update uses of "when" in base scripts to include captures

scripts/base/frameworks/notice/actions/pp-alarms.zeek

@@ -212,7 +212,7 @@ function pretty_print_alarm(out: file, n: Info)
 		return;
 		}
 
-	when ( local h1name = lookup_addr(h1) )
+	when [out, n, h1, h2, line1, line2, line3] ( local h1name = lookup_addr(h1) )
 		{
 		if ( h2 == 0.0.0.0 )
 			{
@@ -220,7 +220,7 @@ function pretty_print_alarm(out: file, n: Info)
 			return;
 			}
 
-		when ( local h2name = lookup_addr(h2) )
+		when [out, n, h1, h2, line1, line2, line3, h1name] ( local h2name = lookup_addr(h2) )
 			{
 			do_msg(out, n, line1, line2, line3, h1, h1name, h2, h2name);
 			return;
@@ -240,7 +240,7 @@ function pretty_print_alarm(out: file, n: Info)
 			return;
 			}
 
-		when ( local h2name_ = lookup_addr(h2) )
+		when [out, n, h1, h2, line1, line2, line3] ( local h2name_ = lookup_addr(h2) )
 			{
 			do_msg(out, n, line1, line2, line3, h1,  "(dns timeout)", h2, h2name_);
 			return;

scripts/base/frameworks/openflow/plugins/ryu.zeek

@@ -135,9 +135,9 @@ function ryu_flow_mod(state: OpenFlow::ControllerState, match: ofp_match, flow_m
 	);
 
 	# Execute call to Ryu's ReST API
-	when ( local result = ActiveHTTP::request(request) )
+	when [state, match, flow_mod, request] ( local result = ActiveHTTP::request(request) )
 		{
-		if(result$code == 200)
+		if (result$code == 200)
 			event OpenFlow::flow_mod_success(state$_name, match, flow_mod, result$body);
 		else
 			{
@@ -165,7 +165,7 @@ function ryu_flow_clear(state: OpenFlow::ControllerState): bool
 		$method="DELETE"
 	);
 
-	when ( local result = ActiveHTTP::request(request) )
+	when [request] ( local result = ActiveHTTP::request(request) )
 		{
 		}
 

scripts/base/frameworks/sumstats/non-cluster.zeek

@@ -74,7 +74,7 @@ function data_added(ss: SumStat, key: Key, result: Result)
 function request(ss_name: string): ResultTable
 	{
 	# This only needs to be implemented this way for cluster compatibility.
-	return when ( T )
+	return when [ss_name] ( T )
 		{
 		if ( ss_name in result_store )
 			return result_store[ss_name];
@@ -86,7 +86,7 @@ function request(ss_name: string): ResultTable
 function request_key(ss_name: string, key: Key): Result
 	{
 	# This only needs to be implemented this way for cluster compatibility.
-	return when ( T )
+	return when [ss_name, key] ( T )
 		{
 		if ( ss_name in result_store && key in result_store[ss_name] )
 			return result_store[ss_name][key];

scripts/base/protocols/ssl/main.zeek

@@ -225,7 +225,7 @@ function log_record(info: Info)
 		}
 	else
 		{
-		when ( |info$delay_tokens| == 0 )
+		when [info] ( |info$delay_tokens| == 0 )
 			{
 			log_record(info);
 			}

scripts/base/utils/active-http.zeek

@@ -98,7 +98,7 @@ function request(req: Request): ActiveHTTP::Response
 	local cmd = request2curl(req, bodyfile, headersfile);
 	local stdin_data = req?$client_data ? req$client_data : "";
 
-	return when ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) )
+	return when [req, resp, cmd, stdin_data, bodyfile, headersfile] ( local result = Exec::run([$cmd=cmd, $stdin=stdin_data, $read_files=set(bodyfile, headersfile)]) )
 		{
 		# If there is no response line then nothing else will work either.
 		if ( ! (result?$files && headersfile in result$files) )

scripts/base/utils/dir.zeek

@@ -28,7 +28,7 @@ event Dir::monitor_ev(dir: string, last_files: set[string],
                       callback: function(fname: string),
                       poll_interval: interval)
 	{
-	when ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
+	when [dir, last_files, callback, poll_interval] ( local result = Exec::run([$cmd=fmt("ls -1 %s/", safe_shell_quote(dir))]) )
 		{
 		if ( result$exit_code != 0 )
 			{

scripts/base/utils/exec.zeek

@@ -178,7 +178,7 @@ function run(cmd: Command): Result
 	                  $want_record=F,
 	                  $config=config_strings]);
 
-	return when ( cmd$uid !in pending_commands )
+	return when [cmd] ( cmd$uid !in pending_commands )
 		{
 		local result = results[cmd$uid];
 		delete results[cmd$uid];

scripts/policy/frameworks/files/detect-MHR.zeek

@@ -39,7 +39,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 	{
 	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
 
-	when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+	when [hash, fi, hash_domain] ( local MHR_result = lookup_hostname_txt(hash_domain) )
 		{
 		# Data is returned as "<dateFirstDetected> <detectionRate>"
 		local MHR_answer = split_string1(MHR_result, / /);

scripts/policy/frameworks/notice/extend-email/hostnames.zeek

@@ -33,7 +33,7 @@ hook notice(n: Notice::Info) &priority=-1
 	if ( n?$src )
 		{
 		add n$email_delay_tokens["hostnames-src"];
-		when ( local src_name = lookup_addr(n$src) )
+		when [n, uid, output] ( local src_name = lookup_addr(n$src) )
 			{
 			output = string_cat("orig/src hostname: ", src_name, "\n");
 			tmp_notice_storage[uid]$email_body_sections += output;
@@ -43,7 +43,7 @@ hook notice(n: Notice::Info) &priority=-1
 	if ( n?$dst )
 		{
 		add n$email_delay_tokens["hostnames-dst"];
-		when ( local dst_name = lookup_addr(n$dst) )
+		when [n, uid, output] ( local dst_name = lookup_addr(n$dst) )
 			{
 			output = string_cat("resp/dst hostname: ", dst_name, "\n");
 			tmp_notice_storage[uid]$email_body_sections += output;

scripts/policy/frameworks/software/vulnerable.zeek

@@ -82,7 +82,7 @@ event grab_vulnerable_versions(i: count)
 		return;
 		}
 
-	when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) )
+	when [i] ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) )
 		{
 		local parts = split_string1(result, /\x09/);
 		if ( |parts| != 2 ) #failure or end of list!

scripts/policy/protocols/conn/known-hosts.zeek

@@ -77,7 +77,7 @@ event Known::host_found(info: HostsInfo)
 	if ( ! Known::use_host_store )
 		return;
 
-	when ( local r = Broker::put_unique(Known::host_store$store, info$host,
+	when [info] ( local r = Broker::put_unique(Known::host_store$store, info$host,
 	                                    T, Known::host_store_expiry) )
 		{
 		if ( r$status == Broker::SUCCESS )

scripts/policy/protocols/conn/known-services.zeek

@@ -123,7 +123,7 @@ event service_info_commit(info: ServicesInfo)
 		{
 		local key = AddrPortServTriplet($host = info$host, $p = info$port_num, $serv = s);
 
-		when ( local r = Broker::put_unique(Known::service_store$store, key,
+		when [info, s, key] ( local r = Broker::put_unique(Known::service_store$store, key,
 		                                    T, Known::service_store_expiry) )
 			{
 			if ( r$status == Broker::SUCCESS )

scripts/policy/protocols/ssh/interesting-hostnames.zeek

@@ -29,7 +29,7 @@ export {
 
 function check_ssh_hostname(id: conn_id, uid: string, host: addr)
 	{
-	when ( local hostname = lookup_addr(host) )
+	when [id, uid, host] ( local hostname = lookup_addr(host) )
 		{
 		if ( interesting_hostnames in hostname )
 			{

scripts/policy/protocols/ssl/known-certs.zeek

@@ -89,7 +89,7 @@ event Known::cert_found(info: CertsInfo, hash: string)
 
 	local key = AddrCertHashPair($host = info$host, $hash = hash);
 
-	when ( local r = Broker::put_unique(Known::cert_store$store, key,
+	when [info, key] ( local r = Broker::put_unique(Known::cert_store$store, key,
 	                                    T, Known::cert_store_expiry) )
 		{
 		if ( r$status == Broker::SUCCESS )

scripts/policy/protocols/ssl/notary.zeek

@@ -63,7 +63,7 @@ event ssl_established(c: connection) &priority=3
 	if ( waits_already )
 		return;
 
-	when ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
+	when [digest] ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
 		{
 		notary_cache[digest] = [];