Merge remote-tracking branch 'origin/master' into topic/johanna/remove-serializer

.gitignore

@@ -1,3 +1,7 @@
 build
 tmp
 *.gcov
+
+# Configuration and build directories for CLion
+.idea
+cmake-build-debug

CHANGES

@@ -1,4 +1,240 @@
 
+2.6-444 | 2019-06-15 19:09:03 -0700
+
+  * Add/rewrite NTP support (Vlad Grigorescu and Mauro Palumbo)
+
+2.6-416 | 2019-06-14 20:57:57 -0700
+
+  * DNS: Add support for SPF response records (Vlad Grigorescu)
+
+2.6-413 | 2019-06-14 19:51:28 -0700
+
+  * GH-406: rename bro.bif to zeek.bif (Jon Siwek, Corelight)
+
+2.6-412 | 2019-06-14 19:26:21 -0700
+
+  * GH-387: update Broker topic names to use "zeek/" prefix (Jon Siwek, Corelight)
+
+  * GH-323: change builtin plugin namespaces to Zeek (Jon Siwek, Corelight)
+
+2.6-408 | 2019-06-13 11:19:50 -0700
+
+  * Fix potential null-dereference in current_time() (Tim Wojtulewicz, Corelight)
+
+  * Add --sanitizers configure script to enable Clang sanitizers (Tim Wojtulewicz, Corelight)
+
+2.6-404 | 2019-06-12 15:10:19 -0700
+
+  * Rename directories from bro to zeek (Daniel Thayer)
+
+    The new default installation prefix is /usr/local/zeek
+
+2.6-400 | 2019-06-07 20:06:33 -0700
+
+  * Adapt bro_plugin CMake macros to use zeek_plugin (Jon Siwek, Corelight)
+
+2.6-399 | 2019-06-07 14:02:18 -0700
+
+  * Update SSL documentation. (Johanna Amann)
+
+  * Support the newer TLS 1.3 key_share extension. (Johanna Amann)
+
+  * Include all data of the server-hello random (Johanna Amann)
+
+    Before we cut the first 4 bytes, which makes it impossible to recognize
+    several newer packets (like the hello retry).
+
+  * Parse TLS 1.3 pre-shared-key extension. (Johanna Amann)
+
+    Adds new events:
+
+    - ssl_extension_pre_shared_key_client_hello
+    - ssl_extension_pre_shared_key_server_hello
+
+2.6-391 | 2019-06-07 17:29:28 +1000
+
+  * GH-209: replace "remote_ip" field of radius.log with "tunnel_client".
+    Also changes type from addr to string. (Jon Siwek, Corelight)
+
+2.6-389 | 2019-06-06 20:02:19 -0700
+
+  * Update plugin unit tests to use --zeek-dist (Jon Siwek, Corelight)
+
+2.6-388 | 2019-06-06 19:48:55 -0700
+
+  * Change default value of peer_description "zeek" (Jon Siwek, Corelight)
+
+2.6-387 | 2019-06-06 18:51:09 -0700
+
+  * Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
+
+2.6-386 | 2019-06-06 17:17:55 -0700
+
+  * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)
+
+2.6-384 | 2019-06-06 16:49:14 -0700
+
+  * Add new RDP event: rdp_client_security_data (Jeff Atkinson)
+
+2.6-379 | 2019-06-06 11:56:58 -0700
+
+  * Improve sqlite logging unit tests (Jon Siwek, Corelight)
+
+2.6-378 | 2019-06-05 16:23:04 -0700
+
+  * Rename BRO_DEPRECATED macro to ZEEK_DEPRECATED (Jon Siwek, Corelight)
+
+2.6-377 | 2019-06-05 16:15:58 -0700
+
+  * Deprecate functions with "bro" in them. (Jon Siwek, Corelight)
+
+    * "bro_is_terminating" is now "zeek_is_terminating"
+
+    * "bro_version" is now "zeek_version"
+
+    The old functions still exist for now, but are deprecated.
+
+2.6-376 | 2019-06-05 13:29:57 -0700
+
+  * GH-379: move catch-and-release and unified2 scripts to policy/ (Jon Siwek, Corelight)
+
+    These are no longer loaded by default due to the performance impact they
+    cause simply by being loaded (they have event handlers for commonly
+    generated events) and they aren't generally useful enough to justify it.
+
+2.6-375 | 2019-06-04 19:28:06 -0700
+
+  * Simplify threading::Value destructor (Jon Siwek, Corelight)
+
+  * Add pattern support to input framework. (Zeke Medley, Corelight)
+
+2.6-369 | 2019-06-04 17:53:10 -0700
+
+  * GH-155: Improve coercion of expression lists to vector types (Tim Wojtulewicz, Corelight)
+
+  * GH-159: Allow coercion of numeric record field values to other types (Tim Wojtulewicz, Corelight)
+
+  * Allow passing a location to BroObj::Warning and BroObj::Error. (Tim Wojtulewicz, Corelight)
+
+    This allows callers (such as check_and_promote) to pass an expression
+    location to be logged if the location doesn't exist in the value being
+    promoted.
+
+  * Add CLion directories to gitignore (Tim Wojtulewicz, Corelight)
+
+  * Move #define outside of max_type for clarity (Tim Wojtulewicz, Corelight)
+
+2.6-361 | 2019-06-04 10:30:21 -0700
+
+  * GH-293: Protect copy() against reference cycles. (Robin Sommer, Corelight)
+
+    Reference cycles shouldn't occur but there's nothing really preventing
+    people from creating them, so may just as well be safe and deal with
+    them when cloning values.
+
+2.6-359 | 2019-05-31 13:37:17 -0700
+
+  * Remove old documentation reference to rotate_interval (Jon Siwek, Corelight)
+
+2.6-357 | 2019-05-30 10:57:54 -0700
+
+  * Tweak to ASCII reader warning suppression (Christian Kreibich, Corelight)
+
+    Warnings in the ASCII reader so far remained suppressed even
+    when an input file changed. It's helpful to learn about problems
+    in the data when putting in place new data files, so this change
+    maintains the existing warning suppression while processing a file,
+    but re-enables warnings after updates to a file.
+
+2.6-354 | 2019-05-29 09:46:19 -0700
+
+  * Add weird: "RDP_channels_requested_exceeds_max" (Vlad Grigorescu)
+
+2.6-352 | 2019-05-28 17:57:36 -0700
+
+  * Reduce data copying in Broker message processing (Jon Siwek, Corelight)
+
+  * Improve Broker I/O loop integration: less mutex locking (Jon Siwek, Corelight)
+
+    Checking a subscriber for available messages required locking a mutex,
+    but we should never actually need to do that in the main-loop to check
+    for Broker readiness since we can rely on file descriptor polling.
+
+  * Improve processing of broker data store responses (Jon Siwek, Corelight)
+
+    Now retrieves and processes all N available responses at once instead
+    of one-by-one-until-empty.
+
+2.6-345 | 2019-05-28 11:32:16 -0700
+
+  * RDP: Add parsing and logging of channels requested by the client. (Vlad Grigorescu)
+
+    Can determine capabilities requested by the client, as well as attacks such
+    as CVE-2019-0708.
+
+2.6-342 | 2019-05-28 10:48:37 -0700
+
+  * GH-168: Improve type-checking for table/set list assignment. (Zeke Medley and Jon Siwek, Corelight)
+
+2.6-340 | 2019-05-24 18:02:43 -0700
+
+  * Add support for parsing additional DHCP options (Jay Wren)
+
+    The following optional fields were added to the DHCP::Options record:
+
+      - time_offset  (Option 2)
+      - time_servers (Option 4)
+      - name_servers (Option 5)
+      - ntp_servers  (Option 42)
+
+2.6-338 | 2019-05-24 17:06:08 -0700
+
+  * Add input file name to additional ASCII reader warning messages (Christian Kreibich, Corelight)
+
+2.6-336 | 2019-05-24 10:23:20 -0700
+
+  * GH-378: check validity of missing 'val' field in Input::add_table (Jon Siwek, Corelight)
+
+2.6-335 | 2019-05-24 08:58:59 -0700
+
+  * Fix memory leak when no protocol_violation event handler exists (Jon Siwek, Corelight)
+
+2.6-334 | 2019-05-23 20:40:03 -0700
+
+  * Add an internal getenv wrapper function: zeekenv (Jon Siwek, Corelight)
+
+    It maps newer environment variable names starting with ZEEK to the
+    legacy names starting with BRO.
+
+  * Rename all BRO-prefixed environment variables (Daniel Thayer)
+
+    For backward compatibility when reading values, we first check
+    the ZEEK-prefixed value, and if not set, then check the corresponding
+    BRO-prefixed value.
+
+2.6-331 | 2019-05-23 18:03:42 -0700
+
+  * Update broker unit test output. (Jon Siwek, Corelight)
+
+    Due to string representation of Broker vectors changing (they now
+    use parentheses instead of square brackets).
+
+2.6-330 | 2019-05-23 13:04:26 -0700
+
+  * GH-173: Support ranges of values for value_list elements in the signature parser
+    (Tim Wojtulewicz, Corelight)
+
+  * GH-173: Modify the signature parser so ID components can't start with numbers
+    (Tim Wojtulewicz, Corelight)
+
+2.6-327 | 2019-05-23 11:56:11 -0700
+
+  * Remove redundant RecordVal::record_type member (Jon Siwek, Corelight)
+
+2.6-326 | 2019-05-23 10:49:38 -0700
+
+  * Fix parse-time RecordVal tracking containing duplicates (Jon Siwek, Corelight)
+
 2.6-325 | 2019-05-22 23:56:23 -0700
 
   * Add leak-checks for new copy operations (Johanna Amann, Corelight)

CMakeLists.txt

@@ -24,7 +24,7 @@ endif ()
 set(ZEEK_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
 if (NOT ZEEK_SCRIPT_INSTALL_PATH)
     # set the default Zeek script installation path (user did not specify one)
-    set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/bro)
+    set(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_ROOT_DIR}/share/zeek)
 endif ()
 
 if (NOT ZEEK_MAN_INSTALL_PATH)
@@ -37,18 +37,18 @@ endif ()
 get_filename_component(ZEEK_SCRIPT_INSTALL_PATH ${ZEEK_SCRIPT_INSTALL_PATH}
     ABSOLUTE)
 
-set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/bro/plugins CACHE STRING "Installation path for plugins" FORCE)
+set(BRO_PLUGIN_INSTALL_PATH ${ZEEK_ROOT_DIR}/lib/zeek/plugins CACHE STRING "Installation path for plugins" FORCE)
 
 configure_file(zeek-path-dev.in ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev)
 
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.sh
-     "export BROPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
+     "export ZEEKPATH=`${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
-     "export BRO_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
+     "export ZEEK_PLUGIN_PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":${ZEEK_PLUGIN_PATH}\n"
      "export PATH=\"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev.csh
-     "setenv BROPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
+     "setenv ZEEKPATH `${CMAKE_CURRENT_BINARY_DIR}/zeek-path-dev`\n"
-     "setenv BRO_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${BRO_PLUGIN_PATH}\n"
+     "setenv ZEEK_PLUGIN_PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":${ZEEK_PLUGIN_PATH}\n"
      "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n")
 
 file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
@@ -72,6 +72,40 @@ if(${ENABLE_DEBUG})
     set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug")
 endif()
 
+if ( NOT BINARY_PACKAGING_MODE )
+    macro(_make_install_dir_symlink _target _link)
+      install(CODE "
+        if ( \"\$ENV{DESTDIR}\" STREQUAL \"\" )
+          if ( EXISTS \"${_target}\" AND NOT EXISTS \"${_link}\" )
+            message(STATUS \"WARNING: installed ${_link} as symlink to ${_target}\")
+            execute_process(COMMAND \"${CMAKE_COMMAND}\" -E create_symlink
+              \"${_target}\" \"${_link}\")
+          endif ()
+        endif ()
+      ")
+    endmacro()
+
+    if ( "${CMAKE_INSTALL_PREFIX}" STREQUAL "/usr/local/zeek" )
+        # If we're installing into the default prefix, check if the
+        # old default prefix already exists and symlink to it.
+        # This is done to help keep custom user configuration/installation
+        # if they're upgrading from a version before Zeek 3.0.
+        _make_install_dir_symlink("/usr/local/bro" "/usr/local/zeek")
+    endif ()
+
+    # Check whether we need to symlink directories used by versions
+    # before Zeek 3.0.
+    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/include/bro" "${CMAKE_INSTALL_PREFIX}/include/zeek")
+    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/share/bro" "${CMAKE_INSTALL_PREFIX}/share/zeek")
+    _make_install_dir_symlink("${CMAKE_INSTALL_PREFIX}/lib/bro" "${CMAKE_INSTALL_PREFIX}/lib/zeek")
+endif ()
+
+if ( SANITIZERS )
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+    set(CMAKE_LD_FLAGS "${CMAKE_LD_FLAGS} -fsanitize=${SANITIZERS} -fno-omit-frame-pointer")
+endif()
+
 ########################################################################
 ## Dependency Configuration
 
@@ -257,7 +291,7 @@ string(TOLOWER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE_LOWER)
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.h.in
                ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h)
 include_directories(${CMAKE_CURRENT_BINARY_DIR})
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/bro)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/zeek-config.h DESTINATION include/zeek)
 
 if ( CAF_ROOT_DIR )
   set(ZEEK_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR})
@@ -281,7 +315,7 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/zeek-config.in
                ${CMAKE_CURRENT_BINARY_DIR}/zeek-config @ONLY)
 install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/zeek-config DESTINATION bin)
 
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro
+install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/zeek
         USE_SOURCE_PERMISSIONS)
 
 # Install wrapper script for Bro-to-Zeek renaming.
@@ -289,7 +323,7 @@ include(InstallShellScript)
 include(InstallSymlink)
 InstallShellScript("bin" "zeek-wrapper.in" "zeek-wrapper")
 InstallSymlink("${CMAKE_INSTALL_PREFIX}/bin/zeek-wrapper" "${CMAKE_INSTALL_PREFIX}/bin/bro-config")
-InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/bro/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/bro/bro-config.h")
+InstallSymlink("${CMAKE_INSTALL_PREFIX}/include/zeek/zeek-config.h" "${CMAKE_INSTALL_PREFIX}/include/zeek/bro-config.h")
 
 ########################################################################
 ## Recurse on sub-directories

NEWS

@@ -18,6 +18,9 @@ New Functionality
   - dns_NSEC
   - dns_NSEC3
 
+- Added support for parsing and logging DNS SPF resource records.
+  A new ``dns_SPF_reply`` event is also available.
+
 - Zeek's Plugin framework now allows a patch version.  If a patch version is not
   provided, it will default to 0.  To specify this, modify the plugin
   Configuration class in your ``src/Plugin.cc`` and set
@@ -79,6 +82,29 @@ New Functionality
 - The ``/<re>/i`` convenience syntax for case-insensitive patterns is now
   also allowed when specifying patterns used in signature files.
 
+- New RDP functionality.
+
+  - New events:
+    - rdp_client_network_data
+    - rdp_client_security_data
+    - rdp_native_encrypted_data
+
+  - Add a new "client_channels" field to rdp.log based on data parsed from
+    the Client Network Data (TS_UD_CS_NET) packet.  The channel list is also
+    available in the new ``rdp_client_network_data`` event.
+
+- Add parsing support for TLS 1.3 pre-shared key extension.  This info
+  is available in the events: ``ssl_extension_pre_shared_key_client_hello``
+  and ``ssl_extension_pre_shared_key_server_hello``.
+
+- Added/re-wrote support for NTP.
+
+  - Parsing support for modes 1-7, with parsed structures available in
+    the ``ntp_message`` event.
+
+  - An ntp.log is produced by default, containing data extracted from
+    NTP messages with modes 1-5.
+
 Changed Functionality
 ---------------------
 
@@ -101,6 +127,13 @@ Changed Functionality
   installation, installing the newer Zeek version over it will retain that
   file and even symlink the new ``zeekctl.cfg`` to it.
 
+- The default install prefix is now ``/usr/local/zeek`` instead of
+  ``/usr/local/bro``.  If you have an existing installation that used
+  the previous default and are still using the new default when upgrading,
+  we'll crate ``/usr/local/zeek`` as a symlink to ``/usr/local/bro``.
+  Certain subdirectories will also get similar treatment: ``share/bro``,
+  ``include/bro``, and ``lib/bro``.
+
 - ``$prefix/share/bro/site/local.bro`` has been renamed to
   ``local.zeek``.  If you have a ``local.bro`` file from a previous
   installation, possibly with customizations made to it, the new
@@ -212,6 +245,80 @@ Changed Functionality
   in scripts has also been updated to replace Sphinx cross-referencing roles
   and directives like ":bro:see:" with ":zeek:zee:".
 
+- The catch-and-release and unified2 scripts are no longer loaded by
+  default.  Because there was a performance impact simply from loading
+  them and it's unlikely a majority of user make use of their features,
+  they've been moved from the scripts/base/ directory into
+  scripts/policy/ and must be manually loaded to use their
+  functionality.  The "drop" action for the notice framework is likewise
+  moved since it was implemented via catch-and-release.  As a result,
+  the default notice.log no longer contains a "dropped" field.
+
+  If you previously used the catch-and-release functionality add this:
+
+      @load policy/frameworks/netcontrol/catch-and-release
+
+  If you previously used Notice::ACTION_DROP add:
+
+      @load policy/frameworks/notice/actions/drop
+
+  If you previously used the Unified2 file analysis support add:
+
+      @load policy/files/unified2
+
+- The default value of ``peer_description`` has changed from "bro"
+  to "zeek".  This won't effect most users, except for the fact that
+  this value may appear in several log files, so any external plugins
+  that have written unit tests that compare baselines of such log
+  files may need to be updated.
+
+- The "remote_ip" field of "addr" type was removed from radius.log and
+  replaced with a field named "tunnel_client" of "string" type.  The
+  reason for this is that the Tunnel-Client-Endpoint RADIUS attribute
+  this data is derived from may also be a FQDN, not just an IP address.
+
+- The ``ssl_server_hello`` event's ``server_random`` parameter has been
+  changed to always include the full 32-byte field from the
+  ServerHello.  Previously a 4-byte timestamp and 28-byte random data
+  were parsed separately as some TLS protocol versions specified a
+  separate timestamp field as part of the full 32-byte random sequence.
+
+- The namespace used by all the builtin plugins that ship with Zeek have
+  changed to use "Zeek::" instead of "Bro::".
+
+- Any Broker topic names used in scripts shipped with Zeek that
+  previously were prefixed with "bro/" are now prefixed with "zeek/"
+  instead.
+
+  In the case where external applications were using a "bro/" topic
+  to send data into a Bro process, a Zeek process still subscribes
+  to those topics in addition to the equivalently named "zeek/" topic.
+
+  In the case where external applications were using a "bro/" topic
+  to subscribe to remote messages or query data stores, there's no
+  backwards compatibility and external applications must be changed
+  to use the new "zeek/" topic.  The thought is this change will have
+  low impact since most data published under "bro/" topic names is
+  intended for use only as a detail of implementing cluster-enabled
+  versions of various scripts.
+
+  A list of the most relevant/common topic names that could potentially
+  be used in external applications to consume/query remote data that
+  one may need to change:
+
+  - store names
+    - bro/known/services
+    - bro/known/hosts
+    - bro/known/certs
+
+  - cluster nodes
+    - bro/cluster/<node type>
+    - bro/cluster/node/<name>
+    - bro/cluster/nodeid/<id>
+
+  - logging
+    - bro/logs/<stream>
+
 Removed Functionality
 ---------------------
 
@@ -336,6 +443,9 @@ Deprecated Functionality
   such that existing code will not break, but will emit a deprecation
   warning.
 
+- The ``bro_is_terminating`` and ``bro_version`` function are deprecated and
+  replaced by functions named ``zeek_is_terminating`` and ``zeek_version``.
+
 - The ``rotate_file``, ``rotate_file_by_name`` and ``calc_next_rotate`` functions
   were marked as deprecated. These functions were used with the old pre-2.0 logging
   framework and are no longer used. They also were marked as deprecated in their

VERSION

@@ -1 +1 @@
-2.6-325
+2.6-444

aux/bifcl

@@ -1 +1 @@
-Subproject commit bbf503e67cdcddbb13f8e067b0cbb2d874728c4f
+Subproject commit 699ffb13c986aca599b70735b368a515c2149982

aux/binpac

@@ -1 +1 @@
-Subproject commit 6ed824a38ea23dc10ec8bb21f813496719e9f76c
+Subproject commit baabe22a2b8a68fac448e862e1c2acc46f89c5fc

aux/broker

@@ -1 +1 @@
-Subproject commit 0c7a8816fd385af4f633cb7239e3c63e6c88c27e
+Subproject commit d884db29a72ba88c7992e17a253524d1505b8f78

aux/btest

@@ -1 +1 @@
-Subproject commit 6ece47ba6438e7a6db5c7b85a68b3c16f0911871
+Subproject commit 539c2d82534345c62ba9a20c2e98ea5cbdea9c7e

aux/netcontrol-connectors

@@ -1 +1 @@
-Subproject commit e93235aa6e45820af7e23e97627845a7b2b3d919
+Subproject commit 8a6f3f7c506ac483265afc77d3c1b0861db79601

aux/zeek-aux

@@ -1 +1 @@
-Subproject commit 3ecc7b8c348a7b768092dad75e6cb54c6357b9d7
+Subproject commit e0689c1c9565ba7ffcab011e9f22f6a17a67e40a

aux/zeekctl

@@ -1 +1 @@
-Subproject commit a955e66c8b07fd6715c7ed379d0759acc592bb78
+Subproject commit 5efa2d0c29bf52c3c64d5f61e39501a9c7b9dd80

cmake

@@ -1 +1 @@
-Subproject commit 8fb99b7aa9851caae2d938675324661571f8758e
+Subproject commit 58e4eebe3aebd0cf608e51046805a9ab1ffa6c1b

configure

@@ -31,9 +31,9 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
                            (useful for cross-compiling)
 
   Installation Directories:
-    --prefix=PREFIX        installation directory [/usr/local/bro]
+    --prefix=PREFIX        installation directory [/usr/local/zeek]
     --scriptdir=PATH       root installation directory for Zeek scripts
-                           [PREFIX/share/bro]
+                           [PREFIX/share/zeek]
     --localstatedir=PATH   when using ZeekControl, path to store log files
                            and run-time data (within log/ and spool/ subdirs)
                            [PREFIX]
@@ -58,6 +58,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --disable-perftools    don't try to build with Google Perftools
     --disable-python       don't try to build python bindings for Broker
     --disable-broker-tests don't try to build Broker unit tests
+    --sanitizers=SANITIZERS comma-separated list of Clang sanitizers to enable
 
   Required Packages in Non-Standard Locations:
     --with-openssl=PATH    path to OpenSSL install root
@@ -127,12 +128,12 @@ remove_cache_entry () {
 
 # set defaults
 builddir=build
-prefix=/usr/local/bro
+prefix=/usr/local/zeek
 CMakeCacheEntries=""
 append_cache_entry CMAKE_INSTALL_PREFIX PATH   $prefix
 append_cache_entry ZEEK_ROOT_DIR        PATH   $prefix
 append_cache_entry PY_MOD_INSTALL_DIR   PATH   $prefix/lib/zeekctl
-append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
+append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
 append_cache_entry ZEEK_ETC_INSTALL_DIR PATH   $prefix/etc
 append_cache_entry ENABLE_DEBUG         BOOL   false
 append_cache_entry ENABLE_PERFTOOLS     BOOL   false
@@ -144,6 +145,7 @@ append_cache_entry INSTALL_ZEEKCTL      BOOL   true
 append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
 append_cache_entry ENABLE_MOBILE_IPV6   BOOL   false
 append_cache_entry DISABLE_PERFTOOLS    BOOL   false
+append_cache_entry SANITIZERS           STRING ""
 
 # parse arguments
 while [ $# -ne 0 ]; do
@@ -216,6 +218,9 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_PERFTOOLS     BOOL   true
             append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL   true
             ;;
+        --sanitizers=*)
+            append_cache_entry SANITIZERS    STRING    $optarg
+            ;;
         --enable-jemalloc)
             append_cache_entry ENABLE_JEMALLOC     BOOL   true
             ;;
@@ -321,7 +326,7 @@ while [ $# -ne 0 ]; do
 done
 
 if [ "$user_set_scriptdir" != "true" ]; then
-    append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/bro
+    append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
 fi
 
 if [ "$user_set_conffilesdir" != "true" ]; then

doc

@@ -1 +1 @@
-Subproject commit e5422eafff850708f4d4ff590e54299ddc97ca42
+Subproject commit 4e00c8d826535d8ee4f93f3256864cf1634ae766

man/zeek.8

@@ -122,31 +122,31 @@ show leaks
 record heap
 .SH ENVIRONMENT
 .TP
-.B BROPATH
+.B ZEEKPATH
 file search path
 .TP
-.B BRO_PLUGIN_PATH
+.B ZEEK_PLUGIN_PATH
 plugin search path
 .TP
-.B BRO_PLUGIN_ACTIVATE
+.B ZEEK_PLUGIN_ACTIVATE
 plugins to always activate
 .TP
-.B BRO_PREFIXES
+.B ZEEK_PREFIXES
 prefix list
 .TP
-.B BRO_DNS_FAKE
+.B ZEEK_DNS_FAKE
 disable DNS lookups
 .TP
-.B BRO_SEED_FILE
+.B ZEEK_SEED_FILE
 file to load seeds from
 .TP
-.B BRO_LOG_SUFFIX
+.B ZEEK_LOG_SUFFIX
 ASCII log file extension
 .TP
-.B BRO_PROFILER_FILE
+.B ZEEK_PROFILER_FILE
 Output file for script execution statistics
 .TP
-.B BRO_DISABLE_BROXYGEN
+.B ZEEK_DISABLE_ZEEKYGEN
 Disable Zeekygen (Broxygen) documentation support
 .SH AUTHOR
 .B zeek

scripts/base/frameworks/broker/main.zeek

@@ -8,7 +8,7 @@ export {
 	const default_port = 9999/tcp &redef;
 
 	## Default interval to retry listening on a port if it's currently in
-	## use already.  Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
+	## use already.  Use of the ZEEK_DEFAULT_LISTEN_RETRY environment variable
 	## (set as a number of seconds) will override this option and also
 	## any values given to :zeek:see:`Broker::listen`.
 	const default_listen_retry = 30sec &redef;
@@ -16,11 +16,11 @@ export {
 	## Default address on which to listen.
 	##
 	## .. zeek:see:: Broker::listen
-	const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
+	const default_listen_address = getenv("ZEEK_DEFAULT_LISTEN_ADDRESS") &redef;
 
 	## Default interval to retry connecting to a peer if it cannot be made to
 	## work initially, or if it ever becomes disconnected.  Use of the
-	## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
+	## ZEEK_DEFAULT_CONNECT_RETRY environment variable (set as number of
 	## seconds) will override this option and also any values given to
 	## :zeek:see:`Broker::peer`.
 	const default_connect_retry = 30sec &redef;
@@ -70,7 +70,7 @@ export {
 	const log_batch_interval = 1sec &redef;
 
 	## Max number of threads to use for Broker/CAF functionality.  The
-	## BRO_BROKER_MAX_THREADS environment variable overrides this setting.
+	## ZEEK_BROKER_MAX_THREADS environment variable overrides this setting.
 	const max_threads = 1 &redef;
 
 	## Interval of time for under-utilized Broker/CAF threads to sleep
@@ -113,7 +113,7 @@ export {
 
 	## The default topic prefix where logs will be published.  The log's stream
 	## id is appended when writing to a particular stream.
-	const default_log_topic_prefix = "bro/logs/" &redef;
+	const default_log_topic_prefix = "zeek/logs/" &redef;
 
 	## The default implementation for :zeek:see:`Broker::log_topic`.
 	function default_log_topic(id: Log::ID, path: string): string
@@ -235,7 +235,7 @@ export {
 	##
 	## retry: If non-zero, retries listening in regular intervals if the port cannot be
 	##        acquired immediately. 0 disables retries.  If the
-	##        BRO_DEFAULT_LISTEN_RETRY environment variable is set (as number
+	##        ZEEK_DEFAULT_LISTEN_RETRY environment variable is set (as number
 	##        of seconds), it overrides any value given here.
 	##
 	## Returns: the bound port or 0/? on failure.
@@ -253,7 +253,7 @@ export {
 	## retry: an interval at which to retry establishing the
 	##        connection with the remote peer if it cannot be made initially, or
 	##        if it ever becomes disconnected.  If the
-	##        BRO_DEFAULT_CONNECT_RETRY environment variable is set (as number
+	##        ZEEK_DEFAULT_CONNECT_RETRY environment variable is set (as number
 	##        of seconds), it overrides any value given here.
 	##
 	## Returns: true if it's possible to try connecting with the peer and
@@ -379,7 +379,7 @@ function listen(a: string, p: port, retry: interval): port
 
 	if ( bound == 0/tcp )
 		{
-		local e = getenv("BRO_DEFAULT_LISTEN_RETRY");
+		local e = getenv("ZEEK_DEFAULT_LISTEN_RETRY");
 
 		if ( e != "" )
 			retry = double_to_interval(to_double(e));

scripts/base/frameworks/cluster/__load__.zeek

@@ -16,7 +16,7 @@ redef Broker::log_topic = Cluster::rr_log_topic;
 
 # If this script isn't found anywhere, the cluster bombs out.
 # Loading the cluster framework requires that a script by this name exists
-# somewhere in the BROPATH.  The only thing in the file should be the
+# somewhere in the ZEEKPATH.  The only thing in the file should be the
 # cluster definition in the :zeek:id:`Cluster::nodes` variable.
 @load cluster-layout
 

scripts/base/frameworks/cluster/main.zeek

@@ -17,31 +17,31 @@ export {
 
 	## The topic name used for exchanging messages that are relevant to
 	## logger nodes in a cluster.  Used with broker-enabled cluster communication.
-	const logger_topic = "bro/cluster/logger" &redef;
+	const logger_topic = "zeek/cluster/logger" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## manager nodes in a cluster.  Used with broker-enabled cluster communication.
-	const manager_topic = "bro/cluster/manager" &redef;
+	const manager_topic = "zeek/cluster/manager" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## proxy nodes in a cluster.  Used with broker-enabled cluster communication.
-	const proxy_topic = "bro/cluster/proxy" &redef;
+	const proxy_topic = "zeek/cluster/proxy" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## worker nodes in a cluster.  Used with broker-enabled cluster communication.
-	const worker_topic = "bro/cluster/worker" &redef;
+	const worker_topic = "zeek/cluster/worker" &redef;
 
 	## The topic name used for exchanging messages that are relevant to
 	## time machine nodes in a cluster.  Used with broker-enabled cluster communication.
-	const time_machine_topic = "bro/cluster/time_machine" &redef;
+	const time_machine_topic = "zeek/cluster/time_machine" &redef;
 
 	## The topic prefix used for exchanging messages that are relevant to
 	## a named node in a cluster.  Used with broker-enabled cluster communication.
-	const node_topic_prefix = "bro/cluster/node/" &redef;
+	const node_topic_prefix = "zeek/cluster/node/" &redef;
 
 	## The topic prefix used for exchanging messages that are relevant to
 	## a unique node in a cluster.  Used with broker-enabled cluster communication.
-	const nodeid_topic_prefix = "bro/cluster/nodeid/" &redef;
+	const nodeid_topic_prefix = "zeek/cluster/nodeid/" &redef;
 
 	## Name of the node on which master data stores will be created if no other
 	## has already been specified by the user in :zeek:see:`Cluster::stores`.
@@ -192,7 +192,7 @@ export {
 	global worker_count: count = 0;
 
 	## The cluster layout definition.  This should be placed into a filter
-	## named cluster-layout.zeek somewhere in the BROPATH.  It will be
+	## named cluster-layout.zeek somewhere in the ZEEKPATH.  It will be
 	## automatically loaded if the CLUSTER_NODE environment variable is set.
 	## Note that ZeekControl handles all of this automatically.
 	## The table is typically indexed by node names/labels (e.g. "manager"
@@ -210,8 +210,8 @@ export {
 	const node = getenv("CLUSTER_NODE") &redef;
 
 	## Interval for retrying failed connections between cluster nodes.
-	## If set, the BRO_DEFAULT_CONNECT_RETRY (given in number of seconds)
+	## If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds)
-	## overrides this option.
+	## environment variable overrides this option.
 	const retry_interval = 1min &redef;
 
 	## When using broker-enabled cluster framework, nodes broadcast this event

scripts/base/frameworks/cluster/pools.zeek

@@ -60,17 +60,17 @@ export {
 
 	## The specification for :zeek:see:`Cluster::proxy_pool`.
 	global proxy_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/proxy",
+		PoolSpec($topic = "zeek/cluster/pool/proxy",
 				 $node_type = Cluster::PROXY) &redef;
 
 	## The specification for :zeek:see:`Cluster::worker_pool`.
 	global worker_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/worker",
+		PoolSpec($topic = "zeek/cluster/pool/worker",
 				 $node_type = Cluster::WORKER) &redef;
 
 	## The specification for :zeek:see:`Cluster::logger_pool`.
 	global logger_pool_spec: PoolSpec =
-		PoolSpec($topic = "bro/cluster/pool/logger",
+		PoolSpec($topic = "zeek/cluster/pool/logger",
 				 $node_type = Cluster::LOGGER) &redef;
 
 	## A pool containing all the proxy nodes of a cluster.

scripts/base/frameworks/logging/writers/ascii.zeek

@@ -81,7 +81,7 @@ function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool
 	{
 	# If the filename has a ".gz" extension, then keep it.
 	local gz = info$fname[-3:] == ".gz" ? ".gz" : "";
-	local bls = getenv("BRO_LOG_SUFFIX");
+	local bls = getenv("ZEEK_LOG_SUFFIX");
 
 	if ( bls == "" )
 		bls = "log";

scripts/base/frameworks/netcontrol/__load__.zeek

@@ -3,7 +3,6 @@
 @load ./plugins
 @load ./drop
 @load ./shunt
-@load ./catch-and-release
 
 # The cluster framework must be loaded first.
 @load base/frameworks/cluster

scripts/base/frameworks/netcontrol/drop.zeek

@@ -1,9 +1,9 @@
 ##! Implementation of the drop functionality for NetControl.
 
-module NetControl;
-
 @load ./main
 
+module NetControl;
+
 export {
 	redef enum Log::ID += { DROP };
 

scripts/base/frameworks/netcontrol/main.zeek

@@ -10,11 +10,11 @@
 ##! provides convenience functions for a set of common operations. The
 ##! low-level API provides full flexibility.
 
-module NetControl;
-
 @load ./plugin
 @load ./types
 
+module NetControl;
+
 export {
 	## The framework's logging stream identifier.
 	redef enum Log::ID += { LOG };
@@ -889,7 +889,7 @@ function remove_rule_impl(id: string, reason: string) : bool
 function rule_expire_impl(r: Rule, p: PluginState) &priority=-5
 	{
 	# do not emit timeout events on shutdown
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		return;
 
 	if ( r$id !in rules )

scripts/base/frameworks/netcontrol/non-cluster.zeek

@@ -1,7 +1,8 @@
-module NetControl;
 
 @load ./main
 
+module NetControl;
+
 function activate(p: PluginState, priority: int)
 	{
 	activate_impl(p, priority);

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -1,9 +1,9 @@
 ##! This file defines the plugin interface for NetControl.
 
-module NetControl;
-
 @load ./types
 
+module NetControl;
+
 export {
 	## This record keeps the per instance state of a plugin.
 	##

scripts/base/frameworks/netcontrol/plugins/acld.zeek

@@ -1,11 +1,11 @@
 ##! Acld plugin for the netcontrol framework.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	type AclRule : record {
 		command: string;

scripts/base/frameworks/netcontrol/plugins/broker.zeek

@@ -2,12 +2,12 @@
 ##! used in NetControl on to Broker to allow for easy handling, e.g., of
 ##! command-line scripts.
 
-module NetControl;
-
 @load ../main
 @load ../plugin
 @load base/frameworks/broker
 
+module NetControl;
+
 export {
 	## This record specifies the configuration that is passed to :zeek:see:`NetControl::create_broker`.
 	type BrokerConfig: record {

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -3,10 +3,10 @@
 ##! and can only add/remove filters for addresses, this is quite
 ##! limited in scope at the moment. 
 
-module NetControl;
-
 @load ../plugin
 
+module NetControl;
+
 export {
 	## Instantiates the packetfilter plugin.
 	global create_packetfilter: function() : PluginState;

scripts/base/frameworks/notice/__load__.zeek

@@ -3,7 +3,6 @@
 
 # There should be no overhead imposed by loading notice actions so we
 # load them all.
-@load ./actions/drop
 @load ./actions/email_admin
 @load ./actions/page
 @load ./actions/add-geodata

scripts/base/frameworks/notice/main.zeek

@@ -405,7 +405,7 @@ function email_headers(subject_desc: string, dest: string): string
 		"From: ", mail_from, "\n",
 		"Subject: ", mail_subject_prefix, " ", subject_desc, "\n",
 		"To: ", dest, "\n",
-		"User-Agent: Bro-IDS/", bro_version(), "\n");
+		"User-Agent: Bro-IDS/", zeek_version(), "\n");
 	if ( reply_to != "" )
 		header_text = string_cat(header_text, "Reply-To: ", reply_to, "\n");
 	return header_text;
@@ -552,7 +552,7 @@ function is_being_suppressed(n: Notice::Info): bool
 	}
 
 # Executes a script with all of the notice fields put into the
-# new process' environment as "BRO_ARG_<field>" variables.
+# new process' environment as "ZEEK_ARG_<field>" variables.
 function execute_with_notice(cmd: string, n: Notice::Info)
 	{
 	# TODO: fix system calls

scripts/base/frameworks/openflow/consts.zeek

@@ -11,7 +11,7 @@ const COOKIE_BID_SIZE = 16777216;
 # start at bit 40 (1 << 40)
 const COOKIE_BID_START = 1099511627776;
 # Zeek specific cookie ID shall have the 42 bit set (1 << 42)
-const BRO_COOKIE_ID = 4;
+const ZEEK_COOKIE_ID = 4;
 # 8 bits group identifier
 const COOKIE_GID_SIZE = 256;
 # start at bit 32 (1 << 32)

scripts/base/frameworks/openflow/main.zeek

@@ -198,7 +198,7 @@ function match_conn(id: conn_id, reverse: bool &default=F): ofp_match
 # 42 bit of the cookie set.
 function generate_cookie(cookie: count &default=0): count
 	{
-	local c = BRO_COOKIE_ID * COOKIE_BID_START;
+	local c = ZEEK_COOKIE_ID * COOKIE_BID_START;
 
 	if ( cookie >= COOKIE_UID_SIZE )
 		Reporter::warning(fmt("The given cookie uid '%d' is > 32bit and will be discarded", cookie));
@@ -211,7 +211,7 @@ function generate_cookie(cookie: count &default=0): count
 # local function to check if a given flow_mod cookie is forged from this framework.
 function is_valid_cookie(cookie: count): bool
 	{
-	if ( cookie / COOKIE_BID_START == BRO_COOKIE_ID )
+	if ( cookie / COOKIE_BID_START == ZEEK_COOKIE_ID )
 		return T;
 
 	Reporter::warning(fmt("The given Openflow cookie '%d' is not valid", cookie));
@@ -231,7 +231,7 @@ function get_cookie_gid(cookie: count): count
 	{
 	if( is_valid_cookie(cookie) )
 		return (
-			(cookie	- (COOKIE_BID_START * BRO_COOKIE_ID) -
+			(cookie	- (COOKIE_BID_START * ZEEK_COOKIE_ID) -
 			(cookie - ((cookie / COOKIE_GID_START) * COOKIE_GID_START))) /
 			COOKIE_GID_START
 		);

scripts/base/frameworks/openflow/types.zeek

@@ -89,7 +89,7 @@ export {
 		## Opaque controller-issued identifier.
 		# This is optional in the specification - but let's force
 		# it so we always can identify our flows...
-		cookie: count; # &default=BRO_COOKIE_ID * COOKIE_BID_START;
+		cookie: count; # &default=ZEEK_COOKIE_ID * COOKIE_BID_START;
 		# Flow actions
 		## Table to put the flow in. OFPTT_ALL can be used for delete,
 		## to delete flows from all matching tables.

scripts/base/frameworks/sumstats/non-cluster.zeek

@@ -35,7 +35,7 @@ event SumStats::finish_epoch(ss: SumStat)
 			{
 			local data = result_store[ss$name];
 			local now = network_time();
-			if ( bro_is_terminating() )
+			if ( zeek_is_terminating() )
 				{
 				for ( key, val in data )
 					ss$epoch_result(now, key, val);

scripts/base/init-bare.zeek

@@ -777,7 +777,7 @@ type IPAddrAnonymizationClass: enum {
 
 ## Deprecated.
 ##
-## .. zeek:see:: rotate_file rotate_file_by_name rotate_interval
+## .. zeek:see:: rotate_file rotate_file_by_name
 type rotate_info: record {
 	old_name: string;	##< Original filename.
 	new_name: string;	##< File name after rotation.
@@ -1113,9 +1113,6 @@ const table_expire_delay = 0.01 secs &redef;
 ## Time to wait before timing out a DNS request.
 const dns_session_timeout = 10 sec &redef;
 
-## Time to wait before timing out an NTP request.
-const ntp_session_timeout = 300 sec &redef;
-
 ## Time to wait before timing out an RPC request.
 const rpc_timeout = 24 sec &redef;
 
@@ -1789,7 +1786,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 };
 
 # Prototypes of Zeek built-in functions.
-@load base/bif/bro.bif
+@load base/bif/zeek.bif
 @load base/bif/stats.bif
 @load base/bif/reporter.bif
 @load base/bif/strings.bif
@@ -1806,7 +1803,11 @@ event net_done(t: time) { done_with_network = T; }
 
 function log_file_name(tag: string): string
 	{
-	local suffix = getenv("BRO_LOG_SUFFIX") == "" ? "log" : getenv("BRO_LOG_SUFFIX");
+	local suffix = getenv("ZEEK_LOG_SUFFIX");
+
+	if ( suffix == "" )
+		suffix = "log";
+
 	return fmt("%s.%s", tag, suffix);
 	}
 
@@ -1839,11 +1840,11 @@ function add_signature_file(sold: string, snew: string): string
 
 ## Signature files to read. Use ``redef signature_files  += "foo.sig"`` to
 ## extend. Signature files added this way will be searched relative to
-## ``BROPATH``.  Using the ``@load-sigs`` directive instead is preferred
+## ``ZEEKPATH``.  Using the ``@load-sigs`` directive instead is preferred
 ## since that can search paths relative to the current script.
 global signature_files = "" &add_func = add_signature_file;
 
-## ``p0f`` fingerprint file to use. Will be searched relative to ``BROPATH``.
+## ``p0f`` fingerprint file to use. Will be searched relative to ``ZEEKPATH``.
 const passive_fingerprint_file = "base/misc/p0f.fp" &redef;
 
 ## Definition of "secondary filters". A secondary filter is a BPF filter given
@@ -2525,26 +2526,6 @@ export {
 	};
 }
 
-module GLOBAL;
-
-## An NTP message.
-##
-## .. zeek:see:: ntp_message
-type ntp_msg: record {
-	id: count;	##< Message ID.
-	code: count;	##< Message code.
-	stratum: count;	##< Stratum.
-	poll: count;	##< Poll.
-	precision: int;	##< Precision.
-	distance: interval;	##< Distance.
-	dispersion: interval;	##< Dispersion.
-	ref_t: time;	##< Reference time.
-	originate_t: time;	##< Originating time.
-	receive_t: time;	##< Receive time.
-	xmit_t: time;	##< Send time.
-};
-
-
 module NTLM;
 
 export {
@@ -3517,6 +3498,20 @@ export {
 
 		## URL to find a proxy.pac for auto proxy config (Option 252)
 		auto_proxy_config: string &optional;
+
+		## The offset of the client's subnet in seconds from UTC. (Option 2)
+		time_offset:     int &optional;
+
+		## A list of :rfc:`868` time servers available to the client.
+		## (Option 4)
+		time_servers:    DHCP::Addrs &optional;
+
+		## A list of IEN 116 name servers available to the client. (Option 5)
+		name_servers:    DHCP::Addrs &optional;
+
+		## A list of IP addresses indicating NTP servers available to the
+		## client. (Option 42)
+		ntp_servers:     DHCP::Addrs &optional;
 	};
 }
 
@@ -4122,6 +4117,10 @@ export {
 		SignatureAlgorithm: count; ##< Signature algorithm number
 	};
 
+	type PSKIdentity: record {
+		identity: string; ##< PSK identity
+		obfuscated_ticket_age: count;
+	};
 
 ## Number of non-DTLS frames that can occur in a DTLS connection before
 ## parsing of the connection is suspended.
@@ -4143,6 +4142,8 @@ module GLOBAL;
 ##    directly and then remove this alias.
 type signature_and_hashalgorithm_vec: vector of SSL::SignatureAndHashAlgorithm;
 
+type psk_identity_vec: vector of SSL::PSKIdentity;
+
 module X509;
 export {
 	type Certificate: record {
@@ -4257,9 +4258,57 @@ export {
 		ec_flags:               RDP::EarlyCapabilityFlags &optional;
 		dig_product_id:         string &optional;
 	};
+
+	## The TS_UD_CS_SEC data block contains security-related information used
+	## to advertise client cryptographic support.
+	type RDP::ClientSecurityData: record {
+		## Cryptographic encryption methods supported by the client and used in
+		## conjunction with Standard RDP Security.  Known flags:
+		##
+		## - 0x00000001: support for 40-bit session encryption keys
+		## - 0x00000002: support for 128-bit session encryption keys
+		## - 0x00000008: support for 56-bit session encryption keys
+		## - 0x00000010: support for FIPS compliant encryption and MAC methods
+		encryption_methods:	count;
+		## Only used in French locale and designates the encryption method.  If
+		## non-zero, then encryption_methods should be set to 0.
+		ext_encryption_methods:	count;
+	};
+
+	## Name and flags for a single channel requested by the client.
+	type RDP::ClientChannelDef: record {
+		## A unique name for the channel
+		name:           string;
+		## Absence of this flag indicates that this channel is
+		## a placeholder and that the server MUST NOT set it up.
+		initialized:    bool;
+		## Unused, must be ignored by the server.
+		encrypt_rdp:    bool;
+		## Unused, must be ignored by the server.
+		encrypt_sc:     bool;
+		## Unused, must be ignored by the server.
+		encrypt_cs:     bool;
+		## Channel data must be sent with high MCS priority.
+		pri_high:       bool;
+		## Channel data must be sent with medium MCS priority.
+		pri_med:        bool;
+		## Channel data must be sent with low MCS priority.
+		pri_low:        bool;
+		## Virtual channel data must be compressed if RDP data is being compressed.
+		compress_rdp:   bool;
+		## Virtual channel data must be compressed.
+		compress:       bool;
+		## Ignored by the server.
+		show_protocol:  bool;
+		## Channel must be persistent across remote control transactions.
+		persistent:     bool;
+	};
+
+	## The list of channels requested by the client.
+	type RDP::ClientChannelList: vector of ClientChannelDef;
 }
 
-@load base/bif/plugins/Bro_SNMP.types.bif
+@load base/bif/plugins/Zeek_SNMP.types.bif
 
 module SNMP;
 export {
@@ -4381,7 +4430,7 @@ export {
 	};
 }
 
-@load base/bif/plugins/Bro_KRB.types.bif
+@load base/bif/plugins/Zeek_KRB.types.bif
 
 module KRB;
 export {
@@ -4693,7 +4742,7 @@ const packet_filter_default = F &redef;
 const sig_max_group_size = 50 &redef;
 
 ## Description transmitted to remote communication peers for identification.
-const peer_description = "bro" &redef;
+const peer_description = "zeek" &redef;
 
 ## The number of IO chunks allowed to be buffered between the child
 ## and parent process of remote communication before Zeek starts dropping
@@ -4903,6 +4952,180 @@ export {
 	const max_frame_size = 65536 &redef;
 }
 
+module NTP;
+export {
+	## NTP standard message as defined in :rfc:`5905` for modes 1-5
+	## This record contains the standard fields used by the NTP protocol
+	## for standard syncronization operations.
+	type NTP::StandardMessage: record {
+		## This value mainly identifies the type of server (primary server,
+		## secondary server, etc.). Possible values, as in :rfc:`5905`, are:
+		##
+		##   * 0 -> unspecified or invalid
+		##   * 1 -> primary server (e.g., equipped with a GPS receiver)
+		##   * 2-15 -> secondary server (via NTP)
+		##   * 16 -> unsynchronized
+		##   * 17-255 -> reserved
+		##
+		## For stratum 0, a *kiss_code* can be given for debugging and
+		## monitoring.
+		stratum:            count;
+		## The maximum interval between successive messages.
+		poll:               interval;
+		## The precision of the system clock.
+		precision:          interval;
+		## Root delay. The total round-trip delay to the reference clock.
+		root_delay:         interval;
+		## Root Dispersion. The total dispersion to the reference clock.
+		root_disp:          interval;
+		## For stratum 0, four-character ASCII string used for debugging and
+		## monitoring. Values are defined in :rfc:`1345`.
+		kiss_code:          string &optional;
+		## Reference ID. For stratum 1, this is the ID assigned to the
+		## reference clock by IANA.
+		## For example: GOES, GPS, GAL, etc. (see :rfc:`5905`)
+		ref_id:             string &optional;
+		## Above stratum 1, when using IPv4, the IP address of the reference
+		## clock.  Note that the NTP protocol did not originally specify a
+		## large enough field to represent IPv6 addresses, so they use
+		## the first four bytes of the MD5 hash of the reference clock's
+		## IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+		ref_addr:           addr &optional;
+		## Reference timestamp. Time when the system clock was last set or
+		## correct.
+		ref_time:           time;
+		## Origin timestamp. Time at the client when the request departed for
+		## the NTP server.
+		org_time:           time;
+		## Receive timestamp. Time at the server when the request arrived from
+		## the NTP client.
+		rec_time:           time;
+		## Transmit timestamp. Time at the server when the response departed
+		# for the NTP client.
+		xmt_time:           time;
+		## Key used to designate a secret MD5 key.
+		key_id:             count &optional;
+		## MD5 hash computed over the key followed by the NTP packet header and
+		## extension fields.
+		digest:             string &optional;
+		## Number of extension fields (which are not currently parsed).
+		num_exts:           count &default=0;
+	};
+
+	## NTP control message as defined in :rfc:`1119` for mode=6
+	## This record contains the fields used by the NTP protocol
+	## for control operations.
+	type NTP::ControlMessage: record {
+		## An integer specifying the command function. Values currently defined:
+		##
+		## * 1 read status command/response
+		## * 2 read variables command/response
+		## * 3 write variables command/response
+		## * 4 read clock variables command/response
+		## * 5 write clock variables command/response
+		## * 6 set trap address/port command/response
+		## * 7 trap response
+		##
+		## Other values are reserved.
+		op_code:            count;
+		## The response bit. Set to zero for commands, one for responses.
+		resp_bit:           bool;
+		## The error bit. Set to zero for normal response, one for error
+		## response.
+		err_bit:            bool;
+		## The more bit. Set to zero for last fragment, one for all others.
+		more_bit:           bool;
+		## The sequence number of the command or response.
+		sequence:           count;
+		## The current status of the system, peer or clock.
+		#TODO: this can be further parsed internally
+		status:             count;
+		## A 16-bit integer identifying a valid association.
+		association_id:     count;
+		## Message data for the command or response + Authenticator (optional).
+		data:               string &optional;
+		## This is an integer identifying the cryptographic
+		## key used to generate the message-authentication code.
+		key_id:             count &optional;
+		## This is a crypto-checksum computed by the encryption procedure.
+		crypto_checksum:    string &optional;
+	};
+
+	## NTP mode 7 message. Note that this is not defined in any RFC and is
+	## implementation dependent. We used the official implementation from the
+	## `NTP official project <www.ntp.org>`_.  A mode 7 packet is used
+	## exchanging data between an NTP server and a client for purposes other
+	## than time synchronization, e.g.  monitoring, statistics gathering and
+	## configuration.  For details see the documentation from the `NTP official
+	## project <www.ntp.org>`_, code v. ntp-4.2.8p13, in include/ntp_request.h.
+	type NTP::Mode7Message: record {
+		## An implementation-specific code which specifies the
+		## operation to be (which has been) performed and/or the
+		## format and semantics of the data included in the packet.
+		req_code:       count;
+		## The authenticated bit. If set, this packet is authenticated.
+		auth_bit:       bool;
+		## For a multipacket response, contains the sequence
+		## number of this packet.  0 is the first in the sequence,
+		## 127 (or less) is the last.  The More Bit must be set in
+		## all packets but the last.
+		sequence:       count;
+		## The number of the implementation this request code
+		## is defined by.  An implementation number of zero is used
+		## for requst codes/data formats which all implementations
+		## agree on.  Implementation number 255 is reserved (for
+		## extensions, in case we run out).
+		implementation: count;
+		## Must be 0 for a request.  For a response, holds an error
+		## code relating to the request.  If nonzero, the operation
+		## requested wasn't performed.
+		##
+		##   * 0 - no error
+		##   * 1 - incompatible implementation number
+		##   * 2 - unimplemented request code
+		##   * 3 - format error (wrong data items, data size, packet size etc.)
+		##   * 4 - no data available (e.g. request for details on unknown peer)
+		##   * 5 - unknown
+		##   * 6 - unknown
+		##   * 7 - authentication failure (i.e. permission denied)
+		err:            count;
+		## Rest of data
+		data:           string &optional;
+	};
+
+	## NTP message as defined in :rfc:`5905`.  Does include fields for mode 7,
+	## reserved for private use in :rfc:`5905`, but used in some implementation
+	## for commands such as "monlist".
+	type NTP::Message: record {
+		## The NTP version number (1, 2, 3, 4).
+		version:        count;
+		## The NTP mode being used. Possible values are:
+		##
+		##   * 1 - symmetric active
+		##   * 2 - symmetric passive
+		##   * 3 - client
+		##   * 4 - server
+		##   * 5 - broadcast
+		##   * 6 - NTP control message
+		##   * 7 - reserved for private use
+		mode:           count;
+		## If mode 1-5, the standard fields for syncronization operations are
+		## here.  See :rfc:`5905`
+		std_msg:        NTP::StandardMessage &optional;
+		## If mode 6, the fields for control operations are here.
+		## See :rfc:`1119`
+		control_msg:    NTP::ControlMessage &optional;
+		## If mode 7, the fields for extra operations are here.
+		## Note that this is not defined in any RFC
+		## and is implementation dependent. We used the official implementation
+		## from the `NTP official project <www.ntp.org>`_.
+		## A mode 7 packet is used exchanging data between an NTP server
+		## and a client for purposes other than time synchronization, e.g.
+		## monitoring, statistics gathering and configuration.
+		mode7_msg: NTP::Mode7Message &optional;
+	};
+}
+
 module Cluster;
 export {
 	type Cluster::Pool: record {};

scripts/base/init-default.zeek

@@ -56,6 +56,7 @@
 @load base/protocols/modbus
 @load base/protocols/mysql
 @load base/protocols/ntlm
+@load base/protocols/ntp
 @load base/protocols/pop3
 @load base/protocols/radius
 @load base/protocols/rdp
@@ -74,7 +75,6 @@
 @load base/files/pe
 @load base/files/hash
 @load base/files/extract
-@load base/files/unified2
 @load base/files/x509
 
 @load base/misc/find-checksum-offloading

scripts/base/misc/version.zeek

@@ -78,10 +78,10 @@ export {
 	## The format of the number is ABBCC with A being the major version,
 	## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
 	## As an example, Zeek 2.4.1 results in the number 20401
-	const number = Version::parse(bro_version())$version_number;
+	const number = Version::parse(zeek_version())$version_number;
 
 	## `VersionDescription` record pertaining to the currently running version of Zeek.
-	const info = Version::parse(bro_version());
+	const info = Version::parse(zeek_version());
 }
 
 function at_least(version_string: string): bool

scripts/base/protocols/dhcp/main.zeek

@@ -141,7 +141,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
 	# Also, if Zeek is shutting down.
 	if ( (now - info$last_message_ts) > 5sec ||
 	     (now - info$ts) > max_txid_watch_time ||
-	     bro_is_terminating() )
+	     zeek_is_terminating() )
 		{
 		Log::write(LOG, info);
 

scripts/base/protocols/dns/main.zeek

@@ -456,6 +456,21 @@ event dns_TXT_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_v
 	hook DNS::do_reply(c, msg, ans, txt_strings);
 	}
 
+event dns_SPF_reply(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec) &priority=5
+	{
+	local spf_strings: string = "";
+
+	for ( i in strs )
+		{
+		if ( i > 0 )
+			spf_strings += " ";
+
+		spf_strings += fmt("SPF %d %s", |strs[i]|, strs[i]);
+		}
+
+	hook DNS::do_reply(c, msg, ans, spf_strings);
+	}
+
 event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
 	{
 	hook DNS::do_reply(c, msg, ans, fmt("%s", a));

scripts/base/protocols/ntp/__load__.zeek

@@ -0,0 +1,2 @@
+@load ./main
+@load ./consts

scripts/base/protocols/ntp/consts.zeek

@@ -0,0 +1,15 @@
+module NTP;
+
+export {
+	## The descriptions of the NTP mode value, as described
+	## in :rfc:`5905`, Figure 1
+	const modes: table[count] of string = {
+		[1] = "symmetric active",
+		[2] = "symmetric passive",
+		[3] = "client",
+		[4] = "server",
+		[5] = "broadcast server",
+		[6] = "broadcast client",
+		[7] = "reserved",
+	} &default=function(i: count):string { return fmt("unknown-%d", i); } &redef;
+}

scripts/base/protocols/ntp/main.zeek

@@ -0,0 +1,107 @@
+module NTP;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:         time	&log;
+		## Unique ID for the connection.
+		uid:        string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:         conn_id &log;
+		## The NTP version number (1, 2, 3, 4).
+		version:    count &log;
+		## The NTP mode being used.
+		mode:       count &log;
+		## The stratum (primary server, secondary server, etc.).
+		stratum:    count &log;
+		## The maximum interval between successive messages.
+		poll:       interval &log;
+		## The precision of the system clock.
+		precision:  interval &log;
+		## Total round-trip delay to the reference clock.
+		root_delay: interval &log;
+		## Total dispersion to the reference clock.
+		root_disp:  interval &log;
+		## For stratum 0, 4 character string used for debugging.
+		## For stratum 1, ID assigned to the reference clock by IANA.
+		## Above stratum 1, when using IPv4, the IP address of the reference
+		## clock.  Note that the NTP protocol did not originally specify a
+		## large enough field to represent IPv6 addresses, so they use
+		## the first four bytes of the MD5 hash of the reference clock's
+		## IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+		ref_id:     string &log;
+		## Time when the system clock was last set or correct.
+		ref_time:   time &log;
+		## Time at the client when the request departed for the NTP server.
+		org_time:   time &log;
+		## Time at the server when the request arrived from the NTP client.
+		rec_time:   time &log;
+		## Time at the server when the response departed for the NTP client.
+		xmt_time:   time &log;
+		## Number of extension fields (which are not currently parsed).
+		num_exts:   count &default=0 &log;
+	};
+
+	## Event that can be handled to access the NTP record as it is sent on
+	## to the logging framework.
+	global log_ntp: event(rec: Info);
+}
+
+redef record connection += {
+	ntp: Info &optional;
+};
+
+const ports = { 123/udp };
+redef likely_server_ports += { ports };
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
+	{
+	local info: Info;
+	info$ts  = network_time();
+	info$uid = c$uid;
+	info$id  = c$id;
+	info$version = msg$version;
+	info$mode = msg$mode;
+
+	if ( msg$mode < 6 )
+		{
+		info$stratum = msg$std_msg$stratum;
+		info$poll = msg$std_msg$poll;
+		info$precision = msg$std_msg$precision;
+		info$root_delay = msg$std_msg$root_delay;
+		info$root_disp = msg$std_msg$root_disp;
+
+		if ( msg$std_msg?$kiss_code )
+			info$ref_id = msg$std_msg$kiss_code;
+		else if ( msg$std_msg?$ref_id )
+			info$ref_id = msg$std_msg$ref_id;
+		else if ( msg$std_msg?$ref_addr )
+			info$ref_id= cat(msg$std_msg$ref_addr);
+
+		info$ref_time = msg$std_msg$ref_time;
+		info$org_time = msg$std_msg$org_time;
+		info$rec_time = msg$std_msg$rec_time;
+		info$xmt_time = msg$std_msg$xmt_time;
+
+		info$num_exts = msg$std_msg$num_exts;
+		}
+
+	# Copy the present packet info into the connection record
+	# If more ntp packets are sent on the same connection, the newest one
+	# will overwrite the previous
+	c$ntp = info;
+	}
+
+event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
+	{
+	if ( msg$mode < 6 )
+		Log::write(NTP::LOG, c$ntp);
+	}
+
+event zeek_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+	}

scripts/base/protocols/radius/main.zeek

@@ -24,9 +24,10 @@ export {
 		## and the network access server is not required to honor 
 		## the address.
 		framed_addr  : addr     &log &optional;
-		## Remote IP address, if present.  This is collected
+		## Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
-		## from the Tunnel-Client-Endpoint attribute.
+		## if present.  This is collected from the Tunnel-Client-Endpoint
-		remote_ip    : addr     &log &optional;
+		## attribute.
+		tunnel_client: string   &log &optional;
 		## Connect info, if present.
 		connect_info : string   &log &optional;
 		## Reply message from the server challenge. This is 
@@ -85,8 +86,8 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=5
 					c$radius$mac = normalize_mac(result$attributes[31][0]);
 
 				# Tunnel-Client-EndPoint (useful for VPNs)
-				if ( ! c$radius?$remote_ip && 66 in result$attributes )
+				if ( ! c$radius?$tunnel_client && 66 in result$attributes )
-					c$radius$remote_ip = to_addr(result$attributes[66][0]);
+					c$radius$tunnel_client = result$attributes[66][0];
 
 				# Connect-Info
 				if ( ! c$radius?$connect_info && 77 in result$attributes )

scripts/base/protocols/rdp/main.zeek

@@ -23,6 +23,8 @@ export {
 		result:                string  &log &optional;
 		## Security protocol chosen by the server.
 		security_protocol:     string &log &optional;
+		## The channels requested by the client
+		client_channels:       vector of string &log &optional;
 
 		## Keyboard layout (language) of the client machine.
 		keyboard_layout:       string  &log &optional;
@@ -189,6 +191,21 @@ event rdp_client_core_data(c: connection, data: RDP::ClientCoreData) &priority=5
 		c$rdp$requested_color_depth = RDP::high_color_depths[data$high_color_depth];
 	}
 
+event rdp_client_network_data(c: connection, channels: ClientChannelList)
+	{
+	set_session(c);
+
+	if ( ! c$rdp?$client_channels )
+		c$rdp$client_channels = vector();
+
+	for ( i in channels )
+		# Remove the NULs at the end
+		c$rdp$client_channels[i] = gsub(channels[i]$name, /\x00+$/, "");
+
+	if ( |channels| > 31 )
+		Reporter::conn_weird("RDP_channels_requested_exceeds_max", c, fmt("%s", |channels|));
+	}
+
 event rdp_gcc_server_create_response(c: connection, result: count) &priority=5
 	{
 	set_session(c);

scripts/policy/frameworks/netcontrol/catch-and-release.zeek

@@ -1,10 +1,9 @@
 ##! Implementation of catch-and-release functionality for NetControl.
 
-module NetControl;
+@load base/frameworks/netcontrol
-
 @load base/frameworks/cluster
-@load ./main
+
-@load ./drop
+module NetControl;
 
 export {
 

scripts/policy/frameworks/notice/actions/drop.zeek

@@ -1,8 +1,9 @@
 ##! This script extends the built in notice code to implement the IP address
 ##! dropping functionality.
 
-@load ../main
+@load base/frameworks/notice/main
 @load base/frameworks/netcontrol
+@load policy/frameworks/netcontrol/catch-and-release
 
 module Notice;
 

scripts/policy/misc/stats.zeek

@@ -99,7 +99,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local fs = get_file_analysis_stats();
 	local ds = get_dns_stats();
 
-	if ( bro_is_terminating() )
+	if ( zeek_is_terminating() )
 		# No more stats will be written or scheduled when Zeek is
 		# shutting down.
 		return;

scripts/policy/misc/trim-trace-file.zeek

@@ -17,7 +17,7 @@ export {
 
 event TrimTraceFile::go(first_trim: bool)
 	{
-	if ( bro_is_terminating() || trace_output_file == "" )
+	if ( zeek_is_terminating() || trace_output_file == "" )
 		return;
 	
 	if ( ! first_trim )

scripts/policy/protocols/conn/known-hosts.zeek

@@ -36,7 +36,7 @@ export {
 	global host_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::host_store`.
-	const host_store_name = "bro/known/hosts" &redef;
+	const host_store_name = "zeek/known/hosts" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::host_store`.
 	## This also changes the interval at which hosts get logged.

scripts/policy/protocols/conn/known-services.zeek

@@ -48,7 +48,7 @@ export {
 	global service_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::service_store`.
-	const service_store_name = "bro/known/services" &redef;
+	const service_store_name = "zeek/known/services" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::service_store`.
 	## This also changes the interval at which services get logged.

scripts/policy/protocols/ssl/known-certs.zeek

@@ -48,7 +48,7 @@ export {
 	global cert_store: Cluster::StoreInfo;
 
 	## The Broker topic name to use for :zeek:see:`Known::cert_store`.
-	const cert_store_name = "bro/known/certs" &redef;
+	const cert_store_name = "zeek/known/certs" &redef;
 
 	## The expiry interval of new entries in :zeek:see:`Known::cert_store`.
 	## This also changes the interval at which certs get logged.

scripts/test-all-policy.zeek

@@ -31,12 +31,16 @@
 @load frameworks/intel/seen/ssl.zeek
 @load frameworks/intel/seen/where-locations.zeek
 @load frameworks/intel/seen/x509.zeek
+@load frameworks/netcontrol/catch-and-release.zeek
 @load frameworks/files/detect-MHR.zeek
 @load frameworks/files/entropy-test-all-files.zeek
 #@load frameworks/files/extract-all-files.zeek
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
+@load frameworks/notice/actions/drop.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
+@load files/unified2/__load__.zeek
+@load files/unified2/main.zeek
 @load files/x509/log-ocsp.zeek
 @load frameworks/packet-filter/shunt.zeek
 @load frameworks/software/version-changes.zeek

src/BroString.cc

@@ -288,7 +288,7 @@ void BroString::ToUpper()
 
 BroString* BroString::GetSubstring(int start, int len) const
 	{
-	// This code used to live in bro.bif's sub_bytes() routine.
+	// This code used to live in zeek.bif's sub_bytes() routine.
 	if ( start < 0 || start > n )
 		return 0;
 

src/Brofiler.cc

@@ -17,7 +17,8 @@ Brofiler::~Brofiler()
 
 bool Brofiler::ReadStats()
 	{
-	char* bf = getenv("BRO_PROFILER_FILE");
+	char* bf = zeekenv("ZEEK_PROFILER_FILE");
+
 	if ( ! bf )
 		return false;
 
@@ -47,14 +48,16 @@ bool Brofiler::ReadStats()
 
 bool Brofiler::WriteStats()
 	{
-	char* bf = getenv("BRO_PROFILER_FILE");
+	char* bf = zeekenv("ZEEK_PROFILER_FILE");
-	if ( ! bf ) return false;
+
+	if ( ! bf )
+		return false;
 
 	SafeDirname dirname{bf};
 
 	if ( ! ensure_intermediate_dirs(dirname.result.data()) )
 		{
-		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
+		reporter->Error("Failed to open ZEEK_PROFILER_FILE destination '%s' for writing", bf);
 		return false;
 		}
 
@@ -69,7 +72,7 @@ bool Brofiler::WriteStats()
 
 		if ( fd == -1 )
 			{
-			reporter->Error("Failed to generate unique file name from BRO_PROFILER_FILE: %s", bf);
+			reporter->Error("Failed to generate unique file name from ZEEK_PROFILER_FILE: %s", bf);
 			return false;
 			}
 		f = fdopen(fd, "w");
@@ -81,7 +84,7 @@ bool Brofiler::WriteStats()
 
 	if ( ! f )
 		{
-		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
+		reporter->Error("Failed to open ZEEK_PROFILER_FILE destination '%s' for writing", bf);
 		return false;
 		}
 

src/Brofiler.h

@@ -17,7 +17,7 @@ public:
 
 	/**
 	 * Imports Bro script Stmt usage information from file pointed to by
-	 * environment variable BRO_PROFILER_FILE.
+	 * environment variable ZEEK_PROFILER_FILE.
 	 *
 	 * @return: true if usage info was read, otherwise false.
 	 */
@@ -26,7 +26,7 @@ public:
 	/**
 	 * Combines usage stats from current run with any read from ReadStats(),
 	 * then writes information to file pointed to by environment variable
-	 * BRO_PROFILER_FILE.  If the value of that env. variable ends with
+	 * ZEEK_PROFILER_FILE.  If the value of that env. variable ends with
 	 * ".XXXXXX" (exactly 6 X's), then it is first passed through mkstemp
 	 * to get a unique file.
 	 *

src/CMakeLists.txt

@@ -103,7 +103,7 @@ set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-comp
 include(BifCl)
 
 set(BIF_SRCS
-    bro.bif
+    zeek.bif
     stats.bif
     event.bif
     const.bif
@@ -415,7 +415,7 @@ install(CODE "
 ")
 
 install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
-        DESTINATION include/bro
+        DESTINATION include/zeek
         FILES_MATCHING
         PATTERN "*.h"
         PATTERN "*.pac"
@@ -423,7 +423,7 @@ install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/
 )
 
 install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
-        DESTINATION include/bro
+        DESTINATION include/zeek
         FILES_MATCHING
         PATTERN "*.bif.func_h"
         PATTERN "*.bif.netvar_h"
@@ -432,5 +432,5 @@ install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
 )
 
 install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h
-        DESTINATION include/bro/3rdparty
+        DESTINATION include/zeek/3rdparty
 )

src/DNS_Mgr.cc

@@ -414,7 +414,7 @@ void DNS_Mgr::Init()
 	// script-layer option to configure the DNS resolver as it may not be
 	// configured to the user's desired address at the time when we need to to
 	// the lookup.
-	auto dns_resolver = getenv("ZEEK_DNS_RESOLVER");
+	auto dns_resolver = zeekenv("ZEEK_DNS_RESOLVER");
 	auto dns_resolver_addr = dns_resolver ? IPAddr(dns_resolver) : IPAddr();
 	char err[NB_DNS_ERRSIZE];
 

src/Expr.cc

@@ -2110,7 +2110,6 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 	if ( bt1 == TYPE_TABLE && op2->Tag() == EXPR_LIST )
 		{
 		attr_list* attr_copy = 0;
-
 		if ( attrs )
 			{
 			attr_copy = new attr_list(attrs->length());
@@ -2118,11 +2117,23 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 				attr_copy->append((*attrs)[i]);
 			}
 
+		bool empty_list_assignment = (op2->AsListExpr()->Exprs().length() == 0);
+
 		if ( op1->Type()->IsSet() )
 			op2 = new SetConstructorExpr(op2->AsListExpr(), attr_copy);
 		else
 			op2 = new TableConstructorExpr(op2->AsListExpr(), attr_copy);
 
+		if ( ! empty_list_assignment && ! same_type(op1->Type(), op2->Type()) )
+			{
+			if ( op1->Type()->IsSet() )
+				ExprError("set type mismatch in assignment");
+			else
+				ExprError("table type mismatch in assignment");
+
+			return false;
+			}
+
 		return true;
 		}
 
@@ -2136,7 +2147,7 @@ bool AssignExpr::TypeCheck(attr_list* attrs)
 
 		if ( op2->Tag() == EXPR_LIST )
 			{
-			op2 = new VectorConstructorExpr(op2->AsListExpr());
+			op2 = new VectorConstructorExpr(op2->AsListExpr(), op1->Type());
 			return true;
 			}
 		}
@@ -3520,15 +3531,41 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 
 			if ( ! same_type(sup_t_i, sub_t_i) )
 				{
-				if ( sup_t_i->Tag() != TYPE_RECORD ||
+				auto is_arithmetic_promotable = [](BroType* sup, BroType* sub) -> bool
-				     sub_t_i->Tag() != TYPE_RECORD ||
-				     ! record_promotion_compatible(sup_t_i->AsRecordType(),
-				                                   sub_t_i->AsRecordType()) )
 					{
-					char buf[512];
+					auto sup_tag = sup->Tag();
-					safe_snprintf(buf, sizeof(buf),
+					auto sub_tag = sub->Tag();
+
+					if ( ! BothArithmetic(sup_tag, sub_tag) )
+						return false;
+
+					if ( sub_tag == TYPE_DOUBLE && IsIntegral(sup_tag) )
+						return false;
+
+					if ( sub_tag == TYPE_INT && sup_tag == TYPE_COUNT )
+						return false;
+
+					return true;
+					};
+
+				auto is_record_promotable = [](BroType* sup, BroType* sub) -> bool
+					{
+					if ( sup->Tag() != TYPE_RECORD )
+						return false;
+
+					if ( sub->Tag() != TYPE_RECORD )
+						return false;
+
+					return record_promotion_compatible(sup->AsRecordType(),
+					                                   sub->AsRecordType());
+					};
+
+				if ( ! is_arithmetic_promotable(sup_t_i, sub_t_i) &&
+				     ! is_record_promotable(sup_t_i, sub_t_i) )
+					{
+					string error_msg = fmt(
 						"type clash for field \"%s\"", sub_r->FieldName(i));
-					Error(buf, sub_t_i);
+					Error(error_msg.c_str(), sub_t_i);
 					SetError();
 					break;
 					}
@@ -3546,11 +3583,9 @@ RecordCoerceExpr::RecordCoerceExpr(Expr* op, RecordType* r)
 				{
 				if ( ! t_r->FieldDecl(i)->FindAttr(ATTR_OPTIONAL) )
 					{
-					char buf[512];
+					string error_msg = fmt(
-					safe_snprintf(buf, sizeof(buf),
+						"non-optional field \"%s\" missing", t_r->FieldName(i));
-					              "non-optional field \"%s\" missing",
+					Error(error_msg.c_str());
-					              t_r->FieldName(i));
-					Error(buf);
 					SetError();
 					break;
 					}
@@ -3638,6 +3673,20 @@ Val* RecordCoerceExpr::Fold(Val* v) const
 					rhs = new_val;
 					}
 				}
+			else if ( BothArithmetic(rhs_type->Tag(), field_type->Tag()) &&
+			          ! same_type(rhs_type, field_type) )
+				{
+				if ( Val* new_val = check_and_promote(rhs, field_type, false, op->GetLocationInfo()) )
+					{
+					// Don't call unref here on rhs because check_and_promote already called it.
+					rhs = new_val;
+					}
+				else
+					{
+					Unref(val);
+					RuntimeError("Failed type conversion");
+					}
+				}
 
 			val->Assign(i, rhs);
 			}

src/Func.cc

@@ -627,13 +627,13 @@ void builtin_error(const char* msg, BroObj* arg)
 		emit(last_call.call);
 	}
 
-#include "bro.bif.func_h"
+#include "zeek.bif.func_h"
 #include "stats.bif.func_h"
 #include "reporter.bif.func_h"
 #include "strings.bif.func_h"
 #include "option.bif.func_h"
 
-#include "bro.bif.func_def"
+#include "zeek.bif.func_def"
 #include "stats.bif.func_def"
 #include "reporter.bif.func_def"
 #include "strings.bif.func_def"
@@ -660,7 +660,7 @@ void init_builtin_funcs()
 
 	var_sizes = internal_type("var_sizes")->AsTableType();
 
-#include "bro.bif.func_init"
+#include "zeek.bif.func_init"
 #include "stats.bif.func_init"
 #include "reporter.bif.func_init"
 #include "strings.bif.func_init"

src/NetVar.cc

@@ -77,7 +77,6 @@ bool udp_content_deliver_all_orig;
 bool udp_content_deliver_all_resp;
 
 double dns_session_timeout;
-double ntp_session_timeout;
 double rpc_timeout;
 
 ListVal* skip_authentication;
@@ -103,8 +102,6 @@ TableType* pm_mappings;
 RecordType* pm_port_request;
 RecordType* pm_callit_request;
 
-RecordType* ntp_msg;
-
 RecordType* geo_location;
 
 RecordType* entropy_test_result;
@@ -360,7 +357,6 @@ void init_net_var()
 		bool(internal_val("udp_content_deliver_all_resp")->AsBool());
 
 	dns_session_timeout = opt_internal_double("dns_session_timeout");
-	ntp_session_timeout = opt_internal_double("ntp_session_timeout");
 	rpc_timeout = opt_internal_double("rpc_timeout");
 
 	watchdog_interval = int(opt_internal_double("watchdog_interval"));
@@ -390,8 +386,6 @@ void init_net_var()
 	pm_port_request = internal_type("pm_port_request")->AsRecordType();
 	pm_callit_request = internal_type("pm_callit_request")->AsRecordType();
 
-	ntp_msg = internal_type("ntp_msg")->AsRecordType();
-
 	geo_location = internal_type("geo_location")->AsRecordType();
 
 	entropy_test_result = internal_type("entropy_test_result")->AsRecordType();

src/NetVar.h

@@ -80,7 +80,6 @@ extern bool udp_content_deliver_all_orig;
 extern bool udp_content_deliver_all_resp;
 
 extern double dns_session_timeout;
-extern double ntp_session_timeout;
 extern double rpc_timeout;
 
 extern ListVal* skip_authentication;
@@ -106,8 +105,6 @@ extern TableType* pm_mappings;
 extern RecordType* pm_port_request;
 extern RecordType* pm_callit_request;
 
-extern RecordType* ntp_msg;
-
 extern RecordType* geo_location;
 
 extern RecordType* entropy_test_result;

src/Obj.cc

@@ -58,21 +58,21 @@ BroObj::~BroObj()
 	delete location;
 	}
 
-void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only) const
+void BroObj::Warn(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
 	{
 	ODesc d;
-	DoMsg(&d, msg, obj2, pinpoint_only);
+	DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
 	reporter->Warning("%s", d.Description());
 	reporter->PopLocation();
 	}
 
-void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only) const
+void BroObj::Error(const char* msg, const BroObj* obj2, int pinpoint_only, const Location* expr_location) const
 	{
 	if ( suppress_errors )
 		return;
 
 	ODesc d;
-	DoMsg(&d, msg, obj2, pinpoint_only);
+	DoMsg(&d, msg, obj2, pinpoint_only, expr_location);
 	reporter->Error("%s", d.Description());
 	reporter->PopLocation();
 	}
@@ -158,7 +158,7 @@ void BroObj::UpdateLocationEndInfo(const Location& end)
 	}
 
 void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
-			int pinpoint_only) const
+			int pinpoint_only, const Location* expr_location) const
 	{
 	d->SetShort();
 
@@ -169,6 +169,8 @@ void BroObj::DoMsg(ODesc* d, const char s1[], const BroObj* obj2,
 	if ( obj2 && obj2->GetLocationInfo() != &no_location &&
 		 *obj2->GetLocationInfo() != *GetLocationInfo() )
 		loc2 = obj2->GetLocationInfo();
+	else if ( expr_location )
+		loc2 = expr_location;
 
 	reporter->PushLocation(GetLocationInfo(), loc2);
 	}

src/Obj.h

@@ -109,9 +109,9 @@ public:
 	// included in the message, though if pinpoint_only is non-zero,
 	// then obj2 is only used to pinpoint the location.
 	void Warn(const char* msg, const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 	void Error(const char* msg, const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 
 	// Report internal errors.
 	void BadTag(const char* msg, const char* t1 = 0,
@@ -165,7 +165,7 @@ private:
 	friend class SuppressErrors;
 
 	void DoMsg(ODesc* d, const char s1[], const BroObj* obj2 = 0,
-			int pinpoint_only = 0) const;
+			int pinpoint_only = 0, const Location* expr_location = 0) const;
 	void PinPoint(ODesc* d, const BroObj* obj2 = 0,
 			int pinpoint_only = 0) const;
 

src/OpaqueVal.cc

@@ -223,7 +223,7 @@ Val* MD5Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
@@ -375,7 +375,7 @@ Val* SHA1Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
@@ -519,7 +519,7 @@ Val* SHA256Val::DoClone(CloneState* state)
 		EVP_MD_CTX_copy_ex(out->ctx, ctx);
 		}
 
-	return out;
+	return state->NewClone(this, out);
 	}
 
 void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
@@ -776,10 +776,10 @@ Val* BloomFilterVal::DoClone(CloneState* state)
 		{
 		auto bf = new BloomFilterVal(bloom_filter->Clone());
 		bf->Typify(type);
-		return bf;
+		return state->NewClone(this, bf);
 		}
 
-	return new BloomFilterVal();
+	return state->NewClone(this, new BloomFilterVal());
 	}
 
 bool BloomFilterVal::Typify(BroType* arg_type)
@@ -948,7 +948,8 @@ CardinalityVal::~CardinalityVal()
 
 Val* CardinalityVal::DoClone(CloneState* state)
 	{
-	return new CardinalityVal(new probabilistic::CardinalityCounter(*c));
+	return state->NewClone(this,
+			       new CardinalityVal(new probabilistic::CardinalityCounter(*c)));
 	}
 
 bool CardinalityVal::Typify(BroType* arg_type)

src/Type.cc

@@ -1672,6 +1672,10 @@ int is_assignable(BroType* t)
 	return 0;
 	}
 
+#define CHECK_TYPE(t) \
+	if ( t1 == t || t2 == t ) \
+		return t;
+
 TypeTag max_type(TypeTag t1, TypeTag t2)
 	{
 	if ( t1 == TYPE_INTERVAL || t1 == TYPE_TIME )
@@ -1681,10 +1685,6 @@ TypeTag max_type(TypeTag t1, TypeTag t2)
 
 	if ( BothArithmetic(t1, t2) )
 		{
-#define CHECK_TYPE(t) \
-	if ( t1 == t || t2 == t ) \
-		return t;
-
 		CHECK_TYPE(TYPE_DOUBLE);
 		CHECK_TYPE(TYPE_INT);
 		CHECK_TYPE(TYPE_COUNT);

src/Val.cc

@@ -89,8 +89,6 @@ Val* Val::Clone(CloneState* state)
 
 	auto c = DoClone(state);
 	assert(c);
-
-	state->clones.insert(std::make_pair(this, c));
 	return c;
 	}
 
@@ -353,6 +351,35 @@ void Val::ValDescribeReST(ODesc* d) const
 	}
 	}
 
+
+bool Val::WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val)
+	{
+	if ( !to_type || !from_type )
+		return true;
+	else if ( same_type(to_type, from_type) )
+		return false;
+
+	if ( to_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+		return false;
+	else if ( to_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+		{
+		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+			return (val->InternalDouble() < 0.0 || val->InternalDouble() > static_cast<double>(UINT64_MAX));
+		else if ( from_type->InternalType() == TYPE_INTERNAL_INT )
+			return (val->InternalInt() < 0);
+		}
+	else if ( to_type->InternalType() == TYPE_INTERNAL_INT )
+		{
+		if ( from_type->InternalType() == TYPE_INTERNAL_DOUBLE )
+			return (val->InternalDouble() < static_cast<double>(INT64_MIN) ||
+			        val->InternalDouble() > static_cast<double>(INT64_MAX));
+		else if ( from_type->InternalType() == TYPE_INTERNAL_UNSIGNED )
+			return (val->InternalUnsigned() > INT64_MAX);
+		}
+
+	return false;
+	}
+
 MutableVal::~MutableVal()
 	{
 	for ( list<ID*>::iterator i = aliases.begin(); i != aliases.end(); ++i )
@@ -831,8 +858,12 @@ unsigned int StringVal::MemoryAllocation() const
 
 Val* StringVal::DoClone(CloneState* state)
 	{
-	return new StringVal(new BroString((u_char*) val.string_val->Bytes(),
+	// We could likely treat this type as immutable and return a reference
-	                                   val.string_val->Len(), 1));
+	// instead of creating a new copy, but we first need to be careful and
+	// audit whether anything internal actually does mutate it.
+	return state->NewClone(this, new StringVal(
+	        new BroString((u_char*) val.string_val->Bytes(),
+	                      val.string_val->Len(), 1)));
 	}
 
 PatternVal::PatternVal(RE_Matcher* re) : Val(base_type(TYPE_PATTERN))
@@ -885,10 +916,13 @@ unsigned int PatternVal::MemoryAllocation() const
 
 Val* PatternVal::DoClone(CloneState* state)
 	{
+	// We could likely treat this type as immutable and return a reference
+	// instead of creating a new copy, but we first need to be careful and
+	// audit whether anything internal actually does mutate it.
 	auto re = new RE_Matcher(val.re_val->PatternText(),
 	                         val.re_val->AnywherePatternText());
 	re->Compile();
-	return new PatternVal(re);
+	return state->NewClone(this, new PatternVal(re));
 	}
 
 ListVal::ListVal(TypeTag t)
@@ -977,6 +1011,7 @@ Val* ListVal::DoClone(CloneState* state)
 	{
 	auto lv = new ListVal(tag);
 	lv->vals.resize(vals.length());
+	state->NewClone(this, lv);
 
 	loop_over_list(vals, i)
 		lv->Append(vals[i]->Clone(state));
@@ -2137,6 +2172,7 @@ void TableVal::ReadOperation(Val* index, TableEntryVal* v)
 Val* TableVal::DoClone(CloneState* state)
 	{
 	auto tv = new TableVal(table_type);
+	state->NewClone(this, tv);
 
 	const PDict(TableEntryVal)* tbl = AsTable();
 	IterCookie* cookie = tbl->InitForIteration();
@@ -2249,10 +2285,15 @@ vector<RecordVal*> RecordVal::parse_time_records;
 RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
 	{
 	origin = 0;
-	record_type = t;
+	int n = t->NumFields();
-	int n = record_type->NumFields();
 	val_list* vl = val.val_list_val = new val_list(n);
 
+	if ( is_parsing )
+		{
+		parse_time_records.emplace_back(this);
+		Ref();
+		}
+
 	if ( ! init_fields )
 		return;
 
@@ -2260,10 +2301,10 @@ RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
 	// by default).
 	for ( int i = 0; i < n; ++i )
 		{
-		Attributes* a = record_type->FieldDecl(i)->attrs;
+		Attributes* a = t->FieldDecl(i)->attrs;
 		Attr* def_attr = a ? a->FindAttr(ATTR_DEFAULT) : 0;
 		Val* def = def_attr ? def_attr->AttrExpr()->Eval(0) : 0;
-		BroType* type = record_type->FieldDecl(i)->type;
+		BroType* type = t->FieldDecl(i)->type;
 
 		if ( def && type->Tag() == TYPE_RECORD &&
 		     def->Type()->Tag() == TYPE_RECORD &&
@@ -2294,12 +2335,6 @@ RecordVal::RecordVal(RecordType* t, bool init_fields) : MutableVal(t)
 		vl->append(def ? def->Ref() : 0);
 
 		Unref(def);
-
-		if ( is_parsing )
-			{
-			parse_time_records.emplace_back(this);
-			Ref();
-			}
 		}
 	}
 
@@ -2340,7 +2375,7 @@ Val* RecordVal::LookupWithDefault(int field) const
 	if ( val )
 		return val->Ref();
 
-	return record_type->FieldDefault(field);
+	return Type()->AsRecordType()->FieldDefault(field);
 	}
 
 void RecordVal::ResizeParseTimeRecords()
@@ -2348,7 +2383,7 @@ void RecordVal::ResizeParseTimeRecords()
 	for ( auto& rv : parse_time_records )
 		{
 		auto vs = rv->val.val_list_val;
-		auto rt = rv->record_type;
+		auto rt = rv->Type()->AsRecordType();
 		auto current_length = vs->length();
 		auto required_length = rt->NumFields();
 
@@ -2368,7 +2403,7 @@ void RecordVal::ResizeParseTimeRecords()
 
 Val* RecordVal::Lookup(const char* field, bool with_default) const
 	{
-	int idx = record_type->FieldOffset(field);
+	int idx = Type()->AsRecordType()->FieldOffset(field);
 
 	if ( idx < 0 )
 		reporter->InternalError("missing record field: %s", field);
@@ -2453,6 +2488,7 @@ void RecordVal::Describe(ODesc* d) const
 	{
 	const val_list* vl = AsRecord();
 	int n = vl->length();
+	auto record_type = Type()->AsRecordType();
 
 	if ( d->IsBinary() || d->IsPortable() )
 		{
@@ -2489,6 +2525,7 @@ void RecordVal::DescribeReST(ODesc* d) const
 	{
 	const val_list* vl = AsRecord();
 	int n = vl->length();
+	auto record_type = Type()->AsRecordType();
 
 	d->Add("{");
 	d->PushIndent();
@@ -2520,8 +2557,9 @@ Val* RecordVal::DoClone(CloneState* state)
 	// record. As we cannot guarantee that it will ber zeroed out at the
 	// approproate time (as it seems to be guaranteed for the original record)
 	// we don't touch it.
-	auto rv = new RecordVal(record_type, false);
+	auto rv = new RecordVal(Type()->AsRecordType(), false);
 	rv->origin = nullptr;
+	state->NewClone(this, rv);
 
 	loop_over_list(*val.val_list_val, i)
 		{
@@ -2750,6 +2788,7 @@ Val* VectorVal::DoClone(CloneState* state)
 	{
 	auto vv = new VectorVal(vector_type);
 	vv->val.vector_val->reserve(val.vector_val->size());
+	state->NewClone(this, vv);
 
 	for ( unsigned int i = 0; i < val.vector_val->size(); ++i )
 		{
@@ -2779,7 +2818,7 @@ void VectorVal::ValDescribe(ODesc* d) const
 	d->Add("]");
 	}
 
-Val* check_and_promote(Val* v, const BroType* t, int is_init)
+Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location)
 	{
 	if ( ! v )
 		return 0;
@@ -2803,7 +2842,7 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 		if ( same_type(t, vt, is_init) )
 			return v;
 
-		t->Error("type clash", v);
+		t->Error("type clash", v, 0, expr_location);
 		Unref(v);
 		return 0;
 		}
@@ -2812,9 +2851,9 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	     (! IsArithmetic(v_tag) || t_tag != TYPE_TIME || ! v->IsZero()) )
 		{
 		if ( t_tag == TYPE_LIST || v_tag == TYPE_LIST )
-			t->Error("list mixed with scalar", v);
+			t->Error("list mixed with scalar", v, 0, expr_location);
 		else
-			t->Error("arithmetic mixed with non-arithmetic", v);
+			t->Error("arithmetic mixed with non-arithmetic", v, 0, expr_location);
 		Unref(v);
 		return 0;
 		}
@@ -2822,12 +2861,12 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	if ( v_tag == t_tag )
 		return v;
 
-	if ( t_tag != TYPE_TIME )
+	if ( t_tag != TYPE_TIME && ! BothArithmetic(t_tag, v_tag) )
 		{
 		TypeTag mt = max_type(t_tag, v_tag);
 		if ( mt != t_tag )
 			{
-			t->Error("over-promotion of arithmetic value", v);
+			t->Error("over-promotion of arithmetic value", v, 0, expr_location);
 			Unref(v);
 			return 0;
 			}
@@ -2844,7 +2883,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 	Val* promoted_v;
 	switch ( it ) {
 	case TYPE_INTERNAL_INT:
-		if ( t_tag == TYPE_INT )
+		if ( ( vit == TYPE_INTERNAL_UNSIGNED || vit == TYPE_INTERNAL_DOUBLE ) && Val::WouldOverflow(vt, t, v) )
+			{
+			t->Error("overflow promoting from unsigned/double to signed arithmetic value", v, 0, expr_location);
+			Unref(v);
+			return 0;
+			}
+		else if ( t_tag == TYPE_INT )
 			promoted_v = val_mgr->GetInt(v->CoerceToInt());
 		else if ( t_tag == TYPE_BOOL )
 			promoted_v = val_mgr->GetBool(v->CoerceToInt());
@@ -2858,7 +2903,13 @@ Val* check_and_promote(Val* v, const BroType* t, int is_init)
 		break;
 
 	case TYPE_INTERNAL_UNSIGNED:
-		if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
+		if ( ( vit == TYPE_INTERNAL_DOUBLE || vit == TYPE_INTERNAL_INT) && Val::WouldOverflow(vt, t, v) )
+			{
+			t->Error("overflow promoting from signed/double to unsigned arithmetic value", v, 0, expr_location);
+			Unref(v);
+			return 0;
+			}
+		else if ( t_tag == TYPE_COUNT || t_tag == TYPE_COUNTER )
 			promoted_v = val_mgr->GetCount(v->CoerceToUnsigned());
 		else // port
 			{

src/Val.h

@@ -91,7 +91,7 @@ typedef union {
 
 class Val : public BroObj {
 public:
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(bool b, TypeTag t)
 		{
 		val.int_val = b;
@@ -101,7 +101,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(int32 i, TypeTag t)
 		{
 		val.int_val = bro_int_t(i);
@@ -111,7 +111,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(uint32 u, TypeTag t)
 		{
 		val.uint_val = bro_uint_t(u);
@@ -121,7 +121,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(int64 i, TypeTag t)
 		{
 		val.int_val = i;
@@ -131,7 +131,7 @@ public:
 #endif
 		}
 
-	BRO_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
+	ZEEK_DEPRECATED("use val_mgr->GetBool, GetFalse/GetTrue, GetInt, or GetCount instead")
 	Val(uint64 u, TypeTag t)
 		{
 		val.uint_val = u;
@@ -365,6 +365,8 @@ public:
 		}
 #endif
 
+	static bool WouldOverflow(const BroType* from_type, const BroType* to_type, const Val* val);
+
 protected:
 
 	friend class EnumType;
@@ -418,7 +420,16 @@ protected:
 
 	// For internal use by the Val::Clone() methods.
 	struct CloneState {
-	    std::unordered_map<const Val*, Val*> clones;
+		// Caches a cloned value for later reuse during the same
+		// cloning operation. For recursive types, call this *before*
+		// descending down.
+		Val* NewClone(Val *src, Val* dst)
+			{
+			clones.insert(std::make_pair(src, dst));
+			return dst;
+			}
+
+		std::unordered_map<Val*, Val*> clones;
 	};
 
 	Val* Clone(CloneState* state);
@@ -437,15 +448,15 @@ protected:
 class PortManager {
 public:
 	// Port number given in host order.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal* Get(uint32 port_num, TransportProto port_type) const;
 
 	// Host-order port number already masked with port space protocol mask.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal* Get(uint32 port_num) const;
 
 	// Returns a masked port number
-	BRO_DEPRECATED("use PortVal::Mask() instead")
+	ZEEK_DEPRECATED("use PortVal::Mask() instead")
 	uint32 Mask(uint32 port_num, TransportProto port_type) const;
 };
 
@@ -590,11 +601,11 @@ protected:
 class PortVal : public Val {
 public:
 	// Port number given in host order.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	PortVal(uint32 p, TransportProto port_type);
 
 	// Host-order port number already masked with port space protocol mask.
-	BRO_DEPRECATED("use val_mgr->GetPort() instead")
+	ZEEK_DEPRECATED("use val_mgr->GetPort() instead")
 	explicit PortVal(uint32 p);
 
 	Val* SizeVal() const override	{ return val_mgr->GetInt(val.uint_val); }
@@ -1012,7 +1023,7 @@ public:
 	~RecordVal() override;
 
 	Val* SizeVal() const override
-		{ return val_mgr->GetCount(record_type->NumFields()); }
+		{ return val_mgr->GetCount(Type()->AsRecordType()->NumFields()); }
 
 	void Assign(int field, Val* new_val, Opcode op = OP_ASSIGN);
 	Val* Lookup(int field) const;	// Does not Ref() value.
@@ -1076,7 +1087,7 @@ protected:
 class EnumVal : public Val {
 public:
 
-	BRO_DEPRECATED("use t->GetVal(i) instead")
+	ZEEK_DEPRECATED("use t->GetVal(i) instead")
 	EnumVal(int i, EnumType* t) : Val(t)
 		{
 		val.int_val = i;
@@ -1165,7 +1176,7 @@ protected:
 // Unref()'ing the original.  If not a match, generates an error message
 // and returns nil, also Unref()'ing v.  If is_init is true, then
 // the checking is done in the context of an initialization.
-extern Val* check_and_promote(Val* v, const BroType* t, int is_init);
+extern Val* check_and_promote(Val* v, const BroType* t, int is_init, const Location* expr_location = nullptr);
 
 // Given a pointer to where a Val's core (i.e., its BRO value) resides,
 // returns a corresponding newly-created or Ref()'d Val.  ptr must already

src/analyzer/Analyzer.cc

@@ -679,6 +679,9 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 
 void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	{
+	if ( ! protocol_violation )
+		return;
+
 	StringVal* r;
 
 	if ( data && len )
@@ -692,9 +695,6 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 	else
 		r = new StringVal(reason);
 
-	if ( ! protocol_violation )
-		return;
-
 	EnumVal* tval = tag.AsEnumVal();
 	Ref(tval);
 

src/analyzer/protocol/CMakeLists.txt

@@ -36,9 +36,9 @@ add_subdirectory(rdp)
 add_subdirectory(rfb)
 add_subdirectory(rpc)
 add_subdirectory(sip)
-add_subdirectory(snmp)
 add_subdirectory(smb)
 add_subdirectory(smtp)
+add_subdirectory(snmp)
 add_subdirectory(socks)
 add_subdirectory(ssh)
 add_subdirectory(ssl)

src/analyzer/protocol/arp/CMakeLists.txt

@@ -4,12 +4,12 @@
 # it's also parsing a protocol just like them. The current structure
 # is merely a left-over from when this code was written.
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ARP)
+zeek_plugin_begin(Zeek ARP)
-bro_plugin_cc(ARP.cc Plugin.cc)
+zeek_plugin_cc(ARP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_end()
 

src/analyzer/protocol/arp/Plugin.cc

@@ -4,14 +4,14 @@
 #include "plugin/Plugin.h"
 
 namespace plugin {
-namespace Bro_ARP {
+namespace Zeek_ARP {
 
 class Plugin : public plugin::Plugin {
 public:
 	plugin::Configuration Configure()
 		{
 		plugin::Configuration config;
-		config.name = "Bro::ARP";
+		config.name = "Zeek::ARP";
 		config.description = "ARP Parsing";
 		return config;
 		}

src/analyzer/protocol/arp/events.bif

@@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
 
-## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## Generated for ARP packets that Zeek cannot interpret. Examples are packets
 ## with non-standard hardware address formats or hardware addresses that do not
 ## match the originator of the packet.
 ##
@@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 ##
 ## .. zeek:see:: arp_reply arp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

src/analyzer/protocol/ayiya/CMakeLists.txt

@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro AYIYA)
+zeek_plugin_begin(Zeek AYIYA)
-bro_plugin_cc(AYIYA.cc Plugin.cc)
+zeek_plugin_cc(AYIYA.cc Plugin.cc)
-bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
+zeek_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/ayiya/Plugin.cc

@@ -6,7 +6,7 @@
 #include "AYIYA.h"
 
 namespace plugin {
-namespace Bro_AYIYA {
+namespace Zeek_AYIYA {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("AYIYA", ::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::AYIYA";
+		config.name = "Zeek::AYIYA";
 		config.description = "AYIYA Analyzer";
 		return config;
 		}

src/analyzer/protocol/backdoor/CMakeLists.txt

@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BackDoor)
+zeek_plugin_begin(Zeek BackDoor)
-bro_plugin_cc(BackDoor.cc Plugin.cc)
+zeek_plugin_cc(BackDoor.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/backdoor/Plugin.cc

@@ -6,7 +6,7 @@
 #include "BackDoor.h"
 
 namespace plugin {
-namespace Bro_BackDoor {
+namespace Zeek_BackDoor {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("BackDoor", ::analyzer::backdoor::BackDoor_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BackDoor";
+		config.name = "Zeek::BackDoor";
 		config.description = "Backdoor Analyzer deprecated";
 		return config;
 		}

src/analyzer/protocol/bittorrent/CMakeLists.txt

@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro BitTorrent)
+zeek_plugin_begin(Zeek BitTorrent)
-bro_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
+zeek_plugin_cc(BitTorrent.cc BitTorrentTracker.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
+zeek_plugin_pac(bittorrent.pac bittorrent-analyzer.pac bittorrent-protocol.pac)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/bittorrent/Plugin.cc

@@ -7,7 +7,7 @@
 #include "BitTorrentTracker.h"
 
 namespace plugin {
-namespace Bro_BitTorrent {
+namespace Zeek_BitTorrent {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -17,7 +17,7 @@ public:
 		AddComponent(new ::analyzer::Component("BitTorrentTracker", ::analyzer::bittorrent::BitTorrentTracker_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::BitTorrent";
+		config.name = "Zeek::BitTorrent";
 		config.description = "BitTorrent Analyzer";
 		return config;
 		}

src/analyzer/protocol/conn-size/CMakeLists.txt

@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro ConnSize)
+zeek_plugin_begin(Zeek ConnSize)
-bro_plugin_cc(ConnSize.cc Plugin.cc)
+zeek_plugin_cc(ConnSize.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_bif(functions.bif)
+zeek_plugin_bif(functions.bif)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/conn-size/Plugin.cc

@@ -6,7 +6,7 @@
 #include "ConnSize.h"
 
 namespace plugin {
-namespace Bro_ConnSize {
+namespace Zeek_ConnSize {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("ConnSize", ::analyzer::conn_size::ConnSize_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::ConnSize";
+		config.name = "Zeek::ConnSize";
 		config.description = "Connection size analyzer";
 		return config;
 		}

src/analyzer/protocol/dce-rpc/CMakeLists.txt

@@ -1,12 +1,12 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DCE_RPC)
+zeek_plugin_begin(Zeek DCE_RPC)
-bro_plugin_cc(DCE_RPC.cc Plugin.cc)
+zeek_plugin_cc(DCE_RPC.cc Plugin.cc)
-bro_plugin_bif(consts.bif types.bif events.bif)
+zeek_plugin_bif(consts.bif types.bif events.bif)
-bro_plugin_pac(
+zeek_plugin_pac(
     dce_rpc.pac
     dce_rpc-protocol.pac
     dce_rpc-analyzer.pac
@@ -14,5 +14,5 @@ bro_plugin_pac(
     endpoint-atsvc.pac
     endpoint-epmapper.pac
     )
-bro_plugin_end()
+zeek_plugin_end()
 

src/analyzer/protocol/dce-rpc/Plugin.cc

@@ -6,7 +6,7 @@
 #include "DCE_RPC.h"
 
 namespace plugin {
-namespace Bro_DCE_RPC {
+namespace Zeek_DCE_RPC {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("DCE_RPC", ::analyzer::dce_rpc::DCE_RPC_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DCE_RPC";
+		config.name = "Zeek::DCE_RPC";
 		config.description = "DCE-RPC analyzer";
 		return config;
 		}

src/analyzer/protocol/dhcp/CMakeLists.txt

@@ -1,11 +1,11 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DHCP)
+zeek_plugin_begin(Zeek DHCP)
-bro_plugin_cc(DHCP.cc Plugin.cc)
+zeek_plugin_cc(DHCP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_bif(types.bif)
+zeek_plugin_bif(types.bif)
-bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
+zeek_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/dhcp/Plugin.cc

@@ -6,7 +6,7 @@
 #include "DHCP.h"
 
 namespace plugin {
-namespace Bro_DHCP {
+namespace Zeek_DHCP {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -15,7 +15,7 @@ public:
 		AddComponent(new ::analyzer::Component("DHCP", ::analyzer::dhcp::DHCP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DHCP";
+		config.name = "Zeek::DHCP";
 		config.description = "DHCP analyzer";
 		return config;
 		}

src/analyzer/protocol/dhcp/dhcp-options.pac

@@ -21,6 +21,29 @@ refine typeattr Option += &let {
 };
 
 
+##############################
+# TIME OFFSET OPTION
+##############################
+let TIME_OFFSET_OPTION = 2;
+
+# Parse the option
+refine casetype OptionValue += {
+	TIME_OFFSET_OPTION -> time_offset : int32;
+};
+
+refine flow DHCP_Flow += {
+	function process_time_offset_option(v: OptionValue): bool
+		%{
+		${context.flow}->options->Assign(25, val_mgr->GetInt(${v.time_offset}));
+		return true;
+		%}
+};
+
+refine typeattr Option += &let {
+	proc_timeoffset_option = $context.flow.process_time_offset_option(info.value) &if(code==TIME_OFFSET_OPTION);
+};
+
+
 ##############################
 # ROUTER OPTION
 ##############################
@@ -55,6 +78,74 @@ refine typeattr Option += &let {
 };
 
 
+##############################
+# TIME SERVER OPTION
+##############################
+let TIME_SERVER_OPTION = 4;
+
+# Parse the option
+refine casetype OptionValue += {
+	TIME_SERVER_OPTION -> timeserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+	function process_timeserver_option(v: OptionValue): bool
+		%{
+		VectorVal* timeserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+		int num_servers = ${v.timeserver_list}->size();
+		vector<uint32>* rlist = ${v.timeserver_list};
+
+		for ( int i = 0; i < num_servers; ++i )
+			{
+			uint32 raddr = (*rlist)[i];
+			timeserver_list->Assign(i, new AddrVal(htonl(raddr)));
+			}
+
+		${context.flow}->options->Assign(26, timeserver_list);
+
+		return true;
+		%}
+};
+
+refine typeattr Option += &let {
+	proc_timeserver_option = $context.flow.process_timeserver_option(info.value) &if(code==TIME_SERVER_OPTION);
+};
+
+
+##############################
+# NAME SERVER OPTION
+##############################
+let NAME_SERVER_OPTION = 5;
+
+# Parse the option
+refine casetype OptionValue += {
+	NAME_SERVER_OPTION -> nameserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+	function process_nameserver_option(v: OptionValue): bool
+		%{
+		VectorVal* nameserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+		int num_servers = ${v.nameserver_list}->size();
+		vector<uint32>* rlist = ${v.nameserver_list};
+
+		for ( int i = 0; i < num_servers; ++i )
+			{
+			uint32 raddr = (*rlist)[i];
+			nameserver_list->Assign(i, new AddrVal(htonl(raddr)));
+			}
+
+		${context.flow}->options->Assign(27, nameserver_list);
+
+		return true;
+		%}
+};
+
+refine typeattr Option += &let {
+	proc_nameserver_option = $context.flow.process_nameserver_option(info.value) &if(code==NAME_SERVER_OPTION);
+};
+
+
 ##############################
 # DNS SERVER OPTION
 ##############################
@@ -194,6 +285,39 @@ refine typeattr Option += &let {
 };
 
 
+##############################
+# NTP SERVER OPTION
+##############################
+let NTP_SERVER_OPTION = 42;
+
+# Parse the option
+refine casetype OptionValue += {
+	NTP_SERVER_OPTION -> ntpserver_list : uint32[length/4];
+};
+
+refine flow DHCP_Flow += {
+	function process_ntpserver_option(v: OptionValue): bool
+		%{
+		VectorVal* ntpserver_list = new VectorVal(BifType::Vector::DHCP::Addrs);
+		int num_servers = ${v.ntpserver_list}->size();
+		vector<uint32>* rlist = ${v.ntpserver_list};
+
+		for ( int i = 0; i < num_servers; ++i )
+			{
+			uint32 raddr = (*rlist)[i];
+			ntpserver_list->Assign(i, new AddrVal(htonl(raddr)));
+			}
+
+		${context.flow}->options->Assign(28, ntpserver_list);
+
+		return true;
+		%}
+};
+
+refine typeattr Option += &let {
+	proc_ntpserver_option = $context.flow.process_ntpserver_option(info.value) &if(code==NTP_SERVER_OPTION);
+};
+
 ##############################
 # VENDOR SPECIFIC OPTION
 ##############################

src/analyzer/protocol/dnp3/CMakeLists.txt

@@ -1,10 +1,10 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DNP3)
+zeek_plugin_begin(Zeek DNP3)
-bro_plugin_cc(DNP3.cc Plugin.cc)
+zeek_plugin_cc(DNP3.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
+zeek_plugin_pac(dnp3.pac dnp3-analyzer.pac dnp3-protocol.pac dnp3-objects.pac)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/dnp3/Plugin.cc

@@ -6,7 +6,7 @@
 #include "DNP3.h"
 
 namespace plugin {
-namespace Bro_DNP3 {
+namespace Zeek_DNP3 {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("DNP3_UDP", ::analyzer::dnp3::DNP3_UDP_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::DNP3";
+		config.name = "Zeek::DNP3";
 		config.description = "DNP3 UDP/TCP analyzers";
 		return config;
 		}

src/analyzer/protocol/dns/CMakeLists.txt

@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro DNS)
+zeek_plugin_begin(Zeek DNS)
-bro_plugin_cc(DNS.cc Plugin.cc)
+zeek_plugin_cc(DNS.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/dns/DNS.cc

@@ -281,6 +281,10 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			status = ParseRR_TXT(msg, data, len, rdlength, msg_start);
 			break;
 
+		case TYPE_SPF:
+			status = ParseRR_SPF(msg, data, len, rdlength, msg_start);
+			break;
+
 		case TYPE_CAA:
 			status = ParseRR_CAA(msg, data, len, rdlength, msg_start);
 			break;
@@ -1321,6 +1325,36 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 	return rdlength == 0;
 	}
 
+int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_SPF_reply || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	VectorVal* char_strings = new VectorVal(string_vec);
+	StringVal* char_string;
+
+	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
+		char_strings->Assign(char_strings->Size(), char_string);
+
+	if ( dns_SPF_reply )
+		analyzer->ConnectionEventFast(dns_SPF_reply, {
+			analyzer->BuildConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			char_strings,
+		});
+	else
+		Unref(char_strings);
+
+	return rdlength == 0;
+	}
+
 int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start)

src/analyzer/protocol/dns/DNS.h

@@ -63,6 +63,8 @@ typedef enum {
 	TYPE_DNSKEY = 48,	///< DNS Key record (RFC 4034)
 	TYPE_DS = 43,		///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
+	// Obsoleted
+	TYPE_SPF = 99,          ///< Alternative: storing SPF data in TXT records, using the same format (RFC 4408). Support for it was discontinued in RFC 7208
 	// The following are only valid in queries.
 	TYPE_AXFR = 252,
 	TYPE_ALL = 255,
@@ -282,6 +284,9 @@ protected:
 	int ParseRR_TXT(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
+	int ParseRR_SPF(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
 	int ParseRR_CAA(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);

src/analyzer/protocol/dns/Plugin.cc

@@ -6,7 +6,7 @@
 #include "DNS.h"
 
 namespace plugin {
-namespace Bro_DNS {
+namespace Zeek_DNS {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("Contents_DNS", 0));
 
 		plugin::Configuration config;
-		config.name = "Bro::DNS";
+		config.name = "Zeek::DNS";
 		config.description = "DNS analyzer";
 		return config;
 		}

src/analyzer/protocol/dns/events.bif

@@ -1,7 +1,7 @@
 ## Generated for all DNS messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -15,7 +15,7 @@
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid  dns_query_reply dns_rejected
 ##    dns_request non_dns_request  dns_max_queries dns_session_timeout dns_skip_addl
@@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ## is raised once for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -42,7 +42,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ## the reply; there's no stateful correlation with the query.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -71,7 +71,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ## Generated for each entry in the Question section of a DNS reply.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -97,7 +97,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end
 ##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_rejected
 ##    dns_request non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -123,7 +123,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply
 ##    dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -148,7 +148,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see::  dns_A_reply dns_A6_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -173,7 +173,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see::  dns_A_reply dns_AAAA_reply dns_CNAME_reply dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -198,7 +198,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply  dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -223,7 +223,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply  dns_EDNS_addl dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -248,7 +248,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply  dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -273,7 +273,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -296,7 +296,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply  dns_end dns_full_request
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply  dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -319,7 +319,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -346,7 +346,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply  dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -378,6 +378,31 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_TXT_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
 
+## Generated for DNS replies of type *SPF*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## strs: The textual information returned by the reply.
+##
+## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl  dns_WKS_reply dns_end dns_full_request
+##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
+##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+event dns_SPF_reply%(c: connection, msg: dns_msg, ans: dns_answer, strs: string_vec%);
+
 ## Generated for DNS replies of type *CAA* (Certification Authority Authorization).
 ## For replies with multiple answers, an individual event of the corresponding type
 ## is raised for each.
@@ -401,7 +426,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -425,7 +450,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -433,7 +458,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
-## that Bro knows how to parse and generate another more specific event.
+## that Zeek knows how to parse and generate another more specific event.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
@@ -444,14 +469,14 @@ event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: strin
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_SRV_reply dns_end
+##    dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_SRV_reply dns_end
 event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 
 ## Generated for DNS replies of type *EDNS*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -463,7 +488,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_HINFO_reply dns_MX_reply
 ##    dns_NS_reply dns_PTR_reply dns_SOA_reply dns_SRV_reply dns_TSIG_addl
-##    dns_TXT_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
+##    dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request dns_mapping_altered
 ##    dns_mapping_lost_name dns_mapping_new_name dns_mapping_unverified
 ##    dns_mapping_valid dns_message dns_query_reply dns_rejected dns_request
 ##    non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
@@ -474,7 +499,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -486,7 +511,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply  dns_TXT_reply dns_WKS_reply dns_end dns_full_request
+##    dns_SRV_reply  dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_end dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -565,7 +590,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ## all resource records have been passed on.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -575,7 +600,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ##
 ## .. zeek:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
 ##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
-##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_full_request
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_SPF_reply dns_WKS_reply dns_full_request
 ##    dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
 ##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
 ##    dns_rejected dns_request non_dns_request dns_max_queries dns_session_timeout
@@ -590,6 +615,6 @@ event dns_full_request%(%);
 
 ## msg: The raw DNS payload.
 ##
-## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
 ##    detection framework.
 event non_dns_request%(c: connection, msg: string%);

src/analyzer/protocol/file/CMakeLists.txt

@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro File)
+zeek_plugin_begin(Zeek File)
-bro_plugin_cc(File.cc Plugin.cc)
+zeek_plugin_cc(File.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/file/Plugin.cc

@@ -6,7 +6,7 @@
 #include "./File.h"
 
 namespace plugin {
-namespace Bro_File {
+namespace Zeek_File {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -16,7 +16,7 @@ public:
 		AddComponent(new ::analyzer::Component("IRC_Data", ::analyzer::file::IRC_Data::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::File";
+		config.name = "Zeek::File";
 		config.description = "Generic file analyzer";
 		return config;
 		}

src/analyzer/protocol/finger/CMakeLists.txt

@@ -1,9 +1,9 @@
 
-include(BroPlugin)
+include(ZeekPlugin)
 
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
 
-bro_plugin_begin(Bro Finger)
+zeek_plugin_begin(Zeek Finger)
-bro_plugin_cc(Finger.cc Plugin.cc)
+zeek_plugin_cc(Finger.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+zeek_plugin_bif(events.bif)
-bro_plugin_end()
+zeek_plugin_end()

src/analyzer/protocol/finger/Plugin.cc

@@ -5,7 +5,7 @@
 #include "Finger.h"
 
 namespace plugin {
-namespace Bro_Finger {
+namespace Zeek_Finger {
 
 class Plugin : public plugin::Plugin {
 public:
@@ -14,7 +14,7 @@ public:
 		AddComponent(new ::analyzer::Component("Finger", ::analyzer::finger::Finger_Analyzer::Instantiate));
 
 		plugin::Configuration config;
-		config.name = "Bro::Finger";
+		config.name = "Zeek::Finger";
 		config.description = "Finger analyzer";
 		return config;
 		}