From 574bcb0a51b18d1e209f75f89bbe8ee4b9e6306a Mon Sep 17 00:00:00 2001 
From: Johanna Amann
Date: Tue, 21 Jul 2015 11:57:16 -0700
Subject: [PATCH 1/3] Add simple XMPP StartTLS analyzer.
This is a very simple XMPP analyzer that basically only can parse the protocol until the client and server start negotiating a TLS session. At that point, the TLS analyzer is attached. While the basic case seems to be working, I fully expect that I missed something and that this might break in a lot of cases.
---
 scripts/base/init-default.bro | 1 +
 scripts/base/protocols/xmpp/README | 5 +
 scripts/base/protocols/xmpp/__load__.bro | 1 +
 scripts/base/protocols/xmpp/main.bro | 11 +++
 src/analyzer/protocol/CMakeLists.txt | 1 +
 src/analyzer/protocol/xmpp/CMakeLists.txt | 11 +++
 src/analyzer/protocol/xmpp/Plugin.cc | 26 ++++++
 src/analyzer/protocol/xmpp/XMPP.cc | 87 ++++++++++++++++++
 src/analyzer/protocol/xmpp/XMPP.h | 38 ++++++++
 src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 41 +++++++++
 src/analyzer/protocol/xmpp/xmpp-protocol.pac | 17 ++++
 src/analyzer/protocol/xmpp/xmpp.pac | 35 +++++++
 .../conn.log | 10 ++
 .../ssl.log | 10 ++
 .../x509.log | 11 +++
 testing/btest/Traces/tls/xmpp-starttls.pcap | Bin 0 -> 8174 bytes
 .../scripts/base/protocols/xmpp/starttls.test | 9 ++
 17 files changed, 314 insertions(+)
 create mode 100644 scripts/base/protocols/xmpp/README
 create mode 100644 scripts/base/protocols/xmpp/__load__.bro
 create mode 100644 scripts/base/protocols/xmpp/main.bro
 create mode 100644 src/analyzer/protocol/xmpp/CMakeLists.txt
 create mode 100644 src/analyzer/protocol/xmpp/Plugin.cc
 create mode 100644 src/analyzer/protocol/xmpp/XMPP.cc
 create mode 100644 src/analyzer/protocol/xmpp/XMPP.h
 create mode 100644 src/analyzer/protocol/xmpp/xmpp-analyzer.pac
 create mode 100644 src/analyzer/protocol/xmpp/xmpp-protocol.pac
 create mode 100644 src/analyzer/protocol/xmpp/xmpp.pac
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log
 create mode 
100644 testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log
 create mode 100644 testing/btest/Traces/tls/xmpp-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/xmpp/starttls.test
diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro
index 473d94fc84..7e921a6831 100644
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@@ -59,6 +59,7 @@
 @load base/protocols/ssl
 @load base/protocols/syslog
 @load base/protocols/tunnels
+@load base/protocols/xmpp
 @load base/files/pe
 @load base/files/hash
diff --git a/scripts/base/protocols/xmpp/README b/scripts/base/protocols/xmpp/README
new file mode 100644
index 0000000000..3d2194ef3d
--- /dev/null
+++ b/scripts/base/protocols/xmpp/README
@@ -0,0 +1,5 @@
+Support for the Extensible Messaging and Presence Protocol (XMPP).
+
+Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+actual chat information from XMPP sessions, only X509 certificates.
diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.bro
new file mode 100644
index 0000000000..a10fe855df
--- /dev/null
+++ b/scripts/base/protocols/xmpp/__load__.bro
@@ -0,0 +1 @@
+@load ./main
diff --git a/scripts/base/protocols/xmpp/main.bro b/scripts/base/protocols/xmpp/main.bro
new file mode 100644
index 0000000000..3d7a4cbc37
--- /dev/null
+++ b/scripts/base/protocols/xmpp/main.bro
@@ -0,0 +1,11 @@
+
+module XMPP;
+
+const ports = { 5222/tcp, 5269/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports);
+ }
+
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 467fce83ee..d19b2ac042 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
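Review bot: `const ports = { 5222/tcp, 5269/tcp };` in main.bro is declared without `&redef`, so a site whose XMPP servers listen on other ports cannot extend the set without editing the base script; as far as I recall the other base protocol scripts declare their port set as `const ports = { 5222/tcp, 5269/tcp } &redef;`. Because both `redef likely_server_ports += { ports };` and `Analyzer::register_for_ports(...)` read this one set, making it redefinable extends both at once. A short comment above the constant noting that 5222 is the client-to-server and 5269 the server-to-server port would also help readers, since the README hunk only says the analyzer is StartTLS-only.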
@@ -43,4 +43,5 @@ add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
 add_subdirectory(udp)
+add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt
new file mode 100644
index 0000000000..408f01d47c
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/CMakeLists.txt
@@ -0,0 +1,11 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro XMPP)
+bro_plugin_cc(Plugin.cc)
+bro_plugin_cc(XMPP.cc)
+bro_plugin_pac(xmpp.pac xmpp-analyzer.pac xmpp-protocol.pac)
+bro_plugin_end()
+
diff --git a/src/analyzer/protocol/xmpp/Plugin.cc b/src/analyzer/protocol/xmpp/Plugin.cc
new file mode 100644
index 0000000000..b4332b447b
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/Plugin.cc
@@ -0,0 +1,26 @@
+// See the file in the main distribution directory for copyright.
+
+
+#include "plugin/Plugin.h"
+
+#include "XMPP.h"
+
+namespace plugin {
+namespace Bro_XMPP {
+
+class Plugin : public plugin::Plugin {
+public:
+ plugin::Configuration Configure()
+ {
+ AddComponent(new ::analyzer::Component("XMPP", ::analyzer::xmpp::XMPP_Analyzer::Instantiate));
+
+
+ plugin::Configuration config;
+ config.name = "Bro::XMPP";
+ config.description = "XMPP analyzer StartTLS only";
+ return config;
+ }
+} plugin;
+
+}
+}
diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc
new file mode 100644
index 0000000000..c84c372c4d
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
@@ -0,0 +1,87 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "XMPP.h"
+#include "analyzer/protocol/tcp/TCP_Reassembler.h"
+#include "analyzer/Manager.h"
+
+using namespace analyzer::xmpp;
+
+XMPP_Analyzer::XMPP_Analyzer(Connection* conn)
+ : tcp::TCP_ApplicationAnalyzer("XMPP", conn)
+ {
+ interp = new binpac::XMPP::XMPP_Conn(this);
+ had_gap = false;
+ tls_active = false;
+ }
+
+XMPP_Analyzer::~XMPP_Analyzer()
+ {
+ delete interp;
+ }
+
+void XMPP_Analyzer::Done()
+ {
+ tcp::TCP_ApplicationAnalyzer::Done();
+
+ interp->FlowEOF(true);
+ interp->FlowEOF(false);
+ }
+
+void XMPP_Analyzer::EndpointEOF(bool is_orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::EndpointEOF(is_orig);
+ interp->FlowEOF(is_orig);
+ }
+
+void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
+
+ if ( tls_active )
+ {
+ // If TLS has been initiated, forward to child and abort further
+ // processing
+ ForwardStream(len, data, orig);
+ return;
+ }
+
+ assert(TCP());
+ if ( TCP()->IsPartial() )
+ return;
+
+ if ( had_gap )
+ // If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can
+ // handle this.
+ return;
+
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( const binpac::Exception& e )
+ {
+ printf("BinPAC Exception: %s\n", e.c_msg());
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
+ }
+
+void XMPP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
+ {
+ tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
+ interp->NewGap(orig, len);
+ }
+
+void XMPP_Analyzer::StartTLS()
+ {
+ // StartTLS was called. This means we saw a client starttls followed
+ // by a server proceed. From here on, everything should be a binary
+ // TLS datastream.
+
+ tls_active = true;
+
+ Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+ if ( ssl )
+ AddChildAnalyzer(ssl);
+ }
diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h
new file mode 100644
index 0000000000..628be7bb2d
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/XMPP.h
@@ -0,0 +1,38 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_XMPP_XMPP_H
+#define ANALYZER_PROTOCOL_XMPP_XMPP_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+
+#include "xmpp_pac.h"
+
+namespace analyzer { namespace xmpp {
+
+class XMPP_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+ XMPP_Analyzer(Connection* conn);
+ virtual ~XMPP_Analyzer();
+
+ virtual void Done();
+ virtual void DeliverStream(int len, const u_char* data, bool orig);
+ virtual void Undelivered(uint64 seq, int len, bool orig);
+
+ // Overriden from tcp::TCP_ApplicationAnalyzer.
+ virtual void EndpointEOF(bool is_orig);
+
+ void StartTLS();
+
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ { return new XMPP_Analyzer(conn); }
+
+protected:
+ binpac::XMPP::XMPP_Conn* interp;
+ bool had_gap;
+
+ bool tls_active;
+};
+
+} } // namespace analyzer::*
+
+#endif /* ANALYZER_PROTOCOL_XMPP_XMPP_H */
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
new file mode 100644
index 0000000000..a4417e1601
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
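Review bot: `StartTLS()` has no re-entry guard: it unconditionally sets `tls_active` and attaches a freshly instantiated SSL child, while `DeliverStream` only stops feeding the binpac parser on the *next* delivery, so a single delivered chunk carrying more than one `proceed` token (the pac code never clears `client_starttls`) would attach a second SSL analyzer to the same connection. Adding `if ( tls_active ) return;` as the first statement of `StartTLS()` closes that and makes the function safe to call from any future path. Relatedly, bytes that follow the `proceed` tag inside the same chunk are still handed to the XML parser rather than to the new child, because the whole chunk was passed to `interp->NewData` before `tls_active` became true — probably harmless with well-behaved peers, but a comment on `DeliverStream` such as `// the switch to TLS takes effect from the next delivered chunk` would make the hand-over point explicit. The `had_gap` branch comment describes what could be done rather than what is done; stating that parsing stops for the rest of the connection after any gap would be clearer.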
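Review bot: `XMPP_Analyzer(Connection* conn);` is a single-argument constructor without `explicit`, so a `Connection*` converts to an `XMPP_Analyzer` implicitly; `explicit XMPP_Analyzer(Connection* conn);` expresses that instances are only meant to be created through `Instantiate`. The comment `// Overriden from tcp::TCP_ApplicationAnalyzer.` has a typo (`Overridden`) and applies just as much to `Done`, `DeliverStream` and `Undelivered` above it, so it belongs above the first override. The two state flags drive the whole behaviour of XMPP.cc and deserve one line each, e.g. `bool had_gap; // set by Undelivered(); no further data is parsed once set` and `bool tls_active; // set by StartTLS(); all further data is forwarded to the SSL child`.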
@@ -0,0 +1,41 @@
+refine connection XMPP_Conn += {
+
+ %member{
+ bool client_starttls;
+ %}
+
+ %init{
+ client_starttls = false;
+ %}
+
+ function proc_xmpp_token(is_orig: bool, name: bytestring, rest: bytestring): bool
+ %{
+ string token = std_str(name);
+
+ if ( is_orig && token == "stream:stream" )
+ // Yup, looks like xmpp...
+ bro_analyzer()->ProtocolConfirmation();
+
+ if ( token == "success" || token == "message" )
+ // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
+ bro_analyzer()->SetSkip(true);
+
+ if ( is_orig && token == "starttls" )
+ client_starttls = true;
+
+ if ( !is_orig && token == "proceed" && client_starttls )
+ {
+ bro_analyzer()->StartTLS();
+ }
+
+ //printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
+
+ return true;
+ %}
+
+};
+
+refine typeattr XMPP_TOKEN += &let {
+ proc: bool = $context.connection.proc_xmpp_token(is_orig, name, rest);
+};
+
diff --git a/src/analyzer/protocol/xmpp/xmpp-protocol.pac b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
new file mode 100644
index 0000000000..e05268fe32
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
@@ -0,0 +1,17 @@
+type XML_START = RE//;
+type XML_NAME = RE/\/?[?:[:alnum:]]+/;
+type XML_REST = RE/[^<>]*/;
+type SPACING = RE/[ \r\n]*/;
+
+type XMPP_PDU(is_orig: bool) = XMPP_TOKEN(is_orig)[] &until($input.length() == 0);
+
+type XMPP_TOKEN(is_orig: bool) = record {
+ : SPACING;
+ : XML_START;
+name: XML_NAME;
+rest: XML_REST;
+ : XML_END;
+ : SPACING;
+};
+
diff --git a/src/analyzer/protocol/xmpp/xmpp.pac b/src/analyzer/protocol/xmpp/xmpp.pac
new file mode 100644
index 0000000000..42ec85f0cc
--- /dev/null
+++ b/src/analyzer/protocol/xmpp/xmpp.pac
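Review bot: `proc_xmpp_token` calls `bro_analyzer()->ProtocolConfirmation()` on the first originator `stream:stream` token alone, before anything has been seen from the responder, so a client that opens an XMPP stream towards a port that never answers in XMPP is still confirmed and the connection logged with service `xmpp`; if the confirmation is meant to be two-sided, a second `%member` flag mirroring `client_starttls` for the responder's `stream:stream`, with the confirmation issued once both are set, is a small change. The commented-out `//printf("Processed: ...")` line is leftover debugging and should be removed. `rest` is passed into the function but only referenced from that dead line, so either drop it from the signature and the `&let` in `XMPP_TOKEN`, or add a comment saying it is kept for future attribute parsing. The skip condition `token == "success" || token == "message"` would benefit from a comment explaining why these two tokens mean StartTLS can no longer follow, since later patches in this series grow the list.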
@@ -0,0 +1,35 @@
+# binpac file for the XMPP analyzer.
+# Note that we currently do not even try to parse the protocol
+# completely -- this is only supposed to be able to parse xmpp
+# till StartTLS does (or does not) kick in.
+
+%include binpac.pac
+%include bro.pac
+
+%extern{
+namespace analyzer { namespace xmpp { class XMPP_Analyzer; } }
+namespace binpac { namespace XMPP { class XMPP_Conn; } }
+typedef analyzer::xmpp::XMPP_Analyzer* XMPPAnalyzer;
+
+#include "XMPP.h"
+%}
+
+extern type XMPPAnalyzer;
+
+analyzer XMPP withcontext {
+ connection: XMPP_Conn;
+ flow: XMPP_Flow;
+};
+
+connection XMPP_Conn(bro_analyzer: XMPPAnalyzer) {
+ upflow = XMPP_Flow(true);
+ downflow = XMPP_Flow(false);
+};
+
+%include xmpp-protocol.pac
+
+flow XMPP_Flow(is_orig: bool) {
+ datagram = XMPP_PDU(is_orig) withcontext(connection, this);
+};
+
+%include xmpp-analyzer.pac
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log
new file mode 100644
index 0000000000..2f5bd2f66d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2015-07-21-18-55-16
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1437091701.732171 CXWv6p3arKYeMETxOg 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF - - 0 ShADadfFr 19 1676 15 5442 (empty)
+#close 2015-07-21-18-55-16
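Review bot: `datagram = XMPP_PDU(is_orig) withcontext(connection, this);` makes the flow parse each chunk that `DeliverStream` passes to `interp->NewData` as one complete `XMPP_PDU`, and `XMPP_PDU` is `XMPP_TOKEN(is_orig)[] &until($input.length() == 0)`, so — if I read binpac's datagram semantics correctly — a tag that straddles two TCP segments cannot be matched by the `XML_*` regexes and raises a binpac exception, which XMPP.cc turns into `ProtocolViolation`. If DPD then removes the analyzer, a later `proceed` is never seen, the SSL child is never attached, and an otherwise ordinary connection does not reach ssl.log; the same applies to any XML the grammar does not cover (comments, CDATA) arriving before StartTLS. A buffering `flowunit` flow would be the robust fix but is a larger change; at minimum the header comment should state that parsing is per-delivered-chunk and that a parse failure before StartTLS leaves the TLS session unanalyzed, so the limitation is visible to whoever extends this file.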
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log
new file mode 100644
index 0000000000..f67ea92631
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2015-07-21-18-55-16
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1437091702.232293 CXWv6p3arKYeMETxOg 198.128.203.95 56048 146.255.57.229 5222 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa (empty) CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA - -
+#close 2015-07-21-18-55-16
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log
new file mode 100644
index 0000000000..4a49298e8a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/x509.log
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path x509
+#open 2015-07-21-18-55-16
+#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
+#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
+1437091702.407347 F5Nz2G1vSZQ0QXM2s8 3 0DF4F2 CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA 1382043019.000000 1445115019.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - jabber.ccc.de,conference.jabber.ccc.de,jabberd.jabber.ccc.de,pubsub.jabber.ccc.de,vjud.jabber.ccc.de - - - F -
+1437091702.407347 FUw8omi2keRxShDUa 3 00 emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA 1049027389.000000 1995712189.000000 rsaEncryption md5WithRSAEncryption rsa 4096 65537 - - - - - T -
+#close 2015-07-21-18-55-16
diff --git a/testing/btest/Traces/tls/xmpp-starttls.pcap b/testing/btest/Traces/tls/xmpp-starttls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b4a7ee61e10d771d4783cdc9f369b5d410c60f52 GIT binary patch literal 8174 zcmc&(c|4Tc|39-B3}fGlGDt%*^Vs)2kw`*myOuE++c1kFW%))$Dr=O=5|vb_v|de{ z7L}WP%ayKMT@o#p(53P_&sc8g-tX`G*VpTHUgkN^dEV#qd7t;^^LfsBns3$=V*wsa z{*8?RfPoi0r{msYi^aeS_#16eNkSPX!DhYd^)@#|fFl65HXgRXmQYwypV;7=HD=b) z+A9~t7%jMiB2{6>#*BLbz~Y6@VQ@Gh3`T^gYr1_1y@$t+qX*ZJfD61v+c@s{90GJp zI02v$-VLM3=nQf}t-T%P@0Y_F?iR_I?%N`ZqT{RZSP|lL)i*R09nK_-+T8|`?I9}K zX4!4HcspwMnJqKyz6;S^6Q!h-emMgf5ZIe?07XU-W6zSnMTmyBS%?)0VkqK2x|ZkU=5GFxVU>E7FRhM@1;sF{mHI4=s#kc{be+gSgIu1Q~~-2ZP$WCmJM3=9p;j7&@oO-(7}AT}#v67F{xfWfZN#=qW{#+iL!9l6?XLGsXoJkS!*pcQ;1~pSPV2p6M;7-}5Bdx2Bvvx;Hhkpv!O%z+wm{`b? zRqGd$4x_B{1)!FX@E7y7_zU=Qd?F|VrJxub0bw8%FhK|~1E#0QP)6zAj&zugRC-<3S;?1T>Hb?0_&|nlH>3=VO5o!1HDJB0vGi0x3Y^llVA5 z1oA)zNCI&n3dXRIDQ_SK@Hl|M!dog}E>Hw>;D2SH1b-_42|$AP(ZNKZ0o6hRWH6tA zAz%rxjtgOhaCi(Ji^t(GI4ll_#bB{m90bQ;(DlG;6F|2R5VV;p6KW$Wp(=YZqZ)i% z%NRX)2G*CjYA6o0^1{_U1y$CmfWrZ6ECA*>ocD33m|g$Qo}XJTf9&AN22b3w4epPM zetrE&xr?VoISMc>~1%078e5WT65i8JAQfFdRqv)Q^w| zqKi_UQ-?_yjF1pOV)djD2?EX=Pm~p2#bR;E4t9F;5f!vYOjdp(+o73@?oVg1xoBn9 zQ%A_?eVptZ2RpI@>?M0LgCm)d!DKrgH-yDza%1(>5Y?%PL@^3799~oui_NwD3kI35 zNYXRVL-b7a5hFy;Y#qEb`tA}5*AqiT(TNDM*d>mWc8bUfJNrij@Sq(NmJ9#YgU%}O zMadz=pT!|Nup**(Xs&b!=LL`%)YViy1w?M#c+x};AAfs5k}>MvbAu5AxMYkZfc->l zG6nS1I^*z1O)rV&k_}vT=Qw#Pc7ms4iUB4{O`&uZ|)=Z%SHyd2X}2>K|Hn zPqw)(Ut=cIFEzwzx*y+v_NgirtHq-aEo+_YWAvoL`Yv70Poe(KT)DUBSoZqQMJ`%~ z?`vCOOX+sE*J559blA3boxjWIg~zHNl%4_n9{;jqfrUZ%{T2F-DLPJwzOGI8PRX8N*`{AP~?zN%RU2gXB13h~Cx2>moV?5gh{5 znJ^AJ^$SA~^-Fceq<*%?V+cfe8;?mgA>wd|!Q>DO22VjW5sk@f1e2;bp+pv)6ZM@G zX^0*=l`4J_qJ=ChT2Q2(N}d==XNP}3kj;o;g)ykG7vZ3fNaMqi(B$bFNLHe=B7+!g zMkJjv`6fE9j%4|XB0Zy9E{Yex;RVd-m5B-E1y1k#URp5haLF()*=!cgXjP1pJFZ&y zawzP2SN3D8Dw7?E&ebq!za{M79&(~Bws-2rJ_-%*j7gE`c&~`f7BO+-@akCB$iC0p 
zwNs?>G<=6vHlKD)ao$>~690Hh=>ts3#nd`}a7oGB+8pytx3`UcFWmFaJ{cyz_cftlzNqYu+w@8D+1fM1pDifX9dB9ha~N zBiDu41#djdbSf&Rd?*Xwt&j6_wq7=D@5LRZouys%k2sr>Ql95=aMSrL>Q;mGef{fJ z>i+Wa9;MhhQ+DX0rBs7u^!7W_SJpTuonAw_9kgVdv9@%UZE)}V`qvwOS|ohDl&QCg z@2JLex;S>ppPGrv3zpXQ}X zIp@_YpGWvS(iFZ*>RHTs{B2o-PMi5#BU;>Z6Y7{g$1cfc%ps0Cwq!JH_=&f3#hvQP z?hkW30$0UGK2`ccx|0ip?T}<)E12~)$1^?#d@nrw|2*F#28e+HqNlHKW{Bo{_}f6= zY~u2NS&EXevy(p-P5xMz{9&j*Qs=)~y7is0mhj5F{vre0-OKwdf^76U!m!5ApT-aM z?cBR!ld+Ip?w_K)GL1`9Ier%+w{`J-0#84zI_0P+P9F&-c0FynX8k7rRQ z8^hIpJ52ud^1~o~6ZXik$l#raKKJ&#k@%_G`kP9z98o?zb^H3jpha;fmV3qy?kw5z zfkyP#$*9@pwz^FAU3Y8N;mRd;^L_jnLP4MTOMY(18MfahHp~dg_YmqG5X!{QQ&voV zcX!Q|n_+P~`>NOvG}n_e-zi{a_UgY?RC501jt~`#*k9Bv6biGcFhADg={(%kR4bg{ zrd)5BkZ?~WIZnt&M`ZngX~{{&jY0SFpBX;#)|9<9g!&?V`AMJ4w2bcDV?{T; zc9o4jPxnwiRCBXVx^8i1YI@%0Q{*RUw7E9*zj!cqs8!FwFcKV9b_~Y3Or9%7>(z^9J)TFbSFJFTlzNNqUts!dpyRL)LfdG;h1-d#bC4?K*(z zSWdonpnT2!On^x*=Bb&Sr;~!Mm%2xhgCE^~y7oEt_ui(4hnE8`?6d27LHOC3e1xeIMK?N5=;67js(MLN} z@j8e$LMhTL(nwW9D=7z_%}js&qkUIOk*Qja!Q(X){vS^m{`G_io}!@n!#7MCGcu5| znHm)mWdqMG^blnAUr&+n%M_fvSma;^mmJIDvB|7Wk!1AMlo`aN`*RuOAQqdvbd{qc zIfUUKNM^x9A$V3a`BpI9l^MxVP?fdrd?-xDUfz%>bKi(KFNw7)wBSL1h-AXCml-~} zXy$iB2>-CFyOEFX!R7={--8`I(@{QhB2h}R>6*pl9&ASz`reNs8ki73A`b5AV4Jy% zz_E#Q(OS}eYhxM-{c}Iz=Du~6=lzBX95AIjqY4iN96Gw=Ot23L zF}CPD<@}_9i%pHTex-v8=`#$lU25Ukt@WvLG$_|I&28gXi(mbo-H&BjR5P;5>ywf< z6h7>6!=#n9OM6$y-&Zx^C+A1`KM#%1E8Ro&vUXQHvF~GB^0l@u$5U?mI3kugj4FIV zOv04* z&40ONoi)b9B3-1aWFU9N+=hb>4^%&|iR#sLdEQd>n&s$hAT##OQh$-x@U7vr-klmZ zoW2FdMe`reFQ-=tZ#znRg4x@4M5nf1uSe|L25wmot*LtUg87)R$&k3b z>3-3eO8xG83U#+0=$nLad__h*hL?F73lVd%uKlrdrG{F}d4&V>`btPq!Kun;6$WV? 
zM|)yZ|Fjaj!4WGfsAPQ!zSuz%D_2^OvE{L|k+za;WwzhTywsKF;?}n8RTDeXn4DQ} zaV@M(IP=o})fyGG;W_or1j|1jt*H28h$hUDVk zf`*ZUN1~jlzsaRH*N{c?N&@>9sI(Ou70TB%U-hPLB@7lycz;^=G`ltClqSdZwgcSd zVcf(4W*H7B+Tp*+3>zf5EqyvcGf&S0^HrK|M_8YM$t1H(*9$Jqi`wb+{PB4+8i6H zubrBko7>vUHgGqKimS6_=K zfJdtN$#PNc#oob-_r$RTudmr@5Avf*FY7z#E2h}|sR|q-_VF#K-O5M*C1=(Whrhw~ zzWJoePp!2#{Dotj5|?FMxfeMvT~>SQvGegVbnA_mfV+P*9^+v=!mYWW%{*lRhQGc- zBOE(#c7%U@10%fiO4n3`XHQ1>@0J9>hlpsKg;`yrx|6sVJ#Ld-!CQDc`% zLHq3R`x_!M-T$rLdnG?-C3Eje-*55fTid;qzrJohxJYF&7GJDIS{VCkWC^vB)bJ;_ zH&F9)rCi(Kt6Q~=l4-piBZ_hmN^oibv{HrA{{4kQ%nk~;_Uz;O74J6d(mEDIUCuqE zvFv^Bu)1o&gLlojNzbZKhCJ_zOdavf%vd0psElT;SJl%q*4HM1GqKiF8AWyp}XcF#cH#`6;t?meM<^ub+f{z);J-rSm;jY{*c zg&8Ks*GPEJJD{F^w<`Lhjb6%@ethD`ty>ZX2AzV$O|dQ|r#F~i8VX6JX(@-rhGZ<| zy{%P!;~BkZ@cJ4tRc*VBxc8!dxn2Z~IRxwF%{_k9qO9FDMVDmrDcicvo-{kw8?>9; zQW#j~crHg~+n;Qyh1a`BKG5+B={)YsgwB`RH&=DoRa>4uHr6Pq6FnIB#qjcwnq$_B zhLMLT7n>m$@Pty(W^r+wI8VTZ#|$o-C%H)6Gn;vMKB3%ZE5SuXk$=L=jsH{HcC#-xk&J+ocZns71G@vRQl zZQatCUp3-me44I4&aqa$)8!KRp05%ipF(|QjZXgwPXG52BS}N`{ot1w`gVg6(+neK zq~^h-zBBedSA9!G5vd{ngjhX*A}$i2jX1`Dh=Vn@|1IKMxUse+^b0A%k)Jxf5kG>E&QH$^)9=(@Wb^_u-1;;cMj=vai> znCJTgue0I7KB$2Q#^WDcGxk9qX(-|?i0BVRfwozQo|(odqD#dO5n<->+&mpo9_E3$ z6PYKs+35E*+fVl$GF@EibFnGthGr2u;roAd!5)4YwIvkv%$P77(wv Date: Tue, 21 Jul 2015 13:20:35 -0700 Subject: [PATCH 2/3] Add xmpp dpd sig and fix a few parsing problems for connections that do not upgrade to TLS. 
---
 scripts/base/protocols/xmpp/__load__.bro | 2 ++
 scripts/base/protocols/xmpp/dpd.sig | 5 +++++
 src/analyzer/protocol/xmpp/XMPP.cc | 1 -
 src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 7 ++++---
 src/analyzer/protocol/xmpp/xmpp-protocol.pac | 3 ++-
 .../ssl.log | 10 ++++++++++
 .../ssl.log | 10 ++++++++++
 .../Traces/tls/xmpp-dialback-starttls.pcap | Bin 0 -> 14673 bytes
 .../scripts/base/protocols/xmpp/client-dpd.test | 8 ++++++++
 .../protocols/xmpp/server-dialback-dpd.test | 8 ++++++++
 10 files changed, 49 insertions(+), 5 deletions(-)
 create mode 100644 scripts/base/protocols/xmpp/dpd.sig
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
 create mode 100644 testing/btest/Traces/tls/xmpp-dialback-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/xmpp/client-dpd.test
 create mode 100644 testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
diff --git a/scripts/base/protocols/xmpp/__load__.bro b/scripts/base/protocols/xmpp/__load__.bro
index a10fe855df..0f41578f8a 100644
--- a/scripts/base/protocols/xmpp/__load__.bro
+++ b/scripts/base/protocols/xmpp/__load__.bro
@@ -1 +1,3 @@
 @load ./main
+
+@load-sigs ./dpd.sig
diff --git a/scripts/base/protocols/xmpp/dpd.sig b/scripts/base/protocols/xmpp/dpd.sig
new file mode 100644
index 0000000000..50ae57a669
--- /dev/null
+++ b/scripts/base/protocols/xmpp/dpd.sig
@@ -0,0 +1,5 @@
+signature dpd_xmpp {
+ ip-proto == tcp
+ payload /^(<\?xml[^?>]*\?>)?[\n\r ]*]*xmlns='jabber:/
+ enable "xmpp"
+}
diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc
index c84c372c4d..ee2667a276 100644
--- a/src/analyzer/protocol/xmpp/XMPP.cc
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
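Review bot: the `payload` regex in `dpd.sig` only matches a single-quoted namespace, `xmlns='jabber:`, so a client whose stream header uses double quotes (`xmlns="jabber:client"`) never triggers the analyzer on a port outside the registered set; `xmlns=['"]jabber:` accepts both forms. The hunk as rendered here appears to have lost the opening tag between `[\n\r ]*` and `]*` (presumably the `stream:stream` element name with its `[^>` attribute scan), so that part of the pattern cannot be checked from this page. A one-line comment above the signature stating which stream header it is meant to match (client-to-server, server-to-server, or both) would help whoever next adjusts it.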
@@ -61,7 +61,6 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 }
 catch ( const binpac::Exception& e )
 {
- printf("BinPAC Exception: %s\n", e.c_msg());
 ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 }
 }
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
index a4417e1601..90b51ec183 100644
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@@ -16,7 +16,8 @@ refine connection XMPP_Conn += {
 // Yup, looks like xmpp...
 bro_analyzer()->ProtocolConfirmation();
- if ( token == "success" || token == "message" )
+ if ( token == "success" || token == "message" || token == "db:result"
+ || token == "db:verify" || token == "presence" )
 // Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 bro_analyzer()->SetSkip(true);
@@ -24,9 +25,9 @@ refine connection XMPP_Conn += {
 client_starttls = true;
 if ( !is_orig && token == "proceed" && client_starttls )
- {
 bro_analyzer()->StartTLS();
- }
+ else if ( !is_orig && token == "proceed" )
+ reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");
 //printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
diff --git a/src/analyzer/protocol/xmpp/xmpp-protocol.pac b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
index e05268fe32..9b21679c30 100644
--- a/src/analyzer/protocol/xmpp/xmpp-protocol.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
@@ -3,6 +3,7 @@ type XML_END = RE/>/;
 type XML_NAME = RE/\/?[?:[:alnum:]]+/;
 type XML_REST = RE/[^<>]*/;
 type SPACING = RE/[ \r\n]*/;
+type CONTENT = RE/[^<>]*/;
 type XMPP_PDU(is_orig: bool) = XMPP_TOKEN(is_orig)[] &until($input.length() == 0);
@@ -12,6 +13,6 @@ type XMPP_TOKEN(is_orig: bool) = record {
 name: XML_NAME;
 rest: XML_REST;
 : XML_END;
- : SPACING;
+ tagcontent: CONTENT;
 };
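Review bot: `reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls")` introduces a weird name containing spaces and a colon; the weird names raised by the other analyzers are identifier-like (lower-case, underscores) so that scripts can key on them in the weird framework's action table, and `xmpp_proceed_without_starttls` would follow that convention — worth checking against the names used elsewhere before this one is baked into baselines. In the same hunk the `else if` branch repeats `!is_orig && token == "proceed"`; a single `if ( !is_orig && token == "proceed" )` with the `client_starttls` test nested inside reads more directly and keeps the two outcomes together. The grown skip list in the first xmpp-analyzer.pac hunk (`success`, `message`, `db:result`, `db:verify`, `presence`) is assembled from observed traces and will be extended again, so a comment naming why each token rules out a later StartTLS (SASL completed, dialback or stanza traffic already flowing) would document the reasoning.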
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
new file mode 100644
index 0000000000..0ce11b2e6f
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2015-07-21-20-08-11
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1437091702.232293 CXWv6p3arKYeMETxOg 198.128.203.95 56048 146.255.57.229 5222 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa (empty) CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA - -
+#close 2015-07-21-20-08-11
diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
new file mode 100644
index 0000000000..15641ba5b0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssl
+#open 2015-07-21-20-18-36
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
+#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string
+1437506779.381295 CXWv6p3arKYeMETxOg 184.73.173.246 1193 104.236.167.107 5269 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp384r1 - F - - T FLFr7Z1TXmFDv9FwC2,FydVem3ToAkEIAHD29,FK07OA1VxtQi69Irde F3D2e62Vxl7iTnwbA4,FUCD5w4ABMG5N0YvSi,FxWUEd3mgvThYO2uod,FGOrVE2laVCPsCLMF6 CN=www.0xxon.net,OU=Free SSL,OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=*.hosted.im,OU=Domain Control Validated CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US
+#close 2015-07-21-20-18-36
diff --git a/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ad55c6eceba70f34ebabaf3f8aa8f25f83fa0fe8 GIT binary patch literal 14673 zcmdUW2|QG7`~Mj;_I;Oi%9{1qvWx7Ih*C<~8QW-#wX%gulAWmRdv;0LrtoOB6d{yK zi#;iX@;hhHgQvIWUH#}5PZWR-0DyL%H2^U(Z}nP(k~!yzd{u zCkc*W*c|{!P^8re1d0TfR-FB(GypgbAe>iau1W&{4M2me1%xHR5?K;ag+?PN4oISi zClijr=gwwnV}l4l73v8te;J#I-7IlzI$Opj0!iFv!hmC_7l20zf8dcF8A1TBpli7N zMOK&H7g!cP?U%ARa11lt&?t8Mxx1l#9B^J3tcRMgv?M6JTV2%)k8`kbS6=->Lp40S z)^5~9y00z2-%U^uvsNEb<7X2?}LFyNRTKyZ-f;+BiLjKNr(}~u5WwYIpMx4qK zLT$8O>tqz*3=IM>30O`v{#%>aN6i9m2600cV{d9d{Az_knUA^T=^Xs@w<`S1em zoYs%5&R=1c)b5wm2r(kO5MGD^Lv3CP)(` z2s;Ua1Udo=xC+^p6p#dH5*P{O1R4SfKnlf`6%uHst^hTFLIMa9fC`XJ4BN(x-3 z28d;=jZnvgWWiDtB>$0=P)=A^NI;zg0F;r)7sgTDvS}1`>5c4;BlZqU`ILfuD;7PX`jg&`%98^Z*P`0a6_>lvEQ8MeWQWPMQ%&7EI(A zt4tDht+Y#-FE4u!(vne%M(9V((;^VmqyQKaBTWrbk|7VG$e2m=_DFMq+u$1tW+pu- zHsKv`=zTUGcFqo7(4{m3NC*E&&P;A*I5s4aqFA_S*q7O|&-F-3H@&N>ya zs2|KjBWr1|Ip(gg-SDx%k?*s91ssX2L)B4xwZj8DQhz9rotfzDix{Kz=b@jdm`ME^ zBfH=199Mkr%&URhIoJJIOW)MRG+FF?f(yOuvsY?&lda)#FL%gu07P~uq6b=$F5=4b z@S`|DwqTZ+G8g3pOX|LuF{VRaue7R_MP7UWd7wq+p+m8uSY%%-u$NyUw2c3tJaEYD zRx_ETNEgw9c<2#`6%-0dLYe{6z}1=IdlC>>Z7hg_RYf62h9D&+MaOZkG5(FC$%$~d;`s774E=fDAJJucxe@SVXn1K{zWKJP8 z2oeNn4h!T%?E?)#gABb4od~Tp-ere#TWe)!v)Ybm-;fEfn%tiTylTIz=BuSC2{i;m z!q>+Faa(`T7aI54Y(SC?J>dV{9`K;RPl1RCjT`CZ2}uOn}*_}hh6Pe(MxWkGZPu!%=DBiXF$GLu*&I@uSo~7 z$$C_$!!PbgzEl-9oMh4I$zh#zc}jvj{#xdphh0xjjkbuUifoVFhmG4WnEN?Een@Cg zH@EY~5&5VU<5(?|-ACei-AuPn9cC&1;ceolZdA@4!My02Qa`Mcz#D#G5E(DP;qge= zROh|tOF^w1+Shw?Cu;)lKXIRu(s$vZx$E%j z0Ku=#Citx@3nWon%$rdSi!PZ`OquAHk?Gz5zrRFhIDr3zUql4R1m6?kmjWb%P#9uk ze+R-`a1%6&1!Mxr$WYKFumMnw;2-%=I-nM)nXx-VEkfmQ0dvZ%Yj*go-Y@uiQ(>Ax=MT63;p2%yRpTYux2J+=QXS>JWUP(f4Mp0BdmLc&bxwN5;cdza zaN*Any>3%PX^D)oeeWmjw$c-}e!irr;)csgSlGk)Y7$EprE`xAC>r@V*nji2m*2!3 z|6tdUTQuk8+%fahNw=DR9E`qXaD3Umu0y>cX&m#UX;^>8Hk9EVjjqLK*%zJn?I!== 
zOCU|!%Ng4>Ki+ZqKq)Onzj{H2>FC{a_?`#z_+m-3rMiHn%$v*aGOHJjp4yP$oB~a*Gj+B3z#Of$5C`Gn|wlQoH~DGl5Xh6Q{Paz zL9#@WzL;+kV+uW-)}2o1-o8E5I%T2GFNYij6kyIz`ivB4M*+mLm93))AvrKxS6kl9 z))~=6&d=fRd1@~J#OzGirn^nBHn{gucZ7(GwxIac?JVefqtpycf$Eic(2D8z{y`EXiVJ|na zP&lYyH^dY(9cjqnAm@U(Hubt;qc!(P3qf3f$c1@+KGpGq$hwD(8`|951a0hq_r>B| zrFVd6xE_*u+h6NJr2POEi-)5J6gT8$L1|D^=7YH7DbsZ8wN2PYDo9Q-LeUK zU`WrNulBYaWiz$HnB4XyLY-<+{n)qo_i_RKEUq7}R)uGT2KbbnjOm^DPP=&3ZShrk z=ogm2Z;dT^Qu~9h1l?SA(!w>+0M9RsyNW-Xyqv<#QXKg1t;cd-!AP9I3oTdM+JoQ6 z?$*22T%4u5lsb~;hPkrfrw{7%l)R=@)v;cdNir3#cWQnpS>rmU+t!B8sNi#WsZVhy z$GGtGSzU#&@sE!~^tGIfaiVF*8jQF^B9HAjRb8CYKQ(N6wwY4b*j@d~Vj}yC)3O$t zs+UYBscVjviQ93$vbevye$=WZtxV_2n`}#g>N|yp)H<+5D+Y%fKNYNesVx~*Sh`dD zgw8zpk+1`E$sst+f}JLrbg3X?MR8&v1ZZqn{BA~1$b z98#Hkmi6Z7txD961Bt=$n2*s$4l}Vx2~Rx9*hMGSotOh8b-k}lTn_3sWn_!k1bKEg zXBCNWFVbrlxk{$v(-g`fT-{Sz{mA6K>ldSlli+CHE4GN?z7>t3rOrL)gR*6nC6DoH zGKSc-bDVS)o5+j2C4EfUMQ^y-|HyMRXW3_$lpl#Gvo^xGP5aQmNcXU$W;r?FSZDoPa_+K1s<7mZU~sajHg=zCcLd& z4Va`Llu}p$8Q}+L6cq>s(6w-=4L{;Tsevk>Qiei?e1z=JSmh?^4P|Qaa9AR4E7qNH z-DkBlVNWCmKl$}w2L->KpfD)7eh(rdwr%A6FuI+gCjVXPZh@F?)7YFh5*9ETVXZY` zNYIZkC8oKcKd`JiNY*lxm4M4uq$HUN$%T<}_mj;?$-0^yfsoSQ4*)jJaSK-_?lA0| z&d!`j4exwXo4M11_M_!|*QokuAC$+;0na*K)s=m;c$dc^p@PqvGeoV7zTUZ*>E2>a z>D~5Ln9eH9UqOS}_iObH?oO3rcBbdkavXtTqyEo|Ep%wgL>4;--kBtxuX`14fjJY` zci^E{NE7$$`&ti2M$#(Y1c{*7#JD3fM(x?LCyh?)(Wp>wo6D?li%>sS)FK)B=o@*` z9sPYVpA+sEdS#81o#MatGHZ6tX%@EZW zAAH1eSW|$f@-nOSVZDKA58dyqU;9s_Rt@ykj%ZXpNmeQiuj7fXA3T@Vl{Y=3f@M&| zLRlMxI}L!qAOQ{=)Z>T#=YvtQyu0JLHRQcH2a5EpRa8+ahm#)H@;*(uA#SSkpt{hL zevmxD%QRLkU%gU1N%85sCjCiYwkh6f(a+8U^A{#{8QR_OEERx0_w{5g{{BbfyK1*t zJK~lK>Ea+_2SkV$@40Am?{w-5ZnuNwOQ8&M5^oQgu_bu;w=bC9p-fI{I_OTubfUbb z#v$MVO*N0d0vF|Nwd^xx%^X4(x`XZ?w4kazSt`@;MYZ)PmlfU17K`BowjE4k?Sp4~ zH5s{v>fW`!9qY}hy;Tw}AX$v*calBg-JtI}ap#^@Gb!N1K(4((mWr=cf^xzU;fpFkFEB z(K1-=}qOKI~km??ZesR@35qb0aS1d$}^i?YxjVc;2*Er*(`bUo%Z1 zx(XZ1TVAp*U<@4LRGTC%00ZDVim52K7Y+Q7q3 
zQd$BOgDC(tv%oqWK}h5!>4ddkuPB9c@Wgsy@K~I`lr%&G;OasA{XbH5Q%v$nJPDWM+l;0&M4JYrQJfO@jP)SZ+R^Ad+`e%}NYfJ}8LoF)ljD=E< z_L3O)zs=JXip0A{#V+~}r^GTn&+G#jFxxA)QPAH|3-V+<889w-!$pc!p)=X0;GTAl zU={8Wx8m2diE9xIf@LH$lM`p69r%t(U4MMo)qVSN_l0YJOqhK?9^Wiw)QYB}xz5h; z+G&ieb<}R#kw>@BD0r|uk0=PXN{;g?Q^=v_p4o|EcNsUODxyAXIr_LUZTrKPx3aBd zdGicXCznO*Z?b=|e;`;R^QviZu8q#d-|@x$gBKSL(sv=AJb$Kqig9e>54Xa~#{A={ zhFA3^MfrPr(&p=spS+)k-CfueQS zU-fJ39=SA=xw(m&*1ybZfxUbcv{5_{N?>%zQJ!4LO zro{1kaAMa}$8$4z9Y2->;vQw9-{kI_iZe5eJ*cW~SJx3WsGv4`T~40eS~@@1tcPKy z8+0n&<9?l5Fk2>k{}sa>uc;c%Yy>~iJzD6~W4d+RkQOv7`d0af(a_w$s_>P?^k`v4 zb~W3lIh?+roHFHm02(<96jfC(A{n$2ziO=LfH6mx=udwz=kS z(b6ILWjCm5rMH~QR^P0Uq-h!r+3SKxV`o(3Cs2`hwp?hzQP0l(tMM^&5l6r1oELAGI!@=G9s zPs7&FWRz3G$r+qPYNqEJNHsmscN1RFzl09r*3KUw2o(Y0l)?IW#FpcOO%N&%i{(Q} zg5scPhDe4`#82MvmneXPHZ2lPGQ=RD3pYcfc7xFVXKh0SQ;D@6A@nB(6Zmw-?sxp- zSKvqy=oZg#U$Hi+Fvf5t^TdACw43_X^JEW9F6Vj8TS#*?){jUHEZli^bh!G%dw*Lx znyg+IJ1^;*UkmheR462}tYUhrPYdp6JOsAXXkR-ee(l}y_tP{sMNK23TvK7!YtNp! ztJSWZ&+JJX%lG9zbIDoj{ytoRmjLh08$0M8vR|-0tj$$?K@d7fe$v8aJ78MWnZda zs7HYa02Km(;~5AX9ag~+$@PJC%R+&6o6&LYu#}3K!`#^c{gcY+;jrGGYs7F3{ivB& z(GSKgEjJr4FSN`C=z`B`f0Dhmg9d3RQ?wDcWT9hPB8-6{|8l|K$igl_L{n!VsOX{&oP{Aqs$s5+IhX zI|qtoyCpb&xM4QO51A-p{NPA04~hVQ9cP*ITG3hvm9Uxj;Rfl#V{>6##u?QEo+)iI zhze45a^tBli~FUHfIB`EZ#(4rCYXGAmd!g@$@J8_Z}K&GU3T!2bY(LF6gI}14OxPJ-bzAK86CXDfH%s19R|`X>5Ixn-h7JZazj$YZ}AM&DrJS!FrOml0uBH+^~qLp`kD zd@G*%K9zaP4J#HW1-FN}QqmL(MIP9w`m{F|Rstbq$;ns4O5AQJ7&*?`#4@5s8o~5{ zoSl^AujNkI`*LWQzKR0#$^aA!!b3Rm`*Dpd0vpkg6iTB1Z=oS52kw$ll2(BJ5?S2F z+y9+Ggd)%zC%^h03oZN}3kC5#mY3Ih$1FGuGLMe;p3sjNYaCh`nRep-;^16maWdn$ zZ{1{?!Ki1j+93`*3hax|k2`k8#uh0YoeYZnO+<>TuRo0L5!_+T>-d$pSJ^o0! 
z=M7U9vqWEX*$F1K3<^?;nq#>RiYT2cyxG>)_*TtaoGq7aD zlA9gwU<_2mw=S&Q#Kc?m+1XfVsK>SQ|Q zKFlZgDY~eb~weU$J~f)o&=E`>A8Rw^WM34(ua{*kK1hr5_G(7Ht9SN zxY-j*Qo`?#xl~)Tuf4a1AeLUddhPH7xHc6RdYlVlHy`f+2S8ZWVt zXLCkBgigM(VZ`rUvEV#M@2xM{VTxhTAYrme?CH{|WH6d)xxt{7mwTP6C($;Qw&Q$g zs|?MESh~)8+H{et6}Lq#ElL#V%XoqY8q(q1o+ASQ*xI0GBA+Tp@5w%7u}7-zfVzz; zxuK7^xmGdNn<4i78lTAS-bXugeNScaabl>umGJr#-H6-QV{?r-V=p}Srhaqd^2@nd z@*muRIXg>_sD++es-|_OON}h7IVdAkbRe1)lwRW4E&i2Gd;WPus2K~i?!-3`0g+Qf z_fB(vs*PyU!Xm?OwnY=Gx}X|Hg^5_6hI!8hwfcFTN@4((}}UkO9Z=r{Z-pUAIb z|H`jatl^yMI=@=PQ2czsckB^w{;^%K7W%Q7l?(2uP8+IyQ7xx#G@9K&BRW{8X|TT@bK-b zq0BPz1IxOKr2>|rJGg8miNKWI4_Fo+|4UiWBwQT<0D8?AxVyIc+P-z4W(y{l5+3Zw zN2f4}yi*u=VzJ4gd;28tAop$-HirDuN8cBtnyQpK+Z1}Uq<(yV=1V52w%3_cY=7^l z!o_w&J5|2Ul6^K#VlJwuBTGmpEfoXnFYRJF%A+$Hc-xaHC_^dJP9eSS#kpjZ2d6Wd z@BVSFDIr&Dj?+<@qUP$R-`Q#~?4$%&=ACURCe;@Z28@w(3Z~wQhda$t9Y^|>q86>5 zW;P?Or)z2sPU;0Ff2Wk~qwyj5^uTNJ9!~{KK`)=dWvfCF!y$#RLN$7~D74~Kj;fFe zM=^(=3vn$FRcoqz%ecdGW&Fi~s+L5J?R^behw67nT;N z@lOfzs0OZZ9xMIEyIuip@!u^I>gFC^5{M3J_6X}xV9m`IiQ?TpMnl6Tn2IyI==9mZ zm2Ys@R9Pu#z}YO48$LQykx|YVc75dgQPI4Z3e5ZR{tL%FQ1RFD1rHmd=<$5UJ^dCZVeOCIp#Gg#tq{FRX|pG&3K@-XVoVr{ zIS#hNHUocPS-PdvKoN8em%n(`ReONwRV}}i1zD0u=c-p>*Stz+-!Q0DP!e;ZBJZtN zvPX7uR%@`*Ig>8BJg(>CsOm#Py7^LzOU@U+=Jo+U@;t_sPV)FM->Pbq@QGI#f1}+t zgEvi4`s6dqTpxX@dHT5i5eMfl?8lZT_1;WG*f3Vpeac71+Rffvfk!S^K@DU=qlU{? z9{}P*iin`bzu5;kF^~_W!am^3vpRCeH6Iv>BL7ih%5$ti)n!PUCO{tl?y<2eha@#+ z>t5&b;n5zPnGRw9vz#fM(yM^p^nqnnf^+Z#X->zK2qzv3Q}c<8MO)IO9YfLDRpI%l zEDz(im>b-8`I$8G2D5_x=x~7t95Y7q8@1UZh-y>Vvec=N+PX~`i#g1vi1UR0z_O$# zXn=#zHC+BOdA*Qg;^aNHOuieMd>TA?pDqAkg}{(=ZSwC-3d6GX#B5Iy%5!8x_EPYW zeSkahhdTL9@VP Date: Fri, 29 Apr 2016 13:50:52 -0700 Subject: [PATCH 3/3] XMPP: Add StartTLS event and update tests Also tiny cleanyp to the code. 
--- src/analyzer/protocol/xmpp/CMakeLists.txt | 1 + src/analyzer/protocol/xmpp/Plugin.cc | 5 +-- src/analyzer/protocol/xmpp/XMPP.cc | 3 +- src/analyzer/protocol/xmpp/XMPP.h | 10 +++--- src/analyzer/protocol/xmpp/events.bif | 5 +++ src/analyzer/protocol/xmpp/xmpp-analyzer.pac | 5 ++- src/analyzer/protocol/xmpp/xmpp.pac | 3 ++ .../Baseline/core.print-bpf-filters/output2 | 10 +++--- .../canonified_loaded_scripts.log | 5 +-- .../canonified_loaded_scripts.log | 7 +++-- testing/btest/Baseline/plugins.hooks/output | 31 +++++++++++++++---- 11 files changed, 59 insertions(+), 26 deletions(-) create mode 100644 src/analyzer/protocol/xmpp/events.bif diff --git a/src/analyzer/protocol/xmpp/CMakeLists.txt b/src/analyzer/protocol/xmpp/CMakeLists.txt index 408f01d47c..ec5bb84837 100644 --- a/src/analyzer/protocol/xmpp/CMakeLists.txt +++ b/src/analyzer/protocol/xmpp/CMakeLists.txt @@ -6,6 +6,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro XMPP) bro_plugin_cc(Plugin.cc) bro_plugin_cc(XMPP.cc) +bro_plugin_bif(events.bif) bro_plugin_pac(xmpp.pac xmpp-analyzer.pac xmpp-protocol.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/xmpp/Plugin.cc b/src/analyzer/protocol/xmpp/Plugin.cc index b4332b447b..d3bfcc5b10 100644 --- a/src/analyzer/protocol/xmpp/Plugin.cc +++ b/src/analyzer/protocol/xmpp/Plugin.cc @@ -1,6 +1,4 @@ // See the file in the main distribution directory for copyright. - - #include "plugin/Plugin.h" #include "XMPP.h" @@ -14,10 +12,9 @@ public: { AddComponent(new ::analyzer::Component("XMPP", ::analyzer::xmpp::XMPP_Analyzer::Instantiate)); - plugin::Configuration config; config.name = "Bro::XMPP"; - config.description = "XMPP analyzer StartTLS only"; + config.description = "XMPP analyzer (StartTLS only)"; return config; } } plugin; diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc index ee2667a276..72229aeaba 100644 --- a/src/analyzer/protocol/xmpp/XMPP.cc 
+++ b/src/analyzer/protocol/xmpp/XMPP.cc @@ -9,14 +9,13 @@ using namespace analyzer::xmpp; XMPP_Analyzer::XMPP_Analyzer(Connection* conn) : tcp::TCP_ApplicationAnalyzer("XMPP", conn) { - interp = new binpac::XMPP::XMPP_Conn(this); + interp = unique_ptr(new binpac::XMPP::XMPP_Conn(this)); had_gap = false; tls_active = false; } XMPP_Analyzer::~XMPP_Analyzer() { - delete interp; } void XMPP_Analyzer::Done() diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index 628be7bb2d..202403748a 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -14,12 +14,12 @@ public: XMPP_Analyzer(Connection* conn); virtual ~XMPP_Analyzer(); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; void StartTLS(); @@ -27,7 +27,7 @@ public: { return new XMPP_Analyzer(conn); } protected: - binpac::XMPP::XMPP_Conn* interp; + std::unique_ptr interp; bool had_gap; bool tls_active; diff --git a/src/analyzer/protocol/xmpp/events.bif b/src/analyzer/protocol/xmpp/events.bif new file mode 100644 index 0000000000..ee36bd5333 --- /dev/null +++ b/src/analyzer/protocol/xmpp/events.bif @@ -0,0 +1,5 @@ +## Generated when a XMPP connection goes encrypted after a successful +## StartTLS exchange between the client and the server. +## +## c: The connection. +event xmpp_starttls%(c: connection%); diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac index 90b51ec183..3240b57bb3 100644 --- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac +++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac 
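Review bot: The new constructor line reads `interp = unique_ptr(new binpac::XMPP::XMPP_Conn(this));` with no template argument, and the XMPP.h hunk's `std::unique_ptr interp;` has the same gap; std::unique_ptr has no deduction guide from a raw pointer, so unless the renderer stripped `<binpac::XMPP::XMPP_Conn>` from both lines this does not compile. The name is also unqualified here while the header spells it `std::unique_ptr`; if the .cc has no using-declaration for it, it should be qualified the same way. Assuming the argument is present, interp and the remaining assignments `had_gap = false; tls_active = false;` would read better in the member-initializer list, `: tcp::TCP_ApplicationAnalyzer("XMPP", conn), interp(new binpac::XMPP::XMPP_Conn(this)), had_gap(false), tls_active(false)`, leaving the constructor body empty. The destructor body being empty is correct now that the unique_ptr releases the parser.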
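Review bot: The event documentation in events.bif says the connection "goes encrypted after a successful StartTLS exchange", but per the xmpp-analyzer.pac hunk the event is generated as soon as the server answers the client's starttls with proceed, before any TLS handshake has been observed; a script author should not read xmpp_starttls as evidence that encryption was actually established. I would phrase it as `## Generated when an XMPP connection switches to TLS via StartTLS, i.e. when the server answers the client's starttls request with proceed. The TLS handshake itself has not been observed at this point; the SSL analyzer's events report its outcome.` The article should also be "an XMPP connection".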
@@ -25,7 +25,10 @@ refine connection XMPP_Conn += { client_starttls = true; if ( !is_orig && token == "proceed" && client_starttls ) + { bro_analyzer()->StartTLS(); + BifEvent::generate_xmpp_starttls(bro_analyzer(), bro_analyzer()->Conn()); + } else if ( !is_orig && token == "proceed" ) reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls"); @@ -37,6 +40,6 @@ refine connection XMPP_Conn += { }; refine typeattr XMPP_TOKEN += &let { - proc: bool = $context.connection.proc_xmpp_token(is_orig, name, rest); + proc: bool = $context.connection.proc_xmpp_token(is_orig, name, rest); }; diff --git a/src/analyzer/protocol/xmpp/xmpp.pac b/src/analyzer/protocol/xmpp/xmpp.pac index 42ec85f0cc..e6b5f4bba0 100644 --- a/src/analyzer/protocol/xmpp/xmpp.pac +++ b/src/analyzer/protocol/xmpp/xmpp.pac @@ -6,7 +6,10 @@ %include binpac.pac %include bro.pac + %extern{ +#include "events.bif.h" + namespace analyzer { namespace xmpp { class XMPP_Analyzer; } } namespace binpac { namespace XMPP { class XMPP_Conn; } } typedef analyzer::xmpp::XMPP_Analyzer* XMPPAnalyzer; diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index d0f448441b..3321684b43 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -21,7 +21,9 @@ 1 5060 1 5072 1 514 +1 5222 1 5223 +1 5269 2 53 1 5353 1 5355 @@ -48,8 +50,8 @@ 1 992 1 993 1 995 -55 and -54 or -55 port -37 tcp +57 and +56 or +57 port +39 tcp 18 udp diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 703db6ea63..65f93aa51d 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
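Review bot: `client_starttls` is set when the client sends starttls but is never cleared when the server's proceed is consumed, so if token processing continues after StartTLS() a second proceed from the server would call StartTLS() again and generate xmpp_starttls twice for one connection; whether tls_active stops token delivery is not visible in this hunk. Adding `client_starttls = false;` inside the new braces after the event is generated makes the transition one-shot either way. The two `bro_analyzer()` calls in the new event line could be hoisted into a local. The body of proc_xmpp_token begins and ends outside this hunk.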
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-04-26-18-11-39 +#open 2016-04-29-20-49-16 #fields name #types string scripts/base/init-bare.bro @@ -111,6 +111,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro @@ -132,4 +133,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2016-04-26-18-11-39 +#close 2016-04-29-20-49-16 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index c7a3c03d09..6ea7dd5d17 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-04-26-18-11-49 +#open 2016-04-29-20-49-25 #fields name #types string scripts/base/init-bare.bro @@ -111,6 +111,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_TCP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro + build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro 
@@ -295,6 +296,8 @@ scripts/base/init-default.bro scripts/base/protocols/syslog/consts.bro scripts/base/protocols/syslog/main.bro scripts/base/protocols/tunnels/__load__.bro + scripts/base/protocols/xmpp/__load__.bro + scripts/base/protocols/xmpp/main.bro scripts/base/files/pe/__load__.bro scripts/base/files/pe/consts.bro scripts/base/files/pe/main.bro @@ -305,4 +308,4 @@ scripts/base/init-default.bro scripts/base/misc/find-checksum-offloading.bro scripts/base/misc/find-filtered-trace.bro scripts/policy/misc/loaded-scripts.bro -#close 2016-04-26-18-11-49 +#close 2016-04-29-20-49-25 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 61099efaf9..186f3a4a2a 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -57,6 +57,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) -> 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) -> 
@@ -116,6 +118,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> @@ -140,6 +144,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) -> 
@@ -233,7 +238,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -354,7 +359,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -467,6 +472,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ZIP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 0.000000 MetaHookPost LoadFile(./addrs) -> -1 @@ -644,6 +650,7 @@ 0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1 0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1 0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 +0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false @@ -706,6 +713,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_INTERCONN)) 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) 
@@ -765,6 +774,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SSL, 995/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SYSLOG, 514/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_TEREDO, 3544/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_AYIYA, {5072/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DHCP, {67<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) @@ -789,6 +800,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SSL, {5223<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SYSLOG, {514/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_TEREDO, {3544/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)})) 
@@ -882,7 +894,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1003,7 +1015,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1116,6 +1128,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_ZIP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) 0.000000 MetaHookPre LoadFile(./addrs) @@ -1293,6 +1306,7 @@ 0.000000 MetaHookPre LoadFile(base<...>/urls) 0.000000 MetaHookPre LoadFile(base<...>/utils) 0.000000 MetaHookPre LoadFile(base<...>/x509) +0.000000 MetaHookPre LoadFile(base<...>/xmpp) 0.000000 MetaHookPre QueueEvent(NetControl::init()) 0.000000 MetaHookPre QueueEvent(bro_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) @@ -1355,6 +1369,8 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_INTERCONN) 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE) 
@@ -1414,6 +1430,8 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}) @@ -1438,6 +1456,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {5223<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)mkdir(FileExtract::prefix)}) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) 
@@ -1530,7 +1549,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1651,7 +1670,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461868125.285894, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1461962978.799805, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp()