Remove full scripts marked as 6.1 deprecations

2025-10-02 06:38:20 +00:00 · 2023-06-01 14:54:23 +02:00 · 2023-06-01 14:54:23 +02:00 · a55e5e3724
commit a55e5e3724
parent 7a867d52e2
23 changed files with 9 additions and 347 deletions
--- a/scripts/base/frameworks/dpd/load.zeek
+++ b/scripts/base/frameworks/dpd/load.zeek
@ -1,3 +0,0 @@
@deprecated "Remove in v6.1 - now loaded automatically";
@load base/frameworks/analyzer
--- a/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
+++ b/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
@ -1,64 +0,0 @@
 ##! This script can be used to add back the fields ``tx_hosts``, ``rx_hosts``
 ##! and ``conn_uids`` to the :zeek:see:`Files::Info` record and thereby also
 ##! back into the ``files.log``. These fields have been removed in Zeek 5.1
 ##! and replaced with the more commonly used ``uid`` and ``id`` fields.
 ##!
 ##! It's only purpose is to provide an easy way to add back the fields such that
 ##! existing downstream processes continue to work without the need to adapt them.
 ##! This script will be removed with Zeek 6.1 at which point downstream processes
 ##! hopefully have switched over to use ``uid`` and ``id`` instead.
 # Remove in v6.1.
@load base/frameworks/files
 module Files;
 # Add back the fields to Files::Info.
 redef record Info += {
 	## If this file was transferred over a network
 	## connection this should show the host or hosts that
 	## the data sourced from.
 	tx_hosts: set[addr] &default=addr_set() &log;
 	## If this file was transferred over a network
 	## connection this should show the host or hosts that
 	## the data traveled to.
 	rx_hosts: set[addr] &default=addr_set() &log;
 	## Connection UIDs over which the file was transferred.
 	conn_uids: set[string] &default=string_set() &log;
 };
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=9
 	{
 	local cid = c$id;
 	add f$info$conn_uids[c$uid];
 	add f$info$tx_hosts[f$is_orig ? cid$orig_h : cid$resp_h];
 	add f$info$rx_hosts[f$is_orig ? cid$resp_h : cid$orig_h];
 	}
 # For every log write to files.log, ensure tx_hosts, rx_hosts and conn_uids
 # hold just a single value. Use a high priority for this handler to ensure
 # this happens before any user defined hooks.
 hook Log::log_stream_policy(rec: any, id: Log::ID) &priority=100
 	{
 	if ( id != Files::LOG )
 		return;
 	local info = rec as Files::Info;
 	# In the common case of a single connection (or the less common case
 	# of no connection), there's nothing to do in this hook.
 	if ( |info$conn_uids| == 1 || ! info?$id )
 		return;
 	# Make singular tx_hosts, rx_hosts and conn_uids fields based on
 	# the active uid. Note, this currently assumes that Files::Info$is_orig
 	# is the same for all connections. This seems reasonable given that
 	# all connections will use the same protocol.
 	local cid = info$id;
 	info$conn_uids = set(info$uid);
 	info$tx_hosts = set(info$is_orig ? cid$orig_h : cid$resp_h);
 	info$rx_hosts = set(info$is_orig ? cid$resp_h : cid$orig_h);
 	}
--- a/scripts/policy/misc/scan.zeek
+++ b/scripts/policy/misc/scan.zeek
@ -1,184 +0,0 @@
 ##! TCP Scan detection.
 # ..Authors: Sheharbano Khattak
 #            Seth Hall
 #            All the authors of the old scan.bro
@deprecated "Remove in v6.1. Use the external github.com/ncsa/bro-simple-scan package instead (e.g., by installing it via `zkg install ncsa/bro-simple-scan`). The misc/scan.zeek script hasn't been maintained since 2013. Further, the external bro-simple-scan package from NCSA (Justin Azoff) has become the recommended alternative for TCP scan detection."
@load base/frameworks/notice
@load base/frameworks/sumstats
@load base/utils/time
 module Scan;
 export {
 	redef enum Notice::Type += {
 		## Address scans detect that a host appears to be scanning some
 		## number of destinations on a single port. This notice is
 		## generated when more than :zeek:id:`Scan::addr_scan_threshold`
 		## unique hosts are seen over the previous
 		## :zeek:id:`Scan::addr_scan_interval` time range.
 		Address_Scan,
 		## Port scans detect that an attacking host appears to be
 		## scanning a single victim host on several ports.  This notice
 		## is generated when an attacking host attempts to connect to
 		## :zeek:id:`Scan::port_scan_threshold`
 		## unique ports on a single host over the previous
 		## :zeek:id:`Scan::port_scan_interval` time range.
 		Port_Scan,
 	};
 	## Failed connection attempts are tracked over this time interval for
 	## the address scan detection.  A higher interval will detect slower
 	## scanners, but may also yield more false positives.
 	const addr_scan_interval = 5min &redef;
 	## Failed connection attempts are tracked over this time interval for
 	## the port scan detection.  A higher interval will detect slower
 	## scanners, but may also yield more false positives.
 	const port_scan_interval = 5min &redef;
 	## The threshold of the unique number of hosts a scanning host has to
 	## have failed connections with on a single port.
 	const addr_scan_threshold = 25.0 &redef;
 	## The threshold of the number of unique ports a scanning host has to
 	## have failed connections with on a single victim host.
 	const port_scan_threshold = 15.0 &redef;
 	global Scan::addr_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 	global Scan::port_scan_policy: hook(scanner: addr, victim: addr, scanned_port: port);
 }
 event zeek_init() &priority=5
 	{
 	local r1: SumStats::Reducer = [$stream="scan.addr.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(addr_scan_threshold+2)];
 	SumStats::create([$name="addr-scan",
 	                  $epoch=addr_scan_interval,
 	                  $reducers=set(r1),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	return result["scan.addr.fail"]$unique+0.0;
 	                  	},
 	                  #$threshold_func=check_addr_scan_threshold,
 	                  $threshold=addr_scan_threshold,
 	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["scan.addr.fail"];
 	                  	local side = Site::is_local_addr(key$host) ? "local" : "remote";
 	                  	local dur = duration_to_mins_secs(r$end-r$begin);
 	                  	local message=fmt("%s scanned at least %d unique hosts on port %s in %s", key$host, r$unique, key$str, dur);
 	                  	NOTICE([$note=Address_Scan,
 	                  	        $src=key$host,
 	                  	        $p=to_port(key$str),
 	                  	        $sub=side,
 	                  	        $msg=message,
 	                  	        $identifier=cat(key$host)]);
 	                  	}]);
 	# Note: port scans are tracked similar to: table[src_ip, dst_ip] of set(port);
 	local r2: SumStats::Reducer = [$stream="scan.port.fail", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(port_scan_threshold+2)];
 	SumStats::create([$name="port-scan",
 	                  $epoch=port_scan_interval,
 	                  $reducers=set(r2),
 	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	return result["scan.port.fail"]$unique+0.0;
 	                  	},
 	                  $threshold=port_scan_threshold,
 	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
 	                  	{
 	                  	local r = result["scan.port.fail"];
 	                  	local side = Site::is_local_addr(key$host) ? "local" : "remote";
 	                  	local dur = duration_to_mins_secs(r$end-r$begin);
 	                  	local message = fmt("%s scanned at least %d unique ports of host %s in %s", key$host, r$unique, key$str, dur);
 	                  	NOTICE([$note=Port_Scan,
 	                  	        $src=key$host,
 	                  	        $dst=to_addr(key$str),
 	                  	        $sub=side,
 	                  	        $msg=message,
 	                  	        $identifier=cat(key$host)]);
 	                  	}]);
 	}
 function add_sumstats(id: conn_id, reverse: bool)
 	{
 	local scanner      = id$orig_h;
 	local victim       = id$resp_h;
 	local scanned_port = id$resp_p;
 	if ( reverse )
 		{
 		scanner      = id$resp_h;
 		victim       = id$orig_h;
 		scanned_port = id$orig_p;
 		}
 	if ( hook Scan::addr_scan_policy(scanner, victim, scanned_port) )
 		SumStats::observe("scan.addr.fail", [$host=scanner, $str=cat(scanned_port)], [$str=cat(victim)]);
 	if ( hook Scan::port_scan_policy(scanner, victim, scanned_port) )
 		SumStats::observe("scan.port.fail", [$host=scanner, $str=cat(victim)], [$str=cat(scanned_port)]);
 	}
 function is_failed_conn(c: connection): bool
 	{
 	# Sr || ( (hR || ShR) && (data not sent in any direction) )
 	if ( (c$orig$state == TCP_SYN_SENT && c$resp$state == TCP_RESET) ||
 	     (((c$orig$state == TCP_RESET && c$resp$state == TCP_SYN_ACK_SENT) ||
 	       (c$orig$state == TCP_RESET && c$resp$state == TCP_ESTABLISHED && "S" in c$history )
 	      ) && /[Dd]/ !in c$history )
 	   )
 		return T;
 	return F;
 	}
 function is_reverse_failed_conn(c: connection): bool
 	{
 	# reverse scan i.e. conn dest is the scanner
 	# sR || ( (Hr || sHr) && (data not sent in any direction) )
 	if ( (c$resp$state == TCP_SYN_SENT && c$orig$state == TCP_RESET) ||
 	     (((c$resp$state == TCP_RESET && c$orig$state == TCP_SYN_ACK_SENT) ||
 	       (c$resp$state == TCP_RESET && c$orig$state == TCP_ESTABLISHED && "s" in c$history )
 	      ) && /[Dd]/ !in c$history )
 	   )
 		return T;
 	return F;
 	}
 event connection_attempt(c: connection)
 	{
 	local is_reverse_scan = F;
 	if ( "H" in c$history )
 		is_reverse_scan = T;
 	add_sumstats(c$id, is_reverse_scan);
 	}
 event connection_rejected(c: connection)
 	{
 	local is_reverse_scan = F;
 	if ( "s" in c$history )
 		is_reverse_scan = T;
 	add_sumstats(c$id, is_reverse_scan);
 	}
 event connection_reset(c: connection)
 	{
 	if ( is_failed_conn(c) )
 		add_sumstats(c$id, F);
 	else if ( is_reverse_failed_conn(c) )
 		add_sumstats(c$id, T);
 	}
 event connection_pending(c: connection)
 	{
 	if ( is_failed_conn(c) )
 		add_sumstats(c$id, F);
 	else if ( is_reverse_failed_conn(c) )
 		add_sumstats(c$id, T);
 	}
--- a/scripts/policy/protocols/mqtt/load.zeek
+++ b/scripts/policy/protocols/mqtt/load.zeek
@ -1,4 +0,0 @@
@deprecated "Remove in v6.1. The MQTT scripts have been moved out of policy/ into base and are loaded by default"
 # For those running bare-mode and loading protocols/mqtt from policy.
@load base/protocols/mqtt
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -62,7 +62,6 @@
@load frameworks/intel/seen/where-locations.zeek
@load frameworks/intel/seen/x509.zeek
@load frameworks/netcontrol/catch-and-release.zeek
@load frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek
@load frameworks/files/detect-MHR.zeek
@load frameworks/files/entropy-test-all-files.zeek
 #@load frameworks/files/extract-all-files.zeek
@ -88,7 +87,6 @@
@load misc/load-balancing.zeek
@load misc/loaded-scripts.zeek
@load misc/profiling.zeek
@load misc/scan.zeek
@load misc/stats.zeek
@load misc/weird-stats.zeek
@load misc/trim-trace-file.zeek
@ -119,7 +117,6 @@
@load protocols/krb/ticket-logging.zeek
@load protocols/modbus/known-masters-slaves.zeek
@load protocols/modbus/track-memmap.zeek
 #@load protocols/mqtt/__load__.zeek
@load protocols/mysql/software.zeek
@load protocols/rdp/indicate_ssl.zeek
@load protocols/smb/log-cmds.zeek
--- a/scripts/zeekygen/load.zeek
+++ b/scripts/zeekygen/load.zeek
@ -1,7 +1,6 @@
@load test-all-policy.zeek
 # Scripts which are commented out in test-all-policy.zeek.
@load protocols/mqtt/__load__.zeek
@load protocols/ssl/decryption.zeek
@load frameworks/cluster/nodes-experimental/manager.zeek
@load frameworks/control/controllee.zeek
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
@ -1,3 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 ### NOTE: This file has been sorted with diff-sort.
 warning in <...>/__load__.zeek, line 1: deprecated script loaded from command line arguments "Remove in v6.1 - now loaded automatically";
--- a/testing/btest/Baseline/coverage.init-default/missing_loads
+++ b/testing/btest/Baseline/coverage.init-default/missing_loads
@ -5,7 +5,6 @@
 -./frameworks/cluster/nodes/proxy.zeek
 -./frameworks/cluster/nodes/worker.zeek
 -./frameworks/cluster/setup-connections.zeek
 -./frameworks/dpd/__load__.zeek
 -./frameworks/intel/cluster.zeek
 -./frameworks/netcontrol/cluster.zeek
 -./frameworks/openflow/cluster.zeek
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.new
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.new
--- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.deprecated
+++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.log-files-event-flattening/out.deprecated
@ -1,4 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 C4J4Th3PJpwUYZZ6gc, [orig_h=192.168.0.107, orig_p=58720/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aC4J4Th3PJpwUYZZ6gc\x0a}
 CHhAvVGS1DHFjwGM9, [orig_h=192.168.0.107, orig_p=58716/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aCHhAvVGS1DHFjwGM9\x0a}
 ClEkJM2Vm5giqnMf4h, [orig_h=192.168.0.107, orig_p=58718/tcp, resp_h=88.198.248.254, resp_p=80/tcp], {\x0a\x0988.198.248.254\x0a}, {\x0a\x09192.168.0.107\x0a}, {\x0aClEkJM2Vm5giqnMf4h\x0a}
--- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.deprecated
+++ b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.deprecated
@ -1,11 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	files
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	tx_hosts	rx_hosts	conn_uids
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	set[addr]	set[addr]	set[string]
 XXXXXXXXXX.XXXXXX	FMnxxt3xjVcWNS2141	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	HTTP	0	(empty)	text/plain	-	0.000263	F	F	4705	4705	0	0	F	-	192.150.187.43	141.142.228.5	CHhAvVGS1DHFjwGM9
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.new
+++ b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/files.log.new
@ -1,11 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	files
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid
 #types	time	string	string	addr	port	addr	port	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string
 XXXXXXXXXX.XXXXXX	FMnxxt3xjVcWNS2141	CHhAvVGS1DHFjwGM9	141.142.228.5	59856	192.150.187.43	80	HTTP	0	(empty)	text/plain	-	0.000263	F	F	4705	4705	0	0	F	-
 #close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.deprecated
+++ b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.deprecated
@ -1 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
--- a/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.new
+++ b/testing/btest/Baseline/scripts.policy.frameworks.files.deprecated-fields/out.new
@ -1 +0,0 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
--- a/testing/btest/core/tunnels/teredo-known-services.test
+++ b/testing/btest/core/tunnels/teredo-known-services.test
@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap base/frameworks/dpd base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.2.0/24}"
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.2.0/24}"
 # @TEST-EXEC: btest-diff known_services.log
 # Expect known_services.log to NOT indicate any service using teredo.
--- a/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/enable-analyzer.zeek
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn base/frameworks/dpd
+# @TEST-EXEC: zeek -b -r ${TRACES}/var-services-std-ports.trace %INPUT base/protocols/dns base/protocols/conn
 # @TEST-EXEC: cat conn.log | zeek-cut service | grep -q dns
 #
@ -9,5 +9,3 @@ event zeek_init()
 	{
 	Analyzer::enable_analyzer(Analyzer::ANALYZER_DNS);
 	}
--- a/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek
+++ b/testing/btest/scripts/base/frameworks/analyzer/register-for-port.zeek
@ -2,15 +2,13 @@
 # some runs having complaints that there are no scripts.
 # @TEST-REQUIRES: test "${ZEEK_USE_CPP}" != "1"
-# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace %INPUT dpd_buffer_size=0 base/protocols/conn base/protocols/ssh
 # @TEST-EXEC: cat conn.log | zeek-cut service | grep -q ssh
 #
-# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh base/frameworks/dpd
+# @TEST-EXEC: zeek -b -r ${TRACES}/ssh/ssh-on-port-80.trace dpd_buffer_size=0 base/protocols/conn base/protocols/ssh
 # @TEST-EXEC: cat conn.log | zeek-cut service | grep -vq ssh
 event zeek_init()
 	{
 	Analyzer::register_for_port(Analyzer::ANALYZER_SSH, 80/tcp);
 	}
--- a/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek
+++ b/testing/btest/scripts/base/frameworks/file-analysis/log-files-event-flattening.zeek
@ -1,10 +1,7 @@
 # @TEST-DOC: Implement Files::log_files and verify it is seeing unique File::Info records.
-# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap uid-id.zeek >out.new
+# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT >out
-# @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap frameworks/files/deprecated-txhosts-rxhosts-connuids uid-id-deprecated.zeek >out.deprecated
+# @TEST-EXEC: btest-diff out
 # @TEST-EXEC: btest-diff out.new
 # @TEST-EXEC: btest-diff out.deprecated
@TEST-START-FILE uid-id.zeek
@load base/frameworks/files
@load base/protocols/http
@ -12,15 +9,3 @@ event Files::log_files(rec: Files::Info)
        {
        print rec$uid, rec$id;
        }
@TEST-END-FILE
@TEST-START-FILE uid-id-deprecated.zeek
@load base/frameworks/files
@load base/protocols/http
 event Files::log_files(rec: Files::Info)
        {
        print rec$uid, rec$id, cat(rec$tx_hosts), cat(rec$rx_hosts), cat(rec$conn_uids);
        }
@TEST-END-FILE
--- a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test
+++ b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap-dynamic.test
@ -1,7 +1,7 @@
 # @TEST-EXEC: zeek -b -r $TRACES/mqtt.pcap %INPUT > out
 # @TEST-EXEC: btest-diff out
-@load policy/protocols/mqtt
+@load base/protocols/mqtt
@load base/frameworks/config
 event mqtt_publish(c: connection, is_orig: bool, msg_id: count, msg: MQTT::PublishMsg)
--- a/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test
+++ b/testing/btest/scripts/base/protocols/mqtt/mqtt-payload-cap.test
@ -3,4 +3,4 @@
 redef MQTT::max_payload_size = 8;
-@load policy/protocols/mqtt
+@load base/protocols/mqtt
--- a/testing/btest/scripts/base/protocols/mqtt/mqtt.test
+++ b/testing/btest/scripts/base/protocols/mqtt/mqtt.test
@ -3,4 +3,4 @@
 # @TEST-EXEC: btest-diff mqtt_subscribe.log
 # @TEST-EXEC: btest-diff mqtt_publish.log
-@load policy/protocols/mqtt
+@load base/protocols/mqtt
--- a/testing/btest/scripts/policy/frameworks/files/deprecated-fields-concurrent-range-requests.zeek
+++ b/testing/btest/scripts/policy/frameworks/files/deprecated-fields-concurrent-range-requests.zeek
@ -1,15 +0,0 @@
 # @TEST-DOC: The pcap contains 3 connections with range requests for the same file. We expect 3 files.log entries all with the same fuid, but different uids. With the deprecated fields, we expect tx_hosts, rx_hosts and conn_uuids to agree with the uid and id fields.
 # @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT 2>&1 > out
 # @TEST-EXEC: mv files.log files.log.new
 # @TEST-EXEC: mv out out.new
 # @TEST-EXEC: btest-diff out.new
 # @TEST-EXEC: btest-diff files.log.new
 # @TEST-EXEC: zeek -b -r $TRACES/http/concurrent-range-requests.pcap %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
 # @TEST-EXEC: mv files.log files.log.deprecated
 # @TEST-EXEC: mv out out.deprecated
 # @TEST-EXEC: btest-diff out.deprecated
 # @TEST-EXEC: btest-diff files.log.deprecated
@load base/frameworks/files
@load base/protocols/http
--- a/testing/btest/scripts/policy/frameworks/files/deprecated-fields.zeek
+++ b/testing/btest/scripts/policy/frameworks/files/deprecated-fields.zeek
@ -1,15 +0,0 @@
 # @TEST-DOC: Verify the files.log with and without the tx_hosts, rx_hosts and conn_uids fields
 # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 > out
 # @TEST-EXEC: mv files.log files.log.new
 # @TEST-EXEC: mv out out.new
 # @TEST-EXEC: btest-diff out.new
 # @TEST-EXEC: btest-diff files.log.new
 # @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT frameworks/files/deprecated-txhosts-rxhosts-connuids 2>&1 > out
 # @TEST-EXEC: mv files.log files.log.deprecated
 # @TEST-EXEC: mv out out.deprecated
 # @TEST-EXEC: btest-diff out.deprecated
 # @TEST-EXEC: btest-diff files.log.deprecated
@load base/frameworks/files
@load base/protocols/http
		`@ -1,3 +0,0 @@`
			`@deprecated "Remove in v6.1 - now loaded automatically";`

			`@load base/frameworks/analyzer`
		`@ -1 +0,0 @@`
			`### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.`
`@ -3,4 +3,4 @@`

	`redef MQTT::max_payload_size = 8;`	`redef MQTT::max_payload_size = 8;`

	`@load policy/protocols/mqtt`	`@load base/protocols/mqtt`