diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.zeek b/scripts/base/frameworks/notice/actions/pp-alarms.zeek index 8a26d57ec1..450dbc6872 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.zeek +++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek @@ -212,7 +212,7 @@ function pretty_print_alarm(out: file, n: Info) return; } - when ( local h1name = lookup_addr(h1) ) + when [out, n, h1, h2, line1, line2, line3] ( local h1name = lookup_addr(h1) ) { if ( h2 == 0.0.0.0 ) { @@ -220,7 +220,7 @@ function pretty_print_alarm(out: file, n: Info) return; } - when ( local h2name = lookup_addr(h2) ) + when [out, n, h1, h2, line1, line2, line3, h1name] ( local h2name = lookup_addr(h2) ) { do_msg(out, n, line1, line2, line3, h1, h1name, h2, h2name); return; @@ -240,7 +240,7 @@ function pretty_print_alarm(out: file, n: Info) return; } - when ( local h2name_ = lookup_addr(h2) ) + when [out, n, h1, h2, line1, line2, line3] ( local h2name_ = lookup_addr(h2) ) { do_msg(out, n, line1, line2, line3, h1, "(dns timeout)", h2, h2name_); return; diff --git a/scripts/base/frameworks/openflow/plugins/ryu.zeek b/scripts/base/frameworks/openflow/plugins/ryu.zeek index 08e8c8d022..ef108e0a6a 100644 --- a/scripts/base/frameworks/openflow/plugins/ryu.zeek +++ b/scripts/base/frameworks/openflow/plugins/ryu.zeek @@ -135,9 +135,9 @@ function ryu_flow_mod(state: OpenFlow::ControllerState, match: ofp_match, flow_m ); # Execute call to Ryu's ReST API - when ( local result = ActiveHTTP::request(request) ) + when [state, match, flow_mod, request] ( local result = ActiveHTTP::request(request) ) { - if(result$code == 200) + if (result$code == 200) event OpenFlow::flow_mod_success(state$_name, match, flow_mod, result$body); else { @@ -165,7 +165,7 @@ function ryu_flow_clear(state: OpenFlow::ControllerState): bool $method="DELETE" ); - when ( local result = ActiveHTTP::request(request) ) + when [request] ( local result = ActiveHTTP::request(request) ) { } diff --git a/scripts/base/frameworks/sumstats/non-cluster.zeek b/scripts/base/frameworks/sumstats/non-cluster.zeek index c905d56e37..3059d78f26 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.zeek +++ b/scripts/base/frameworks/sumstats/non-cluster.zeek @@ -74,7 +74,7 @@ function data_added(ss: SumStat, key: Key, result: Result) function request(ss_name: string): ResultTable { # This only needs to be implemented this way for cluster compatibility. - return when ( T ) + return when [ss_name] ( T ) { if ( ss_name in result_store ) return result_store[ss_name]; @@ -86,7 +86,7 @@ function request(ss_name: string): ResultTable function request_key(ss_name: string, key: Key): Result { # This only needs to be implemented this way for cluster compatibility. - return when ( T ) + return when [ss_name, key] ( T ) { if ( ss_name in result_store && key in result_store[ss_name] ) return result_store[ss_name][key]; diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek index 37a60a1aff..2b610707e3 100644 --- a/scripts/base/protocols/ssl/main.zeek +++ b/scripts/base/protocols/ssl/main.zeek @@ -225,7 +225,7 @@ function log_record(info: Info) } else { - when ( |info$delay_tokens| == 0 ) + when [info] ( |info$delay_tokens| == 0 ) { log_record(info); } diff --git a/scripts/base/utils/active-http.zeek b/scripts/base/utils/active-http.zeek index 5d820b2f82..ed0210ccb6 100644 --- a/scripts/base/utils/active-http.zeek +++ b/scripts/base/utils/active-http.zeek @@ -98,7 +98,7 @@ function request(req: Request): ActiveHTTP::Response local cmd = request2curl(req, bodyfile, headersfile); local stdin_data = req?$client_data ? req$client_data : ""; - return when ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) ) + return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) ) { # If there is no response line then nothing else will work either. if ( ! (result?$files && headersfile in result$files) ) diff --git a/scripts/base/utils/dir.zeek b/scripts/base/utils/dir.zeek index 678e81d7ed..dacba1ca2a 100644 --- a/scripts/base/utils/dir.zeek +++ b/scripts/base/utils/dir.zeek @@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string], callback: function(fname: string), poll_interval: interval) { - when ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) ) + when [dir, last_files, callback, poll_interval] ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) ) { if ( result$exit_code != 0 ) { diff --git a/scripts/base/utils/exec.zeek b/scripts/base/utils/exec.zeek index 85500bf9c2..7f87bb7bb4 100644 --- a/scripts/base/utils/exec.zeek +++ b/scripts/base/utils/exec.zeek @@ -178,7 +178,7 @@ function run(cmd: Command): Result $want_record=F, $config=config_strings]); - return when ( cmd$uid !in pending_commands ) + return when [cmd] ( cmd$uid !in pending_commands ) { local result = results[cmd$uid]; delete results[cmd$uid]; diff --git a/scripts/policy/frameworks/files/detect-MHR.zeek b/scripts/policy/frameworks/files/detect-MHR.zeek index 52f8dd7355..aa632a778d 100644 --- a/scripts/policy/frameworks/files/detect-MHR.zeek +++ b/scripts/policy/frameworks/files/detect-MHR.zeek @@ -39,7 +39,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo) { local hash_domain = fmt("%s.malware.hash.cymru.com", hash); - when ( local MHR_result = lookup_hostname_txt(hash_domain) ) + when [hash, fi, hash_domain] ( local MHR_result = lookup_hostname_txt(hash_domain) ) { # Data is returned as " " local MHR_answer = split_string1(MHR_result, / /); diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek index f6ed1a58be..f27477cb2d 100644 --- a/scripts/policy/frameworks/notice/extend-email/hostnames.zeek +++ b/scripts/policy/frameworks/notice/extend-email/hostnames.zeek @@ -33,7 +33,7 @@ hook notice(n: Notice::Info) &priority=-1 if ( n?$src ) { add n$email_delay_tokens["hostnames-src"]; - when ( local src_name = lookup_addr(n$src) ) + when [n, uid, output] ( local src_name = lookup_addr(n$src) ) { output = string_cat("orig/src hostname: ", src_name, "\n"); tmp_notice_storage[uid]$email_body_sections += output; @@ -43,7 +43,7 @@ hook notice(n: Notice::Info) &priority=-1 if ( n?$dst ) { add n$email_delay_tokens["hostnames-dst"]; - when ( local dst_name = lookup_addr(n$dst) ) + when [n, uid, output] ( local dst_name = lookup_addr(n$dst) ) { output = string_cat("resp/dst hostname: ", dst_name, "\n"); tmp_notice_storage[uid]$email_body_sections += output; diff --git a/scripts/policy/frameworks/software/vulnerable.zeek b/scripts/policy/frameworks/software/vulnerable.zeek index b8d8c43a12..40e48ffc40 100644 --- a/scripts/policy/frameworks/software/vulnerable.zeek +++ b/scripts/policy/frameworks/software/vulnerable.zeek @@ -82,7 +82,7 @@ event grab_vulnerable_versions(i: count) return; } - when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) ) + when [i] ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) ) { local parts = split_string1(result, /\x09/); if ( |parts| != 2 ) #failure or end of list! diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek index 279fa11917..4bd123abdd 100644 --- a/scripts/policy/protocols/conn/known-hosts.zeek +++ b/scripts/policy/protocols/conn/known-hosts.zeek @@ -77,7 +77,7 @@ event Known::host_found(info: HostsInfo) if ( ! Known::use_host_store ) return; - when ( local r = Broker::put_unique(Known::host_store$store, info$host, + when [info] ( local r = Broker::put_unique(Known::host_store$store, info$host, T, Known::host_store_expiry) ) { if ( r$status == Broker::SUCCESS ) diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek index 313c49b940..a073d4d92a 100644 --- a/scripts/policy/protocols/conn/known-services.zeek +++ b/scripts/policy/protocols/conn/known-services.zeek @@ -123,7 +123,7 @@ event service_info_commit(info: ServicesInfo) { local key = AddrPortServTriplet($host = info$host, $p = info$port_num, $serv = s); - when ( local r = Broker::put_unique(Known::service_store$store, key, + when [info, s, key] ( local r = Broker::put_unique(Known::service_store$store, key, T, Known::service_store_expiry) ) { if ( r$status == Broker::SUCCESS ) diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.zeek b/scripts/policy/protocols/ssh/interesting-hostnames.zeek index db80d7c6ac..2270b049e5 100644 --- a/scripts/policy/protocols/ssh/interesting-hostnames.zeek +++ b/scripts/policy/protocols/ssh/interesting-hostnames.zeek @@ -29,7 +29,7 @@ export { function check_ssh_hostname(id: conn_id, uid: string, host: addr) { - when ( local hostname = lookup_addr(host) ) + when [id, uid, host] ( local hostname = lookup_addr(host) ) { if ( interesting_hostnames in hostname ) { diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek index 35fbcf0f7b..cd4fa23ccd 100644 --- a/scripts/policy/protocols/ssl/known-certs.zeek +++ b/scripts/policy/protocols/ssl/known-certs.zeek @@ -89,7 +89,7 @@ event Known::cert_found(info: CertsInfo, hash: string) local key = AddrCertHashPair($host = info$host, $hash = hash); - when ( local r = Broker::put_unique(Known::cert_store$store, key, + when [info, key] ( local r = Broker::put_unique(Known::cert_store$store, key, T, Known::cert_store_expiry) ) { if ( r$status == Broker::SUCCESS ) diff --git a/scripts/policy/protocols/ssl/notary.zeek b/scripts/policy/protocols/ssl/notary.zeek index 67f8734d41..0fc7f07c03 100644 --- a/scripts/policy/protocols/ssl/notary.zeek +++ b/scripts/policy/protocols/ssl/notary.zeek @@ -63,7 +63,7 @@ event ssl_established(c: connection) &priority=3 if ( waits_already ) return; - when ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) ) + when [digest] ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) ) { notary_cache[digest] = [];