Remove trailing whitespace from script files

scripts/base/frameworks/cluster/nodes/manager.zeek

@@ -2,7 +2,7 @@
 ##!
 ##! The manager is passive (the workers connect to us), and once connected
 ##! the manager registers for the events on the workers that are needed
-##! to get the desired data from the workers.  This script will be 
+##! to get the desired data from the workers.  This script will be
 ##! automatically loaded if necessary based on the type of node being started.
 
 ##! This is where the cluster manager sets it's specific settings for other

scripts/base/frameworks/cluster/pools.zeek

@@ -364,7 +364,7 @@ event zeek_init() &priority=-5
 	if ( manager_is_logger )
 		{
 		local mgr = nodes_with_type(Cluster::MANAGER);
-		
+
 		if ( |mgr| > 0 )
 			{
 			local eln = pool_eligibility[Cluster::LOGGER]$eligible_nodes;
@@ -438,7 +438,7 @@ event zeek_init() &priority=-5
 
 		pet = pool_eligibility[pool$spec$node_type];
 		local nodes_to_init = |pet$eligible_nodes|;
-		
+
 		if ( pool$spec?$max_nodes &&
 			 pool$spec$max_nodes < |pet$eligible_nodes| )
 			nodes_to_init = pool$spec$max_nodes;

scripts/base/frameworks/dpd/main.zeek

@@ -35,7 +35,7 @@ export {
 	## Number of protocol violations to tolerate before disabling an analyzer.
 	option max_violations: table[Analyzer::Tag] of count = table() &default = 5;
 
-	## Analyzers which you don't want to throw 
+	## Analyzers which you don't want to throw
 	option ignore_violations: set[Analyzer::Tag] = set();
 
 	## Ignore violations which go this many bytes into the connection.

scripts/base/frameworks/files/magic/general.sig

@@ -252,7 +252,7 @@ signature file-mpqgame {
 	file-magic /^MPQ\x1a/
 }
 
-# Blizzard CASC Format game file 
+# Blizzard CASC Format game file
 signature file-blizgame {
 	file-mime "application/x-blizgame", 100
 	file-magic /^BLTE/
@@ -302,4 +302,3 @@ signature file-iso9660 {
         file-mime "application/x-iso9660-image", 99
         file-magic /CD001/
 }
-

scripts/base/frameworks/files/magic/office.sig

@@ -1,7 +1,6 @@
-
 # This signature is non-specific and terrible but after
-# searching for a long time there doesn't seem to be a 
-# better option.  
+# searching for a long time there doesn't seem to be a
+# better option.
 signature file-msword {
 	file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
 	file-mime "application/msword", 50

scripts/base/frameworks/files/main.zeek

@@ -104,7 +104,7 @@ export {
 		missing_bytes: count &log &default=0;
 
 		## The number of bytes in the file stream that were not delivered to
-		## stream file analyzers.  This could be overlapping bytes or 
+		## stream file analyzers.  This could be overlapping bytes or
 		## bytes that couldn't be reassembled.
 		overflow_bytes: count &log &default=0;
 
@@ -150,7 +150,7 @@ export {
 	## f: the file.
 	global enable_reassembly: function(f: fa_file);
 
-	## Disables the file reassembler on this file.  If the file is not 
+	## Disables the file reassembler on this file.  If the file is not
 	## transferred out of order this will have no effect.
 	##
 	## f: the file.
@@ -266,7 +266,7 @@ export {
 	};
 
 	## Register callbacks for protocols that work with the Files framework.
-	## The callbacks must uniquely identify a file and each protocol can 
+	## The callbacks must uniquely identify a file and each protocol can
 	## only have a single callback registered for it.
 	##
 	## tag: Tag for the protocol analyzer having a callback being registered.
@@ -280,7 +280,7 @@ export {
 	## manipulation when they are being added to a file before the core code
 	## takes over.  This is unlikely to be interesting for users and should
 	## only be called by file analyzer authors but is *not required*.
-	## 
+	##
 	## tag: Tag for the file analyzer.
 	##
 	## callback: Function to execute when the given file analyzer is being added.

scripts/base/frameworks/intel/main.zeek

@@ -49,7 +49,7 @@ export {
 		## A URL for more information about the data.
 		url:         string      &optional;
 	};
-	
+
 	## Represents a piece of intelligence.
 	type Item: record {
 		## The intelligence indicator.
@@ -57,12 +57,12 @@ export {
 
 		## The type of data that the indicator field represents.
 		indicator_type: Type;
-		
+
 		## Metadata for the item. Typically represents more deeply
 		## descriptive data for a piece of intelligence.
 		meta:           MetaData;
 	};
-	
+
 	## Enum to represent where data came from when it was discovered.
 	## The convention is to prefix the name with ``IN_``.
 	type Where: enum {
@@ -158,8 +158,8 @@ export {
 	global extend_match: hook(info: Info, s: Seen, items: set[Item]);
 
 	## The expiration timeout for intelligence items. Once an item expires, the
-	## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item 
-	## resets the timeout. A negative value disables expiration of intelligence 
+	## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item
+	## resets the timeout. A negative value disables expiration of intelligence
 	## items.
 	const item_expiration = -1 min &redef;
 

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -41,7 +41,7 @@ export {
 		name: function(state: PluginState) : string;
 
 		## If true, plugin can expire rules itself. If false, the NetControl
-		## framework will manage rule expiration. 
+		## framework will manage rule expiration.
 		can_expire: bool;
 
 		## One-time initialization function called when plugin gets registered, and

scripts/base/frameworks/netcontrol/plugins/debug.zeek

@@ -46,7 +46,7 @@ function debug_add_rule(p: PluginState, r: Rule) : bool
 	local s = fmt("add_rule: %s", r);
 	debug_log(p, s);
 
-	if ( do_something(p) ) 
+	if ( do_something(p) )
 		{
 		event NetControl::rule_added(r, p);
 		return T;
@@ -76,12 +76,10 @@ global debug_plugin = Plugin(
 function create_debug(do_something: bool) : PluginState
 	{
 	local p: PluginState = [$plugin=debug_plugin];
-	
+
 	# FIXME: Why's the default not working?
 	p$config = table();
 	p$config["all"] = (do_something ? "1" : "0");
 
 	return p;
 	}
-
-

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -1,7 +1,7 @@
 ##! NetControl plugin for the process-level PacketFilter that comes with
 ##! Zeek. Since the PacketFilter in Zeek is quite limited in scope
 ##! and can only add/remove filters for addresses, this is quite
-##! limited in scope at the moment. 
+##! limited in scope at the moment.
 
 @load ../plugin
 
@@ -110,4 +110,3 @@ function create_packetfilter() : PluginState
 
 	return p;
 	}
-

scripts/base/frameworks/netcontrol/types.zeek

@@ -1,7 +1,7 @@
 ##! This file defines the types that are used by the NetControl framework.
 ##!
 ##! The most important type defined in this file is :zeek:see:`NetControl::Rule`,
-##! which is used to describe all rules that can be expressed by the NetControl framework. 
+##! which is used to describe all rules that can be expressed by the NetControl framework.
 
 module NetControl;
 

scripts/base/frameworks/notice/actions/add-geodata.zeek

@@ -1,6 +1,6 @@
 ##! This script adds geographic location data to notices for the "remote"
-##! host in a connection.  It does make the assumption that one of the 
-##! addresses in a connection is "local" and one is "remote" which is 
+##! host in a connection.  It does make the assumption that one of the
+##! addresses in a connection is "local" and one is "remote" which is
 ##! probably a safe assumption to make in most cases.  If both addresses
 ##! are remote, it will use the $src address.
 
@@ -17,13 +17,13 @@ export {
 		## in order for this to work.
 		ACTION_ADD_GEODATA
 	};
-	
+
 	redef record Info += {
 		## If GeoIP support is built in, notices can have geographic
 		## information attached to them.
 		remote_location: geo_location  &log &optional;
 	};
-	
+
 	## Notice types which should have the "remote" location looked up.
 	## If GeoIP support is not built in, this does nothing.
 	option lookup_location_types: set[Notice::Type] = {};
@@ -35,7 +35,7 @@ hook policy(n: Notice::Info) &priority=10
 		add n$actions[ACTION_ADD_GEODATA];
 	}
 
-# This is handled at a high priority in case other notice handlers 
+# This is handled at a high priority in case other notice handlers
 # want to use the data.
 hook notice(n: Notice::Info) &priority=10
 	{

scripts/base/frameworks/notice/actions/email_admin.zeek

@@ -10,9 +10,9 @@ module Notice;
 
 export {
 	redef enum Action += {
-		## Indicate that the generated email should be addressed to the 
+		## Indicate that the generated email should be addressed to the
 		## appropriate email addresses as found by the
-		## :zeek:id:`Site::get_emails` function based on the relevant 
+		## :zeek:id:`Site::get_emails` function based on the relevant
 		## address or addresses indicated in the notice.
 		ACTION_EMAIL_ADMIN
 	};

scripts/base/frameworks/openflow/cluster.zeek

@@ -112,12 +112,12 @@ function lookup_controller(name: string): vector of Controller
 	if ( Cluster::local_node_type() != Cluster::MANAGER )
 		return vector();
 
-	# I am not quite sure if we can actually get away with this - in the 
+	# I am not quite sure if we can actually get away with this - in the
 	# current state, this means that the individual nodes cannot lookup
 	# a controller by name.
 	#
 	# This means that there can be no reactions to things on the actual
-	# worker nodes - because they cannot look up a name. On the other hand - 
+	# worker nodes - because they cannot look up a name. On the other hand -
 	# currently we also do not even send the events to the worker nodes (at least
 	# not if we are using broker). Because of that I am not really feeling that
 	# badly about it...

scripts/base/frameworks/signatures/main.zeek

@@ -60,7 +60,7 @@ export {
 		SIG_ALARM_PER_ORIG,
 		## Alarm once and then never again.
 		SIG_ALARM_ONCE,
-		## Count signatures per responder host and alarm with the 
+		## Count signatures per responder host and alarm with the
 		## :zeek:enum:`Signatures::Count_Signature` notice if a threshold
 		## defined by :zeek:id:`Signatures::count_thresholds` is reached.
 		SIG_COUNT_PER_RESP,
@@ -100,15 +100,15 @@ export {
 		## Number of hosts, from a summary count.
 		host_count: count        &log &optional;
 	};
-	
-	## Actions for a signature.  
+
+	## Actions for a signature.
 	const actions: table[string] of Action =  {
 		["unspecified"] = SIG_IGNORE, # place-holder
 	} &redef &default = SIG_ALARM;
 
 	## Signature IDs that should always be ignored.
 	option ignored_ids = /NO_DEFAULT_MATCHES/;
-	
+
 	## Generate a notice if, for a pair [orig, signature], the number of
 	## different responders has reached one of the thresholds.
 	const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
@@ -120,7 +120,7 @@ export {
 	## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
 	## signature is triggered as often as given by one of these thresholds.
 	const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
-	
+
 	## The interval between when :zeek:enum:`Signatures::Signature_Summary`
 	## notices are generated.
 	option summary_interval = 1 day;
@@ -147,7 +147,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
 	}
-		
+
 # Returns true if the given signature has already been triggered for the given
 # [orig, resp] pair.
 function has_signature_matched(id: string, orig: addr, resp: addr): bool
@@ -173,7 +173,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 	# Trim the matched data down to something reasonable
 	if ( |data| > 140 )
 		data = fmt("%s...", sub_bytes(data, 0, 140));
-	
+
 	local src_addr: addr;
 	local src_port: port;
 	local dst_addr: addr;
@@ -212,7 +212,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 	local notice = F;
 	if ( action == SIG_ALARM )
 		notice = T;
-	
+
 	if ( action == SIG_COUNT_PER_RESP )
 		{
 		local dst = state$conn$id$resp_h;
@@ -252,7 +252,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 		        $conn=state$conn, $src=src_addr,
 		        $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
 		        $sub=data]);
-	
+
 	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
 		return;
 
@@ -279,7 +279,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 			fmt("%s has triggered signature %s on %d hosts",
 				orig, sig_id, hcount);
 
-		Log::write(Signatures::LOG, 
+		Log::write(Signatures::LOG,
 			[$ts=network_time(), $note=Multiple_Sig_Responders,
 		     $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
 		     $host_count=hcount, $sub_msg=horz_scan_msg]);
@@ -296,9 +296,9 @@ event signature_match(state: signature_state, msg: string, data: string)
 			fmt("%s has triggered %d different signatures on host %s",
 				orig, vcount, resp);
 
-		Log::write(Signatures::LOG, 
+		Log::write(Signatures::LOG,
 		           [$ts=network_time(),
-		            $note=Multiple_Signatures, 
+		            $note=Multiple_Signatures,
 		            $src_addr=orig,
 		            $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
 		            $event_msg=fmt("%s different signatures triggered", vcount),
@@ -311,4 +311,3 @@ event signature_match(state: signature_state, msg: string, data: string)
 		last_vthresh[orig] = vcount;
 		}
 	}
-

scripts/base/frameworks/software/main.zeek

@@ -13,18 +13,18 @@ module Software;
 export {
 	## The software logging stream identifier.
 	redef enum Log::ID += { LOG };
-	
+
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 
 	## Scripts detecting new types of software need to redef this enum to add
-	## their own specific software types which would then be used when they 
+	## their own specific software types which would then be used when they
 	## create :zeek:type:`Software::Info` records.
 	type Type: enum {
 		## A placeholder type for when the type of software is not known.
 		UNKNOWN,
 	};
-	
+
 	## A structure to represent the numeric version of software.
 	type Version: record {
 		## Major version number.
@@ -38,7 +38,7 @@ export {
 		## Additional version string (e.g. "beta42").
 		addl:   string &optional;
 	} &log;
-	
+
 	## The record type that is used for representing and logging software.
 	type Info: record {
 		## The time at which the software was detected.
@@ -58,9 +58,9 @@ export {
 		## parsing doesn't always work reliably in all cases and this
 		## acts as a fallback in the logs.
 		unparsed_version: string &log &optional;
-		
+
 		## This can indicate that this software being detected should
-		## definitely be sent onward to the logging framework.  By 
+		## definitely be sent onward to the logging framework.  By
 		## default, only software that is "interesting" due to a change
 		## in version or it being currently unknown is sent to the
 		## logging framework.  This can be set to T to force the record
@@ -68,7 +68,7 @@ export {
 		## tracking needs to happen in a specific way to the software.
 		force_log:        bool &default=F;
 	};
-	
+
 	## Hosts whose software should be detected and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	option asset_tracking = LOCAL_HOSTS;
@@ -78,21 +78,21 @@ export {
 	## id: The connection id where the software was discovered.
 	##
 	## info: A record representing the software discovered.
-	## 
+	##
 	## Returns: T if the software was logged, F otherwise.
 	global found: function(id: conn_id, info: Info): bool;
-	
+
 	## Compare two version records.
-	## 
+	##
 	## Returns:  -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
 	##           If the numerical version numbers match, the *addl* string
 	##           is compared lexicographically.
 	global cmp_versions: function(v1: Version, v2: Version): int;
-	
-	## Sometimes software will expose itself on the network with 
-	## slight naming variations.  This table provides a mechanism 
-	## for a piece of software to be renamed to a single name 
-	## even if it exposes itself with an alternate name.  The 
+
+	## Sometimes software will expose itself on the network with
+	## slight naming variations.  This table provides a mechanism
+	## for a piece of software to be renamed to a single name
+	## even if it exposes itself with an alternate name.  The
 	## yielded string is the name that will be logged and generally
 	## used for everything.
 	global alternate_names: table[string] of string {
@@ -100,17 +100,17 @@ export {
 	} &default=function(a: string): string { return a; };
 
 	## Type to represent a collection of :zeek:type:`Software::Info` records.
-	## It's indexed with the name of a piece of software such as "Firefox" 
+	## It's indexed with the name of a piece of software such as "Firefox"
 	## and it yields a :zeek:type:`Software::Info` record with more
 	## information about the software.
 	type SoftwareSet: table[string] of Info;
-	
+
 	## The set of software associated with an address.  Data expires from
-	## this table after one day by default so that a detected piece of 
+	## this table after one day by default so that a detected piece of
 	## software will be logged once each day.  In a cluster, this table is
 	## uniformly distributed among proxy nodes.
 	global tracked: table[addr] of SoftwareSet &create_expire=1day;
-	
+
 	## This event can be handled to access the :zeek:type:`Software::Info`
 	## record as it is sent on to the logging framework.
 	global log_software: event(rec: Info);
@@ -128,7 +128,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
 	}
-	
+
 type Description: record {
 	name:             string;
 	version:          Version;
@@ -138,13 +138,13 @@ type Description: record {
 # Defining this here because of a circular dependency between two functions.
 global parse_mozilla: function(unparsed_version: string): Description;
 
-# Don't even try to understand this now, just make sure the tests are 
+# Don't even try to understand this now, just make sure the tests are
 # working.
 function parse(unparsed_version: string): Description
 	{
 	local software_name = "<parse error>";
 	local v: Version;
-	
+
 	# Parse browser-alike versions separately
 	if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version )
 		{
@@ -220,10 +220,10 @@ function parse(unparsed_version: string): Description
 						{
 						v$addl = strip(version_parts[2]);
 						}
-						
+
 					}
 				}
-			
+
 			if ( 3 in version_numbers && version_numbers[3] != "" )
 				v$minor3 = extract_count(version_numbers[3]);
 			if ( 2 in version_numbers && version_numbers[2] != "" )
@@ -234,7 +234,7 @@ function parse(unparsed_version: string): Description
 				v$major = extract_count(version_numbers[0]);
 			}
 		}
-	
+
 	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
 	}
 
@@ -245,7 +245,7 @@ function parse_with_cache(unparsed_version: string): Description
 	{
 	if (unparsed_version in parse_cache)
 		return parse_cache[unparsed_version];
-	
+
 	local res = parse(unparsed_version);
 	parse_cache[unparsed_version] = res;
 	return res;
@@ -256,7 +256,7 @@ function parse_mozilla(unparsed_version: string): Description
 	local software_name = "<unknown browser>";
 	local v: Version;
 	local parts: string_vec;
-	
+
 	if ( /Opera [0-9\.]*$/ in unparsed_version )
 		{
 		software_name = "Opera";
@@ -349,7 +349,7 @@ function parse_mozilla(unparsed_version: string): Description
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
-	
+
 	else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "AdobeAIR";
@@ -392,7 +392,7 @@ function cmp_versions(v1: Version, v2: Version): int
 		else
 			return v1?$major ? 1 : -1;
 		}
-		
+
 	if ( v1?$minor && v2?$minor )
 		{
 		if ( v1$minor < v2$minor )
@@ -407,7 +407,7 @@ function cmp_versions(v1: Version, v2: Version): int
 		else
 			return v1?$minor ? 1 : -1;
 		}
-		
+
 	if ( v1?$minor2 && v2?$minor2 )
 		{
 		if ( v1$minor2 < v2$minor2 )
@@ -462,7 +462,7 @@ function software_endpoint_name(id: conn_id, host: addr): string
 # Convert a version into a string "a.b.c-x".
 function software_fmt_version(v: Version): string
 	{
-	return fmt("%s%s%s%s%s", 
+	return fmt("%s%s%s%s%s",
 	           v?$major ? fmt("%d", v$major) : "0",
 	           v?$minor ? fmt(".%d", v$minor) : "",
 	           v?$minor2 ? fmt(".%d", v$minor2) : "",
@@ -510,10 +510,10 @@ event Software::register(info: Info)
 		local changed = cmp_versions(old$version, info$version) != 0;
 
 		if ( changed )
-			event Software::version_change(old, info);	
+			event Software::version_change(old, info);
 		else if ( ! info$force_log )
 			# If the version hasn't changed, then we're just redetecting the
-			# same thing, then we don't care. 
+			# same thing, then we don't care.
 			return;
 		}
 
@@ -526,7 +526,7 @@ function found(id: conn_id, info: Info): bool
 	if ( ! info$force_log && ! addr_matches_host(info$host, asset_tracking) )
 		return F;
 
-	if ( ! info?$ts ) 
+	if ( ! info?$ts )
 		info$ts = network_time();
 
 	if ( info?$version )

scripts/base/frameworks/sumstats/cluster.zeek

@@ -220,7 +220,7 @@ event zeek_init() &priority=100
 # This variable is maintained by manager nodes as they collect and aggregate
 # results.
 # Index on a uid.
-global stats_keys: table[string] of set[Key] &read_expire=1min 
+global stats_keys: table[string] of set[Key] &read_expire=1min
 	&expire_func=function(s: table[string] of set[Key], idx: string): interval
 		{
 		Reporter::warning(fmt("SumStat key request for the %s SumStat uid took longer than 1 minute and was automatically cancelled.", idx));

scripts/base/frameworks/sumstats/main.zeek

@@ -510,7 +510,7 @@ function check_thresholds(ss: SumStat, key: Key, result: Result, modify_pct: dou
 		return F;
 
 	# Add in the extra ResultVals to make threshold_vals easier to write.
-	# This length comparison should work because we just need to make 
+	# This length comparison should work because we just need to make
 	# sure that we have the same number of reducers and results.
 	if ( |ss$reducers| != |result| )
 		{
@@ -568,4 +568,3 @@ function threshold_crossed(ss: SumStat, key: Key, result: Result)
 
 	ss$threshold_crossed(key, result);
 	}
-

scripts/base/frameworks/sumstats/plugins/sample.zeek

@@ -95,7 +95,7 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 		{
 		local other_vector: vector of Observation;
 		local othercount: count;
-		
+
 		if ( rv1$sample_elements > rv2$sample_elements )
 			{
 			result$samples = copy(rv1$samples);

scripts/base/frameworks/sumstats/plugins/unique.zeek

@@ -46,7 +46,7 @@ hook register_observe_plugins()
 
 		if ( ! r?$unique_max || |rv$unique_vals| <= r$unique_max )
 			add rv$unique_vals[obs];
-			
+
 		rv$unique = |rv$unique_vals|;
 		});
 	}