Merge branch 'master' into topic/jsiwek/coverity

2025-10-02 14:48:21 +00:00 · 2013-09-23 14:55:46 -05:00 · 2013-09-23 14:55:46 -05:00 · 9c2a3124e0
commit 9c2a3124e0
parent 1750e351c4 6e71c97bfe
21 changed files with 423 additions and 3428 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,24 +1,24 @@
 [submodule "aux/bro-aux"]
 	path = aux/bro-aux
-	url = ../bro-aux
+	url = git://git.bro.org/bro-aux
 [submodule "aux/binpac"]
 	path = aux/binpac
-	url = ../binpac
+	url = git://git.bro.org/binpac
 [submodule "aux/broccoli"]
 	path = aux/broccoli
-	url = ../broccoli
+	url = git://git.bro.org/broccoli
 [submodule "aux/broctl"]
 	path = aux/broctl
-	url = ../broctl
+	url = git://git.bro.org/broctl
 [submodule "aux/btest"]
 	path = aux/btest
-	url = ../btest
+	url = git://git.bro.org/btest
 [submodule "cmake"]
 	path = cmake
-	url = ../cmake
+	url = git://git.bro.org/cmake
 [submodule "magic"]
 	path = magic
-	url = ../bromagic
+	url = git://git.bro.org/bromagic
 [submodule "src/3rdparty"]
 	path = src/3rdparty
-	url = ../bro-3rdparty
+	url = git://git.bro.org/bro-3rdparty
--- a/3152
+++ b/3152
--- a/14
+++ b/14
@ -44,13 +44,14 @@ broxygenclean: configured
 dist:
 	@rm -rf $(VERSION_FULL) $(VERSION_FULL).tgz
 	@rm -rf $(VERSION_MIN) $(VERSION_MIN).tgz
-	@mkdir $(VERSION_FULL)
+	@git clone --recursive . $(VERSION_FULL) >/dev/null 2>&1
-	@tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git -cf - . | ( cd $(VERSION_FULL) && tar -xpf - )
+	@find $(VERSION_FULL) -name .git\* | xargs rm -rf
 	@( cd $(VERSION_FULL) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git )
 	@tar -czf $(VERSION_FULL).tgz $(VERSION_FULL) && echo Package: $(VERSION_FULL).tgz && rm -rf $(VERSION_FULL)
-	@$(HAVE_MODULES) && mkdir $(VERSION_MIN) || exit 0
+	@$(HAVE_MODULES) && git clone . $(VERSION_MIN) >/dev/null 2>&1 || exit 0
-	@$(HAVE_MODULES) && tar --exclude=$(VERSION_FULL)* --exclude=$(VERSION_MIN)* --exclude=.git `git submodule | awk '{print "--exclude="$$2}' | grep -v cmake | tr '\n' ' '` -cf - . | ( cd $(VERSION_MIN) && tar -xpf - ) || exit 0
+	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init cmake >/dev/null 2>&1) || exit 0
-	@$(HAVE_MODULES) && ( cd $(VERSION_MIN) && cp -R ../.git . && git reset -q --hard HEAD && git clean -xdfq && rm -rf .git ) || exit 0
+	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init src/3rdparty >/dev/null 2>&1) || exit 0
 	@$(HAVE_MODULES) && (cd $(VERSION_MIN) && git submodule update --init magic >/dev/null 2>&1) || exit 0
 	@$(HAVE_MODULES) && find $(VERSION_MIN) -name .git\* | xargs rm -rf || exit 0
 	@$(HAVE_MODULES) && tar -czf $(VERSION_MIN).tgz $(VERSION_MIN) && echo Package: $(VERSION_MIN).tgz && rm -rf $(VERSION_MIN) || exit 0
 bindist:
@ -65,6 +66,7 @@ test:
 test-all: test
 	test -d aux/broctl && ( cd aux/broctl && make test )
 	test -d aux/btest  && ( cd aux/btest && make test )
 configured:
 	@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
--- a/334
+++ b/334
@ -1,53 +1,147 @@
 This document summarizes the most important changes in the current Bro
-release. For a complete list of changes, see the ``CHANGES`` file
+release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as BroControl and Broccoli, come with
-their own CHANGES.)
+their own ``CHANGES``.)
-Bro 2.2 (Work In Progress)
+Bro 2.2 Beta
-==========================
+============
 New Functionality
 -----------------
 - A new file analysis framework moves most of the processing of file
  content from script-land into the core, where it belongs. See
  ``doc/file-analysis.rst``, or the online documentation, for more
  information.
  Much of this is an internal change, but the framework also comes
  with the following user-visible functionality (some of that was
  already available before but is done differently, and more
  efficiently, now):
      - HTTP:
        * Identify MIME type of messages.
        * Extract messages to disk.
        * Compute MD5 for messages.
      - SMTP:
        * Identify MIME type of messages.
        * Extract messages to disk.
        * Compute MD5 for messages.
        * Provide access to start of entity data.
      - FTP data transfers:
        * Identify MIME types of data.
        * Record to disk.
      - IRC DCC transfers: Record to disk.
      - Support for analyzing data transfered via HTTP range requests.
      - A binary input reader interfaces the input framework with the
        file analysis, allowing to inject files on disk into Bro's
        content processing.
 - A new framework for computing a wide array of summary statistics,
  such as counters and thresholds checks, standard deviation and mean,
  set cardinality, top K, and more. The framework operates in
  real-time, independent of the underlying data, and can aggregate
  information from many independent monitoring points (including
  clusters). It provides a transparent, easy-to-use user interface,
  and can optionally deploy a set of probabilistic data structures for
  memory-efficient operation. The framework is located in 
  ``scripts/base/frameworks/sumstats``.
  A number of new applications now ship with Bro that are built on top
  of the summary statistics framework:
    * Scan detection: Detectors for port and address scans. See
      ``policy/misc/scan.bro`` (these scan detectors used to exist in
      Bro versions <2.0; it's now back, but quite different).
    * Tracerouter detector: ``policy/misc/detect-traceroute.bro``
    * Web application detection/measurement:
      ``policy/misc/app-stats/*``
    * FTP and SSH brute-forcing detector:
      ``policy/protocols/ftp/detect-bruteforcing.bro``,
      ``policy/protocols/ssh/detect-bruteforcing.bro``
    * HTTP-based SQL injection detector:
      ``policy/protocols/http/detect-sqli.bro`` (existed before, but
      now ported to the new framework)
 - GridFTP support. This is an extension to the standard FTP analyzer
  and includes:
      - An analyzer for the GSI mechanism of GSSAPI FTP AUTH method.
        GSI authentication involves an encoded TLS/SSL handshake over
        the FTP control session. For FTP sessions that attempt GSI
        authentication, the ``service`` field of the connection log
        will include ``gridftp`` (as well as also ``ftp`` and
        ``ssl``).
      - An example of a GridFTP data channel detection script. It
        relies on the heuristics of GridFTP data channels commonly
        default to SSL mutual authentication with a NULL bulk cipher
        and that they usually transfer large datasets (default
        threshold of script is 1 GB). For identified GridFTP data
        channels, the ``services`` fields of the connection log will
        include ``gridftp-data``.
 - Modbus and DNP3 support. Script-level support is only basic at this
  point but see ``src/analyzer/protocol/{modbus,dnp3}/events.bif``, or
  the online documentation, for the events Bro generates. For Modbus,
  there are also some example policies in
  ``policy/protocols/modbus/*``.
 - The documentation now includes a new introduction to writing Bro
  scripts. See ``doc/scripting/index.rst`` or, much better, the online
  version. There's also the beginning of a chapter on "Using Bro" in
  ``doc/using/index.rst``.
 - GPRS Tunnelling Protocol (GTPv1) decapsulation.
- GridFTP support. TODO: Extend.
+- The scripting language now provide "hooks", a new flavor of
  functions that share characteristics of both standard functions and
  events. They are like events in that multiple bodies can be defined
  for the same hook identifier. They are more like functions in the
  way they are invoked/called, because, unlike events, their execution
  is immediate and they do not get scheduled through an event queue.
  Also, a unique feature of a hook is that a given hook handler body
  can short-circuit the execution of remaining hook handlers simply by
  exiting from the body as a result of a ``break`` statement (as
  opposed to a ``return`` or just reaching the end of the body). See
  ``doc/scripts/builtins.rst``, or the online documentation, for more
  informatin.
- Modbus support. TODO: Extend.
+- Bro's language now has a working ``switch`` statement that generally
  behaves like C-style switches (except that case labels can be
  comprised of multiple literal constants delimited by commas).  Only
  atomic types are allowed for now.  Case label bodies that don't
  execute a ``return`` or ``break`` statement will fall through to
  subsequent cases. A ``default`` case label is supported.
- DNP3 support. TODO: Extend.
+- Bro's language now has a new set of types ``opaque of X``. Opaque
 - ssl.log now also records the subject client and issuer certificates.
 - Hooks: TODO: Briefly summarize the documention from
  doc/scripts/builtins.rst here.
 - The ASCII writer can now output CSV files on a per filter basis.
 - Bro's language now has a working "switch" statement that generally
  behaves like C-style switches except case labels can be comprised of
  multiple literal constants delimited by commas.  Only atomic types
  are allowed for now.  Case label bodies that don't execute a
  "return" or "break" statement will fall through to subsequent cases.
  A default case label is allowed.
 - Bro's language now has a new set of types "opaque of X". Opaque
  values can be passed around like other values but they can only be
  manipulated with BiF functions, not with other operators. Currently,
-  the following opaque types are supported:
+  the following opaque types are supported::
-        - opaque of md5
+        opaque of md5
-        - opaque of sha1
+        opaque of sha1
-        - opaque of sha256
+        opaque of sha256
-        - opaquey of entropy.
+        opaque of cardinality
        opaque of topk
        opaque of bloomfilter
-  They go along with the corrsponding BiF functions md5_*, sha1_*,
+  These go along with the corrsponding BiF functions ``md5_*``,
-  sha256_*, and entropy_*, respectively. Note that these functions
+  ``sha1_*``, ``sha256_*``, ``entropy_*``, etc. . Note that where
-  have changed their signatures to work with opaques types rather
+  these functions existed before, they have changed their signatures
-  than global state as it was before.
+  to work with opaques types rather than global state.
- The scripting language now supports a constructing sets, tables,
+- The scripting language now supports constructing sets, tables,
  vectors, and records by name::
        type MyRecordType: record {
@ -61,57 +155,33 @@ New Functionality
        global s = MySet([$c=1], [$c=2]);
 - Strings now support the subscript operator to extract individual
-  characters and substrings (e.g., s[4], s[1,5]). The index expression
+  characters and substrings (e.g., ``s[4]``, ``s[1,5]``). The index
-  can take up to two indices for the start and end index of the
+  expression can take up to two indices for the start and end index of
-  substring to return (e.g. "mystring[1,3]").
+  the substring to return (e.g. ``mystring[1,3]``).
- Functions now support default parameters, e.g.:
+- Functions now support default parameters, e.g.::
-        global foo: function(s: string, t: string &default="abc", u: count &default=0);
+      global foo: function(s: string, t: string &default="abc", u: count &default=0);
- Scripts can now use two new "magic constants" @DIR and @FILENAME
+- Scripts can now use two new "magic constants" ``@DIR`` and
-  that expand to the directory path of the current script and just the
+  ``@FILENAME`` that expand to the directory path of the current
-  script file name without path, respectively. (Jon Siwek)
+  script and just the script file name without path, respectively.
- The new file analysis framework moves most of the processing of file
+- ``ssl.log`` now also records the subject client and issuer
-  content from script-land into the core, where it belongs. See
+  certificates.
  doc/file-analysis.rst for more information.
-  Much of this is an internal change, but the framework also comes
+- The ASCII writer can now output CSV files on a per filter basis.
  with the following user-visibible functionality (some of that was
  already available before, but done differently):
-  [TODO: Update with changes from 984e9793db56.]
+- New SQLite reader and writer plugins for the logging framework allow
  to read/write persistent data from on disk SQLite databases.
-      - A binary input reader interfaces the input framework with file
+- A new packet filter framework supports BPF-based load-balancing,
        analysis, allowing to inject files on disk into Bro's
        processing.
      - Supports for analyzing data transfereed via HTTP range
        requests.
      - HTTP:
        * Identify MIME type of message.
        * Extract message to disk.
        * Compute MD5 for messages.
      - SMTP:
        * Identify MIME type of message.
        * Extract message to disk.
        * Compute MD5 for messages.
        * Provide access to start of entity data.
      - FTP data transfers: Identify MIME type; record to disk.
      - IRC DCC transfers: Record to disk.
 - New packet filter framework supports BPF-based load-balancing,
  shunting, and sampling; plus plugin support to customize filters
  dynamically.
 - Bro now provides Bloom filters of two kinds: basic Bloom filters
  supporting membership tests, and counting Bloom filters that track
-  the frequency of elements. The corresponding functions are:
+  the frequency of elements. The corresponding functions are::
    bloomfilter_basic_init(fp: double, capacity: count, name: string &default=""): opaque of bloomfilter
    bloomfilter_basic_init2(k: count, cells: count, name: string &default=""): opaque of bloomfilter
@ -121,10 +191,11 @@ New Functionality
    bloomfilter_merge(bf1: opaque of bloomfilter, bf2: opaque of bloomfilter): opaque of bloomfilter
    bloomfilter_clear(bf: opaque of bloomfilter)
-  See <INSERT LINK> for full documentation.
+  See ``src/probabilistic/bloom-filter.bif``, or the online
  documentation, for full documentation.
 - Bro now provides a probabilistic data structure for computing
-  "top k" elements. The corresponding functions are:
+  "top k" elements. The corresponding functions are::
    topk_init(size: count): opaque of topk
    topk_add(handle: opaque of topk, value: any)
@ -136,73 +207,82 @@ New Functionality
    topk_merge(handle1: opaque of topk, handle2: opaque of topk)
    topk_merge_prune(handle1: opaque of topk, handle2: opaque of topk)
-  See <INSERT LINK> for full documentation.
+  See ``src/probabilistic/top-k.bif``, or the online documentation,
  for full documentation.
- base/utils/exec.bro provides a module to start external processes
+- Bro now provides a probabilistic data structure for computing set
-  asynchronously and retrieve their output on termination.
+  cardinality, using the HyperLogLog algorithm.  The corresponding
-  base/utils/dir.bro uses it to monitor a directory for changes, and
+  functions are::
  base/utils/active-http.bro for providing an interface for querying
  remote web servers.
- Summary statistics framework. [Extend]
+    hll_cardinality_init(err: double, confidence: double): opaque of cardinality
    hll_cardinality_add(handle: opaque of cardinality, elem: any): bool
    hll_cardinality_merge_into(handle1: opaque of cardinality, handle2: opaque of cardinality): bool
    hll_cardinality_estimate(handle: opaque of cardinality): double
    hll_cardinality_copy(handle: opaque of cardinality): opaque of cardinality
- A number of new applications build on top of the summary statistics
+  See ``src/probabilistic/cardinality-counter.bif``, or the online
-  framework:
+  documentation, for full documentation.
-    * Scan detection: Detectors for port and address scans return. See
+- ``base/utils/exec.bro`` provides a module to start external
-      policy/misc/scan.bro.
+  processes asynchronously and retrieve their output on termination.
  ``base/utils/dir.bro`` uses it to monitor a directory for changes,
  and ``base/utils/active-http.bro`` for providing an interface for
  querying remote web servers.
-    * Tracerouter detector: policy/misc/detect-traceroute
+- BroControl can now pin Bro processes to CPUs on supported platforms:
  To use CPU pinning, a new per-node option ``pin_cpus`` can be
  specified in node.cfg if the OS is either Linux or FreeBSD.
-    * Web application detection/measurement: policy/misc/app-metrics.bro
+- BroControl comes with its own test-suite now. ``make test`` in
  ``aux/broctl`` will run it.
-    * FTP brute-forcing detector: policy/protocols/ftp/detect-bruteforcing.bro
+In addition to these, Bro 2.2 comes with a large set of smaller
-
+extensions, tweaks, and fixes across the whole code base, including
-    * HTTP-based SQL injection detector: policy/protocols/http/detect-sqli.bro
+most submodules.
      (existed before, but now ported to the new framework)
    * SSH brute-forcing detector feeding the intelligence framework:
      policy/protocols/ssh/detect-bruteforcing.bro
 Changed Functionality
 ---------------------
- We removed the following, already deprecated, functionality:
+- The interface to extracting content from application-layer protocols
  (including HTTP, SMTP, FTP) has changed significantly due to the
  introduction of the new file analysis framework (see above).
 - Removed the following, already deprecated, functionality:
    * Scripting language:
-        - &disable_print_hook attribute.
+        - ``&disable_print_hook attribute``.
    * BiF functions:
-        - parse_dotted_addr(), dump_config(),
+        - ``parse_dotted_addr()``, ``dump_config()``,
-          make_connection_persistent(), generate_idmef(),
+          ``make_connection_persistent()``, ``generate_idmef()``,
-          split_complete()
+          ``split_complete()``
-        - md5_*, sha1_*, sha256_*, and entropy_* have all changed
+        - ``md5_*``, ``sha1_*``, ``sha256_*``, and ``entropy_*`` have
-          their signatures to work with opaque types (see above).
+          all changed their signatures to work with opaque types (see
          above).
 - Removed a now unused argument from ``do_split`` helper function.
- Removed a now unused argument from "do_split" helper function.
+- ``this`` is no longer a reserved keyword.
- "this" is no longer a reserved keyword.
+- The Input Framework's ``update_finished`` event has been renamed to
-
+  ``end_of_data``. It will now not only fire after table-reads have
- The Input Framework's update_finished event has been renamed to
+  been completed, but also after the last event of a whole-file-read
-  end_of_data. It will now not only fire after table-reads have been
+  (or whole-db-read, etc.).
  completed, but also after the last event of a whole-file-read (or
  whole-db-read, etc.).
 - Renamed the option defining the frequency of alarm summary mails to
-  'Logging::default_alarm_mail_interval'. When using BroControl, the
+  ``Logging::default_alarm_mail_interval``. When using BroControl, the
  value can now be set with the new broctl.cfg option
-  "MailAlarmsInterval".
+  ``MailAlarmsInterval``.
- We have completely reworded the "notice_policy" mechanism. It now no
+- We have completely rewritten the ``notice_policy`` mechanism. It now
-  linger uses a record of policy items but a "hook", a new language
+  no longer uses a record of policy items but a ``hook``, a new
-  element that's roughly equivalent to a function with multiple
+  language element that's roughly equivalent to a function with
-  bodies. The documentation [TODO: insert link] describes how to use
+  multiple bodies (see above). For existing code, the two main changes
-  the new notice policy. For existing code, the two main changes are:
+  are:
-    - What used to be a "redef" of "Notice::policy" now becomes a hook
+    - What used to be a ``redef`` of ``Notice::policy`` now becomes a
-      implementation. Example:
+      hook implementation. Example:
      Old::
@ -221,9 +301,9 @@ Changed Functionality
                add n$actions[Notice::ACTION_EMAIL];
            }
-    - notice() is now likewise a hook, no longer an event. If you have
+    - notice() is now likewise a hook, no longer an event. If you
-      handlers for that event, you'll likely just need to change the
+      have handlers for that event, you'll likely just need to change
-      type accordingly. Example:
+      the type accordingly. Example:
      Old::
@ -233,17 +313,17 @@ Changed Functionality
        hook notice(n: Notice::Info) { ... }
- The notice_policy.log is gone. That's a result of the new notice
+- The ``notice_policy.log`` is gone. That's a result of the new notice
  policy setup.
- Removed the byte_len() and length() bif functions. Use the ``|...|``
+- Removed the ``byte_len()`` and ``length()`` bif functions. Use the
-  operator instead.
+  ``|...|`` operator instead.
- The SSH::Login notice has been superseded by an corresponding
+- The ``SSH::Login`` notice has been superseded by an corresponding
-  intelligence framework observation (SSH::SUCCESSFUL_LOGIN).
+  intelligence framework observation (``SSH::SUCCESSFUL_LOGIN``).
- PacketFilter::all_packets has been replaced with
+- ``PacketFilter::all_packets`` has been replaced with
-  PacketFilter::enable_auto_protocol_capture_filters.
+  ``PacketFilter::enable_auto_protocol_capture_filters``.
 - We removed the BitTorrent DPD signatures pending further updates to
  that analyzer.
--- a/2
+++ b/2
@ -1 +1 @@
-2.1-1368
+2.1-1387
--- a/aux/binpac
+++ b/aux/binpac
@ -1 +1 @@
-Subproject commit eeb19daacc9f12bc4e7c885fa70e71f856a90b1f
+Subproject commit 3c29b917e59e8d8200f669d3d9729d36c34b9245
--- a/aux/bro-aux
+++ b/aux/bro-aux
@ -1 +1 @@
-Subproject commit eb24e628648c7d7b931bdb57d38ab32c28296e72
+Subproject commit ee2d64928edc38b10e508bd577a22f52b024c992
--- a/aux/broccoli
+++ b/aux/broccoli
@ -1 +1 @@
-Subproject commit 5bcee430700f714b19a9e794de75cb42408c9ecf
+Subproject commit c0d5345bf25d25f6965f3201048344687bacc860
--- a/aux/broctl
+++ b/aux/broctl
@ -1 +1 @@
-Subproject commit a4912816d7a50c882fa537dbeadac13449ca3716
+Subproject commit 3582f494de247784fc7634b319ddf99aef44b6e1
--- a/aux/btest
+++ b/aux/btest
@ -1 +1 @@
-Subproject commit 3918bd9f5f99863faec2501e5bc7839ffb17bdc9
+Subproject commit 6e940b73152a14ae63a4405f6a4bc23cf6cbeec1
--- a/doc/scripting/index.rst
+++ b/doc/scripting/index.rst
@ -10,13 +10,6 @@ Writing Bro Scripts
 Understanding Bro Scripts
 =========================
 .. todo::
    The MHR integration has changed significantly since the text was
    written. We need to update it, however I'm actually not sure this
    script is a good introductory example anymore unfortunately.
    -Robin
 Bro includes an event-driven scripting language that provides
 the primary means for an organization to extend and customize Bro's
 functionality. Virtually all of the output generated by Bro
@ -33,96 +26,109 @@ are invalid.  This entire process is setup by telling Bro that should
 it see a server or client issue an SSL ``HELLO`` message, we want to know
 about the information about that connection.
-It's often the easiest to understand Bro's scripting language by
+It's often easiest to understand Bro's scripting language by
 looking at a complete script and breaking it down into its
 identifiable components.  In this example, we'll take a look at how
-Bro queries the `Team Cymru Malware hash registry
+Bro checks the SHA1 hash of various files extracted from network traffic
-<http://www.team-cymru.org/Services/MHR/>`_ for downloads via
+against the `Team Cymru Malware hash registry
-HTTP. Part of the Team Cymru Malware Hash registry includes the
+<http://www.team-cymru.org/Services/MHR/>`_.  Part of the Team Cymru Malware
-ability to do a host lookup on a domain with the format
+Hash registry includes the ability to do a host lookup on a domain with the format
-``MALWARE_HASH.malware.hash.cymru.com`` where ``MALWARE_HASH`` is the MD5 or
+``<MALWARE_HASH>.malware.hash.cymru.com`` where ``<MALWARE_HASH>`` is the SHA1 hash of a file.
-SHA1 hash of a file.  Team Cymru also populates the TXT record of
+Team Cymru also populates the TXT record of their DNS responses with both a "first seen"
-their DNS responses with both a "last seen" timestamp and a numerical
+timestamp and a numerical "detection rate".  The important aspect to understand is Bro already
-"detection rate".  The important aspect to understand is Bro already
+generating hashes for files via the Files framework, but it is the
-generates hashes for files it can parse from HTTP streams, but the
+script ``detect-MHR.bro`` that is responsible for generating the
-script ``detect-MHR.bro`` is responsible for generating the
+appropriate DNS lookup, parsing the response, and generating a notice if appropriate.
 appropriate DNS lookup and parsing the response.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-Visually, there are three distinct sections of the script.  A base
+Visually, there are three distinct sections of the script.  First, there is a base
-level with no indentation followed by an indented and formatted
+level with no indentation where libraries are included in the script through ``@load``
-section explaining the custom variables being provided (``export``) and another
+and a namespace is defined with ``module``.  This is followed by an indented and formatted
-indented and formatted section describing the instructions for a
+section explaining the custom variables being provided (``export``) as part of the script's namespace.
-specific event (``event log_http``).  Don't get discouraged if you don't
+Finally there is a second indented and formatted section describing the instructions to take for a
 specific event (``event file_hash``).  Don't get discouraged if you don't
 understand every section of the script; we'll cover the basics of the
 script and much more in following sections.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 7-11
+   :lines: 4-6
 Lines 7 and 8 of the script process the ``__load__.bro`` script in the
 respective directories being loaded.  The ``@load`` directives are
 often considered good practice or even just good manners when writing
-Bro scripts to make sure they can be
+Bro scripts to make sure they can be used on their own. While it's unlikely that in a
 used on their own. While it's unlikely that in a
 full production deployment of Bro these additional resources wouldn't
 already be loaded, it's not a bad habit to try to get into as you get
 more experienced with Bro scripting.  If you're just starting out,
-this level of granularity might not be entirely necessary though.  
+this level of granularity might not be entirely necessary.  The ``@load`` directives
 are ensuring the Files framework, the Notice framework and the script to hash all files has
 been loaded by Bro.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 12-24
+   :lines: 10-31
 The export section redefines an enumerable constant that describes the
-type of notice we will generate with the logging framework.  Bro
+type of notice we will generate with the Notice framework.  Bro
-allows for redefinable constants, which at first, might seem
+allows for re-definable constants, which at first, might seem
 counter-intuitive.  We'll get more in-depth with constants in a later
 chapter, for now, think of them as variables that can only be altered
 before Bro starts running.  The notice type listed allows for the use
 of the :bro:id:`NOTICE` function to generate notices of type
-``Malware_Hash_Registry_Match`` as done in the next section.  Notices
+``TeamCymruMalwareHashRegistry::Match`` as done in the next section.  Notices
 allow Bro to generate some kind of extra notification beyond its
 default log types.  Often times, this extra notification comes in the
-form of an email generated and sent to a pre-configured address.  
+form of an email generated and sent to a preconfigured address, but can be altered
 depending on the needs of the deployment.  The export section is finished off with
 the definition of two constants that list the kind of files we want to match against and
 the minimum percentage of detection threshold in which we are interested.
 Up until this point, the script has merely done some basic setup.  With the next section,
 the script starts to define instructions to take in a given event.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/frameworks/files/detect-MHR.bro
-   :lines: 26-44
+   :lines: 33-57
 The workhorse of the script is contained in the event handler for
-``log_http``.  The ``log_http`` event is defined as an event-hook in
+``file_hash``.  The ``file_hash`` event is defined in the
-the :doc:`/scripts/base/protocols/http/main` script and allows scripts
+:doc:`/scripts/base/bif/plugins/Bro_FileHash.events.bif.bro` script and allows scripts to access
-to handle a connection as it is being passed to the logging framework.
+the information associated with a file for which Bro's file analysis framework has
-The event handler is passed an :bro:type:`HTTP::Info` data structure
+generated a hash.  The event handler is passed the file itself as ``f``, the type of digest
-which will be referred to as ``rec`` in body of the event handler.
+algorithm used as ``kind`` and the hash generated as ``hash``.
-An ``if`` statement is used to check for the existence of a data structure
+On line 35, an ``if`` statement is used to check for the correct type of hash, in this case
-named ``md5`` nested within the ``rec`` data structure.  Bro uses the ``$`` as
+a SHA1 hash.  It also checks for a mime type we've defined as being of interest as defined in the
-a deference operator and as such, and it is employed in this script to
+constant ``match_file_types``.  The comparison is made against the expression ``f$mime_type``, which uses
-check if ``rec$md5`` is present by including the ``?`` operator within the
+the ``$`` dereference operator to check the value ``mime_type`` inside the variable ``f``.  Once both
-path.  If the ``rec`` data structure includes a nested data structure
+values resolve to true, a local variable is defined to hold a string comprised of the SHA1 hash concatenated
-named ``md5``, the statement is processed as true and a local variable
+with ``.malware.hash.cymru.com``; this value will be the domain queried in the malware hash registry.
 named ``hash_domain`` is provisioned and given a format string based on
 the contents of ``rec$md5`` to produce a valid DNS lookup.  
 The rest of the script is contained within a ``when`` block.  In
 short, a ``when`` block is used when Bro needs to perform asynchronous
-actions, such a DNS lookup, to ensure that performance isn't effected.
+actions, such as a DNS lookup, to ensure that performance isn't effected.
 The ``when`` block performs a DNS TXT lookup and stores the result
 in the local variable ``MHR_result``.  Effectively, processing for
 this event continues and upon receipt of the values returned by
 :bro:id:`lookup_hostname_txt`, the ``when`` block is executed.  The
-``when`` block splits the string returned into two seperate values and
+``when`` block splits the string returned into a portion for the date on which
-checks to ensure an expected format.  If the format is invalid, the
+the malware was first detected and the detection rate by splitting on an text space
-script assumes that the hash wasn't found in the respository and
+and storing the values returned in a local table variable.  In line 42, if the table
-processing is concluded.  If the format is as expected and the
+returned by ``split1`` has two entries, indicating a successful split, we store the detection
-detection rate is above the threshold set by ``MHR_threshold``, two
+date in ``mhr_first_detect`` and the rate in ``mhr_detect_rate`` on lines 45 and 45 respectively
-new local variables are created and used in the notice issued by
+using the appropriate conversion functions.  From this point on, Bro knows it has seen a file
-:bro:id:`NOTICE`.
+transmitted which has a hash that has been seen by the Team Cymru Malware Hash Registry, the rest
 of the script is dedicated to producing a notice.
-In approximately 15 lines of actual code, Bro provides an amazing
+On line 47, the detection time is processed into a string representation and stored in
 ``readable_first_detected``.  The script then compares the detection rate against the
 ``notice_threshold`` that was defined on line 30.  If the detection rate is high enough, the script
 creates a concise description of the notice on line 50, a possible URL to check the sample against
 virustotal.com's database, and makes the call to :bro:id:`NOTICE` to hand the relevant information
 off to the Notice framework.
 In approximately 25 lines of code, Bro provides an amazing
 utility that would be incredibly difficult to implement and deploy
-with other products.  In truth, claiming that Bro does this in 15
+with other products.  In truth, claiming that Bro does this in 25
 lines is a misdirection; there is a truly massive number of things
 going on behind-the-scenes in Bro, but it is the inclusion of the
 scripting language that gives analysts access to those underlying
@ -168,7 +174,7 @@ the event, and a concise explanation of the functions use.
   :lines: 29-54
 Above is a segment of the documentation for the event
-:bro:id:`dns_request` (and the preceeding link points to the
+:bro:id:`dns_request` (and the preceding link points to the
 documentation generated out of that).  It's organized such that the
 documentation, commentary, and list of arguments precede the actual
 event definition used by Bro.  As Bro detects DNS requests being
@ -197,13 +203,8 @@ such, there are events defined for the primary parts of the connection
 life-cycle as you'll see from the small selection of
 connection-related events below.  
 .. todo::
   Update the line numbers, this isn't pulling in the right events
   anymore but I don't know which ones it were.
 .. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/event.bif.bro
-   :lines: 135-138,154,204-208,218,255-256,266,335-340,351
+   :lines: 69-72,88,106-109,129,132-137,148
 Of the events listed, the event that will give us the best insight
 into the connection record data type will be
@ -245,7 +246,7 @@ information gleaned from the analysis of a connection as a complete
 unit.  To break down this collection of information, you will have to
 make use of use Bro's field delimiter ``$``.  For example, the
 originating host is referenced by ``c$id$orig_h`` which if given a
-narritive relates to ``orig_h`` which is a member of ``id`` which is
+narrative relates to ``orig_h`` which is a member of ``id`` which is
 a member of the data structure referred to as ``c`` that was passed
 into the event handler." Given that the responder port
 (``c$id$resp_p``) is ``53/tcp``, it's likely that Bro's base DNS scripts
@ -343,7 +344,7 @@ Constants
 Bro also makes use of constants, which are denoted by the ``const``
 keyword.  Unlike globals, constants can only be set or altered at
 parse time if the ``&redef`` attribute has been used.  Afterwards (in
-runtime) the constants are unalterable.  In most cases, redefinable
+runtime) the constants are unalterable.  In most cases, re-definable
 constants are used in Bro scripts as containers for configuration
 options.  For example, the configuration option to log password
 decrypted from HTTP streams is stored in
@ -359,7 +360,7 @@ following line to our ``site/local.bro`` file before firing up Bro.
 .. btest-include:: ${DOC_ROOT}/scripting/data_type_const_simple.bro
-While the idea of a redefinable constant might be odd, the constraint
+While the idea of a re-definable constant might be odd, the constraint
 that constants can only be altered at parse-time remains even with the
 ``&redef`` attribute.  In the code snippet below, a table of strings
 indexed by ports is declared as a constant before two values are added
@ -417,7 +418,7 @@ The table below shows the atomic types used in Bro, of which the
 first four should seem familiar if you have some scripting experience,
 while the remaining six are less common in other languages. It should
 come as no surprise that a scripting language for a Network Security
-Monitoring platform has a fairly robust set of network centric data
+Monitoring platform has a fairly robust set of network-centric data
 types and taking note of them here may well save you a late night of
 reinventing the wheel.  
@ -479,7 +480,7 @@ the ``for`` loop, the next element is chosen.  Since sets are not an
 ordered data type, you cannot guarantee the order of the elements as
 the ``for`` loop processes.
-To test for membership in a set the ``in`` statment can be combined
+To test for membership in a set the ``in`` statement can be combined
 with an ``if`` statement to return a true or false value.  If the
 exact element in the condition is already in the set, the condition
 returns true and the body executes.  The ``in`` statement can also be
@ -546,7 +547,7 @@ iterate over, say, the directors; we have to iterate with the exact
 format as the keys themselves.  In this case, we need squared brackets
 surrounding four temporary variables to act as a collection for our
 iteration.  While this is a contrived example, we could easily have
-had keys containin IP addresses (``addr``), ports (``port``) and even a ``string``
+had keys containing IP addresses (``addr``), ports (``port``) and even a ``string``
 calculated as the result of a reverse hostname lookup.
 .. btest-include:: ${DOC_ROOT}/scripting/data_struct_table_complex.bro
@ -647,7 +648,7 @@ subnet
 ~~~~~~
 Bro has full support for CIDR notation subnets as a base data type. 
-There is no need to manage the IP and the subnet mask as two seperate
+There is no need to manage the IP and the subnet mask as two separate
 entities when you can provide the same information in CIDR notation in
 your scripts.  The following example below uses a Bro script to
 determine if a series of IP addresses are within a set of subnets
@ -807,7 +808,7 @@ composite type.  We have, in fact, already encountered a a complex
 example of the ``record`` data type in the earlier sections, the
 :bro:type:`connection` record passed to many events. Another one,
 :bro:type:`Conn::Info`, which corresponds to the fields logged into
-``conn.log``, is shown by the exerpt below.
+``conn.log``, is shown by the excerpt below.
 .. btest-include:: ${BRO_SRC_ROOT}/scripts/base/protocols/conn/main.bro
   :lines: 10-12,16,17,19,21,23,25,28,31,35,37,56,62,68,90,93,97,100,104,108,109,114
@ -818,7 +819,7 @@ definition is within the confines of an export block, what is defined
 is, in fact, ``Conn::Info``.
 The formatting for a declaration of a record type in Bro includes the
-descriptive name of the type being defined and the seperate fields
+descriptive name of the type being defined and the separate fields
 that make up the record.  The individual fields that make up the new
 record are not limited in type or number as long as the name for each
 field is unique.
@ -834,7 +835,7 @@ string, a set of ports, and a count to define a service type.  Also
 included is a function to print each field of a record in a formatted
 fashion and a :bro:id:`bro_init` event handler to show some
 functionality of working with records.  The definitions of the DNS and
-HTTP services are both done inline using squared brackets before being
+HTTP services are both done in-line using squared brackets before being
 passed to the ``print_service`` function.  The ``print_service``
 function makes use of the ``$`` dereference operator to access the
 fields within the newly defined Service record type.  
@ -851,7 +852,7 @@ record.
   @TEST-EXEC: btest-rst-cmd bro ${DOC_ROOT}/scripting/data_struct_record_02.bro
 The example above includes a second record type in which a field is
-used as the data type for a set.  Records can be reapeatedly nested
+used as the data type for a set.  Records can be repeatedly nested
 within other records, their fields reachable through repeated chains
 of the ``$`` dereference operator.  
@ -1128,7 +1129,7 @@ which we will cover shortly.
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
 | policy_items        | set[count]                                                       | &log &optional | Policy items that have been applied    |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
-| email_body_sections | vector                                                           | &optinal       | Body of the email for email notices.   |
+| email_body_sections | vector                                                           | &optional       | Body of the email for email notices.   |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
 | email_delay_tokens  | set[string]                                                      | &optional      | Delay functionality for email notices. |
 +---------------------+------------------------------------------------------------------+----------------+----------------------------------------+
@ -1142,7 +1143,7 @@ has been heuristically detected and the originating hostname is one
 that would raise suspicion.  Effectively, the script attempts to
 define a list of hosts from which you would never want to see SSH
 traffic originating, like DNS servers, mail servers, etc.  To
-accomplish this, the script adhere's to the seperation of detection
+accomplish this, the script adheres to the separation of detection
 and reporting by detecting a behavior and raising a notice.  Whether
 or not that notice is acted upon is decided by the local Notice
 Policy, but the script attempts to supply as much information as
@ -1226,7 +1227,7 @@ Bro.
 In the :doc:`/scripts/policy/protocols/ssl/expiring-certs` script
 which identifies when SSL certificates are set to expire and raises
-notices when it crosses a pre-defined threshold, the call to
+notices when it crosses a predefined threshold, the call to
 ``NOTICE`` above also sets the ``$identifier`` entry by concatenating
 the responder IP, port, and the hash of the certificate.  The
 selection of responder IP, port and certificate hash fits perfectly
@ -1262,7 +1263,7 @@ In short, there will be notice policy considerations where a broad
 decision can be made based on the ``Notice::Type`` alone.  To
 facilitate these types of decisions, the Notice Framework supports
 Notice Policy shortcuts.  These shortcuts are implemented through the
-means of a group of data structures that map specific, pre-defined
+means of a group of data structures that map specific, predefined
 details and actions to the effective name of a notice.  Primarily
 implemented as a set or table of enumerables of :bro:type:`Notice::Type`,
 Notice Policy shortcuts can be placed as a single directive in your
@ -1308,5 +1309,3 @@ Notice::emailed_types set while the shortcut below alters the length
 of time for which those notices will be suppressed.
 .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_02.bro
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -2442,7 +2442,7 @@ RefExpr::RefExpr(Expr* arg_op) : UnaryExpr(EXPR_REF, arg_op)
 	if ( IsError() )
 		return;
-	if ( ! is_assignable(op->Type()) )
+	if ( ! ::is_assignable(op->Type()) )
 		ExprError("illegal assignment target");
 	else
 		SetType(op->Type()->Ref());
--- a/src/input/readers/Raw.cc
+++ b/src/input/readers/Raw.cc
@ -73,15 +73,15 @@ void Raw::DoClose()
 	if ( execute && childpid > 0 && kill(childpid, 0) == 0 )
 		{
-		// kill child process
+		// Kill child process group.
-		kill(childpid, SIGTERM);
+		kill(-childpid, SIGTERM);
 		if ( forcekill )
 			{
 			usleep(200); // 200 msecs should be enough for anyone ;)
 			if ( kill(childpid, 0) == 0 ) // perhaps it is already gone
-				kill(childpid, SIGKILL);
+				kill(-childpid, SIGKILL);
 			}
 		}
 	}
@ -146,6 +146,11 @@ bool Raw::Execute()
 	else if ( childpid == 0 )
 		{
 		// we are the child.
 		// Obtain a process group w/ child's PID.
 		if ( setpgid(0, 0) == -1 )
 			_exit(251);
 		close(pipes[stdout_in]);
 		if ( dup2(pipes[stdout_out], stdout_fileno) == -1 )
 			_exit(252);
@ -180,6 +185,15 @@ bool Raw::Execute()
 	else
 		{
 		// we are the parent
 		// Parent also sets child process group immediately to avoid a race.
 		if ( setpgid(childpid, childpid) == -1 )
 			{
 			char buf[256];
 			strerror_r(errno, buf, sizeof(buf));
 			Warning(Fmt("Could not set child process group: %s", buf));
 			}
 		if ( ! UnlockForkMutex() )
 			return false;
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/output
@ -2,24 +2,20 @@
 -- event.bif.bro
 ## Generated for every new connection. This event is raised with the first
 ## packet of a previously unknown connection. Bro uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
 ## ICMP flows.
 global new_connection: event(c: connection );
 ## Generated when a TCP connection timed out. This event is raised when
 ## no activity was seen for an interval of at least
 ## :bro:id:`tcp_connection_linger`, and either one endpoint has already
 ## closed the connection or one side never became active.
 global connection_timeout: event(c: connection );
 ## Generated when a connection's internal state is about to be removed from
 ## memory. Bro generates this event reliably once for every connection when it
 ## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
 ## flows.
-##
+global connection_state_remove: event(c: connection );
 ##
 global connection_external: event(c: connection , tag: string );
 ## Generated when a UDP session for a supported protocol has finished. Some of
 ## Bro's application-layer UDP analyzers flag the end of a session by raising
 ## Generated when a connection is seen that is marked as being expected.
 global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
 ##    their specifics differ slightly. Often, however, both will be raised for
 ##    the same connection if some of its data is missing. We should eventually
 ##    merge the two.
 global ack_above_hole: event(c: connection );
 ##
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/output
@ -2,8 +2,6 @@
 -- detect-MHR.bro
-
+@load base/frameworks/files
-module TeamCymruMalwareHashRegistry;
+@load base/frameworks/notice
-
+@load frameworks/files/hash-all-files
 export {
 	redef enum Notice::Type += {
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/output
@ -2,6 +2,8 @@
 -- detect-MHR.bro
 export {
 	redef enum Notice::Type += {
 		## The hash value of a file transferred over HTTP matched in the
 		## malware hash registry.
 		Match
@ -15,3 +17,10 @@
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;
 	## The malware hash registry runs each malware sample through several A/V engines.
 	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
 	## sample as malicious. This threshold allows you to require a minimum detection
 	## rate.
 	const notice_threshold = 10 &redef;
 }
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/output
@ -2,13 +2,6 @@
 -- detect-MHR.bro
 	## The malware hash registry runs each malware sample through several A/V engines.
 	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
 	## sample as malicious. This threshold allows you to require a minimum detection
 	## rate.
 	const notice_threshold = 10 &redef;
 }
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
 	if ( kind=="sha1" && match_file_types in f$mime_type )
@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
 			if ( |MHR_answer| == 2 )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
 				local mhr_detect_rate = to_count(MHR_answer[2]);
 				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 				if ( mhr_detect_rate >= notice_threshold )
 					{
 					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
 					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
 					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 					}
 				}
 			}
 		}
 	}
--- a/testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_base_bif_event_bif_bro.btest
@ -2,24 +2,20 @@
 -- event.bif.bro
 ## Generated for every new connection. This event is raised with the first
 ## packet of a previously unknown connection. Bro uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
 ## ICMP flows.
 global new_connection: event(c: connection );
 ## Generated when a TCP connection timed out. This event is raised when
 ## no activity was seen for an interval of at least
 ## :bro:id:`tcp_connection_linger`, and either one endpoint has already
 ## closed the connection or one side never became active.
 global connection_timeout: event(c: connection );
 ## Generated when a connection's internal state is about to be removed from
 ## memory. Bro generates this event reliably once for every connection when it
 ## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
 ## flows.
-##
+global connection_state_remove: event(c: connection );
 ##
 global connection_external: event(c: connection , tag: string );
 ## Generated when a UDP session for a supported protocol has finished. Some of
 ## Bro's application-layer UDP analyzers flag the end of a session by raising
 ## Generated when a connection is seen that is marked as being expected.
 global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
 ##    their specifics differ slightly. Often, however, both will be raised for
 ##    the same connection if some of its data is missing. We should eventually
 ##    merge the two.
 global ack_above_hole: event(c: connection );
 ##
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest
@ -2,8 +2,6 @@
 -- detect-MHR.bro
-
+@load base/frameworks/files
-module TeamCymruMalwareHashRegistry;
+@load base/frameworks/notice
-
+@load frameworks/files/hash-all-files
 export {
 	redef enum Notice::Type += {
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest
@ -2,6 +2,8 @@
 -- detect-MHR.bro
 export {
 	redef enum Notice::Type += {
 		## The hash value of a file transferred over HTTP matched in the
 		## malware hash registry.
 		Match
@ -15,3 +17,10 @@
 	                         /application\/x-java-applet/ |
 	                         /application\/jar/ |
 	                         /video\/mp4/ &redef;
 	## The malware hash registry runs each malware sample through several A/V engines.
 	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
 	## sample as malicious. This threshold allows you to require a minimum detection
 	## rate.
 	const notice_threshold = 10 &redef;
 }
--- a/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest
@ -2,13 +2,6 @@
 -- detect-MHR.bro
 	## The malware hash registry runs each malware sample through several A/V engines.
 	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
 	## sample as malicious. This threshold allows you to require a minimum detection
 	## rate.
 	const notice_threshold = 10 &redef;
 }
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
 	if ( kind=="sha1" && match_file_types in f$mime_type )
@ -21,3 +14,16 @@ event file_hash(f: fa_file, kind: string, hash: string)
 			if ( |MHR_answer| == 2 )
 				{
 				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
 				local mhr_detect_rate = to_count(MHR_answer[2]);
 				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
 				if ( mhr_detect_rate >= notice_threshold )
 					{
 					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
 					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
 					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
 					}
 				}
 			}
 		}
 	}
		`@ -1 +1 @@`
			`Subproject commit eeb19daacc9f12bc4e7c885fa70e71f856a90b1f`				`Subproject commit 3c29b917e59e8d8200f669d3d9729d36c34b9245`
		`@ -1 +1 @@`
			`Subproject commit eb24e628648c7d7b931bdb57d38ab32c28296e72`				`Subproject commit ee2d64928edc38b10e508bd577a22f52b024c992`
		`@ -1 +1 @@`
			`Subproject commit 5bcee430700f714b19a9e794de75cb42408c9ecf`				`Subproject commit c0d5345bf25d25f6965f3201048344687bacc860`
		`@ -1 +1 @@`
			`Subproject commit a4912816d7a50c882fa537dbeadac13449ca3716`				`Subproject commit 3582f494de247784fc7634b319ddf99aef44b6e1`
		`@ -1 +1 @@`
			`Subproject commit 3918bd9f5f99863faec2501e5bc7839ffb17bdc9`				`Subproject commit 6e940b73152a14ae63a4405f6a4bc23cf6cbeec1`