Remove InterConn analyzer

NEWS

@@ -411,6 +411,8 @@ Removed Functionality
     - ``software_unparsed_version_found``
     - ``software_parse_error``
     - ``print_hook``
+    - ``interconn_stats``
+    - ``interconn_remove_conn``
 
 - The following types/records were deprecated in version 2.6 or below and are
   removed from this release:
@@ -441,6 +443,13 @@ Removed Functionality
     - ``ssl_passphrase``
     - ``suppress_local_output``
     - ``irc_servers``
+    - ``interconn_min_interarrival``
+    - ``interconn_max_interarrival``
+    - ``interconn_max_keystroke_pkt_size``
+    - ``interconn_default_pkt_size``
+    - ``interconn_stat_period``
+    - ``interconn_stat_backoff``
+    - ``interconn_endp_stats``
 
 - The following constants were used as part of deprecated functionality in version 2.6
   or below and are removed from this release:
@@ -486,6 +495,8 @@ Removed Functionality
   This is typically not necessary and it's a problem that is more
   appropriately addressed at the system configuration level.
 
+- Removed the InterConn analyzer.
+
 Deprecated Functionality
 ------------------------
 

scripts/base/frameworks/analyzer/main.zeek

@@ -124,7 +124,6 @@ export {
 	## A set of analyzers to disable by default at startup. The default set
 	## contains legacy analyzers that are no longer supported.
 	global disabled_analyzers: set[Analyzer::Tag] = {
-		ANALYZER_INTERCONN,
 		ANALYZER_STEPPINGSTONE,
 		ANALYZER_BACKDOOR,
 		ANALYZER_TCPSTATS,

scripts/base/init-bare.zeek

@@ -3864,38 +3864,6 @@ const stp_idle_min: interval &redef;
 ## Internal to the stepping stone detector.
 global stp_skip_src: set[addr] &redef;
 
-## Deprecated.
-const interconn_min_interarrival: interval &redef;
-
-## Deprecated.
-const interconn_max_interarrival: interval &redef;
-
-## Deprecated.
-const interconn_max_keystroke_pkt_size: count &redef;
-
-## Deprecated.
-const interconn_default_pkt_size: count &redef;
-
-## Deprecated.
-const interconn_stat_period: interval &redef;
-
-## Deprecated.
-const interconn_stat_backoff: double &redef;
-
-## Deprecated.
-type interconn_endp_stats: record {
-	num_pkts: count;
-	num_keystrokes_two_in_row: count;
-	num_normal_interarrivals: count;
-	num_8k0_pkts: count;
-	num_8k4_pkts: count;
-	is_partial: bool;
-	num_bytes: count;
-	num_7bit_ascii: count;
-	num_lines: count;
-	num_normal_lines: count;
-};
-
 ## Deprecated.
 const backdoor_stat_period: interval &redef;
 

src/NetVar.cc

@@ -125,14 +125,6 @@ double stp_delta;
 double stp_idle_min;
 TableVal* stp_skip_src;
 
-double interconn_min_interarrival;
-double interconn_max_interarrival;
-int interconn_max_keystroke_pkt_size;
-int interconn_default_pkt_size;
-double interconn_stat_period;
-double interconn_stat_backoff;
-RecordType* interconn_endp_stats;
-
 double backdoor_stat_period;
 double backdoor_stat_backoff;
 
@@ -389,14 +381,6 @@ void init_net_var()
 	stp_idle_min = opt_internal_double("stp_idle_min");
 	stp_skip_src = internal_val("stp_skip_src")->AsTableVal();
 
-	interconn_min_interarrival = opt_internal_double("interconn_min_interarrival");
-	interconn_max_interarrival = opt_internal_double("interconn_max_interarrival");
-	interconn_max_keystroke_pkt_size = opt_internal_int("interconn_max_keystroke_pkt_size");
-	interconn_default_pkt_size = opt_internal_int("interconn_default_pkt_size");
-	interconn_stat_period = opt_internal_double("interconn_stat_period");
-	interconn_stat_backoff = opt_internal_double("interconn_stat_backoff");
-	interconn_endp_stats = internal_type("interconn_endp_stats")->AsRecordType();
-
 	backdoor_stat_period = opt_internal_double("backdoor_stat_period");
 	backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff");
 	backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType();

src/NetVar.h

@@ -128,14 +128,6 @@ extern double stp_delta;
 extern double stp_idle_min;
 extern TableVal* stp_skip_src;
 
-extern double interconn_min_interarrival;
-extern double interconn_max_interarrival;
-extern int interconn_max_keystroke_pkt_size;
-extern int interconn_default_pkt_size;
-extern double interconn_stat_period;
-extern double interconn_stat_backoff;
-extern RecordType* interconn_endp_stats;
-
 extern double backdoor_stat_period;
 extern double backdoor_stat_backoff;
 

src/Sessions.cc

@@ -22,8 +22,6 @@
 #include "analyzer/protocol/stepping-stone/events.bif.h"
 #include "analyzer/protocol/backdoor/BackDoor.h"
 #include "analyzer/protocol/backdoor/events.bif.h"
-#include "analyzer/protocol/interconn/InterConn.h"
-#include "analyzer/protocol/interconn/events.bif.h"
 #include "analyzer/protocol/arp/ARP.h"
 #include "analyzer/protocol/arp/events.bif.h"
 #include "Discard.h"

src/analyzer/Manager.cc

@@ -8,7 +8,6 @@
 #include "protocol/backdoor/BackDoor.h"
 #include "protocol/conn-size/ConnSize.h"
 #include "protocol/icmp/ICMP.h"
-#include "protocol/interconn/InterConn.h"
 #include "protocol/pia/PIA.h"
 #include "protocol/stepping-stone/SteppingStone.h"
 #include "protocol/tcp/TCP.h"
@@ -89,7 +88,6 @@ void Manager::InitPreScript()
 	// Cache these tags.
 	analyzer_backdoor = GetComponentTag("BACKDOOR");
 	analyzer_connsize = GetComponentTag("CONNSIZE");
-	analyzer_interconn = GetComponentTag("INTERCONN");
 	analyzer_stepping = GetComponentTag("STEPPINGSTONE");
 	analyzer_tcpstats = GetComponentTag("TCPSTATS");
 	}
@@ -466,11 +464,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn)
 			// can handle both reassembled and non-reassembled input.
 			tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false);
 
-		if ( IsEnabled(analyzer_interconn) )
-			// Add a InterConn analyzer if requested.  This analyzer
-			// can handle both reassembled and non-reassembled input.
-			tcp->AddChildAnalyzer(new interconn::InterConn_Analyzer(conn), false);
-
 		if ( IsEnabled(analyzer_stepping) )
 			{
 			// Add a SteppingStone analyzer if requested.  The port

src/analyzer/Manager.h

@@ -357,7 +357,6 @@ private:
 
 	Tag analyzer_backdoor;
 	Tag analyzer_connsize;
-	Tag analyzer_interconn;
 	Tag analyzer_stepping;
 	Tag analyzer_tcpstats;
 

src/analyzer/protocol/CMakeLists.txt

@@ -18,7 +18,6 @@ add_subdirectory(http)
 add_subdirectory(icmp)
 add_subdirectory(ident)
 add_subdirectory(imap)
-add_subdirectory(interconn)
 add_subdirectory(irc)
 add_subdirectory(krb)
 add_subdirectory(login)

src/analyzer/protocol/interconn/CMakeLists.txt

@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek InterConn)
-zeek_plugin_cc(InterConn.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()

src/analyzer/protocol/interconn/InterConn.cc

@@ -1,274 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek-config.h"
-
-#include "InterConn.h"
-#include "Event.h"
-#include "Net.h"
-#include "analyzer/protocol/tcp/TCP.h"
-
-#include "events.bif.h"
-
-using namespace analyzer::interconn;
-
-InterConnEndpoint::InterConnEndpoint(tcp::TCP_Endpoint* e)
-	{
-	endp = e;
-	max_top_seq = 0;
-	num_pkts = num_keystrokes_two_in_a_row = num_normal_interarrivals =
-		num_8k0_pkts = num_8k4_pkts = num_bytes = num_7bit_ascii =
-			num_lines = num_normal_lines = 0;
-	is_partial = keystroke_just_seen = 0;
-	last_keystroke_time = 0.0;
-	}
-
-#define NORMAL_LINE_LENGTH 80
-
-int InterConnEndpoint::DataSent(double t, uint64 seq, int len, int caplen,
-		const u_char* data, const IP_Hdr* /* ip */,
-		const struct tcphdr* /* tp */)
-	{
-	if ( caplen < len )
-		len = caplen;
-
-	if ( len <= 0 )
-		return 0;
-
-	if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL )
-		is_partial = 1;
-
-	uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
-	uint64 top_seq = seq + len;
-
-	if ( top_seq <= ack || top_seq <= max_top_seq )
-		// There is no new data in this packet
-		return 0;
-
-	if ( seq < max_top_seq )
-		{ // Only consider new data
-		int64 amount_seen = max_top_seq - seq;
-		seq += amount_seen;
-		data += amount_seen;
-		len -= amount_seen;
-		}
-
-	if ( max_top_seq && seq > max_top_seq )
-		// We've got a pkt above a hole
-		num_pkts += EstimateGapPacketNum(seq - max_top_seq);
-
-	++num_pkts;
-	max_top_seq = top_seq;
-
-	// Count the bytes.
-	num_bytes += len;
-
-	int last_char = 0;
-	int offset = 0;	// where we consider the latest line to have begun
-
-	for ( int i = 0; i < len; ++i )
-		{
-		unsigned int c = data[i];
-
-		if ( c == '\n' && last_char == '\r' )
-			{
-			// Compress CRLF to just one line termination.
-			last_char = c;
-			continue;
-			}
-
-		if ( c == '\n' || c == '\r' )
-			{
-			++num_lines;
-			if ( i - offset <= NORMAL_LINE_LENGTH )
-				++num_normal_lines;
-			offset = i;
-			}
-
-		else if ( c != 0 && c < 128 )
-			++num_7bit_ascii;
-
-		last_char = c;
-		}
-
-	if ( IsPotentialKeystrokePacket(len) )
-		{
-		if ( keystroke_just_seen )
-			{
-			++num_keystrokes_two_in_a_row;
-
-			if ( IsNormalKeystrokeInterarrival(t - last_keystroke_time) )
-				++num_normal_interarrivals;
-			}
-		else
-			keystroke_just_seen = 1;
-
-		// Look for packets matching the SSH signature of
-		// being either 0 or 4 modulo 8.
-		switch ( len & 7 ) {
-		case 0:
-			if ( len >= 16 )
-				++num_8k0_pkts;
-			break;
-
-		case 4:
-			++num_8k4_pkts;
-			break;
-		}
-
-		last_keystroke_time = t;
-		}
-	else
-		keystroke_just_seen = 0;
-
-	return 1;
-	}
-
-RecordVal* InterConnEndpoint::BuildStats()
-	{
-	RecordVal* stats = new RecordVal(interconn_endp_stats);
-
-	stats->Assign(0, val_mgr->GetCount(num_pkts));
-	stats->Assign(1, val_mgr->GetCount(num_keystrokes_two_in_a_row));
-	stats->Assign(2, val_mgr->GetCount(num_normal_interarrivals));
-	stats->Assign(3, val_mgr->GetCount(num_8k0_pkts));
-	stats->Assign(4, val_mgr->GetCount(num_8k4_pkts));
-	stats->Assign(5, val_mgr->GetBool(is_partial));
-	stats->Assign(6, val_mgr->GetCount(num_bytes));
-	stats->Assign(7, val_mgr->GetCount(num_7bit_ascii));
-	stats->Assign(8, val_mgr->GetCount(num_lines));
-	stats->Assign(9, val_mgr->GetCount(num_normal_lines));
-
-	return stats;
-	}
-
-int InterConnEndpoint::EstimateGapPacketNum(int gap) const
-	{
-	return (gap + interconn_default_pkt_size - 1) / interconn_default_pkt_size;
-	}
-
-int InterConnEndpoint::IsPotentialKeystrokePacket(int len) const
-	{
-	return len <= interconn_max_keystroke_pkt_size;
-	}
-
-int InterConnEndpoint::IsNormalKeystrokeInterarrival(double t) const
-	{
-	return interconn_min_interarrival <= t && t <= interconn_max_interarrival;
-	}
-
-InterConn_Analyzer::InterConn_Analyzer(Connection* c)
-: tcp::TCP_ApplicationAnalyzer("INTERCONN", c)
-	{
-	orig_endp = resp_endp = 0;
-	orig_stream_pos = resp_stream_pos = 1;
-
-	timeout = backdoor_stat_period;
-	backoff = backdoor_stat_backoff;
-
-	c->GetTimerMgr()->Add(new InterConnTimer(network_time + timeout, this));
-	}
-
-InterConn_Analyzer::~InterConn_Analyzer()
-	{
-	Unref(orig_endp);
-	Unref(resp_endp);
-	}
-
-void InterConn_Analyzer::Init()
-	{
-	tcp::TCP_ApplicationAnalyzer::Init();
-
-	assert(TCP());
-	orig_endp = new InterConnEndpoint(TCP()->Orig());
-	resp_endp = new InterConnEndpoint(TCP()->Resp());
-	}
-
-void InterConn_Analyzer::DeliverPacket(int len, const u_char* data,
-			bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
-	{
-	tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig,
-						seq, ip, caplen);
-
-	if ( is_orig )
-		orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
-	else
-		resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0);
-	}
-
-void InterConn_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
-	{
-	tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
-
-	if ( is_orig )
-		{
-		orig_endp->DataSent(network_time, orig_stream_pos, len, len, data, 0, 0);
-		orig_stream_pos += len;
-		}
-
-	else
-		{
-		resp_endp->DataSent(network_time, resp_stream_pos, len, len, data, 0, 0);
-		resp_stream_pos += len;
-		}
-	}
-
-void InterConn_Analyzer::Done()
-	{
-	if ( ! IsFinished() )
-		{
-		if ( ! Conn()->Skipping() )
-			StatEvent();
-
-		RemoveEvent();
-		}
-
-	tcp::TCP_ApplicationAnalyzer::Done();
-	}
-
-void InterConn_Analyzer::StatTimer(double t, int is_expire)
-	{
-	if ( IsFinished() || Conn()->Skipping() )
-		return;
-
-	StatEvent();
-
-	if ( ! is_expire )
-		{
-		timeout *= backoff;
-		timer_mgr->Add(new InterConnTimer(t + timeout, this));
-		}
-	}
-
-void InterConn_Analyzer::StatEvent()
-	{
-	if ( interconn_stats )
-		Conn()->ConnectionEventFast(interconn_stats, this, {
-			Conn()->BuildConnVal(),
-			orig_endp->BuildStats(),
-			resp_endp->BuildStats(),
-		});
-	}
-
-void InterConn_Analyzer::RemoveEvent()
-	{
-	if ( interconn_remove_conn )
-		Conn()->ConnectionEventFast(interconn_remove_conn, this, {Conn()->BuildConnVal()});
-	}
-
-InterConnTimer::InterConnTimer(double t, InterConn_Analyzer* a)
-: Timer(t, TIMER_INTERCONN)
-	{
-	analyzer = a;
-	// Make sure connection does not expire.
-	Ref(a->Conn());
-	}
-
-InterConnTimer::~InterConnTimer()
-	{
-	Unref(analyzer->Conn());
-	}
-
-void InterConnTimer::Dispatch(double t, int is_expire)
-	{
-	analyzer->StatTimer(t, is_expire);
-	}

src/analyzer/protocol/interconn/InterConn.h

@@ -1,88 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#ifndef ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
-#define ANALYZER_PROTOCOL_INTERCONN_INTERCONN_H
-
-#include "analyzer/protocol/tcp/TCP.h"
-#include "Timer.h"
-#include "NetVar.h"
-
-namespace analyzer { namespace interconn {
-
-class InterConnEndpoint : public BroObj {
-public:
-	explicit InterConnEndpoint(tcp::TCP_Endpoint* e);
-
-	int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data,
-		     const IP_Hdr* ip, const struct tcphdr* tp);
-
-	RecordVal* BuildStats();
-
-protected:
-	int EstimateGapPacketNum(int gap) const;
-	int IsPotentialKeystrokePacket(int len) const;
-	int IsNormalKeystrokeInterarrival(double t) const;
-
-	tcp::TCP_Endpoint* endp;
-	double last_keystroke_time;
-	uint64 max_top_seq;
-	uint32 num_pkts;
-	uint32 num_keystrokes_two_in_a_row;
-	uint32 num_normal_interarrivals;
-	uint32 num_8k4_pkts;
-	uint32 num_8k0_pkts;
-	uint32 num_bytes;
-	uint32 num_7bit_ascii;
-	uint32 num_lines;
-	uint32 num_normal_lines;
-	int is_partial;
-	int keystroke_just_seen;
-};
-
-
-class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer {
-public:
-	explicit InterConn_Analyzer(Connection* c);
-	~InterConn_Analyzer() override;
-
-	void Init() override;
-	void Done() override;
-	void StatTimer(double t, int is_expire);
-
-	static analyzer::Analyzer* Instantiate(Connection* conn)
-		{ return new InterConn_Analyzer(conn); }
-
-protected:
-	// We support both packet and stream input and can be put in place even
-	// if the TCP analyzer is not yet reassembling.
-	void DeliverPacket(int len, const u_char* data, bool is_orig,
-					uint64 seq, const IP_Hdr* ip, int caplen) override;
-	void DeliverStream(int len, const u_char* data, bool is_orig) override;
-
-	void StatEvent();
-	void RemoveEvent();
-
-	InterConnEndpoint* orig_endp;
-	InterConnEndpoint* resp_endp;
-
-	int orig_stream_pos;
-	int resp_stream_pos;
-
-	double timeout;
-	double backoff;
-};
-
-class InterConnTimer : public Timer {
-public:
-	InterConnTimer(double t, InterConn_Analyzer* a);
-	~InterConnTimer() override;
-
-	void Dispatch(double t, int is_expire) override;
-
-protected:
-	InterConn_Analyzer* analyzer;
-};
-
-} } // namespace analyzer::* 
-
-#endif

src/analyzer/protocol/interconn/Plugin.cc

@@ -1,25 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-
-#include "plugin/Plugin.h"
-
-#include "InterConn.h"
-
-namespace plugin {
-namespace Zeek_InterConn {
-
-class Plugin : public plugin::Plugin {
-public:
-	plugin::Configuration Configure()
-		{
-		AddComponent(new ::analyzer::Component("InterConn", ::analyzer::interconn::InterConn_Analyzer::Instantiate));
-
-		plugin::Configuration config;
-		config.name = "Zeek::InterConn";
-		config.description = "InterConn analyzer deprecated";
-		return config;
-		}
-} plugin;
-
-}
-}

src/analyzer/protocol/interconn/events.bif

@@ -1,8 +0,0 @@
-# ##### Deprecated events. Proposed for removal.
-
-## Deprecated. Will be removed.
-event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
-
-## Deprecated. Will be removed.
-event interconn_remove_conn%(c: connection%);
-

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -85,7 +85,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -85,7 +85,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_InterConn.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek

testing/btest/Baseline/plugins.hooks/output

@@ -1,5 +1,4 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
@@ -66,7 +65,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
@@ -278,7 +276,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -459,7 +457,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -605,7 +603,6 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Zeek_Login.events.bif.zeek) -> -1
@@ -896,7 +893,6 @@
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
-0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -963,7 +959,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_BACKDOOR))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_INTERCONN))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -1175,7 +1170,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1356,7 +1351,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1502,7 +1497,6 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_IMAP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_IRC.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Ident.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_InterConn.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_KRB.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Zeek_Login.events.bif.zeek)
@@ -1793,7 +1787,6 @@
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -1860,7 +1853,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -2071,7 +2063,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2252,7 +2244,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2398,7 +2390,6 @@
 0.000000 | HookLoadFile  .<...>/Zeek_IMAP.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_IRC.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_Ident.events.bif.zeek
-0.000000 | HookLoadFile  .<...>/Zeek_InterConn.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_KRB.events.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  .<...>/Zeek_Login.events.bif.zeek
@@ -2684,7 +2675,7 @@
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif.zeek
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1560631035.263667, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()