}
--- a/doc/bin/rst2html.py
+++ b/doc/bin/rst2html.py
@ -1,62 +0,0 @@
 #!/usr/bin/env python
 #
 # Derived from docutils standard rst2html.py.
 #
 # $Id: rst2html.py 4564 2006-05-21 20:44:42Z wiemann $
 # Author: David Goodger <goodger@python.org>
 # Copyright: This module has been placed in the public domain.
 #
 #
 # Extension: we add to dummy directorives "code" and "console" to be
 # compatible with Bro's web site setup.
 try:
    import locale
    locale.setlocale(locale.LC_ALL, '')
 except:
    pass
 import textwrap
 from docutils.core import publish_cmdline, default_description
 from docutils import nodes
 from docutils.parsers.rst import directives, Directive
 from docutils.parsers.rst.directives.body import LineBlock
 class Literal(Directive):
    #max_line_length = 68
    max_line_length = 0
    required_arguments = 0
    optional_arguments = 1
    final_argument_whitespace = True
    has_content = True
    def wrapped_content(self):
        content = []
        if Literal.max_line_length:
            for line in self.content:
                content += textwrap.wrap(line, Literal.max_line_length, subsequent_indent="      ")
        else:
            content = self.content
        return u'\n'.join(content)
    def run(self):
        self.assert_has_content()
        content = self.wrapped_content()
        literal = nodes.literal_block(content, content)
        return [literal]
 directives.register_directive('code', Literal)
 directives.register_directive('console', Literal)
 description = ('Generates (X)HTML documents from standalone reStructuredText '
               'sources.  ' + default_description)
 publish_cmdline(writer_name='html', description=description)
--- a/doc/conf.py.in
+++ b/doc/conf.py.in
@ -90,44 +90,20 @@ pygments_style = 'sphinx'
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-html_theme = 'default'
+html_theme = 'basic'
 html_last_updated_fmt = '%B %d, %Y'
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
 # documentation.
-html_theme_options = {
+html_theme_options = { }
 "rightsidebar": "true",
 "stickysidebar": "false",
 "externalrefs": "false",
 "footerbgcolor": "#333",
 "footertextcolor": "#ddd",
 "sidebarbgcolor": "#ffffff",
 #"sidebarbtncolor": "",
 "sidebartextcolor": "#333",
 "sidebarlinkcolor": "#2a85a7",
 "relbarbgcolor": "#ffffff",
 "relbartextcolor": "#333",
 "relbarlinkcolor": "#2a85a7",
 "bgcolor": "#ffffff",
 "textcolor": "#333",
 "linkcolor": "#2a85a7",
 "visitedlinkcolor": "#2a85a7",
 "headbgcolor": "#f0f0f0",
 "headtextcolor": "#000",
 "headlinkcolor": "#2a85a7",
 "codebgcolor": "#FFFAE2",
 #"codetextcolor": "",
 "bodyfont": "Arial, Helvetica, sans-serif",
 "headfont": "Palatino,'Palatino Linotype',Georgia,serif",
 }
 # Add any paths that contain custom themes here, relative to this directory.
 #html_theme_path = []
 # The name for this set of Sphinx documents.  If None, it defaults to
-# "<project> v<release> documentation".
+# "<project> v<release> Documentation".
 #html_title = None
 # A shorter title for the navigation bar.  Default is the same as html_title.
--- a/doc/index.rst
+++ b/doc/index.rst
@ -1,9 +1,11 @@
 .. Bro documentation master file
 =================
 Bro Documentation
 =================
-Documentation for version: |version|
+Guides
 ------
 .. toctree::
   :maxdepth: 1
@ -40,7 +42,6 @@ Script Reference
 .. toctree::
   :maxdepth: 1
   scripts/common
   scripts/builtins
   scripts/bifs
   scripts/packages
--- a/doc/notice.rst
+++ b/doc/notice.rst
@ -29,17 +29,18 @@ definitions of what constitutes an attack or even a compromise differ quite a
 bit between environments, and activity deemed malicious at one site might be
 fully acceptable at another.
-Whenever one of Bro's analysis scripts sees something potentially interesting
+Whenever one of Bro's analysis scripts sees something potentially
-it flags the situation by calling the ``NOTICE`` function and giving it a
+interesting it flags the situation by calling the :bro:see:`NOTICE`
-single ``Notice::Info`` record. A Notice has a ``Notice::Type``, which
+function and giving it a single :bro:see:`Notice::Info` record. A Notice
-reflects the kind of activity that has been seen, and it is usually also
+has a :bro:see:`Notice::Type`, which reflects the kind of activity that
-augmented with further context about the situation. 
+has been seen, and it is usually also augmented with further context
 about the situation.
 More information about raising notices can be found in the `Raising Notices`_
 section.
 Once a notice is raised, it can have any number of actions applied to it by
-the ``Notice::policy`` set which is described in the `Notice Policy`_
+the :bro:see:`Notice::policy` set which is described in the `Notice Policy`_
 section below. Such actions can be to send a mail to the configured
 address(es) or to simply ignore the notice. Currently, the following actions
 are defined:
@ -52,20 +53,20 @@ are defined:
      - Description
    * - Notice::ACTION_LOG
-      - Write the notice to the ``Notice::LOG`` logging stream.
+      - Write the notice to the :bro:see:`Notice::LOG` logging stream.
    * - Notice::ACTION_ALARM
-      - Log into the ``Notice::ALARM_LOG`` stream which will rotate
+      - Log into the :bro:see:`Notice::ALARM_LOG` stream which will rotate
        hourly and email the contents to the email address or addresses
-        defined in the ``Notice::mail_dest`` variable.
+        defined in the :bro:see:`Notice::mail_dest` variable.
    * - Notice::ACTION_EMAIL
      - Send the notice in an email to the email address or addresses given in
-        the ``Notice::mail_dest`` variable.
+        the :bro:see:`Notice::mail_dest` variable.
    * - Notice::ACTION_PAGE
      - Send an email to the email address or addresses given in the
-        ``Notice::mail_page_dest`` variable.
+        :bro:see:`Notice::mail_page_dest` variable.
    * - Notice::ACTION_NO_SUPPRESS
      - This action will disable the built in notice suppression for the
@ -82,15 +83,17 @@ Processing Notices
 Notice Policy
 *************
-The predefined set ``Notice::policy`` provides the mechanism for applying
+The predefined set :bro:see:`Notice::policy` provides the mechanism for
-actions and other behavior modifications to notices. Each entry of
+applying actions and other behavior modifications to notices. Each entry
-``Notice::policy`` is a record of the type ``Notice::PolicyItem`` which
+of :bro:see:`Notice::policy` is a record of the type
-defines a condition to be matched against all raised notices and one or more
+:bro:see:`Notice::PolicyItem` which defines a condition to be matched
-of a variety of behavior modifiers. The notice policy is defined by adding any
+against all raised notices and one or more of a variety of behavior
-number of ``Notice::PolicyItem`` records to the ``Notice::policy`` set.
+modifiers. The notice policy is defined by adding any number of
 :bro:see:`Notice::PolicyItem` records to the :bro:see:`Notice::policy`
 set.
 Here's a simple example which tells Bro to send an email for all notices of
-type ``SSH::Login`` if the server is 10.0.0.1:
+type :bro:see:`SSH::Login` if the server is 10.0.0.1:
 .. code:: bro
@ -113,11 +116,11 @@ flexibility due to having access to Bro's full programming language.
 Predicate Field
 ^^^^^^^^^^^^^^^
-The ``Notice::PolicyItem`` record type has a field name ``$pred`` which
+The :bro:see:`Notice::PolicyItem` record type has a field name ``$pred``
-defines the entry's condition in the form of a predicate written as a Bro
+which defines the entry's condition in the form of a predicate written
-function. The function is passed the notice as a ``Notice::Info`` record and
+as a Bro function. The function is passed the notice as a
-it returns a boolean value indicating if the entry is applicable to that
+:bro:see:`Notice::Info` record and it returns a boolean value indicating
-particular notice.
+if the entry is applicable to that particular notice.
 .. note::
@ -125,14 +128,14 @@ particular notice.
    (``T``) since an implicit false (``F``) value would never be used.
 Bro evaluates the predicates of each entry in the order defined by the
-``$priority`` field in ``Notice::PolicyItem`` records. The valid values are
+``$priority`` field in :bro:see:`Notice::PolicyItem` records. The valid
-0-10 with 10 being earliest evaluated. If ``$priority`` is omitted, the
+values are 0-10 with 10 being earliest evaluated. If ``$priority`` is
-default priority is 5.
+omitted, the default priority is 5.
 Behavior Modification Fields
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-There are a set of fields in the ``Notice::PolicyItem`` record type that
+There are a set of fields in the :bro:see:`Notice::PolicyItem` record type that
 indicate ways that either the notice or notice processing should be modified
 if the predicate field (``$pred``) evaluated to true (``T``). Those fields are
 explained in more detail in the following table.
@ -146,8 +149,8 @@ explained in more detail in the following table.
      - Example
    * - ``$action=<Notice::Action>``
-      - Each Notice::PolicyItem can have a single action applied to the notice
+      - Each :bro:see:`Notice::PolicyItem` can have a single action
-        with this field.
+        applied to the notice with this field.
      - ``$action = Notice::ACTION_EMAIL``
    * - ``$suppress_for=<interval>`` 
@ -162,9 +165,9 @@ explained in more detail in the following table.
      - This field can be used for modification of the notice policy
        evaluation. To stop processing of notice policy items before
        evaluating all of them, set this field to ``T`` and make the ``$pred``
-        field return ``T``. ``Notice::PolicyItem`` records defined at a higher
+        field return ``T``. :bro:see:`Notice::PolicyItem` records defined at
-        priority as defined by the ``$priority`` field will still be evaluated
+        a higher priority as defined by the ``$priority`` field will still be
-        but those at a lower priority won't.
+        evaluated but those at a lower priority won't.
      - ``$halt = T``
@ -186,11 +189,11 @@ Notice Policy Shortcuts
 Although the notice framework provides a great deal of flexibility and
 configurability there are many times that the full expressiveness isn't needed
 and actually becomes a hindrance to achieving results. The framework provides
-a default ``Notice::policy`` suite as a way of giving users the
+a default :bro:see:`Notice::policy` suite as a way of giving users the
 shortcuts to easily apply many common actions to notices.
 These are implemented as sets and tables indexed with a
-``Notice::Type`` enum value. The following table shows and describes
+:bro:see:`Notice::Type` enum value. The following table shows and describes
 all of the variables available for shortcut configuration of the notice
 framework.
@ -201,40 +204,44 @@ framework.
    * - Variable name
      - Description
-    * - Notice::ignored_types
+    * - :bro:see:`Notice::ignored_types`
-      - Adding a ``Notice::Type`` to this set results in the notice
+      - Adding a :bro:see:`Notice::Type` to this set results in the notice
        being ignored. It won't have any other action applied to it, not even
-        ``Notice::ACTION_LOG``.
+        :bro:see:`Notice::ACTION_LOG`.
-    * - Notice::emailed_types
+    * - :bro:see:`Notice::emailed_types`
-      - Adding a ``Notice::Type`` to this set results in
+      - Adding a :bro:see:`Notice::Type` to this set results in
-        ``Notice::ACTION_EMAIL`` being applied to the notices of that type.
+        :bro:see:`Notice::ACTION_EMAIL` being applied to the notices of
        that type.
-    * - Notice::alarmed_types
+    * - :bro:see:`Notice::alarmed_types`
-      - Adding a Notice::Type to this set results in
+      - Adding a :bro:see:`Notice::Type` to this set results in
-        ``Notice::ACTION_ALARM`` being applied to the notices of that type.
+        :bro:see:`Notice::ACTION_ALARM` being applied to the notices of
        that type.
-    * - Notice::not_suppressed_types
+    * - :bro:see:`Notice::not_suppressed_types`
-      - Adding a ``Notice::Type`` to this set results in that notice no longer
+      - Adding a :bro:see:`Notice::Type` to this set results in that notice
-        undergoing the normal notice suppression that would take place. Be
+        no longer undergoes the normal notice suppression that would
-        careful when using this in production it could result in a dramatic
+        take place. Be careful when using this in production it could
-        increase in the number of notices being processed.
+        result in a dramatic increase in the number of notices being
        processed.
-    * - Notice::type_suppression_intervals
+    * - :bro:see:`Notice::type_suppression_intervals`
-      - This is a table indexed on ``Notice::Type`` and yielding an interval.
+      - This is a table indexed on :bro:see:`Notice::Type` and yielding an
-        It can be used as an easy way to extend the default suppression
+        interval.  It can be used as an easy way to extend the default
-        interval for an entire ``Notice::Type`` without having to create a
+        suppression interval for an entire :bro:see:`Notice::Type`
-        whole ``Notice::policy`` entry and setting the ``$suppress_for``
+        without having to create a whole :bro:see:`Notice::policy` entry
-        field.
+        and setting the ``$suppress_for`` field.
 Raising Notices
 ---------------
-A script should raise a notice for any occurrence that a user may want to be
+A script should raise a notice for any occurrence that a user may want
-notified about or take action on. For example, whenever the base SSH analysis
+to be notified about or take action on. For example, whenever the base
-scripts sees an SSH session where it is heuristically guessed to be a
+SSH analysis scripts sees an SSH session where it is heuristically
-successful login, it raises a Notice of the type ``SSH::Login``. The code in
+guessed to be a successful login, it raises a Notice of the type
-the base SSH analysis script looks like this:
+:bro:see:`SSH::Login`. The code in the base SSH analysis script looks
 like this:
 .. code:: bro
@ -242,10 +249,10 @@ the base SSH analysis script looks like this:
            $msg="Heuristically detected successful SSH login.",
            $conn=c]);
-``NOTICE`` is a normal function in the global namespace which wraps a function
+:bro:see:`NOTICE` is a normal function in the global namespace which
-within the ``Notice`` namespace. It takes a single argument of the
+wraps a function within the ``Notice`` namespace. It takes a single
-``Notice::Info`` record type. The most common fields used when raising notices
+argument of the :bro:see:`Notice::Info` record type. The most common
-are described in the following table:
+fields used when raising notices are described in the following table:
 .. list-table::
    :widths: 32 40
@ -295,9 +302,10 @@ are described in the following table:
    * - ``$suppress_for``
      - This field can be set if there is a natural suppression interval for
-        the notice that may be different than the default value. The value set
+        the notice that may be different than the default value. The
-        to this field can also be modified by a user's ``Notice::policy`` so
+        value set to this field can also be modified by a user's
-        the value is not set permanently and unchangeably.
+        :bro:see:`Notice::policy` so the value is not set permanently
        and unchangeably.
 When writing Bro scripts which raise notices, some thought should be given to
 what the notice represents and what data should be provided to give a consumer
@ -325,7 +333,7 @@ The notice framework supports suppression for notices if the author of the
 script that is generating the notice has indicated to the notice framework how
 to identify notices that are intrinsically the same. Identification of these
 "intrinsically duplicate" notices is implemented with an optional field in
-``Notice::Info`` records named ``$identifier`` which is a simple string.
+:bro:see:`Notice::Info` records named ``$identifier`` which is a simple string.
 If the ``$identifier`` and ``$type`` fields are the same for two notices, the
 notice framework actually considers them to be the same thing and can use that
 information to suppress duplicates for a configurable period of time.
@ -337,12 +345,13 @@ information to suppress duplicates for a configurable period of time.
    could be completely legitimate usage if no notices could ever be
    considered to be duplicates.
-The ``$identifier`` field is typically comprised of several pieces of data
+The ``$identifier`` field is typically comprised of several pieces of
-related to the notice that when combined represent a unique instance of that
+data related to the notice that when combined represent a unique
-notice. Here is an example of the script
+instance of that notice. Here is an example of the script
-``policy/protocols/ssl/validate-certs.bro`` raising a notice for session
+:doc:`scripts/policy/protocols/ssl/validate-certs` raising a notice
-negotiations where the certificate or certificate chain did not validate
+for session negotiations where the certificate or certificate chain did
-successfully against the available certificate authority certificates.
+not validate successfully against the available certificate authority
 certificates.
 .. code:: bro
@ -369,7 +378,7 @@ it's assumed that the script author who is raising the notice understands the
 full problem set and edge cases of the notice which may not be readily
 apparent to users. If users don't want the suppression to take place or simply
 want a different interval, they can always modify it with the
-``Notice::policy``.
+:bro:see:`Notice::policy`.
 Extending Notice Framework
--- a/doc/scripts/README
+++ b/doc/scripts/README
@ -1,6 +1,6 @@
 This directory contains scripts and templates that can be used to automate
 the generation of Bro script documentation.  Several build targets are defined
-by CMake:
+by CMake and available in the top-level Makefile:
 ``restdoc``
--- a/doc/scripts/common.rst
+++ b/doc/scripts/common.rst
@ -1,19 +0,0 @@
 Common Documentation
 ====================
 .. _common_port_analysis_doc:
 Port Analysis
 -------------
 TODO: add some stuff here
 .. _common_packet_filter_doc:
 Packet Filter
 -------------
 TODO: add some stuff here
 .. note:: Filters are only relevant when dynamic protocol detection (DPD)
          is explicitly turned off (Bro release 1.6 enabled DPD by default).
--- a/doc/scripts/index.rst
+++ b/doc/scripts/index.rst
@ -1,7 +1,7 @@
 .. This is a stub doc to which broxygen appends during the build process
-Index of All Bro Scripts
+Index of All Individual Bro Scripts
-========================
+===================================
 .. toctree::
   :maxdepth: 1
--- a/scripts/base/frameworks/communication/main.bro
+++ b/scripts/base/frameworks/communication/main.bro
@ -130,6 +130,13 @@ event remote_log(level: count, src: count, msg: string)
 	do_script_log_common(level, src, msg);
 	}
 # This is a core generated event.
 event remote_log_peer(p: event_peer, level: count, src: count, msg: string)
 	{
 	local rmsg = fmt("[#%d/%s:%d] %s", p$id, p$host, p$p, msg);
 	do_script_log_common(level, src, rmsg);
 	}
 function do_script_log(p: event_peer, msg: string)
 	{
 	do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, msg);
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -65,11 +65,11 @@ redef capture_filters += {
 	["netbios-ns"] = "udp port 137", 
 };
-global dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp } &redef;
+const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
 redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
-global dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp } &redef;
+const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
-global dns_tcp_ports = { 53/tcp } &redef;
+const dns_tcp_ports = { 53/tcp };
 redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
 redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
--- a/scripts/base/protocols/irc/main.bro
+++ b/scripts/base/protocols/irc/main.bro
@ -41,7 +41,7 @@ redef capture_filters += { ["irc-6668"] = "port 6668" };
 redef capture_filters += { ["irc-6669"] = "port 6669" };
 # DPD configuration.
-global irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp } &redef;
+const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
 redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
 redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@ -62,11 +62,3 @@ redef signature_files += "frameworks/signatures/detect-windows-shells.sig";
@load protocols/http/detect-MHR
 # Detect SQL injection attacks
@load protocols/http/detect-sqli
 # Uncomment this redef if you want to extract SMTP MIME entities for 
 # some file types.  The numbers given indicate how many bytes to extract for
 # the various mime types.
 redef SMTP::entity_excerpt_len += {
 #	["text/plain"] = 1024,
 #	["text/html"] = 1024,
 };
--- a/src/BroDoc.cc
+++ b/src/BroDoc.cc
@ -215,14 +215,16 @@ void BroDoc::WriteDocFile() const
 	if ( ! port_analysis.empty() )
 		{
 		WriteSectionHeading("Port Analysis", '-');
-		WriteToDoc(":ref:`More Information <common_port_analysis_doc>`\n\n");
+		WriteToDoc("Loading this script makes the following changes to "
 		           ":bro:see:`dpd_config`.\n\n");
 		WriteStringList("%s", port_analysis);
 		}
 	if ( ! packet_filter.empty() )
 		{
 		WriteSectionHeading("Packet Filter", '-');
-		WriteToDoc(":ref:`More Information <common_packet_filter_doc>`\n\n");
+		WriteToDoc("Loading this script makes the following changes to "
 		           ":bro:see:`capture_filters`.\n\n");
 		WriteToDoc("Filters added::\n\n");
 		WriteToDoc("%s\n", packet_filter.c_str());
 		}
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -1,4 +1,5 @@
-include_directories(${CMAKE_CURRENT_SOURCE_DIR}
+include_directories(BEFORE
                    ${CMAKE_CURRENT_SOURCE_DIR}
                    ${CMAKE_CURRENT_BINARY_DIR}
 )
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -595,8 +595,6 @@ void DNS_Mgr::Resolve()
 				}
 			else
 				--num_pending;
 			delete dr;
 			}
 		}
--- a/src/LogMgr.cc
+++ b/src/LogMgr.cc
@ -159,7 +159,7 @@ bool LogVal::IsCompatibleType(BroType* t, bool atomic_only)
 		if ( atomic_only )
 			return false;
-		return IsCompatibleType(t->AsVectorType()->YieldType());
+		return IsCompatibleType(t->AsVectorType()->YieldType(), true);
 		}
 	default:
--- a/src/LogWriterAscii.cc
+++ b/src/LogWriterAscii.cc
@ -88,7 +88,7 @@ bool LogWriterAscii::DoInit(string path, int num_fields,
 	if ( output_to_stdout )
 		path = "/dev/stdout";
-	fname = IsSpecial(path) ? path : path + ".log";
+	fname = IsSpecial(path) ? path : path + "." + LogExt();
 	if ( ! (file = fopen(fname.c_str(), "w")) )
 		{
@ -200,10 +200,33 @@ bool LogWriterAscii::DoWriteOne(ODesc* desc, LogVal* val, const LogField* field)
 	case TYPE_FUNC:
 		{
 		int size = val->val.string_val->size();
-		if ( size )
+		const char* data = val->val.string_val->data();
-			desc->AddN(val->val.string_val->data(), val->val.string_val->size());
+
-		else
+		if ( ! size )
 			{
 			desc->AddN(empty_field, empty_field_len);
 			break;
 			}
 		if ( size == unset_field_len && memcmp(data, unset_field, size) == 0 )
 			{
 			// The value we'd write out would match exactly the
 			// place-holder we use for unset optional fields. We
 			// escape the first character so that the output
 			// won't be ambigious.
 			static const char hex_chars[] = "0123456789abcdef";
 			char hex[6] = "\\x00";
 			hex[2] = hex_chars[((*data) & 0xf0) >> 4];
 			hex[3] = hex_chars[(*data) & 0x0f];
 			desc->AddRaw(hex, 4);
 			++data;
 			--size;
 			}
 		if ( size )
 			desc->AddN(data, size);
 		break;
 		}
@ -297,7 +320,7 @@ bool LogWriterAscii::DoRotate(string rotated_path, double open,
 	fclose(file);
 	file = 0;
-	string nname = rotated_path + ".log";
+	string nname = rotated_path + "." + LogExt();
 	rename(fname.c_str(), nname.c_str());
 	if ( ! FinishedRotation(nname, fname, open, close, terminating) )
@ -315,4 +338,9 @@ bool LogWriterAscii::DoSetBuf(bool enabled)
 	return true;
 	}
-
+string LogWriterAscii::LogExt()
 	{
 	const char* ext = getenv("BRO_LOG_SUFFIX");
 	if ( ! ext ) ext = "log";
 	return ext;
 	}
--- a/src/LogWriterAscii.h
+++ b/src/LogWriterAscii.h
@ -13,6 +13,7 @@ public:
 	~LogWriterAscii();
 	static LogWriter* Instantiate()	{ return new LogWriterAscii; }
 	static string LogExt();
 protected:
 	virtual bool DoInit(string path, int num_fields,
--- a/src/RemoteSerializer.cc
+++ b/src/RemoteSerializer.cc
@ -2923,25 +2923,37 @@ void RemoteSerializer::Log(LogLevel level, const char* msg)
 void RemoteSerializer::Log(LogLevel level, const char* msg, Peer* peer,
 				LogSrc src)
 	{
 	if ( peer )
 		{
 		val_list* vl = new val_list();
 		vl->append(peer->val->Ref());
 		vl->append(new Val(level, TYPE_COUNT));
 		vl->append(new Val(src, TYPE_COUNT));
 		vl->append(new StringVal(msg));
 		mgr.QueueEvent(remote_log_peer, vl);
 		}
 	else
 		{
 		val_list* vl = new val_list();
 		vl->append(new Val(level, TYPE_COUNT));
 		vl->append(new Val(src, TYPE_COUNT));
 		vl->append(new StringVal(msg));
 		mgr.QueueEvent(remote_log, vl);
 		}
 #ifdef DEBUG
 	const int BUFSIZE = 1024;
 	char buffer[BUFSIZE];
 	int len = 0;
 	if ( peer )
-		len += snprintf(buffer + len, sizeof(buffer) - len,
+		len += snprintf(buffer + len, sizeof(buffer) - len, "[#%d/%s:%d] ",
-				"[#%d/%s:%d] ", int(peer->id), ip2a(peer->ip),
+		                int(peer->id), ip2a(peer->ip), peer->port);
 				peer->port);
 	len += safe_snprintf(buffer + len, sizeof(buffer) - len, "%s", msg);
 	val_list* vl = new val_list();
 	vl->append(new Val(level, TYPE_COUNT));
 	vl->append(new Val(src, TYPE_COUNT));
 	vl->append(new StringVal(buffer));
 	mgr.QueueEvent(remote_log, vl);
 	DEBUG_COMM(fmt("parent: %.6f %s", current_time(), buffer));
 #endif
 	}
 void RemoteSerializer::RaiseEvent(EventHandlerPtr event, Peer* peer,
--- a/src/event.bif
+++ b/src/event.bif
@ -444,6 +444,29 @@ event remote_state_inconsistency%(operation: string, id: string,
 # Generated for communication log message.
 event remote_log%(level: count, src: count, msg: string%);
 ## Generated for communication log messages. While this event is
 ## intended primarily for use by Bro's communication framework, it can also trigger
 ## additional code if helpful.  This event is equivalent to
 ## :bro:see:`remote_log` except the message is with respect to a certain peer.
 ##
 ## p: A record describing the remote peer.
 ##
 ## level: The log level, which is either :bro:enum:`REMOTE_LOG_INFO` or
 ##        :bro:enum:`REMOTE_LOG_ERROR`.
 ##
 ## src: The component of the comminication system that logged the message.
 ##      Currently, this will be one of :bro:enum:`REMOTE_SRC_CHILD` (Bro's
 ##      child process), :bro:enum:`REMOTE_SRC_PARENT` (Bro's main process), or
 ##      :bro:enum:`REMOTE_SRC_SCRIPT` (the script level).
 ##
 ## msg: The message logged.
 ##
 ## .. bro:see:: remote_capture_filter remote_connection_closed remote_connection_error
 ##    remote_connection_established remote_connection_handshake_done
 ##    remote_event_registered  remote_pong remote_state_access_performed
 ##    remote_state_inconsistency print_hook remote_log
 event remote_log_peer%(p: event_peer, level: count, src: count, msg: string%);
 # Generated when a remote peer has answered to our ping.
 event remote_pong%(p: event_peer, seq: count,
 			d1: interval, d2: interval, d3: interval%);
--- a/src/main.cc
+++ b/src/main.cc
@ -48,6 +48,7 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void);
 #include "ConnCompressor.h"
 #include "DPM.h"
 #include "BroDoc.h"
 #include "LogWriterAscii.h"
 #include "binpac_bro.h"
@ -196,6 +197,7 @@ void usage()
 	fprintf(stderr, "    $BRO_PREFIXES                  | prefix list (%s)\n", bro_prefixes());
 	fprintf(stderr, "    $BRO_DNS_FAKE                  | disable DNS lookups (%s)\n", bro_dns_fake());
 	fprintf(stderr, "    $BRO_SEED_FILE                 | file to load seeds from (not set)\n");
 	fprintf(stderr, "    $BRO_LOG_SUFFIX                | ASCII log file extension (.%s)\n", LogWriterAscii::LogExt().c_str());
 	exit(1);
 	}
--- a/testing/btest/Baseline/core.dns-init/output
+++ b/testing/btest/Baseline/core.dns-init/output
--- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst
+++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
@ -281,7 +281,7 @@ Redefinitions
 Port Analysis
 -------------
-:ref:`More Information <common_port_analysis_doc>`
+Loading this script makes the following changes to :bro:see:`dpd_config`.
 SSL::
@ -292,7 +292,7 @@ SSL::
 Packet Filter
 -------------
-:ref:`More Information <common_packet_filter_doc>`
+Loading this script makes the following changes to :bro:see:`capture_filters`.
 Filters added::
--- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log
@ -0,0 +1,16 @@
 #separator \x09
 #path	communication
 #fields	ts	peer	src_name	connected_peer_desc	connected_peer_addr	connected_peer_port	level	message
 #types	time	string	string	string	addr	port	string	string
 1322788789.351248	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] added peer
 1322788789.354851	bro	child	-	-	-	info	[#1/127.0.0.1:47757] connected
 1322788789.354956	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] peer connected
 1322788789.354956	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] phase: version
 1322788789.355429	bro	script	-	-	-	info	connection established
 1322788789.355429	bro	script	-	-	-	info	requesting events matching /^?(NOTHING)$?/
 1322788789.355429	bro	script	-	-	-	info	accepting state
 1322788789.355967	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] phase: handshake
 1322788789.355967	bro	parent	-	-	-	info	warning: no events to request
 1322788789.355967	bro	parent	-	-	-	info	terminating...
 1322788789.355967	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] peer_description is bro
 1322788789.355967	bro	parent	-	-	-	info	[#1/127.0.0.1:47757] closing connection
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-escape-notset-str/test.log
@ -0,0 +1,5 @@
 #separator \x09
 #path	test
 #fields	x	y	z
 #types	string	string	string
 \x2d	-	-
--- a/testing/btest/core/dns-init.bro
+++ b/testing/btest/core/dns-init.bro
@ -0,0 +1,9 @@
 # We once had a bug where DNS lookups at init time lead to an immediate crash. 
 #
 # @TEST-EXEC: bro %INPUT >output 2>&1
 # @TEST-EXEC: btest-diff output
 const foo: set[addr] = {
     google.com
 };
--- a/testing/btest/core/leaks/dns.bro
+++ b/testing/btest/core/leaks/dns.bro
@ -4,6 +4,10 @@
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -m -r $TRACES/wikipedia.trace %INPUT
 const foo: set[addr] = {
     google.com
 };
 # Add the state tracking information variable to the connection record
 event connection_established(c: connection)
--- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
+++ b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro
@ -0,0 +1,37 @@
 # 
 # @TEST-EXEC: btest-bg-run receiver bro -b ../receiver.bro
 # @TEST-EXEC: btest-bg-run sender   bro -b ../sender.bro
 # @TEST-EXEC: btest-bg-wait -k 2
 #
 # Don't diff the receiver log just because port is always going to change
 # @TEST-EXEC: egrep -v 'pid|socket buffer size' sender/communication.log >send.log
 # @TEST-EXEC: btest-diff send.log
@TEST-START-FILE sender.bro
@load base/frameworks/communication/main
 redef Communication::nodes += {
    ["foo"] = [$host = 127.0.0.1, $events = /NOTHING/, $connect=T]
 };
 event remote_connection_established(p: event_peer)
 	{
 	terminate_communication();
 	terminate();
 	}
@TEST-END-FILE
 #############
@TEST-START-FILE receiver.bro
@load frameworks/communication/listen
 event remote_connection_closed(p: event_peer)
 	{
 	terminate();
 	}
@TEST-END-FILE
--- a/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-escape-notset-str.bro
@ -0,0 +1,23 @@
 #
 # @TEST-EXEC: bro -b %INPUT 
 # @TEST-EXEC: btest-diff test.log
 module Test;
 export {
 	redef enum Log::ID += { LOG };
 	type Log: record {
 		x: string &optional;
 		y: string &optional;
 		z: string &optional;
 	} &log;
 }
 event bro_init()
 {
 	Log::create_stream(Test::LOG, [$columns=Log]);
 	Log::write(Test::LOG, [$x=LogAscii::unset_field, $z=""]);
 }
--- a/testing/btest/scripts/base/frameworks/logging/env-ext.test
+++ b/testing/btest/scripts/base/frameworks/logging/env-ext.test
@ -0,0 +1,2 @@
 # @TEST-EXEC: BRO_LOG_SUFFIX=txt bro -r $TRACES/wikipedia.trace
 # @TEST-EXEC: test -f conn.txt
		`@ -1 +1 @@`
			`Subproject commit 7ea5837b4ba8403731ca4a9875616c0ab501342f`				`Subproject commit 4d387ce660468b44df99d4c87d6016ae4ed2fdc4`
		`@ -1 +1 @@`
			`Subproject commit 6771d28af299f025a701e67f51311513af1cbc22`				`Subproject commit be772bbada79b106db33fb9de5f56fa71226adc5`
		`@ -0,0 +1,2 @@`
							`# @TEST-EXEC: BRO_LOG_SUFFIX=txt bro -r $TRACES/wikipedia.trace`
							`# @TEST-EXEC: test -f conn.txt`