Copy docs into Zeek repo directly

This is based on commit 99e6942efec5feff50523f6b2a1f5868f19ab638 from the zeek-docs repo.
2025-10-17 14:08:20 +00:00 · 2025-09-15 15:52:18 -07:00 · 2025-09-15 15:52:18 -07:00 · adce4e604a
commit adce4e604a
parent 979a98c73c
1075 changed files with 169492 additions and 1 deletions
--- a/doc/script-reference/assert_1.zeek
+++ b/doc/script-reference/assert_1.zeek
@ -0,0 +1,18 @@
+event test_1() {
+	assert 3 == 3;
+	local x = 37;
+	assert x > 40;
+	print "not reached";
+}
+
+event test_2() {
+	assert 2 == 2;
+	local x = 37;
+	assert x > 40, fmt("%s is not greater than 40", x);
+	print "not reached";
+}
+
+event zeek_init() {
+	schedule 0.01sec { test_1() };
+	schedule 0.02sec { test_2() };
+}
--- a/doc/script-reference/attributes.rst
+++ b/doc/script-reference/attributes.rst
@ -0,0 +1,791 @@
+Attributes
+==========
+
+The Zeek scripting language supports customization of many language elements via
+*attributes*. For example, attributes can ensure that a function gets invoked
+whenever you modify a table, automatically expire elements from a set, or tell
+the :ref:`logging framework <framework-logging>` which record fields you'd like
+it to write. Zeek features the following attributes:
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Description
+
+  * - :zeek:attr:`&redef`
+    - Redefine a global constant or extend a type.
+
+  * - :zeek:attr:`&priority`
+    - Specify priority for event handler or hook.
+
+  * - :zeek:attr:`&log`
+    - Mark a record field as to be written to a log.
+
+  * - :zeek:attr:`&optional`
+    - Allow a record field value to be missing.
+
+  * - :zeek:attr:`&default`
+    - Specify a default value.
+
+  * - :zeek:attr:`&default_insert`
+    - Specify a default value for tables with insert behavior.
+
+  * - :zeek:attr:`&add_func`
+    - Specify a function to call for each ``redef +=``.
+
+  * - :zeek:attr:`&delete_func`
+    - Same as ``&add_func``, except for ``redef -=``.
+
+  * - :zeek:attr:`&expire_func`
+    - Specify a function to call when container element expires.
+
+  * - :zeek:attr:`&read_expire`
+    - Specify a read timeout interval.
+
+  * - :zeek:attr:`&write_expire`
+    - Specify a write timeout interval.
+
+  * - :zeek:attr:`&create_expire`
+    - Specify a creation timeout interval.
+
+  * - :zeek:attr:`&on_change`
+    - Specify a function to call on set/table changes
+
+  * - :zeek:attr:`&raw_output`
+    - Open file in raw mode (chars. are not escaped).
+
+  * - :zeek:attr:`&error_handler`
+    - Used internally for reporter framework events.
+
+  * - :zeek:attr:`&type_column`
+    - Used by input framework for :zeek:type:`port` type.
+
+  * - :zeek:attr:`&backend`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&broker_store`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&broker_allow_complex_type`
+    - Used for table persistence/synchronization.
+
+  * - :zeek:attr:`&ordered`
+    - Used for predictable member iteration of tables and sets.
+
+  * - :zeek:attr:`&deprecated`
+    - Marks an identifier as deprecated.
+
+  * - :zeek:attr:`&is_assigned`
+    - Suppress "used before defined" warnings from ``zeek -u`` analysis.
+
+  * - :zeek:attr:`&is_used`
+    - Suppress lack-of-use warnings from ``zeek -u`` analysis.
+
+  * - :zeek:attr:`&group`
+    - Annotates event handlers and hooks with event groups.
+
+.. _attribute-propagation-pitfalls:
+
+.. warning::
+
+    A confusing pitfall can be mistaking that attributes bind to a *variable*
+    or a *type*, where in reality they bind to a *value*.  Example:
+
+    .. code-block:: zeek
+
+        global my_table: table[count] of string &create_expire=1sec;
+
+        event zeek_init()
+            {
+            my_table = table();
+            my_table[1] = "foo";
+            }
+
+    In the above, the re-assignment of ``my_table`` will also drop the original
+    *value*'s :zeek:attr:`&create_expire` and no entries will ever be expired
+    from ``my_table``.  The alternate way of re-assignment that creates a new
+    table *value* with the expected attribute would be:
+
+    .. code-block:: zeek
+
+        my_table = table() &create_expire=1sec;
+
+Here is a more detailed explanation of each attribute:
+
+.. zeek:attr:: &redef
+
+&redef
+------
+
+Allows use of a :zeek:keyword:`redef` to redefine initial values of
+global variables (i.e., variables declared either :zeek:keyword:`global`
+or :zeek:keyword:`const`).  Example:
+
+.. code-block:: zeek
+
+    const clever = T &redef;
+    global cache_size = 256 &redef;
+
+Note that a variable declared ``global`` can also have its value changed
+with assignment statements (doesn't matter if it has the :zeek:attr:`&redef`
+attribute or not).
+
+.. zeek:attr:: &priority
+
+&priority
+---------
+
+Specifies the execution priority (as a signed integer) of a hook or
+event handler. Higher values are executed before lower ones. The
+default value is ``0``.  Example:
+
+.. code-block:: zeek
+
+    event zeek_init() &priority=10
+        {
+        print "high priority";
+        }
+
+.. zeek:attr:: &log
+
+&log
+----
+
+When a :zeek:type:`record` field has the ``&log`` attribute, this field is
+included as a column in the log stream associated with the record type. This
+association happens with :zeek:see:`Log::create_stream` and commonly looks as
+follows:
+
+.. code-block:: zeek
+
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        ts: time &log &default=network_time();
+        id: conn_id &log;
+        msg: string &log;
+        hidden: count &default=0;  # This is not logged.
+    };
+
+    event zeek_init() {
+        Log::create_stream(LOG, [$columns=Info, $path="example"]);
+    }
+
+The log stream above will have the columns ``ts``, ``id`` and ``msg``.
+
+When ``&log`` is placed at the end of a record type declaration, all fields
+listed in the declaration will have the ``&log`` attribute implicitly.
+
+.. code-block:: zeek
+
+    type conn_id: record {
+        orig_h: addr;
+        orig_p: port;
+        resp_h: addr;
+        resp_p: port;
+    } &log;
+
+Fields added to such a record types later on using :zeek:see:`redef` need to
+explicitly specify ``&log`` again, however.
+
+.. zeek:attr:: &optional
+
+&optional
+---------
+
+Allows a record field value to be missing. Zeek allows such fields to remain
+uninitialized and unassigned, and to have assigned values removed via
+:zeek:keyword:`delete`.
+
+In this example, the record could be instantiated with either
+``myrec($a=127.0.0.1)`` or ``myrec($a=127.0.0.1, $b=80/tcp)``:
+
+.. code-block:: zeek
+
+    type myrec: record { a: addr; b: port &optional; };
+
+The ``?$`` operator can be used to check if a record field has a value or
+not (it returns a ``bool`` value of ``T`` if the field has a value,
+and ``F`` if not).
+
+.. zeek:attr:: &default
+
+&default
+--------
+
+Specifies a default value for a record field, container element, or a
+function/hook/event parameter.
+
+In this example, the record could be instantiated with either
+``myrec($a=5, $c=3.14)`` or ``myrec($a=5, $b=53/udp, $c=3.14)``:
+
+.. code-block:: zeek
+
+    type myrec: record { a: count; b: port &default=80/tcp; c: double; };
+
+In this example, the table will return the string ``"foo"`` for any
+attempted access to a non-existing index:
+
+.. code-block:: zeek
+
+    global mytable: table[count] of string &default="foo";
+
+In addition to constant values as shown above, the :zeek:attr:`&default` attribute
+also accepts arbitrary Zeek expressions. For example, arithmetic expressions and
+function calls are possible:
+
+.. code-block:: zeek
+
+   type Info: record {
+       ts: time &log &default=network_time();
+       ts_ms: double &log &default=time_to_double(network_time()) * 1000;
+   };
+
+The expressions are evaluated whenever a new record is instantiated.
+
+On tables, the :zeek:attr:`&default` attribute can further be set to a function
+(including an anonymous lambda function), which will be invoked for any read access
+to a non-existing index to generate a substitute result. The signature of such a default function
+has to match with the index and value types of the given table. Below, a default
+function for a table with a composite index and value type of :zeek:type:`string` is shown.
+The arguments for the function call, ``c`` and ``s`` below, are populated with
+the values used for the index:
+
+.. code-block:: zeek
+
+    function table_default(c: count, s: string): string {
+        return fmt("unknown-%s-%s", c, s);
+    }
+
+    global mytable: table[count, string] of string &default=table_default;
+
+    print mytable[0, "a"];
+
+Using an anonymous function instead looks as follows:
+
+.. code-block:: zeek
+
+    global mytable: table[count, string] of string &default=function(c: count, s: string): string {
+        return fmt("unknown-%s-%s", c, s);
+    };
+
+    print mytable[0, "a"];
+
+The output of both these examples is ``unknown-0-a``.
+
+A common usage pattern of the :zeek:attr:`&default` attribute in Zeek's base
+scripts is to format a default textual representation for unknown protocol
+values that are otherwise mapped to textual descriptions.
+The following excerpt is from :doc:`/scripts/base/protocols/dns/consts.zeek`
+mapping numeric DNS query types to their textual representation. A default
+function is used to produce a string containing the numeric value of query types:
+
+.. code-block:: zeek
+
+    ## Mapping of DNS query type codes to human readable string
+    ## representation.
+    const query_types = {
+        [1] = "A",
+        [2] = "NS",
+        [3] = "MD",
+        [4] = "MF",
+        [5] = "CNAME",
+        # many many more ...
+        [65422] = "XPF",
+        [65521] = "INTEGRITY",
+    } &default = function(n: count): string { return fmt("query-%d", n); };
+
+
+Note that when accessing a non-existing index, the created default value will
+not be inserted into the table. The following script will output ``foo``,
+but the table remains empty. The second print statement outputs ``0``:
+
+.. code-block:: zeek
+
+    global mytable: table[count] of string &default="foo";
+    print mytable[0];
+    print |mytable|;
+
+For inserting the created default value into a table, the :zeek:attr:`&default_insert`
+attribute can be used instead.
+
+When used with function/hook/event parameters, all of the parameters
+with the :zeek:attr:`&default` attribute must come after all other parameters.
+For example, the following function could be called either as ``myfunc(5)``
+or as ``myfunc(5, 53/udp)``:
+
+.. code-block:: zeek
+
+    function myfunc(a: count, b: port &default=80/tcp)
+        {
+        print a, b;
+        }
+
+.. zeek:attr:: &default_insert
+
+&default_insert
+---------------
+
+.. versionadded:: 6.1
+
+This attribute is only applicable to tables. :zeek:attr:`&default_insert`
+provides the same functionality as table's :zeek:attr:`&default` but with the addition
+that upon access to a non-existing index, the created value will be inserted
+into the table. For complex value types like tables or record types used for
+tracking further state, :zeek:attr:`&default_insert` is often more useful and
+efficient than :zeek:attr:`&default`.
+
+.. zeek:attr:: &add_func
+
+&add_func
+---------
+
+Can be applied to an identifier with &redef to specify a function to
+be called any time a ``redef <id> += ...`` declaration is parsed.  The
+function takes two arguments of the same type as the identifier, the first
+being the old value of the variable and the second being the new
+value given after the ``+=`` operator in the :zeek:keyword:`redef` declaration.  The
+return value of the function will be the actual new value of the
+variable after the "redef" declaration is parsed.
+
+.. zeek:attr:: &delete_func
+
+&delete_func
+------------
+
+Same as :zeek:attr:`&add_func`, except for :zeek:keyword:`redef` declarations
+that use the ``-=`` operator.
+
+.. zeek:attr:: &expire_func
+
+&expire_func
+------------
+
+Called right before a container element expires. The function's first
+argument is of the same type as the container it is associated with.
+The function then takes a variable number of arguments equal to the
+number of indexes in the container. For example, for a
+``table[string,string] of count`` the expire function signature is:
+
+.. code-block:: zeek
+
+    function(t: table[string, string] of count, s: string, s2: string): interval
+
+The return value is an :zeek:type:`interval` indicating the amount of
+additional time to wait before expiring the container element at the
+given index (which will trigger another execution of this function).
+
+.. zeek:attr:: &read_expire
+
+&read_expire
+------------
+
+Specifies a read expiration timeout for container elements. That is,
+the element expires after the given amount of time since the last
+time it has been read. Note that a write also counts as a read.
+
+.. zeek:attr:: &write_expire
+
+&write_expire
+-------------
+
+Specifies a write expiration timeout for container elements. That
+is, the element expires after the given amount of time since the
+last time it has been written.
+
+.. zeek:attr:: &create_expire
+
+&create_expire
+--------------
+
+Specifies a creation expiration timeout for container elements. That
+is, the element expires after the given amount of time since it has
+been inserted into the container, regardless of any reads or writes.
+
+.. note::
+
+   In order to support expiration timeouts, Zeek associates a timer
+   with each container that weeds out stale entries. For containers with many members,
+   Zeek needs to keep an eye on the amount of effort spent expiring
+   elements. It does this via three configurable properties:
+
+   * :zeek:see:`table_expire_interval` specifies how frequently Zeek checks a
+     container's members. The interval establishes an upper bound on how long it
+     may take Zeek to react to an element's expiration.
+
+   * :zeek:see:`table_incremental_step` specifies how many members Zeek
+     checks in one batch.
+
+   * :zeek:see:`table_expire_delay` interval specifies how long Zeek
+     waits until it processes the next batch of members.
+
+.. zeek:attr:: &on_change
+
+&on_change
+----------
+
+Called right after a change has been applied to a container. The function's
+first argument is of the same type as the container it is associated with,
+followed by a :zeek:see:`TableChange` record which specifies the type of change
+that happened. The function then takes a variable number of arguments equal to
+the number of indexes in the container, followed by an argument for the value
+of the container (if the container has a value) For example, for a
+``table[string,string] of count`` the ``&on_change`` function signature is:
+
+.. code-block:: zeek
+
+    function(t: table[string, string] of count, tpe: TableChange,
+             s: string, s2: string, val: count)
+
+For a ``set[count]`` the function signature is:
+
+.. code-block:: zeek
+
+    function(s: set[count], tpe: TableChange, c: count)
+
+The passed value specifies the state of a value before the change, where this
+makes sense. In case a element is changed, removed, or expired, the passed
+value will be the value before the change, removal, or expiration. When an
+element is added, the passed value will be the value of the added element
+(since no old element existed).
+
+Note that the ``&on_change`` function is only called when the container itself
+is modified (due to an assignment, delete operation, or expiry). When a
+container contains a complex element (like a record, set, or vector), changes
+to these complex elements are not propagated back to the parent.  For example,
+in this example the ``change_function`` for the table will only be called once,
+when ``s`` is inserted,  but it will not be called when ``s`` is changed:
+
+.. code-block:: zeek
+
+    local t: table[string] of set[string] &on_change=change_function;
+    local s: set[string] = set();
+    t["s"] = s; # change_function of t is called
+    add s["a"]; # change_function of t is _not_ called.
+
+Also note that the ``&on_change`` function of a container will not be called
+when the container is already executing its ``&on_change`` function. Thus,
+writing an ``&on_change`` function like this is supported and will not lead to
+a infinite loop:
+
+.. code-block:: zeek
+
+    local t: table[string] of set[string] &on_change=change_function;
+
+    function change_function(t: table[string, int] of count, tpe: TableChange,
+                             idxa: string, idxb: int, val: count)
+        {
+        t[idxa, idxb] = val+1;
+        }
+
+.. zeek:attr:: &raw_output
+
+&raw_output
+-----------
+
+Opens a file in raw mode, i.e., non-ASCII characters are not escaped.
+
+.. zeek:attr:: &error_handler
+
+&error_handler
+--------------
+
+Internally set on the events that are associated with the reporter
+framework: :zeek:id:`reporter_info`, :zeek:id:`reporter_warning`, and
+:zeek:id:`reporter_error`.  It prevents any handlers of those events
+from being able to generate reporter messages that go through any of
+those events (i.e., it prevents an infinite event recursion).  Instead,
+such nested reporter messages are output to stderr.
+
+.. zeek:attr:: &type_column
+
+&type_column
+------------
+
+Used by the input framework. It can be used on columns of type
+:zeek:type:`port` (such a column only contains the port number) and
+specifies the name of an additional column in
+the input file which specifies the protocol of the port (tcp/udp/icmp).
+
+In the following example, the input file would contain four columns
+named ``ip``, ``srcp``, ``proto``, and ``msg``:
+
+.. code-block:: zeek
+
+    type Idx: record {
+        ip: addr;
+    };
+
+
+    type Val: record {
+        srcp: port &type_column = "proto";
+        msg: string;
+    };
+
+.. zeek:attr:: &backend
+
+&backend
+--------
+
+Used for persisting tables/sets and/or synchronizing them over a cluster.
+
+This attribute binds a table to a Broker store. Changes to the table
+are sent to the Broker store, and changes to the Broker store are applied
+back to the table.
+
+Since Broker stores are synchronized over a cluster, this sends
+table changes to all other nodes in the cluster. When using a persistent Broker
+store backend, the content of the tables/sets will be restored on startup.
+
+This attribute expects the type of backend you want to use for the table. For
+example, to bind a table to a memory-backed Broker store, use:
+
+.. code-block:: zeek
+
+    global t: table[string] of count &backend=Broker::MEMORY;
+
+.. zeek:attr:: &broker_store
+
+&broker_store
+-------------
+
+This attribute is similar to :zeek:attr:`&backend` in allowing a Zeek table to
+bind to a Broker store. It differs from :zeek:attr:`&backend` as this attribute
+allows you to specify the Broker store you want to bind, without creating it.
+
+Use this if you want to bind a table to a Broker store with special options.
+
+Example:
+
+.. code-block:: zeek
+
+     global teststore: opaque of Broker::Store;
+
+     global t: table[string] of count &broker_store="teststore";
+
+     event zeek_init()
+         {
+         teststore = Broker::create_master("teststore");
+         }
+
+.. zeek:attr:: &broker_allow_complex_type
+
+&broker_allow_complex_type
+--------------------------
+
+By default only tables containing atomic types can be bound to Broker stores.
+Specifying this attribute before :zeek:attr:`&backend` or :zeek:attr:`&broker_store`
+disables this safety feature and allows complex types to be stored in a Broker backed
+table.
+
+.. warning::
+
+    Storing complex types in Broker backed store comes with severe restrictions.
+    When you modify a stored complex type after inserting it into a table, that change in a stored complex type
+    will *not propagate* to Broker. Hence to send out the new value, so that it will be persisted/synchronized
+    over the cluster, you will have to re-insert the complex type into the local zeek table.
+
+    For example:
+
+    .. code-block:: zeek
+
+            type testrec: record {
+                a: count;
+            };
+
+            global t: table[string] of testrec &broker_allow_complex_type &backend=Broker::MEMORY;
+
+            event zeek_init()
+                {
+                local rec = testrec($a=5);
+                t["test"] = rec;
+                rec$a = 6; # This will not propagate to Broker! You have to re-insert.
+                # Propagate new value to Broker:
+                t["test"] = rec;
+                }
+
+.. zeek:attr:: &ordered
+
+&ordered
+--------
+
+Used on tables and sets, this attribute ensures that iteration yields members in
+the order they were inserted. Without this attribute, the iteration order remains
+undefined. The following is guaranteed to print "foo", "bar", and "baz", in that
+order:
+
+.. code-block:: zeek
+
+    global sset: set[string] &ordered;
+
+    event zeek_init()
+        {
+        add sset["foo"];
+        add sset["bar"];
+        add sset["baz"];
+
+        for ( s in sset )
+            print s;
+        }
+
+.. zeek:attr:: &deprecated
+
+&deprecated
+-----------
+
+The associated identifier is marked as deprecated and will be
+removed in a future version of Zeek.  Look in the :file:`NEWS` file for more
+instructions to migrate code that uses deprecated functionality.
+This attribute can be assigned an optional string literal value to
+print along with the deprecation warning. The preferred format of
+this warning message should include the version number in which
+the identifier will be removed:
+
+.. code-block:: zeek
+
+    type warned: string &deprecated="Remove in vX.Y.  This type is deprecated because of reasons, use 'foo' instead.";
+
+.. zeek:attr:: &is_assigned
+
+&is_assigned
+------------
+
+Zeek has static analysis capabilities
+for detecting locations in a script that attempt to use a
+local variable before it is necessarily defined/assigned.  You activate
+this using the ``-u`` command-line flag.
+
+However the static analysis lacks sufficient power to tell that some
+values are being used safely (guaranteed to have been assigned).  In order to
+enable users to employ ``-u`` on their own scripts without being
+distracted by these false positives, the ``&is_assigned`` attribute can be
+associated with a variable to inform Zeek's analysis that the
+script writer asserts the value will be set, suppressing the associated
+warnings.
+
+.. code-block:: zeek
+  :caption: test1.zeek
+  :linenos:
+
+    event zeek_init()
+        {
+        local a: count;
+        print a;
+        }
+
+.. code-block:: console
+
+  $ zeek -b -u test1.zeek
+
+::
+
+  warning in ./test1.zeek, line 4: possibly used without definition (a)
+  expression error in ./test1.zeek, line 4: value used but not set (a)
+
+.. code-block:: zeek
+  :caption: test2.zeek
+  :linenos:
+
+    event zeek_init()
+        {
+        # Note this is not a real place to want to use &is_assigned since it's
+        # clearly a bug, but it demonstrates suppression of warning.
+        local a: count &is_assigned;
+        print a;
+        }
+
+.. code-block:: console
+
+  $ zeek -b -u test2.zeek
+
+::
+
+  expression error in ./test2.zeek, line 6: value used but not set (a)
+
+.. zeek:attr:: &is_used
+
+&is_used
+--------
+
+Zeek has static analysis capabilities for detecting locations in a script where
+local variables are assigned values that are not subsequently used (i.e. "dead
+code").
+
+It can also warn about unused functions, hooks, and event handlers.  The intent
+behind these checks is to catch instances where the script writer has introduced
+typos in names, or has forgotten to remove code that's no longer needed.  For
+functions and hooks, "unused" means the function/hook is neither exported nor in the
+global scope, and no "live" (i.e., not "unused") function/hook/event handler
+calls it.  For event handlers, "unused" means that the event engine does not
+generate the event, nor do any "live" functions/hooks/event handlers generate it.
+
+Zeek never reports any functions/hooks/event handlers that are marked deprecated
+(via :zeek:attr:`&deprecated`) as unused.
+
+For cases where it's desirable to suppress the warning, the
+``&is_used`` attribute may be applied, for example:
+
+.. code-block:: zeek
+  :caption: test.zeek
+  :linenos:
+
+    module Test;
+
+    export {
+        global baz: function();
+    }
+
+    function foo()
+        {
+        }
+
+    function bar() &is_used
+        {
+        }
+
+    function baz()
+        {
+        }
+
+    event zeek_init()
+        {
+        local please_warn: string = "test";
+        local please_no_warning: string = "test" &is_used;
+        }
+
+.. code-block:: console
+
+  $ zeek -a -b -u test.zeek
+
+::
+
+  warning in ./test.zeek, line 7: non-exported function does not have any callers (Test::foo)
+  warning: Test::please_warn assignment unused: Test::please_warn = test; ./test.zeek, line 21
+
+.. zeek:attr:: &group
+
+&group
+------
+
+The ``&group`` attribute can be used on event handlers and hooks to add them
+into event groups.
+By default, all event groups are enabled. Disabling an event group disables
+all event handlers and hooks with a matching ``&group`` attribute. When an
+event handler or hook is part of multiple groups it is enabled only if all
+groups are enabled.
+
+.. code-block:: zeek
+
+     event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) &group="my-http-group"
+         {
+         ...
+         }
+
+     event zeek_init()
+         {
+         disable_event_group("my-http-group");
+         }
+
+See also the documentation for the functions :zeek:see:`enable_event_group`
+and :zeek:see:`disable_event_group`.
--- a/doc/script-reference/autogenerated-file-analyzer-index.rst
+++ b/doc/script-reference/autogenerated-file-analyzer-index.rst
--- a/doc/script-reference/autogenerated-package-index.rst
+++ b/doc/script-reference/autogenerated-package-index.rst
@ -0,0 +1,447 @@
+:doc:`base/packet-protocols </scripts/base/packet-protocols/index>`
+
+
+:doc:`base/packet-protocols/root </scripts/base/packet-protocols/root/index>`
+
+
+:doc:`base/packet-protocols/ip </scripts/base/packet-protocols/ip/index>`
+
+
+:doc:`base/packet-protocols/skip </scripts/base/packet-protocols/skip/index>`
+
+
+:doc:`base/packet-protocols/ethernet </scripts/base/packet-protocols/ethernet/index>`
+
+
+:doc:`base/packet-protocols/fddi </scripts/base/packet-protocols/fddi/index>`
+
+
+:doc:`base/packet-protocols/ieee802_11 </scripts/base/packet-protocols/ieee802_11/index>`
+
+
+:doc:`base/packet-protocols/ieee802_11_radio </scripts/base/packet-protocols/ieee802_11_radio/index>`
+
+
+:doc:`base/packet-protocols/linux_sll </scripts/base/packet-protocols/linux_sll/index>`
+
+
+:doc:`base/packet-protocols/linux_sll2 </scripts/base/packet-protocols/linux_sll2/index>`
+
+
+:doc:`base/packet-protocols/nflog </scripts/base/packet-protocols/nflog/index>`
+
+
+:doc:`base/packet-protocols/null </scripts/base/packet-protocols/null/index>`
+
+
+:doc:`base/packet-protocols/ppp </scripts/base/packet-protocols/ppp/index>`
+
+
+:doc:`base/packet-protocols/ppp_serial </scripts/base/packet-protocols/ppp_serial/index>`
+
+
+:doc:`base/packet-protocols/pppoe </scripts/base/packet-protocols/pppoe/index>`
+
+
+:doc:`base/packet-protocols/vlan </scripts/base/packet-protocols/vlan/index>`
+
+
+:doc:`base/packet-protocols/mpls </scripts/base/packet-protocols/mpls/index>`
+
+
+:doc:`base/packet-protocols/pbb </scripts/base/packet-protocols/pbb/index>`
+
+
+:doc:`base/packet-protocols/vntag </scripts/base/packet-protocols/vntag/index>`
+
+
+:doc:`base/packet-protocols/udp </scripts/base/packet-protocols/udp/index>`
+
+
+:doc:`base/packet-protocols/tcp </scripts/base/packet-protocols/tcp/index>`
+
+
+:doc:`base/packet-protocols/icmp </scripts/base/packet-protocols/icmp/index>`
+
+
+:doc:`base/packet-protocols/llc </scripts/base/packet-protocols/llc/index>`
+
+
+:doc:`base/packet-protocols/novell_802_3 </scripts/base/packet-protocols/novell_802_3/index>`
+
+
+:doc:`base/packet-protocols/snap </scripts/base/packet-protocols/snap/index>`
+
+
+:doc:`base/packet-protocols/gre </scripts/base/packet-protocols/gre/index>`
+
+
+:doc:`base/packet-protocols/iptunnel </scripts/base/packet-protocols/iptunnel/index>`
+
+
+:doc:`base/packet-protocols/ayiya </scripts/base/packet-protocols/ayiya/index>`
+
+
+:doc:`base/packet-protocols/geneve </scripts/base/packet-protocols/geneve/index>`
+
+
+:doc:`base/packet-protocols/vxlan </scripts/base/packet-protocols/vxlan/index>`
+
+
+:doc:`base/packet-protocols/teredo </scripts/base/packet-protocols/teredo/index>`
+
+
+:doc:`base/packet-protocols/gtpv1 </scripts/base/packet-protocols/gtpv1/index>`
+
+
+:doc:`base/frameworks/logging </scripts/base/frameworks/logging/index>`
+
+   The logging framework provides a flexible key-value based logging interface.
+
+:doc:`base/frameworks/logging/postprocessors </scripts/base/frameworks/logging/postprocessors/index>`
+
+   Support for postprocessors in the logging framework.
+
+:doc:`base/frameworks/broker </scripts/base/frameworks/broker/index>`
+
+   The Broker communication framework facilitates connecting to remote Zeek
+   instances to share state and transfer events.
+
+:doc:`base/frameworks/supervisor </scripts/base/frameworks/supervisor/index>`
+
+
+:doc:`base/frameworks/input </scripts/base/frameworks/input/index>`
+
+   The input framework provides a way to read previously stored data either as
+   an event stream or into a Zeek table.
+
+:doc:`base/frameworks/cluster </scripts/base/frameworks/cluster/index>`
+
+   The cluster framework provides for establishing and controlling a cluster
+   of Zeek instances.
+
+:doc:`base/frameworks/control </scripts/base/frameworks/control/index>`
+
+   The control framework provides the foundation for providing "commands"
+   that can be taken remotely at runtime to modify a running Zeek instance
+   or collect information from the running instance.
+
+:doc:`base/frameworks/config </scripts/base/frameworks/config/index>`
+
+   The configuration framework provides a way to change the Zeek configuration
+   in "option" values at run-time.
+
+:doc:`base/frameworks/analyzer </scripts/base/frameworks/analyzer/index>`
+
+   The analyzer framework allows to dynamically enable or disable Zeek's
+   protocol analyzers, as well as to manage the well-known ports which
+   automatically activate a particular analyzer for new connections.
+
+:doc:`base/frameworks/files </scripts/base/frameworks/files/index>`
+
+   The file analysis framework provides an interface for driving the analysis
+   of files, possibly independent of any network protocol over which they're
+   transported.
+
+:doc:`base/frameworks/files/magic </scripts/base/frameworks/files/magic/index>`
+
+
+:doc:`base/bif </scripts/base/bif/index>`
+
+
+:doc:`base/bif/plugins </scripts/base/bif/plugins/index>`
+
+
+:doc:`base/frameworks/reporter </scripts/base/frameworks/reporter/index>`
+
+   This framework is intended to create an output and filtering path for
+   internally generated messages/warnings/errors.
+
+:doc:`base/frameworks/notice </scripts/base/frameworks/notice/index>`
+
+   The notice framework enables Zeek to "notice" things which are odd or
+   potentially bad, leaving it to the local configuration to define which
+   of them are actionable.  This decoupling of detection and reporting allows
+   Zeek to be customized to the different needs that sites have.
+
+:doc:`base/frameworks/signatures </scripts/base/frameworks/signatures/index>`
+
+   The signature framework provides for doing low-level pattern matching.  While
+   signatures are not Zeek's preferred detection tool, they sometimes come in
+   handy and are closer to what many people are familiar with from using
+   other NIDS.
+
+:doc:`base/frameworks/packet-filter </scripts/base/frameworks/packet-filter/index>`
+
+   The packet filter framework supports how Zeek sets its BPF capture filter.
+
+:doc:`base/frameworks/software </scripts/base/frameworks/software/index>`
+
+   The software framework provides infrastructure for maintaining a table
+   of software versions seen on the network. The version parsing itself
+   is carried out by external protocol-specific scripts that feed into
+   this framework.
+
+:doc:`base/frameworks/intel </scripts/base/frameworks/intel/index>`
+
+   The intelligence framework provides a way to store and query intelligence
+   data (such as IP addresses or strings). Metadata can also be associated
+   with the intelligence.
+
+:doc:`base/frameworks/sumstats </scripts/base/frameworks/sumstats/index>`
+
+   The summary statistics framework provides a way to summarize large streams
+   of data into simple reduced measurements.
+
+:doc:`base/frameworks/sumstats/plugins </scripts/base/frameworks/sumstats/plugins/index>`
+
+   Plugins for the summary statistics framework.
+
+:doc:`base/frameworks/tunnels </scripts/base/frameworks/tunnels/index>`
+
+   The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo,
+   AYIYA, or IP-in-IP such as 6to4 where "IP" is either IPv4 or IPv6).
+
+:doc:`base/frameworks/openflow </scripts/base/frameworks/openflow/index>`
+
+   The OpenFlow framework exposes the data structures and functions
+   necessary to interface to OpenFlow capable hardware.
+
+:doc:`base/frameworks/openflow/plugins </scripts/base/frameworks/openflow/plugins/index>`
+
+   Plugins for the OpenFlow framework.
+
+:doc:`base/frameworks/netcontrol </scripts/base/frameworks/netcontrol/index>`
+
+   The NetControl framework provides a way for Zeek to interact with networking
+   hard- and software, e.g. for dropping and shunting IP addresses/connections,
+   etc.
+
+:doc:`base/frameworks/netcontrol/plugins </scripts/base/frameworks/netcontrol/plugins/index>`
+
+   Plugins for the NetControl framework.
+
+:doc:`base/frameworks/telemetry </scripts/base/frameworks/telemetry/index>`
+
+
+:doc:`base/frameworks/storage </scripts/base/frameworks/storage/index>`
+
+
+:doc:`base/frameworks/spicy </scripts/base/frameworks/spicy/index>`
+
+
+:doc:`base/protocols/conn </scripts/base/protocols/conn/index>`
+
+   Support for connection (TCP, UDP, or ICMP) analysis.
+
+:doc:`base/protocols/dce-rpc </scripts/base/protocols/dce-rpc/index>`
+
+   Support for DCE/RPC (Distributed Computing Environment/Remote Procedure
+   Calls) protocol analysis.
+
+:doc:`base/protocols/dhcp </scripts/base/protocols/dhcp/index>`
+
+   Support for Dynamic Host Configuration Protocol (DHCP) analysis.
+
+:doc:`base/protocols/dnp3 </scripts/base/protocols/dnp3/index>`
+
+   Support for Distributed Network Protocol (DNP3) analysis.
+
+:doc:`base/protocols/dns </scripts/base/protocols/dns/index>`
+
+   Support for Domain Name System (DNS) protocol analysis.
+
+:doc:`base/protocols/finger </scripts/base/protocols/finger/index>`
+
+
+:doc:`base/protocols/ftp </scripts/base/protocols/ftp/index>`
+
+   Support for File Transfer Protocol (FTP) analysis.
+
+:doc:`base/protocols/ssl </scripts/base/protocols/ssl/index>`
+
+   Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis.
+
+:doc:`base/files/x509 </scripts/base/files/x509/index>`
+
+   Support for X509 certificates with the file analysis framework.
+   Also supports parsing OCSP requests and responses.
+
+:doc:`base/files/hash </scripts/base/files/hash/index>`
+
+   Support for file hashes with the file analysis framework.
+
+:doc:`base/protocols/http </scripts/base/protocols/http/index>`
+
+   Support for Hypertext Transfer Protocol (HTTP) analysis.
+
+:doc:`base/protocols/imap </scripts/base/protocols/imap/index>`
+
+   Support for the Internet Message Access Protocol (IMAP).
+   
+   Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+   until they do or do not switch to TLS using StartTLS. Hence, we do not get
+   mails from IMAP sessions, only X509 certificates.
+
+:doc:`base/protocols/irc </scripts/base/protocols/irc/index>`
+
+   Support for Internet Relay Chat (IRC) protocol analysis.
+
+:doc:`base/protocols/krb </scripts/base/protocols/krb/index>`
+
+   Support for Kerberos protocol analysis.
+
+:doc:`base/protocols/ldap </scripts/base/protocols/ldap/index>`
+
+
+:doc:`base/protocols/modbus </scripts/base/protocols/modbus/index>`
+
+   Support for Modbus protocol analysis.
+
+:doc:`base/protocols/mqtt </scripts/base/protocols/mqtt/index>`
+
+   Support for MQTT protocol analysis.
+
+:doc:`base/protocols/mysql </scripts/base/protocols/mysql/index>`
+
+   Support for MySQL protocol analysis.
+
+:doc:`base/protocols/ntlm </scripts/base/protocols/ntlm/index>`
+
+   Support for NT LAN Manager (NTLM) protocol analysis.
+
+:doc:`base/protocols/ntp </scripts/base/protocols/ntp/index>`
+
+
+:doc:`base/protocols/pop3 </scripts/base/protocols/pop3/index>`
+
+   Support for POP3 (Post Office Protocol) protocol analysis.
+
+:doc:`base/protocols/postgresql </scripts/base/protocols/postgresql/index>`
+
+
+:doc:`base/protocols/quic </scripts/base/protocols/quic/index>`
+
+
+:doc:`base/protocols/radius </scripts/base/protocols/radius/index>`
+
+   Support for RADIUS protocol analysis.
+
+:doc:`base/protocols/rdp </scripts/base/protocols/rdp/index>`
+
+   Support for Remote Desktop Protocol (RDP) analysis.
+
+:doc:`base/protocols/redis </scripts/base/protocols/redis/index>`
+
+
+:doc:`base/protocols/rfb </scripts/base/protocols/rfb/index>`
+
+   Support for Remote FrameBuffer analysis.  This includes all VNC servers.
+
+:doc:`base/protocols/sip </scripts/base/protocols/sip/index>`
+
+   Support for Session Initiation Protocol (SIP) analysis.
+
+:doc:`base/protocols/snmp </scripts/base/protocols/snmp/index>`
+
+   Support for Simple Network Management Protocol (SNMP) analysis.
+
+:doc:`base/protocols/smb </scripts/base/protocols/smb/index>`
+
+   Support for SMB protocol analysis.
+
+:doc:`base/protocols/smtp </scripts/base/protocols/smtp/index>`
+
+   Support for Simple Mail Transfer Protocol (SMTP) analysis.
+
+:doc:`base/protocols/socks </scripts/base/protocols/socks/index>`
+
+   Support for Socket Secure (SOCKS) protocol analysis.
+
+:doc:`base/protocols/ssh </scripts/base/protocols/ssh/index>`
+
+   Support for SSH protocol analysis.
+
+:doc:`base/protocols/syslog </scripts/base/protocols/syslog/index>`
+
+   Support for Syslog protocol analysis.
+
+:doc:`base/protocols/websocket </scripts/base/protocols/websocket/index>`
+
+
+:doc:`base/protocols/tunnels </scripts/base/protocols/tunnels/index>`
+
+   Provides DPD signatures for tunneling protocols that otherwise
+   wouldn't be detected at all.
+
+:doc:`base/protocols/xmpp </scripts/base/protocols/xmpp/index>`
+
+   Support for the Extensible Messaging and Presence Protocol (XMPP).
+   
+   Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+   until they do or do not switch to TLS using StartTLS. Hence, we do not get
+   actual chat information from XMPP sessions, only X509 certificates.
+
+:doc:`base/files/pe </scripts/base/files/pe/index>`
+
+   Support for Portable Executable (PE) file analysis.
+
+:doc:`base/files/extract </scripts/base/files/extract/index>`
+
+   Support for extracting files with the file analysis framework.
+
+:doc:`builtin-plugins </scripts/builtin-plugins/index>`
+
+
+:doc:`builtin-plugins/Zeek_JavaScript </scripts/builtin-plugins/Zeek_JavaScript/index>`
+
+
+:doc:`zeekygen </scripts/zeekygen/index>`
+
+   This package is loaded during the process which automatically generates
+   reference documentation for all Zeek scripts (i.e. "Zeekygen").  Its only
+   purpose is to provide an easy way to load all known Zeek scripts plus any
+   extra scripts needed or used by the documentation process.
+
+:doc:`policy/frameworks/cluster/backend/zeromq </scripts/policy/frameworks/cluster/backend/zeromq/index>`
+
+
+:doc:`policy/frameworks/management/agent </scripts/policy/frameworks/management/agent/index>`
+
+
+:doc:`policy/frameworks/management </scripts/policy/frameworks/management/index>`
+
+
+:doc:`policy/frameworks/management/controller </scripts/policy/frameworks/management/controller/index>`
+
+
+:doc:`policy/frameworks/management/supervisor </scripts/policy/frameworks/management/supervisor/index>`
+
+
+:doc:`policy/frameworks/intel/seen </scripts/policy/frameworks/intel/seen/index>`
+
+   Scripts that send data to the intelligence framework.
+
+:doc:`policy/frameworks/notice </scripts/policy/frameworks/notice/index>`
+
+
+:doc:`policy/frameworks/storage/backend/redis </scripts/policy/frameworks/storage/backend/redis/index>`
+
+
+:doc:`policy/frameworks/storage/backend/sqlite </scripts/policy/frameworks/storage/backend/sqlite/index>`
+
+
+:doc:`policy/integration/collective-intel </scripts/policy/integration/collective-intel/index>`
+
+   The scripts in this module are for deeper integration with the
+   Collective Intelligence Framework (CIF) since Zeek's Intel framework
+   doesn't natively behave the same as CIF nor does it store and maintain
+   the same data in all cases.
+
+:doc:`policy/misc/detect-traceroute </scripts/policy/misc/detect-traceroute/index>`
+
+   Detect hosts that are running traceroute.
+
+:doc:`policy/frameworks/management/node </scripts/policy/frameworks/management/node/index>`
+
+
--- a/doc/script-reference/autogenerated-packet-analyzer-index.rst
+++ b/doc/script-reference/autogenerated-packet-analyzer-index.rst
@ -0,0 +1,850 @@
+Packet Analyzers
+================
+
+.. zeek:type:: PacketAnalyzer::Tag
+
+   :Type: :zeek:type:`enum`
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ARP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_AYIYA PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ETHERNET PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_FDDI PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GENEVE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GRE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_GTPV1 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ICMP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IEEE802_11 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IEEE802_11_RADIO PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_IPTUNNEL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LINUXSLL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LINUXSLL2 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_LLC PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_MPLS PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NFLOG PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NOVELL_802_3 PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_NULL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PBB PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPPOE PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_PPPSERIAL PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_ROOT PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_SKIP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_SNAP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_TCP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_TEREDO PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_UDP PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VLAN PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VNTAG PacketAnalyzer::Tag
+
+      .. zeek:enum:: PacketAnalyzer::ANALYZER_VXLAN PacketAnalyzer::Tag
+
+.. _plugin-zeek-arp:
+
+Zeek::ARP
+---------
+
+ARP packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ARP`
+
+Events
++++++
+
+.. zeek:id:: arp_request
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 22 22
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP requests.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The request's source MAC address.
+   
+
+   :param mac_dst: The request's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see:: arp_reply  bad_arp
+
+.. zeek:id:: arp_reply
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 43 43
+
+   :Type: :zeek:type:`event` (mac_src: :zeek:type:`string`, mac_dst: :zeek:type:`string`, SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`)
+
+   Generated for ARP replies.
+   
+   See `Wikipedia <http://en.wikipedia.org/wiki/Address_Resolution_Protocol>`__
+   for more information about the ARP protocol.
+   
+
+   :param mac_src: The reply's source MAC address.
+   
+
+   :param mac_dst: The reply's destination MAC address.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+   .. zeek:see::  arp_request bad_arp
+
+.. zeek:id:: bad_arp
+   :source-code: base/bif/plugins/Zeek_ARP.events.bif.zeek 66 66
+
+   :Type: :zeek:type:`event` (SPA: :zeek:type:`addr`, SHA: :zeek:type:`string`, TPA: :zeek:type:`addr`, THA: :zeek:type:`string`, explanation: :zeek:type:`string`)
+
+   Generated for ARP packets that Zeek cannot interpret. Examples are packets
+   with non-standard hardware address formats or hardware addresses that do not
+   match the originator of the packet.
+   
+
+   :param SPA: The sender protocol address.
+   
+
+   :param SHA: The sender hardware address.
+   
+
+   :param TPA: The target protocol address.
+   
+
+   :param THA: The target hardware address.
+   
+
+   :param explanation: A short description of why the ARP packet is considered "bad".
+   
+   .. zeek:see:: arp_reply arp_request
+   
+   .. todo:: Zeek's current default configuration does not activate the protocol
+      analyzer that generates this event; the corresponding script has not yet
+      been ported. To still enable this event, one needs to
+      register a port for it or add a DPD payload signature.
+
+.. _plugin-zeek-ayiya:
+
+Zeek::AYIYA
+-----------
+
+AYIYA packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_AYIYA`
+
+.. _plugin-zeek-ethernet:
+
+Zeek::Ethernet
+--------------
+
+Ethernet packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ETHERNET`
+
+.. _plugin-zeek-fddi:
+
+Zeek::FDDI
+----------
+
+FDDI packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_FDDI`
+
+.. _plugin-zeek-geneve:
+
+Zeek::Geneve
+------------
+
+Geneve packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GENEVE`
+
+Events
++++++
+
+.. zeek:id:: geneve_packet
+   :source-code: base/bif/plugins/Zeek_Geneve.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a Geneve tunnel.
+   See :rfc:`8926` for more information about the Geneve protocol.
+   
+
+   :param outer: The Geneve tunnel connection.
+   
+
+   :param inner: The Geneve-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: Geneve Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+Functions
+++++++++
+
+.. zeek:id:: PacketAnalyzer::Geneve::get_options
+   :source-code: base/bif/plugins/Zeek_Geneve.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`geneve_options_vec_vec`
+
+   Returns all Geneve options from all layers of the current packet.
+   
+   The last entry in the outer vector are the options of the most
+   inner Geneve header.
+   
+   Returns a vector of vector of :zeek:see:`PacketAnalyzer::Geneve::Option` records.
+
+.. _plugin-zeek-gre:
+
+Zeek::GRE
+---------
+
+GRE packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GRE`
+
+.. _plugin-zeek-gtpv1:
+
+Zeek::GTPv1
+-----------
+
+GTPv1 analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_GTPV1`
+
+Events
++++++
+
+.. zeek:id:: new_gtpv1_state
+   :source-code: base/packet-protocols/gtpv1/main.zeek 35 38
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when a new GTP analyzer is instantiated for a connection.
+   
+   This event exists to install a connection removal hook to clear
+   internal per-connection GTPv1 state.
+   
+
+   :param c: The connection for which the analyzer is instantiated.
+
+.. zeek:id:: gtpv1_message
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 21 21
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`)
+
+   Generated for any GTP message with a GTPv1 header.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+
+.. zeek:id:: gtpv1_g_pdu_packet
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 35 35
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner_gtp: :zeek:type:`gtpv1_hdr`, inner_ip: :zeek:type:`pkt_hdr`)
+
+   Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+   that includes a GTP header followed by an IPv4 or IPv6 packet.
+   
+
+   :param outer: The GTP outer tunnel connection.
+   
+
+   :param inner_gtp: The GTP header.
+   
+
+   :param inner_ip: The inner IP and transport layer packet headers.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: gtpv1_create_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 45 45
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Create PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_create_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 55 55
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_create_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Create PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 65 65
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Update PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_update_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 75 75
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_update_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Update PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_request
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 85 85
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_request_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Request messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+.. zeek:id:: gtpv1_delete_pdp_ctx_response
+   :source-code: base/bif/plugins/Zeek_GTPv1.events.bif.zeek 95 95
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`, hdr: :zeek:type:`gtpv1_hdr`, elements: :zeek:type:`gtp_delete_pdp_ctx_response_elements`)
+
+   Generated for GTPv1-C Delete PDP Context Response messages.
+   
+
+   :param c: The connection over which the message is sent.
+   
+
+   :param hdr: The GTPv1 header.
+   
+
+   :param elements: The set of Information Elements comprising the message.
+
+Functions
+++++++++
+
+.. zeek:id:: PacketAnalyzer::GTPV1::remove_gtpv1_connection
+   :source-code: base/bif/plugins/Zeek_GTPv1.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+.. _plugin-zeek-ieee802-11:
+
+Zeek::IEEE802_11
+----------------
+
+IEEE 802.11 packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IEEE802_11`
+
+.. _plugin-zeek-ieee802-11-radio:
+
+Zeek::IEEE802_11_Radio
+----------------------
+
+IEEE 802.11 Radiotap packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IEEE802_11_RADIO`
+
+.. _plugin-zeek-ip:
+
+Zeek::IP
+--------
+
+Packet analyzer for IP fallback (v4 or v6)
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IP`
+
+.. _plugin-zeek-iptunnel:
+
+Zeek::IPTunnel
+--------------
+
+IPTunnel packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_IPTUNNEL`
+
+.. _plugin-zeek-linuxsll:
+
+Zeek::LinuxSLL
+--------------
+
+Linux cooked capture (SLL) packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LINUXSLL`
+
+.. _plugin-zeek-linuxsll2:
+
+Zeek::LinuxSLL2
+---------------
+
+Linux cooked capture version 2 (SLL2) packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LINUXSLL2`
+
+.. _plugin-zeek-llc:
+
+Zeek::LLC
+---------
+
+LLC packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_LLC`
+
+.. _plugin-zeek-mpls:
+
+Zeek::MPLS
+----------
+
+MPLS packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_MPLS`
+
+.. _plugin-zeek-nflog:
+
+Zeek::NFLog
+-----------
+
+NFLog packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NFLOG`
+
+.. _plugin-zeek-novell-802-3:
+
+Zeek::NOVELL_802_3
+------------------
+
+Novell 802.3 variantx packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NOVELL_802_3`
+
+.. _plugin-zeek-null:
+
+Zeek::Null
+----------
+
+Null packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_NULL`
+
+.. _plugin-zeek-pbb:
+
+Zeek::PBB
+---------
+
+PBB packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PBB`
+
+.. _plugin-zeek-ppp:
+
+Zeek::PPP
+---------
+
+PPP packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPP`
+
+.. _plugin-zeek-pppoe:
+
+Zeek::PPPoE
+-----------
+
+PPPoE packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPPOE`
+
+Functions
+++++++++
+
+.. zeek:id:: PacketAnalyzer::PPPoE::session_id
+   :source-code: base/bif/plugins/Zeek_PPPoE.functions.bif.zeek 15 15
+
+   :Type: :zeek:type:`function` () : :zeek:type:`count`
+
+   Returns the PPPoE Session ID of the current packet, if present.
+   
+   If no PPPoE Session ID is present, 0xFFFFFFFF is returned, which
+   is out of range of the session ID.
+   
+
+   :returns: The PPPoE session ID if present, 0xFFFFFFFF otherwise.
+
+.. _plugin-zeek-pppserial:
+
+Zeek::PPPSerial
+---------------
+
+PPPSerial packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_PPPSERIAL`
+
+.. _plugin-zeek-root:
+
+Zeek::Root
+----------
+
+Root packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_ROOT`
+
+.. _plugin-zeek-skip:
+
+Zeek::Skip
+----------
+
+Skip packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_SKIP`
+
+.. _plugin-zeek-snap:
+
+Zeek::SNAP
+----------
+
+SNAP packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_SNAP`
+
+.. _plugin-zeek-teredo:
+
+Zeek::Teredo
+------------
+
+Teredo packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_TEREDO`
+
+Events
++++++
+
+.. zeek:id:: teredo_packet
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 18 18
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: new_teredo_state
+   :source-code: base/packet-protocols/teredo/main.zeek 36 39
+
+   :Type: :zeek:type:`event` (c: :zeek:type:`connection`)
+
+   Generated when per connection Teredo state is created.
+   
+   This is primarily useful to install a connection removal hook to clear
+   internal per-connection Teredo state.
+   
+
+   :param c: The Teredo tunnel connection.
+
+.. zeek:id:: teredo_authentication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 42 42
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo authentication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_origin_indication
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 57 57
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for IPv6 packets encapsulated in a Teredo tunnel that
+   use the Teredo origin indication encapsulation method.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+.. zeek:id:: teredo_bubble
+   :source-code: base/bif/plugins/Zeek_Teredo.events.bif.zeek 72 72
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`teredo_hdr`)
+
+   Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+   in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
+   See :rfc:`4380` for more information about the Teredo protocol.
+   
+
+   :param outer: The Teredo tunnel connection.
+   
+
+   :param inner: The Teredo-encapsulated IPv6 packet header and transport header.
+   
+   .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
+Functions
+++++++++
+
+.. zeek:id:: PacketAnalyzer::TEREDO::remove_teredo_connection
+   :source-code: base/bif/plugins/Zeek_Teredo.functions.bif.zeek 9 9
+
+   :Type: :zeek:type:`function` (cid: :zeek:type:`conn_id`) : :zeek:type:`bool`
+
+
+.. _plugin-zeek-vlan:
+
+Zeek::VLAN
+----------
+
+VLAN packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VLAN`
+
+.. _plugin-zeek-vntag:
+
+Zeek::VNTag
+-----------
+
+VNTag packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VNTAG`
+
+.. _plugin-zeek-vxlan:
+
+Zeek::VXLAN
+-----------
+
+VXLAN packet analyzer
+
+Components
++++++++++
+
+:zeek:enum:`PacketAnalyzer::ANALYZER_VXLAN`
+
+Events
++++++
+
+.. zeek:id:: vxlan_packet
+   :source-code: base/bif/plugins/Zeek_VXLAN.events.bif.zeek 15 15
+
+   :Type: :zeek:type:`event` (outer: :zeek:type:`connection`, inner: :zeek:type:`pkt_hdr`, vni: :zeek:type:`count`)
+
+   Generated for any packet encapsulated in a VXLAN tunnel.
+   See :rfc:`7348` for more information about the VXLAN protocol.
+   
+
+   :param outer: The VXLAN tunnel connection.
+   
+
+   :param inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+   
+
+   :param vni: VXLAN Network Identifier.
+   
+   .. note:: Since this event may be raised on a per-packet basis, handling
+      it may become particularly expensive for real-time analysis.
+
--- a/doc/script-reference/autogenerated-protocol-analyzer-index.rst
+++ b/doc/script-reference/autogenerated-protocol-analyzer-index.rst
--- a/doc/script-reference/autogenerated-script-index.rst
+++ b/doc/script-reference/autogenerated-script-index.rst
@ -0,0 +1,658 @@
+.. toctree::
+   :maxdepth: 1
+
+   base/init-bare.zeek </scripts/base/init-bare.zeek>
+   base/bif/const.bif.zeek </scripts/base/bif/const.bif.zeek>
+   base/bif/types.bif.zeek </scripts/base/bif/types.bif.zeek>
+   base/bif/zeek.bif.zeek </scripts/base/bif/zeek.bif.zeek>
+   base/bif/communityid.bif.zeek </scripts/base/bif/communityid.bif.zeek>
+   base/bif/stats.bif.zeek </scripts/base/bif/stats.bif.zeek>
+   base/bif/reporter.bif.zeek </scripts/base/bif/reporter.bif.zeek>
+   base/bif/strings.bif.zeek </scripts/base/bif/strings.bif.zeek>
+   base/bif/option.bif.zeek </scripts/base/bif/option.bif.zeek>
+   base/frameworks/supervisor/api.zeek </scripts/base/frameworks/supervisor/api.zeek>
+   base/bif/supervisor.bif.zeek </scripts/base/bif/supervisor.bif.zeek>
+   base/bif/packet_analysis.bif.zeek </scripts/base/bif/packet_analysis.bif.zeek>
+   base/bif/CPP-load.bif.zeek </scripts/base/bif/CPP-load.bif.zeek>
+   base/bif/mmdb.bif.zeek </scripts/base/bif/mmdb.bif.zeek>
+   base/bif/plugins/Zeek_SNMP.types.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.types.bif.zeek>
+   base/bif/plugins/Zeek_KRB.types.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek>
+   base/bif/telemetry_functions.bif.zeek </scripts/base/bif/telemetry_functions.bif.zeek>
+   base/bif/telemetry_types.bif.zeek </scripts/base/bif/telemetry_types.bif.zeek>
+   base/bif/event.bif.zeek </scripts/base/bif/event.bif.zeek>
+   base/packet-protocols/__load__.zeek </scripts/base/packet-protocols/__load__.zeek>
+   base/packet-protocols/main.zeek </scripts/base/packet-protocols/main.zeek>
+   base/frameworks/analyzer/main.zeek </scripts/base/frameworks/analyzer/main.zeek>
+   base/frameworks/packet-filter/utils.zeek </scripts/base/frameworks/packet-filter/utils.zeek>
+   base/bif/analyzer.bif.zeek </scripts/base/bif/analyzer.bif.zeek>
+   base/bif/file_analysis.bif.zeek </scripts/base/bif/file_analysis.bif.zeek>
+   base/packet-protocols/root/__load__.zeek </scripts/base/packet-protocols/root/__load__.zeek>
+   base/packet-protocols/root/main.zeek </scripts/base/packet-protocols/root/main.zeek>
+   base/packet-protocols/ip/__load__.zeek </scripts/base/packet-protocols/ip/__load__.zeek>
+   base/packet-protocols/ip/main.zeek </scripts/base/packet-protocols/ip/main.zeek>
+   base/packet-protocols/skip/__load__.zeek </scripts/base/packet-protocols/skip/__load__.zeek>
+   base/packet-protocols/skip/main.zeek </scripts/base/packet-protocols/skip/main.zeek>
+   base/packet-protocols/ethernet/__load__.zeek </scripts/base/packet-protocols/ethernet/__load__.zeek>
+   base/packet-protocols/ethernet/main.zeek </scripts/base/packet-protocols/ethernet/main.zeek>
+   base/packet-protocols/fddi/__load__.zeek </scripts/base/packet-protocols/fddi/__load__.zeek>
+   base/packet-protocols/fddi/main.zeek </scripts/base/packet-protocols/fddi/main.zeek>
+   base/packet-protocols/ieee802_11/__load__.zeek </scripts/base/packet-protocols/ieee802_11/__load__.zeek>
+   base/packet-protocols/ieee802_11/main.zeek </scripts/base/packet-protocols/ieee802_11/main.zeek>
+   base/packet-protocols/ieee802_11_radio/__load__.zeek </scripts/base/packet-protocols/ieee802_11_radio/__load__.zeek>
+   base/packet-protocols/ieee802_11_radio/main.zeek </scripts/base/packet-protocols/ieee802_11_radio/main.zeek>
+   base/packet-protocols/linux_sll/__load__.zeek </scripts/base/packet-protocols/linux_sll/__load__.zeek>
+   base/packet-protocols/linux_sll/main.zeek </scripts/base/packet-protocols/linux_sll/main.zeek>
+   base/packet-protocols/linux_sll2/__load__.zeek </scripts/base/packet-protocols/linux_sll2/__load__.zeek>
+   base/packet-protocols/linux_sll2/main.zeek </scripts/base/packet-protocols/linux_sll2/main.zeek>
+   base/packet-protocols/nflog/__load__.zeek </scripts/base/packet-protocols/nflog/__load__.zeek>
+   base/packet-protocols/nflog/main.zeek </scripts/base/packet-protocols/nflog/main.zeek>
+   base/packet-protocols/null/__load__.zeek </scripts/base/packet-protocols/null/__load__.zeek>
+   base/packet-protocols/null/main.zeek </scripts/base/packet-protocols/null/main.zeek>
+   base/packet-protocols/ppp/__load__.zeek </scripts/base/packet-protocols/ppp/__load__.zeek>
+   base/packet-protocols/ppp/main.zeek </scripts/base/packet-protocols/ppp/main.zeek>
+   base/packet-protocols/ppp_serial/__load__.zeek </scripts/base/packet-protocols/ppp_serial/__load__.zeek>
+   base/packet-protocols/ppp_serial/main.zeek </scripts/base/packet-protocols/ppp_serial/main.zeek>
+   base/packet-protocols/pppoe/__load__.zeek </scripts/base/packet-protocols/pppoe/__load__.zeek>
+   base/packet-protocols/pppoe/main.zeek </scripts/base/packet-protocols/pppoe/main.zeek>
+   base/packet-protocols/vlan/__load__.zeek </scripts/base/packet-protocols/vlan/__load__.zeek>
+   base/packet-protocols/vlan/main.zeek </scripts/base/packet-protocols/vlan/main.zeek>
+   base/packet-protocols/mpls/__load__.zeek </scripts/base/packet-protocols/mpls/__load__.zeek>
+   base/packet-protocols/mpls/main.zeek </scripts/base/packet-protocols/mpls/main.zeek>
+   base/packet-protocols/pbb/__load__.zeek </scripts/base/packet-protocols/pbb/__load__.zeek>
+   base/packet-protocols/pbb/main.zeek </scripts/base/packet-protocols/pbb/main.zeek>
+   base/packet-protocols/vntag/__load__.zeek </scripts/base/packet-protocols/vntag/__load__.zeek>
+   base/packet-protocols/vntag/main.zeek </scripts/base/packet-protocols/vntag/main.zeek>
+   base/packet-protocols/udp/__load__.zeek </scripts/base/packet-protocols/udp/__load__.zeek>
+   base/packet-protocols/udp/main.zeek </scripts/base/packet-protocols/udp/main.zeek>
+   base/packet-protocols/tcp/__load__.zeek </scripts/base/packet-protocols/tcp/__load__.zeek>
+   base/packet-protocols/tcp/main.zeek </scripts/base/packet-protocols/tcp/main.zeek>
+   base/packet-protocols/icmp/__load__.zeek </scripts/base/packet-protocols/icmp/__load__.zeek>
+   base/packet-protocols/icmp/main.zeek </scripts/base/packet-protocols/icmp/main.zeek>
+   base/packet-protocols/llc/__load__.zeek </scripts/base/packet-protocols/llc/__load__.zeek>
+   base/packet-protocols/llc/main.zeek </scripts/base/packet-protocols/llc/main.zeek>
+   base/packet-protocols/novell_802_3/__load__.zeek </scripts/base/packet-protocols/novell_802_3/__load__.zeek>
+   base/packet-protocols/novell_802_3/main.zeek </scripts/base/packet-protocols/novell_802_3/main.zeek>
+   base/packet-protocols/snap/__load__.zeek </scripts/base/packet-protocols/snap/__load__.zeek>
+   base/packet-protocols/snap/main.zeek </scripts/base/packet-protocols/snap/main.zeek>
+   base/packet-protocols/gre/__load__.zeek </scripts/base/packet-protocols/gre/__load__.zeek>
+   base/packet-protocols/gre/main.zeek </scripts/base/packet-protocols/gre/main.zeek>
+   base/packet-protocols/iptunnel/__load__.zeek </scripts/base/packet-protocols/iptunnel/__load__.zeek>
+   base/packet-protocols/iptunnel/main.zeek </scripts/base/packet-protocols/iptunnel/main.zeek>
+   base/packet-protocols/ayiya/__load__.zeek </scripts/base/packet-protocols/ayiya/__load__.zeek>
+   base/packet-protocols/ayiya/main.zeek </scripts/base/packet-protocols/ayiya/main.zeek>
+   base/packet-protocols/geneve/__load__.zeek </scripts/base/packet-protocols/geneve/__load__.zeek>
+   base/packet-protocols/geneve/main.zeek </scripts/base/packet-protocols/geneve/main.zeek>
+   base/packet-protocols/vxlan/__load__.zeek </scripts/base/packet-protocols/vxlan/__load__.zeek>
+   base/packet-protocols/vxlan/main.zeek </scripts/base/packet-protocols/vxlan/main.zeek>
+   base/packet-protocols/teredo/__load__.zeek </scripts/base/packet-protocols/teredo/__load__.zeek>
+   base/packet-protocols/teredo/main.zeek </scripts/base/packet-protocols/teredo/main.zeek>
+   base/bif/plugins/Zeek_Teredo.events.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek>
+   base/bif/plugins/Zeek_Teredo.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek>
+   base/protocols/conn/removal-hooks.zeek </scripts/base/protocols/conn/removal-hooks.zeek>
+   base/packet-protocols/gtpv1/__load__.zeek </scripts/base/packet-protocols/gtpv1/__load__.zeek>
+   base/packet-protocols/gtpv1/main.zeek </scripts/base/packet-protocols/gtpv1/main.zeek>
+   base/bif/plugins/Zeek_GTPv1.events.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek>
+   base/bif/plugins/Zeek_GTPv1.functions.bif.zeek </scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek>
+   base/frameworks/spicy/init-bare.zeek </scripts/base/frameworks/spicy/init-bare.zeek>
+   builtin-plugins/__preload__.zeek </scripts/builtin-plugins/__preload__.zeek>
+   base/init-frameworks-and-bifs.zeek </scripts/base/init-frameworks-and-bifs.zeek>
+   base/frameworks/logging/__load__.zeek </scripts/base/frameworks/logging/__load__.zeek>
+   base/frameworks/logging/main.zeek </scripts/base/frameworks/logging/main.zeek>
+   base/bif/logging.bif.zeek </scripts/base/bif/logging.bif.zeek>
+   base/frameworks/logging/postprocessors/__load__.zeek </scripts/base/frameworks/logging/postprocessors/__load__.zeek>
+   base/frameworks/logging/postprocessors/scp.zeek </scripts/base/frameworks/logging/postprocessors/scp.zeek>
+   base/frameworks/logging/postprocessors/sftp.zeek </scripts/base/frameworks/logging/postprocessors/sftp.zeek>
+   base/frameworks/logging/writers/ascii.zeek </scripts/base/frameworks/logging/writers/ascii.zeek>
+   base/frameworks/logging/writers/sqlite.zeek </scripts/base/frameworks/logging/writers/sqlite.zeek>
+   base/frameworks/logging/writers/none.zeek </scripts/base/frameworks/logging/writers/none.zeek>
+   base/frameworks/broker/__load__.zeek </scripts/base/frameworks/broker/__load__.zeek>
+   base/frameworks/broker/main.zeek </scripts/base/frameworks/broker/main.zeek>
+   base/bif/comm.bif.zeek </scripts/base/bif/comm.bif.zeek>
+   base/bif/messaging.bif.zeek </scripts/base/bif/messaging.bif.zeek>
+   base/frameworks/broker/store.zeek </scripts/base/frameworks/broker/store.zeek>
+   base/bif/data.bif.zeek </scripts/base/bif/data.bif.zeek>
+   base/bif/store.bif.zeek </scripts/base/bif/store.bif.zeek>
+   base/frameworks/broker/log.zeek </scripts/base/frameworks/broker/log.zeek>
+   base/frameworks/broker/backpressure.zeek </scripts/base/frameworks/broker/backpressure.zeek>
+   base/frameworks/supervisor/__load__.zeek </scripts/base/frameworks/supervisor/__load__.zeek>
+   base/frameworks/supervisor/control.zeek </scripts/base/frameworks/supervisor/control.zeek>
+   base/frameworks/supervisor/main.zeek </scripts/base/frameworks/supervisor/main.zeek>
+   base/frameworks/input/__load__.zeek </scripts/base/frameworks/input/__load__.zeek>
+   base/frameworks/input/main.zeek </scripts/base/frameworks/input/main.zeek>
+   base/bif/input.bif.zeek </scripts/base/bif/input.bif.zeek>
+   base/frameworks/input/readers/ascii.zeek </scripts/base/frameworks/input/readers/ascii.zeek>
+   base/frameworks/input/readers/raw.zeek </scripts/base/frameworks/input/readers/raw.zeek>
+   base/frameworks/input/readers/benchmark.zeek </scripts/base/frameworks/input/readers/benchmark.zeek>
+   base/frameworks/input/readers/binary.zeek </scripts/base/frameworks/input/readers/binary.zeek>
+   base/frameworks/input/readers/config.zeek </scripts/base/frameworks/input/readers/config.zeek>
+   base/frameworks/input/readers/sqlite.zeek </scripts/base/frameworks/input/readers/sqlite.zeek>
+   base/frameworks/cluster/__load__.zeek </scripts/base/frameworks/cluster/__load__.zeek>
+   base/frameworks/cluster/main.zeek </scripts/base/frameworks/cluster/main.zeek>
+   base/frameworks/control/__load__.zeek </scripts/base/frameworks/control/__load__.zeek>
+   base/frameworks/control/main.zeek </scripts/base/frameworks/control/main.zeek>
+   base/bif/cluster.bif.zeek </scripts/base/bif/cluster.bif.zeek>
+   base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_WebSocket.events.bif.zeek>
+   base/frameworks/cluster/pools.zeek </scripts/base/frameworks/cluster/pools.zeek>
+   base/utils/hash_hrw.zeek </scripts/base/utils/hash_hrw.zeek>
+   base/frameworks/cluster/telemetry.zeek </scripts/base/frameworks/cluster/telemetry.zeek>
+   base/frameworks/config/__load__.zeek </scripts/base/frameworks/config/__load__.zeek>
+   base/frameworks/config/main.zeek </scripts/base/frameworks/config/main.zeek>
+   base/frameworks/config/input.zeek </scripts/base/frameworks/config/input.zeek>
+   base/frameworks/config/weird.zeek </scripts/base/frameworks/config/weird.zeek>
+   base/frameworks/analyzer/__load__.zeek </scripts/base/frameworks/analyzer/__load__.zeek>
+   base/frameworks/analyzer/dpd.zeek </scripts/base/frameworks/analyzer/dpd.zeek>
+   base/frameworks/analyzer/logging.zeek </scripts/base/frameworks/analyzer/logging.zeek>
+   base/frameworks/files/__load__.zeek </scripts/base/frameworks/files/__load__.zeek>
+   base/frameworks/files/main.zeek </scripts/base/frameworks/files/main.zeek>
+   base/utils/site.zeek </scripts/base/utils/site.zeek>
+   base/utils/patterns.zeek </scripts/base/utils/patterns.zeek>
+   base/frameworks/files/magic/__load__.zeek </scripts/base/frameworks/files/magic/__load__.zeek>
+   base/frameworks/telemetry/options.zeek </scripts/base/frameworks/telemetry/options.zeek>
+   base/bif/__load__.zeek </scripts/base/bif/__load__.zeek>
+   base/bif/telemetry_consts.bif.zeek </scripts/base/bif/telemetry_consts.bif.zeek>
+   base/bif/zeekygen.bif.zeek </scripts/base/bif/zeekygen.bif.zeek>
+   base/bif/pcap.bif.zeek </scripts/base/bif/pcap.bif.zeek>
+   base/bif/bloom-filter.bif.zeek </scripts/base/bif/bloom-filter.bif.zeek>
+   base/bif/cardinality-counter.bif.zeek </scripts/base/bif/cardinality-counter.bif.zeek>
+   base/bif/top-k.bif.zeek </scripts/base/bif/top-k.bif.zeek>
+   base/bif/storage.bif.zeek </scripts/base/bif/storage.bif.zeek>
+   base/bif/storage-async.bif.zeek </scripts/base/bif/storage-async.bif.zeek>
+   base/bif/storage-events.bif.zeek </scripts/base/bif/storage-events.bif.zeek>
+   base/bif/storage-sync.bif.zeek </scripts/base/bif/storage-sync.bif.zeek>
+   base/bif/spicy.bif.zeek </scripts/base/bif/spicy.bif.zeek>
+   base/bif/plugins/__load__.zeek </scripts/base/bif/plugins/__load__.zeek>
+   base/bif/plugins/Zeek_BitTorrent.events.bif.zeek </scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek>
+   base/bif/plugins/Zeek_ConnSize.events.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek>
+   base/bif/plugins/Zeek_ConnSize.functions.bif.zeek </scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.consts.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.types.bif.zeek>
+   base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek>
+   base/bif/plugins/Zeek_DHCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.events.bif.zeek>
+   base/bif/plugins/Zeek_DHCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_DHCP.types.bif.zeek>
+   base/bif/plugins/Zeek_DNP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNP3.events.bif.zeek>
+   base/bif/plugins/Zeek_DNS.events.bif.zeek </scripts/base/bif/plugins/Zeek_DNS.events.bif.zeek>
+   base/bif/plugins/Zeek_File.events.bif.zeek </scripts/base/bif/plugins/Zeek_File.events.bif.zeek>
+   base/bif/plugins/Zeek_FTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek>
+   base/bif/plugins/Zeek_FTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_Gnutella.events.bif.zeek </scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek>
+   base/bif/plugins/Zeek_GSSAPI.events.bif.zeek </scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek>
+   base/bif/plugins/Zeek_HTTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek>
+   base/bif/plugins/Zeek_HTTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_Ident.events.bif.zeek </scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek>
+   base/bif/plugins/Zeek_IMAP.events.bif.zeek </scripts/base/bif/plugins/Zeek_IMAP.events.bif.zeek>
+   base/bif/plugins/Zeek_IRC.events.bif.zeek </scripts/base/bif/plugins/Zeek_IRC.events.bif.zeek>
+   base/bif/plugins/Zeek_KRB.events.bif.zeek </scripts/base/bif/plugins/Zeek_KRB.events.bif.zeek>
+   base/bif/plugins/Zeek_Login.events.bif.zeek </scripts/base/bif/plugins/Zeek_Login.events.bif.zeek>
+   base/bif/plugins/Zeek_Login.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Login.functions.bif.zeek>
+   base/bif/plugins/Zeek_MIME.consts.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.consts.bif.zeek>
+   base/bif/plugins/Zeek_MIME.events.bif.zeek </scripts/base/bif/plugins/Zeek_MIME.events.bif.zeek>
+   base/bif/plugins/Zeek_Modbus.events.bif.zeek </scripts/base/bif/plugins/Zeek_Modbus.events.bif.zeek>
+   base/bif/plugins/Zeek_MQTT.types.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.types.bif.zeek>
+   base/bif/plugins/Zeek_MQTT.events.bif.zeek </scripts/base/bif/plugins/Zeek_MQTT.events.bif.zeek>
+   base/bif/plugins/Zeek_MySQL.events.bif.zeek </scripts/base/bif/plugins/Zeek_MySQL.events.bif.zeek>
+   base/bif/plugins/Zeek_NCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.events.bif.zeek>
+   base/bif/plugins/Zeek_NCP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_NCP.consts.bif.zeek>
+   base/bif/plugins/Zeek_NetBIOS.events.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.events.bif.zeek>
+   base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek </scripts/base/bif/plugins/Zeek_NetBIOS.functions.bif.zeek>
+   base/bif/plugins/Zeek_NTLM.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.types.bif.zeek>
+   base/bif/plugins/Zeek_NTLM.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTLM.events.bif.zeek>
+   base/bif/plugins/Zeek_NTP.types.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.types.bif.zeek>
+   base/bif/plugins/Zeek_NTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_NTP.events.bif.zeek>
+   base/bif/plugins/Zeek_POP3.consts.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.consts.bif.zeek>
+   base/bif/plugins/Zeek_POP3.events.bif.zeek </scripts/base/bif/plugins/Zeek_POP3.events.bif.zeek>
+   base/bif/plugins/Zeek_RADIUS.events.bif.zeek </scripts/base/bif/plugins/Zeek_RADIUS.events.bif.zeek>
+   base/bif/plugins/Zeek_RDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.events.bif.zeek>
+   base/bif/plugins/Zeek_RDP.types.bif.zeek </scripts/base/bif/plugins/Zeek_RDP.types.bif.zeek>
+   base/bif/plugins/Zeek_RFB.events.bif.zeek </scripts/base/bif/plugins/Zeek_RFB.events.bif.zeek>
+   base/bif/plugins/Zeek_RPC.events.bif.zeek </scripts/base/bif/plugins/Zeek_RPC.events.bif.zeek>
+   base/bif/plugins/Zeek_SIP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SIP.events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_check_directory.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_close.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_create_directory.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_echo.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_logoff_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_negotiate.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_nt_cancel.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_query_information.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_read_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_com_write_andx.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb1_events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_close.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_create.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_negotiate.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_read.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_session_setup.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_set_info.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_connect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_write.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_com_transform_header.bif.zeek>
+   base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.smb2_events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.events.bif.zeek>
+   base/bif/plugins/Zeek_SMB.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.consts.bif.zeek>
+   base/bif/plugins/Zeek_SMB.types.bif.zeek </scripts/base/bif/plugins/Zeek_SMB.types.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.consts.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.events.bif.zeek>
+   base/bif/plugins/Zeek_SMTP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SMTP.functions.bif.zeek>
+   base/bif/plugins/Zeek_SNMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_SNMP.events.bif.zeek>
+   base/bif/plugins/Zeek_SOCKS.events.bif.zeek </scripts/base/bif/plugins/Zeek_SOCKS.events.bif.zeek>
+   base/bif/plugins/Zeek_SSH.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.types.bif.zeek>
+   base/bif/plugins/Zeek_SSH.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSH.events.bif.zeek>
+   base/bif/plugins/Zeek_SSL.types.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.types.bif.zeek>
+   base/bif/plugins/Zeek_SSL.events.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek>
+   base/bif/plugins/Zeek_SSL.functions.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek>
+   base/bif/plugins/Zeek_SSL.consts.bif.zeek </scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek>
+   base/bif/plugins/Zeek_StreamEvent.events.bif.zeek </scripts/base/bif/plugins/Zeek_StreamEvent.events.bif.zeek>
+   base/bif/plugins/Zeek_TCP.events.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek>
+   base/bif/plugins/Zeek_TCP.types.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek>
+   base/bif/plugins/Zeek_TCP.functions.bif.zeek </scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.consts.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.consts.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.events.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.events.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.functions.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.functions.bif.zeek>
+   base/bif/plugins/Zeek_WebSocket.types.bif.zeek </scripts/base/bif/plugins/Zeek_WebSocket.types.bif.zeek>
+   base/bif/plugins/Zeek_XMPP.events.bif.zeek </scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek>
+   base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek </scripts/base/bif/plugins/Zeek_Cluster_Backend_ZeroMQ.cluster_backend_zeromq.bif.zeek>
+   base/bif/plugins/Zeek_PPPoE.functions.bif.zeek </scripts/base/bif/plugins/Zeek_PPPoE.functions.bif.zeek>
+   base/bif/plugins/Zeek_ARP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek>
+   base/bif/plugins/Zeek_UDP.events.bif.zeek </scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek>
+   base/bif/plugins/Zeek_ICMP.events.bif.zeek </scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek>
+   base/bif/plugins/Zeek_Geneve.events.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek>
+   base/bif/plugins/Zeek_Geneve.functions.bif.zeek </scripts/base/bif/plugins/Zeek_Geneve.functions.bif.zeek>
+   base/bif/plugins/Zeek_VXLAN.events.bif.zeek </scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek>
+   base/bif/plugins/Zeek_FileEntropy.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek>
+   base/bif/plugins/Zeek_FileExtract.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek>
+   base/bif/plugins/Zeek_FileExtract.functions.bif.zeek </scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek>
+   base/bif/plugins/Zeek_FileHash.events.bif.zeek </scripts/base/bif/plugins/Zeek_FileHash.events.bif.zeek>
+   base/bif/plugins/Zeek_PE.events.bif.zeek </scripts/base/bif/plugins/Zeek_PE.events.bif.zeek>
+   base/bif/plugins/Zeek_X509.events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.events.bif.zeek>
+   base/bif/plugins/Zeek_X509.types.bif.zeek </scripts/base/bif/plugins/Zeek_X509.types.bif.zeek>
+   base/bif/plugins/Zeek_X509.functions.bif.zeek </scripts/base/bif/plugins/Zeek_X509.functions.bif.zeek>
+   base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek </scripts/base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek>
+   base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiReader.ascii.bif.zeek>
+   base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek </scripts/base/bif/plugins/Zeek_BenchmarkReader.benchmark.bif.zeek>
+   base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek </scripts/base/bif/plugins/Zeek_BinaryReader.binary.bif.zeek>
+   base/bif/plugins/Zeek_ConfigReader.config.bif.zeek </scripts/base/bif/plugins/Zeek_ConfigReader.config.bif.zeek>
+   base/bif/plugins/Zeek_RawReader.raw.bif.zeek </scripts/base/bif/plugins/Zeek_RawReader.raw.bif.zeek>
+   base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteReader.sqlite.bif.zeek>
+   base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek </scripts/base/bif/plugins/Zeek_AF_Packet.af_packet.bif.zeek>
+   base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek </scripts/base/bif/plugins/Zeek_AsciiWriter.ascii.bif.zeek>
+   base/bif/plugins/Zeek_NoneWriter.none.bif.zeek </scripts/base/bif/plugins/Zeek_NoneWriter.none.bif.zeek>
+   base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek </scripts/base/bif/plugins/Zeek_SQLiteWriter.sqlite.bif.zeek>
+   base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek </scripts/base/bif/plugins/Zeek_JavaScript.zeekjs.bif.zeek>
+   base/frameworks/spicy/init-framework.zeek </scripts/base/frameworks/spicy/init-framework.zeek>
+   base/init-default.zeek </scripts/base/init-default.zeek>
+   base/utils/active-http.zeek </scripts/base/utils/active-http.zeek>
+   base/utils/exec.zeek </scripts/base/utils/exec.zeek>
+   base/utils/addrs.zeek </scripts/base/utils/addrs.zeek>
+   base/utils/backtrace.zeek </scripts/base/utils/backtrace.zeek>
+   base/utils/conn-ids.zeek </scripts/base/utils/conn-ids.zeek>
+   base/utils/dir.zeek </scripts/base/utils/dir.zeek>
+   base/frameworks/reporter/__load__.zeek </scripts/base/frameworks/reporter/__load__.zeek>
+   base/frameworks/reporter/main.zeek </scripts/base/frameworks/reporter/main.zeek>
+   base/utils/paths.zeek </scripts/base/utils/paths.zeek>
+   base/utils/directions-and-hosts.zeek </scripts/base/utils/directions-and-hosts.zeek>
+   base/utils/email.zeek </scripts/base/utils/email.zeek>
+   base/utils/files.zeek </scripts/base/utils/files.zeek>
+   base/utils/geoip-distance.zeek </scripts/base/utils/geoip-distance.zeek>
+   base/utils/numbers.zeek </scripts/base/utils/numbers.zeek>
+   base/utils/packages.zeek </scripts/base/utils/packages.zeek>
+   base/utils/queue.zeek </scripts/base/utils/queue.zeek>
+   base/utils/strings.zeek </scripts/base/utils/strings.zeek>
+   base/utils/thresholds.zeek </scripts/base/utils/thresholds.zeek>
+   base/utils/time.zeek </scripts/base/utils/time.zeek>
+   base/utils/urls.zeek </scripts/base/utils/urls.zeek>
+   base/frameworks/notice/__load__.zeek </scripts/base/frameworks/notice/__load__.zeek>
+   base/frameworks/notice/main.zeek </scripts/base/frameworks/notice/main.zeek>
+   base/frameworks/notice/weird.zeek </scripts/base/frameworks/notice/weird.zeek>
+   base/frameworks/notice/actions/email_admin.zeek </scripts/base/frameworks/notice/actions/email_admin.zeek>
+   base/frameworks/notice/actions/page.zeek </scripts/base/frameworks/notice/actions/page.zeek>
+   base/frameworks/notice/actions/add-geodata.zeek </scripts/base/frameworks/notice/actions/add-geodata.zeek>
+   base/frameworks/notice/actions/pp-alarms.zeek </scripts/base/frameworks/notice/actions/pp-alarms.zeek>
+   base/frameworks/signatures/__load__.zeek </scripts/base/frameworks/signatures/__load__.zeek>
+   base/frameworks/signatures/main.zeek </scripts/base/frameworks/signatures/main.zeek>
+   base/frameworks/packet-filter/__load__.zeek </scripts/base/frameworks/packet-filter/__load__.zeek>
+   base/frameworks/packet-filter/main.zeek </scripts/base/frameworks/packet-filter/main.zeek>
+   base/frameworks/packet-filter/netstats.zeek </scripts/base/frameworks/packet-filter/netstats.zeek>
+   base/frameworks/software/__load__.zeek </scripts/base/frameworks/software/__load__.zeek>
+   base/frameworks/software/main.zeek </scripts/base/frameworks/software/main.zeek>
+   base/frameworks/intel/__load__.zeek </scripts/base/frameworks/intel/__load__.zeek>
+   base/frameworks/intel/main.zeek </scripts/base/frameworks/intel/main.zeek>
+   base/frameworks/intel/files.zeek </scripts/base/frameworks/intel/files.zeek>
+   base/frameworks/intel/input.zeek </scripts/base/frameworks/intel/input.zeek>
+   base/frameworks/sumstats/__load__.zeek </scripts/base/frameworks/sumstats/__load__.zeek>
+   base/frameworks/sumstats/main.zeek </scripts/base/frameworks/sumstats/main.zeek>
+   base/frameworks/sumstats/plugins/__load__.zeek </scripts/base/frameworks/sumstats/plugins/__load__.zeek>
+   base/frameworks/sumstats/plugins/average.zeek </scripts/base/frameworks/sumstats/plugins/average.zeek>
+   base/frameworks/sumstats/plugins/hll_unique.zeek </scripts/base/frameworks/sumstats/plugins/hll_unique.zeek>
+   base/frameworks/sumstats/plugins/last.zeek </scripts/base/frameworks/sumstats/plugins/last.zeek>
+   base/frameworks/sumstats/plugins/max.zeek </scripts/base/frameworks/sumstats/plugins/max.zeek>
+   base/frameworks/sumstats/plugins/min.zeek </scripts/base/frameworks/sumstats/plugins/min.zeek>
+   base/frameworks/sumstats/plugins/sample.zeek </scripts/base/frameworks/sumstats/plugins/sample.zeek>
+   base/frameworks/sumstats/plugins/std-dev.zeek </scripts/base/frameworks/sumstats/plugins/std-dev.zeek>
+   base/frameworks/sumstats/plugins/variance.zeek </scripts/base/frameworks/sumstats/plugins/variance.zeek>
+   base/frameworks/sumstats/plugins/sum.zeek </scripts/base/frameworks/sumstats/plugins/sum.zeek>
+   base/frameworks/sumstats/plugins/topk.zeek </scripts/base/frameworks/sumstats/plugins/topk.zeek>
+   base/frameworks/sumstats/plugins/unique.zeek </scripts/base/frameworks/sumstats/plugins/unique.zeek>
+   base/frameworks/sumstats/non-cluster.zeek </scripts/base/frameworks/sumstats/non-cluster.zeek>
+   base/frameworks/tunnels/__load__.zeek </scripts/base/frameworks/tunnels/__load__.zeek>
+   base/frameworks/tunnels/main.zeek </scripts/base/frameworks/tunnels/main.zeek>
+   base/frameworks/openflow/__load__.zeek </scripts/base/frameworks/openflow/__load__.zeek>
+   base/frameworks/openflow/consts.zeek </scripts/base/frameworks/openflow/consts.zeek>
+   base/frameworks/openflow/types.zeek </scripts/base/frameworks/openflow/types.zeek>
+   base/frameworks/openflow/main.zeek </scripts/base/frameworks/openflow/main.zeek>
+   base/frameworks/openflow/plugins/__load__.zeek </scripts/base/frameworks/openflow/plugins/__load__.zeek>
+   base/frameworks/openflow/plugins/ryu.zeek </scripts/base/frameworks/openflow/plugins/ryu.zeek>
+   base/frameworks/openflow/plugins/log.zeek </scripts/base/frameworks/openflow/plugins/log.zeek>
+   base/frameworks/openflow/plugins/broker.zeek </scripts/base/frameworks/openflow/plugins/broker.zeek>
+   base/frameworks/openflow/non-cluster.zeek </scripts/base/frameworks/openflow/non-cluster.zeek>
+   base/frameworks/netcontrol/__load__.zeek </scripts/base/frameworks/netcontrol/__load__.zeek>
+   base/frameworks/netcontrol/types.zeek </scripts/base/frameworks/netcontrol/types.zeek>
+   base/frameworks/netcontrol/main.zeek </scripts/base/frameworks/netcontrol/main.zeek>
+   base/frameworks/netcontrol/plugin.zeek </scripts/base/frameworks/netcontrol/plugin.zeek>
+   base/frameworks/netcontrol/plugins/__load__.zeek </scripts/base/frameworks/netcontrol/plugins/__load__.zeek>
+   base/frameworks/netcontrol/plugins/debug.zeek </scripts/base/frameworks/netcontrol/plugins/debug.zeek>
+   base/frameworks/netcontrol/plugins/openflow.zeek </scripts/base/frameworks/netcontrol/plugins/openflow.zeek>
+   base/frameworks/netcontrol/plugins/packetfilter.zeek </scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek>
+   base/frameworks/netcontrol/plugins/broker.zeek </scripts/base/frameworks/netcontrol/plugins/broker.zeek>
+   base/frameworks/netcontrol/plugins/acld.zeek </scripts/base/frameworks/netcontrol/plugins/acld.zeek>
+   base/frameworks/netcontrol/drop.zeek </scripts/base/frameworks/netcontrol/drop.zeek>
+   base/frameworks/netcontrol/shunt.zeek </scripts/base/frameworks/netcontrol/shunt.zeek>
+   base/frameworks/netcontrol/non-cluster.zeek </scripts/base/frameworks/netcontrol/non-cluster.zeek>
+   base/frameworks/telemetry/__load__.zeek </scripts/base/frameworks/telemetry/__load__.zeek>
+   base/frameworks/telemetry/main.zeek </scripts/base/frameworks/telemetry/main.zeek>
+   base/misc/version.zeek </scripts/base/misc/version.zeek>
+   base/frameworks/storage/__load__.zeek </scripts/base/frameworks/storage/__load__.zeek>
+   base/frameworks/storage/async.zeek </scripts/base/frameworks/storage/async.zeek>
+   base/frameworks/storage/main.zeek </scripts/base/frameworks/storage/main.zeek>
+   base/frameworks/storage/sync.zeek </scripts/base/frameworks/storage/sync.zeek>
+   base/frameworks/spicy/__load__.zeek </scripts/base/frameworks/spicy/__load__.zeek>
+   base/frameworks/spicy/main.zeek </scripts/base/frameworks/spicy/main.zeek>
+   base/protocols/conn/__load__.zeek </scripts/base/protocols/conn/__load__.zeek>
+   base/protocols/conn/main.zeek </scripts/base/protocols/conn/main.zeek>
+   base/protocols/conn/contents.zeek </scripts/base/protocols/conn/contents.zeek>
+   base/protocols/conn/inactivity.zeek </scripts/base/protocols/conn/inactivity.zeek>
+   base/protocols/conn/polling.zeek </scripts/base/protocols/conn/polling.zeek>
+   base/protocols/conn/thresholds.zeek </scripts/base/protocols/conn/thresholds.zeek>
+   base/protocols/dce-rpc/__load__.zeek </scripts/base/protocols/dce-rpc/__load__.zeek>
+   base/protocols/dce-rpc/consts.zeek </scripts/base/protocols/dce-rpc/consts.zeek>
+   base/protocols/dce-rpc/main.zeek </scripts/base/protocols/dce-rpc/main.zeek>
+   base/protocols/dhcp/__load__.zeek </scripts/base/protocols/dhcp/__load__.zeek>
+   base/protocols/dhcp/consts.zeek </scripts/base/protocols/dhcp/consts.zeek>
+   base/protocols/dhcp/main.zeek </scripts/base/protocols/dhcp/main.zeek>
+   base/protocols/dnp3/__load__.zeek </scripts/base/protocols/dnp3/__load__.zeek>
+   base/protocols/dnp3/main.zeek </scripts/base/protocols/dnp3/main.zeek>
+   base/protocols/dnp3/consts.zeek </scripts/base/protocols/dnp3/consts.zeek>
+   base/protocols/dns/__load__.zeek </scripts/base/protocols/dns/__load__.zeek>
+   base/protocols/dns/consts.zeek </scripts/base/protocols/dns/consts.zeek>
+   base/protocols/dns/main.zeek </scripts/base/protocols/dns/main.zeek>
+   base/protocols/dns/check-event-handlers.zeek </scripts/base/protocols/dns/check-event-handlers.zeek>
+   base/protocols/finger/__load__.zeek </scripts/base/protocols/finger/__load__.zeek>
+   base/protocols/finger/spicy-events.zeek </scripts/base/protocols/finger/spicy-events.zeek>
+   base/protocols/finger/main.zeek </scripts/base/protocols/finger/main.zeek>
+   base/protocols/ftp/__load__.zeek </scripts/base/protocols/ftp/__load__.zeek>
+   base/protocols/ftp/utils-commands.zeek </scripts/base/protocols/ftp/utils-commands.zeek>
+   base/protocols/ftp/info.zeek </scripts/base/protocols/ftp/info.zeek>
+   base/protocols/ftp/main.zeek </scripts/base/protocols/ftp/main.zeek>
+   base/protocols/ftp/utils.zeek </scripts/base/protocols/ftp/utils.zeek>
+   base/protocols/ftp/files.zeek </scripts/base/protocols/ftp/files.zeek>
+   base/protocols/ftp/gridftp.zeek </scripts/base/protocols/ftp/gridftp.zeek>
+   base/protocols/ssl/__load__.zeek </scripts/base/protocols/ssl/__load__.zeek>
+   base/protocols/ssl/consts.zeek </scripts/base/protocols/ssl/consts.zeek>
+   base/protocols/ssl/main.zeek </scripts/base/protocols/ssl/main.zeek>
+   base/protocols/ssl/mozilla-ca-list.zeek </scripts/base/protocols/ssl/mozilla-ca-list.zeek>
+   base/protocols/ssl/ct-list.zeek </scripts/base/protocols/ssl/ct-list.zeek>
+   base/protocols/ssl/files.zeek </scripts/base/protocols/ssl/files.zeek>
+   base/files/x509/__load__.zeek </scripts/base/files/x509/__load__.zeek>
+   base/files/x509/main.zeek </scripts/base/files/x509/main.zeek>
+   base/files/hash/__load__.zeek </scripts/base/files/hash/__load__.zeek>
+   base/files/hash/main.zeek </scripts/base/files/hash/main.zeek>
+   base/files/x509/certificate-event-cache.zeek </scripts/base/files/x509/certificate-event-cache.zeek>
+   base/files/x509/log-ocsp.zeek </scripts/base/files/x509/log-ocsp.zeek>
+   base/protocols/http/__load__.zeek </scripts/base/protocols/http/__load__.zeek>
+   base/protocols/http/main.zeek </scripts/base/protocols/http/main.zeek>
+   base/protocols/http/entities.zeek </scripts/base/protocols/http/entities.zeek>
+   base/protocols/http/utils.zeek </scripts/base/protocols/http/utils.zeek>
+   base/protocols/http/files.zeek </scripts/base/protocols/http/files.zeek>
+   base/protocols/imap/__load__.zeek </scripts/base/protocols/imap/__load__.zeek>
+   base/protocols/imap/main.zeek </scripts/base/protocols/imap/main.zeek>
+   base/protocols/irc/__load__.zeek </scripts/base/protocols/irc/__load__.zeek>
+   base/protocols/irc/main.zeek </scripts/base/protocols/irc/main.zeek>
+   base/protocols/irc/dcc-send.zeek </scripts/base/protocols/irc/dcc-send.zeek>
+   base/protocols/irc/files.zeek </scripts/base/protocols/irc/files.zeek>
+   base/protocols/krb/__load__.zeek </scripts/base/protocols/krb/__load__.zeek>
+   base/protocols/krb/main.zeek </scripts/base/protocols/krb/main.zeek>
+   base/protocols/krb/consts.zeek </scripts/base/protocols/krb/consts.zeek>
+   base/protocols/krb/files.zeek </scripts/base/protocols/krb/files.zeek>
+   base/protocols/ldap/__load__.zeek </scripts/base/protocols/ldap/__load__.zeek>
+   base/protocols/ldap/spicy-events.zeek </scripts/base/protocols/ldap/spicy-events.zeek>
+   base/protocols/ldap/consts.zeek </scripts/base/protocols/ldap/consts.zeek>
+   base/protocols/ldap/main.zeek </scripts/base/protocols/ldap/main.zeek>
+   base/protocols/modbus/__load__.zeek </scripts/base/protocols/modbus/__load__.zeek>
+   base/protocols/modbus/consts.zeek </scripts/base/protocols/modbus/consts.zeek>
+   base/protocols/modbus/main.zeek </scripts/base/protocols/modbus/main.zeek>
+   base/protocols/mqtt/__load__.zeek </scripts/base/protocols/mqtt/__load__.zeek>
+   base/protocols/mqtt/consts.zeek </scripts/base/protocols/mqtt/consts.zeek>
+   base/protocols/mqtt/main.zeek </scripts/base/protocols/mqtt/main.zeek>
+   base/protocols/mysql/__load__.zeek </scripts/base/protocols/mysql/__load__.zeek>
+   base/protocols/mysql/main.zeek </scripts/base/protocols/mysql/main.zeek>
+   base/protocols/mysql/consts.zeek </scripts/base/protocols/mysql/consts.zeek>
+   base/protocols/ntlm/__load__.zeek </scripts/base/protocols/ntlm/__load__.zeek>
+   base/protocols/ntlm/main.zeek </scripts/base/protocols/ntlm/main.zeek>
+   base/protocols/ntp/__load__.zeek </scripts/base/protocols/ntp/__load__.zeek>
+   base/protocols/ntp/main.zeek </scripts/base/protocols/ntp/main.zeek>
+   base/protocols/ntp/consts.zeek </scripts/base/protocols/ntp/consts.zeek>
+   base/protocols/pop3/__load__.zeek </scripts/base/protocols/pop3/__load__.zeek>
+   base/protocols/postgresql/__load__.zeek </scripts/base/protocols/postgresql/__load__.zeek>
+   base/protocols/postgresql/consts.zeek </scripts/base/protocols/postgresql/consts.zeek>
+   base/protocols/postgresql/spicy-events.zeek </scripts/base/protocols/postgresql/spicy-events.zeek>
+   base/protocols/postgresql/main.zeek </scripts/base/protocols/postgresql/main.zeek>
+   base/protocols/quic/__load__.zeek </scripts/base/protocols/quic/__load__.zeek>
+   base/protocols/quic/spicy-events.zeek </scripts/base/protocols/quic/spicy-events.zeek>
+   base/protocols/quic/consts.zeek </scripts/base/protocols/quic/consts.zeek>
+   base/protocols/quic/main.zeek </scripts/base/protocols/quic/main.zeek>
+   base/protocols/radius/__load__.zeek </scripts/base/protocols/radius/__load__.zeek>
+   base/protocols/radius/main.zeek </scripts/base/protocols/radius/main.zeek>
+   base/protocols/radius/consts.zeek </scripts/base/protocols/radius/consts.zeek>
+   base/protocols/rdp/__load__.zeek </scripts/base/protocols/rdp/__load__.zeek>
+   base/protocols/rdp/consts.zeek </scripts/base/protocols/rdp/consts.zeek>
+   base/protocols/rdp/main.zeek </scripts/base/protocols/rdp/main.zeek>
+   base/protocols/redis/__load__.zeek </scripts/base/protocols/redis/__load__.zeek>
+   base/protocols/redis/spicy-events.zeek </scripts/base/protocols/redis/spicy-events.zeek>
+   base/protocols/redis/main.zeek </scripts/base/protocols/redis/main.zeek>
+   base/protocols/rfb/__load__.zeek </scripts/base/protocols/rfb/__load__.zeek>
+   base/protocols/rfb/main.zeek </scripts/base/protocols/rfb/main.zeek>
+   base/protocols/sip/__load__.zeek </scripts/base/protocols/sip/__load__.zeek>
+   base/protocols/sip/main.zeek </scripts/base/protocols/sip/main.zeek>
+   base/protocols/snmp/__load__.zeek </scripts/base/protocols/snmp/__load__.zeek>
+   base/protocols/snmp/main.zeek </scripts/base/protocols/snmp/main.zeek>
+   base/protocols/smb/__load__.zeek </scripts/base/protocols/smb/__load__.zeek>
+   base/protocols/smb/consts.zeek </scripts/base/protocols/smb/consts.zeek>
+   base/protocols/smb/const-dos-error.zeek </scripts/base/protocols/smb/const-dos-error.zeek>
+   base/protocols/smb/const-nt-status.zeek </scripts/base/protocols/smb/const-nt-status.zeek>
+   base/protocols/smb/main.zeek </scripts/base/protocols/smb/main.zeek>
+   base/protocols/smb/smb1-main.zeek </scripts/base/protocols/smb/smb1-main.zeek>
+   base/protocols/smb/smb2-main.zeek </scripts/base/protocols/smb/smb2-main.zeek>
+   base/protocols/smb/files.zeek </scripts/base/protocols/smb/files.zeek>
+   base/protocols/smtp/__load__.zeek </scripts/base/protocols/smtp/__load__.zeek>
+   base/protocols/smtp/main.zeek </scripts/base/protocols/smtp/main.zeek>
+   base/protocols/smtp/entities.zeek </scripts/base/protocols/smtp/entities.zeek>
+   base/protocols/smtp/files.zeek </scripts/base/protocols/smtp/files.zeek>
+   base/protocols/socks/__load__.zeek </scripts/base/protocols/socks/__load__.zeek>
+   base/protocols/socks/consts.zeek </scripts/base/protocols/socks/consts.zeek>
+   base/protocols/socks/main.zeek </scripts/base/protocols/socks/main.zeek>
+   base/protocols/ssh/__load__.zeek </scripts/base/protocols/ssh/__load__.zeek>
+   base/protocols/ssh/main.zeek </scripts/base/protocols/ssh/main.zeek>
+   base/protocols/syslog/__load__.zeek </scripts/base/protocols/syslog/__load__.zeek>
+   base/protocols/syslog/spicy-events.zeek </scripts/base/protocols/syslog/spicy-events.zeek>
+   base/protocols/syslog/consts.zeek </scripts/base/protocols/syslog/consts.zeek>
+   base/protocols/syslog/main.zeek </scripts/base/protocols/syslog/main.zeek>
+   base/protocols/websocket/__load__.zeek </scripts/base/protocols/websocket/__load__.zeek>
+   base/protocols/websocket/consts.zeek </scripts/base/protocols/websocket/consts.zeek>
+   base/protocols/websocket/main.zeek </scripts/base/protocols/websocket/main.zeek>
+   base/protocols/tunnels/__load__.zeek </scripts/base/protocols/tunnels/__load__.zeek>
+   base/protocols/xmpp/__load__.zeek </scripts/base/protocols/xmpp/__load__.zeek>
+   base/protocols/xmpp/main.zeek </scripts/base/protocols/xmpp/main.zeek>
+   base/files/pe/__load__.zeek </scripts/base/files/pe/__load__.zeek>
+   base/files/pe/consts.zeek </scripts/base/files/pe/consts.zeek>
+   base/files/pe/main.zeek </scripts/base/files/pe/main.zeek>
+   base/files/extract/__load__.zeek </scripts/base/files/extract/__load__.zeek>
+   base/files/extract/main.zeek </scripts/base/files/extract/main.zeek>
+   base/misc/find-checksum-offloading.zeek </scripts/base/misc/find-checksum-offloading.zeek>
+   base/misc/find-filtered-trace.zeek </scripts/base/misc/find-filtered-trace.zeek>
+   base/misc/installation.zeek </scripts/base/misc/installation.zeek>
+   builtin-plugins/__load__.zeek </scripts/builtin-plugins/__load__.zeek>
+   builtin-plugins/Zeek_JavaScript/__load__.zeek </scripts/builtin-plugins/Zeek_JavaScript/__load__.zeek>
+   zeekygen/__load__.zeek </scripts/zeekygen/__load__.zeek>
+   test-all-policy.zeek </scripts/test-all-policy.zeek>
+   policy/frameworks/analyzer/debug-logging.zeek </scripts/policy/frameworks/analyzer/debug-logging.zeek>
+   policy/frameworks/analyzer/detect-protocols.zeek </scripts/policy/frameworks/analyzer/detect-protocols.zeek>
+   policy/frameworks/analyzer/packet-segment-logging.zeek </scripts/policy/frameworks/analyzer/packet-segment-logging.zeek>
+   policy/frameworks/cluster/backend/zeromq/__load__.zeek </scripts/policy/frameworks/cluster/backend/zeromq/__load__.zeek>
+   policy/frameworks/cluster/backend/zeromq/main.zeek </scripts/policy/frameworks/cluster/backend/zeromq/main.zeek>
+   policy/frameworks/cluster/experimental.zeek </scripts/policy/frameworks/cluster/experimental.zeek>
+   policy/frameworks/management/agent/__load__.zeek </scripts/policy/frameworks/management/agent/__load__.zeek>
+   policy/frameworks/management/agent/api.zeek </scripts/policy/frameworks/management/agent/api.zeek>
+   policy/frameworks/management/types.zeek </scripts/policy/frameworks/management/types.zeek>
+   policy/frameworks/management/agent/boot.zeek </scripts/policy/frameworks/management/agent/boot.zeek>
+   policy/frameworks/management/agent/config.zeek </scripts/policy/frameworks/management/agent/config.zeek>
+   policy/frameworks/management/__load__.zeek </scripts/policy/frameworks/management/__load__.zeek>
+   policy/frameworks/management/config.zeek </scripts/policy/frameworks/management/config.zeek>
+   policy/frameworks/management/log.zeek </scripts/policy/frameworks/management/log.zeek>
+   policy/frameworks/management/persistence.zeek </scripts/policy/frameworks/management/persistence.zeek>
+   policy/frameworks/management/request.zeek </scripts/policy/frameworks/management/request.zeek>
+   policy/frameworks/management/util.zeek </scripts/policy/frameworks/management/util.zeek>
+   policy/frameworks/management/controller/config.zeek </scripts/policy/frameworks/management/controller/config.zeek>
+   policy/frameworks/management/controller/__load__.zeek </scripts/policy/frameworks/management/controller/__load__.zeek>
+   policy/frameworks/management/controller/api.zeek </scripts/policy/frameworks/management/controller/api.zeek>
+   policy/frameworks/management/controller/boot.zeek </scripts/policy/frameworks/management/controller/boot.zeek>
+   policy/frameworks/management/node/api.zeek </scripts/policy/frameworks/management/node/api.zeek>
+   policy/frameworks/management/node/config.zeek </scripts/policy/frameworks/management/node/config.zeek>
+   policy/frameworks/management/supervisor/__load__.zeek </scripts/policy/frameworks/management/supervisor/__load__.zeek>
+   policy/frameworks/management/supervisor/main.zeek </scripts/policy/frameworks/management/supervisor/main.zeek>
+   policy/frameworks/management/supervisor/api.zeek </scripts/policy/frameworks/management/supervisor/api.zeek>
+   policy/frameworks/management/supervisor/config.zeek </scripts/policy/frameworks/management/supervisor/config.zeek>
+   policy/frameworks/intel/do_notice.zeek </scripts/policy/frameworks/intel/do_notice.zeek>
+   policy/frameworks/intel/do_expire.zeek </scripts/policy/frameworks/intel/do_expire.zeek>
+   policy/frameworks/intel/whitelist.zeek </scripts/policy/frameworks/intel/whitelist.zeek>
+   policy/frameworks/intel/removal.zeek </scripts/policy/frameworks/intel/removal.zeek>
+   policy/frameworks/intel/seen/__load__.zeek </scripts/policy/frameworks/intel/seen/__load__.zeek>
+   policy/frameworks/intel/seen/conn-established.zeek </scripts/policy/frameworks/intel/seen/conn-established.zeek>
+   policy/frameworks/intel/seen/where-locations.zeek </scripts/policy/frameworks/intel/seen/where-locations.zeek>
+   policy/frameworks/intel/seen/dns.zeek </scripts/policy/frameworks/intel/seen/dns.zeek>
+   policy/frameworks/intel/seen/file-hashes.zeek </scripts/policy/frameworks/intel/seen/file-hashes.zeek>
+   policy/frameworks/intel/seen/file-names.zeek </scripts/policy/frameworks/intel/seen/file-names.zeek>
+   policy/frameworks/intel/seen/http-headers.zeek </scripts/policy/frameworks/intel/seen/http-headers.zeek>
+   policy/frameworks/intel/seen/http-url.zeek </scripts/policy/frameworks/intel/seen/http-url.zeek>
+   policy/frameworks/intel/seen/pubkey-hashes.zeek </scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek>
+   policy/frameworks/intel/seen/ssl.zeek </scripts/policy/frameworks/intel/seen/ssl.zeek>
+   policy/frameworks/intel/seen/smb-filenames.zeek </scripts/policy/frameworks/intel/seen/smb-filenames.zeek>
+   policy/frameworks/intel/seen/smtp.zeek </scripts/policy/frameworks/intel/seen/smtp.zeek>
+   policy/frameworks/intel/seen/smtp-url-extraction.zeek </scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek>
+   policy/frameworks/intel/seen/x509.zeek </scripts/policy/frameworks/intel/seen/x509.zeek>
+   policy/frameworks/intel/seen/manage-event-groups.zeek </scripts/policy/frameworks/intel/seen/manage-event-groups.zeek>
+   policy/frameworks/netcontrol/catch-and-release.zeek </scripts/policy/frameworks/netcontrol/catch-and-release.zeek>
+   policy/frameworks/files/detect-MHR.zeek </scripts/policy/frameworks/files/detect-MHR.zeek>
+   policy/frameworks/files/hash-all-files.zeek </scripts/policy/frameworks/files/hash-all-files.zeek>
+   policy/frameworks/files/entropy-test-all-files.zeek </scripts/policy/frameworks/files/entropy-test-all-files.zeek>
+   policy/frameworks/notice/__load__.zeek </scripts/policy/frameworks/notice/__load__.zeek>
+   policy/frameworks/notice/extend-email/hostnames.zeek </scripts/policy/frameworks/notice/extend-email/hostnames.zeek>
+   policy/frameworks/notice/actions/drop.zeek </scripts/policy/frameworks/notice/actions/drop.zeek>
+   policy/frameworks/notice/community-id.zeek </scripts/policy/frameworks/notice/community-id.zeek>
+   policy/protocols/conn/community-id-logging.zeek </scripts/policy/protocols/conn/community-id-logging.zeek>
+   policy/files/x509/disable-certificate-events-known-certs.zeek </scripts/policy/files/x509/disable-certificate-events-known-certs.zeek>
+   policy/frameworks/packet-filter/shunt.zeek </scripts/policy/frameworks/packet-filter/shunt.zeek>
+   policy/frameworks/software/version-changes.zeek </scripts/policy/frameworks/software/version-changes.zeek>
+   policy/frameworks/software/vulnerable.zeek </scripts/policy/frameworks/software/vulnerable.zeek>
+   policy/frameworks/software/windows-version-detection.zeek </scripts/policy/frameworks/software/windows-version-detection.zeek>
+   policy/frameworks/storage/backend/redis/__load__.zeek </scripts/policy/frameworks/storage/backend/redis/__load__.zeek>
+   policy/frameworks/storage/backend/redis/main.zeek </scripts/policy/frameworks/storage/backend/redis/main.zeek>
+   policy/frameworks/storage/backend/sqlite/__load__.zeek </scripts/policy/frameworks/storage/backend/sqlite/__load__.zeek>
+   policy/frameworks/storage/backend/sqlite/main.zeek </scripts/policy/frameworks/storage/backend/sqlite/main.zeek>
+   policy/frameworks/telemetry/log.zeek </scripts/policy/frameworks/telemetry/log.zeek>
+   policy/integration/collective-intel/__load__.zeek </scripts/policy/integration/collective-intel/__load__.zeek>
+   policy/integration/collective-intel/main.zeek </scripts/policy/integration/collective-intel/main.zeek>
+   policy/misc/capture-loss.zeek </scripts/policy/misc/capture-loss.zeek>
+   policy/misc/detect-traceroute/__load__.zeek </scripts/policy/misc/detect-traceroute/__load__.zeek>
+   policy/misc/detect-traceroute/main.zeek </scripts/policy/misc/detect-traceroute/main.zeek>
+   policy/misc/loaded-scripts.zeek </scripts/policy/misc/loaded-scripts.zeek>
+   policy/misc/profiling.zeek </scripts/policy/misc/profiling.zeek>
+   policy/misc/stats.zeek </scripts/policy/misc/stats.zeek>
+   policy/misc/weird-stats.zeek </scripts/policy/misc/weird-stats.zeek>
+   policy/misc/trim-trace-file.zeek </scripts/policy/misc/trim-trace-file.zeek>
+   policy/misc/unknown-protocols.zeek </scripts/policy/misc/unknown-protocols.zeek>
+   policy/protocols/conn/disable-unknown-ip-proto-support.zeek </scripts/policy/protocols/conn/disable-unknown-ip-proto-support.zeek>
+   policy/protocols/conn/failed-service-logging.zeek </scripts/policy/protocols/conn/failed-service-logging.zeek>
+   policy/protocols/conn/ip-proto-name-logging.zeek </scripts/policy/protocols/conn/ip-proto-name-logging.zeek>
+   policy/protocols/conn/known-hosts.zeek </scripts/policy/protocols/conn/known-hosts.zeek>
+   policy/protocols/conn/known-services.zeek </scripts/policy/protocols/conn/known-services.zeek>
+   policy/protocols/conn/mac-logging.zeek </scripts/policy/protocols/conn/mac-logging.zeek>
+   policy/protocols/conn/vlan-logging.zeek </scripts/policy/protocols/conn/vlan-logging.zeek>
+   policy/protocols/conn/pppoe-session-id-logging.zeek </scripts/policy/protocols/conn/pppoe-session-id-logging.zeek>
+   policy/protocols/conn/weirds.zeek </scripts/policy/protocols/conn/weirds.zeek>
+   policy/protocols/dhcp/msg-orig.zeek </scripts/policy/protocols/dhcp/msg-orig.zeek>
+   policy/protocols/dhcp/software.zeek </scripts/policy/protocols/dhcp/software.zeek>
+   policy/protocols/dhcp/sub-opts.zeek </scripts/policy/protocols/dhcp/sub-opts.zeek>
+   policy/protocols/dns/auth-addl.zeek </scripts/policy/protocols/dns/auth-addl.zeek>
+   policy/protocols/dns/detect-external-names.zeek </scripts/policy/protocols/dns/detect-external-names.zeek>
+   policy/protocols/dns/log-original-query-case.zeek </scripts/policy/protocols/dns/log-original-query-case.zeek>
+   policy/protocols/ftp/detect-bruteforcing.zeek </scripts/policy/protocols/ftp/detect-bruteforcing.zeek>
+   policy/protocols/ftp/detect.zeek </scripts/policy/protocols/ftp/detect.zeek>
+   policy/protocols/ftp/software.zeek </scripts/policy/protocols/ftp/software.zeek>
+   policy/protocols/http/detect-sql-injection.zeek </scripts/policy/protocols/http/detect-sql-injection.zeek>
+   policy/protocols/http/detect-webapps.zeek </scripts/policy/protocols/http/detect-webapps.zeek>
+   policy/protocols/http/header-names.zeek </scripts/policy/protocols/http/header-names.zeek>
+   policy/protocols/http/software-browser-plugins.zeek </scripts/policy/protocols/http/software-browser-plugins.zeek>
+   policy/protocols/http/software.zeek </scripts/policy/protocols/http/software.zeek>
+   policy/protocols/http/var-extraction-cookies.zeek </scripts/policy/protocols/http/var-extraction-cookies.zeek>
+   policy/protocols/http/var-extraction-uri.zeek </scripts/policy/protocols/http/var-extraction-uri.zeek>
+   policy/protocols/krb/ticket-logging.zeek </scripts/policy/protocols/krb/ticket-logging.zeek>
+   policy/protocols/modbus/known-masters-slaves.zeek </scripts/policy/protocols/modbus/known-masters-slaves.zeek>
+   policy/protocols/modbus/track-memmap.zeek </scripts/policy/protocols/modbus/track-memmap.zeek>
+   policy/protocols/mysql/software.zeek </scripts/policy/protocols/mysql/software.zeek>
+   policy/protocols/rdp/indicate_ssl.zeek </scripts/policy/protocols/rdp/indicate_ssl.zeek>
+   policy/protocols/smb/log-cmds.zeek </scripts/policy/protocols/smb/log-cmds.zeek>
+   policy/protocols/smtp/blocklists.zeek </scripts/policy/protocols/smtp/blocklists.zeek>
+   policy/protocols/smtp/detect-suspicious-orig.zeek </scripts/policy/protocols/smtp/detect-suspicious-orig.zeek>
+   policy/protocols/smtp/entities-excerpt.zeek </scripts/policy/protocols/smtp/entities-excerpt.zeek>
+   policy/protocols/smtp/software.zeek </scripts/policy/protocols/smtp/software.zeek>
+   policy/protocols/ssh/detect-bruteforcing.zeek </scripts/policy/protocols/ssh/detect-bruteforcing.zeek>
+   policy/protocols/ssh/geo-data.zeek </scripts/policy/protocols/ssh/geo-data.zeek>
+   policy/protocols/ssh/interesting-hostnames.zeek </scripts/policy/protocols/ssh/interesting-hostnames.zeek>
+   policy/protocols/ssh/software.zeek </scripts/policy/protocols/ssh/software.zeek>
+   policy/protocols/ssl/certificate-request-info.zeek </scripts/policy/protocols/ssl/certificate-request-info.zeek>
+   policy/protocols/ssl/decryption.zeek </scripts/policy/protocols/ssl/decryption.zeek>
+   policy/protocols/ssl/expiring-certs.zeek </scripts/policy/protocols/ssl/expiring-certs.zeek>
+   policy/protocols/ssl/heartbleed.zeek </scripts/policy/protocols/ssl/heartbleed.zeek>
+   policy/protocols/ssl/known-certs.zeek </scripts/policy/protocols/ssl/known-certs.zeek>
+   policy/protocols/ssl/log-certs-base64.zeek </scripts/policy/protocols/ssl/log-certs-base64.zeek>
+   policy/protocols/ssl/ssl-log-ext.zeek </scripts/policy/protocols/ssl/ssl-log-ext.zeek>
+   policy/protocols/ssl/log-hostcerts-only.zeek </scripts/policy/protocols/ssl/log-hostcerts-only.zeek>
+   policy/protocols/ssl/validate-certs.zeek </scripts/policy/protocols/ssl/validate-certs.zeek>
+   policy/protocols/ssl/validate-ocsp.zeek </scripts/policy/protocols/ssl/validate-ocsp.zeek>
+   policy/protocols/ssl/validate-sct.zeek </scripts/policy/protocols/ssl/validate-sct.zeek>
+   policy/protocols/ssl/weak-keys.zeek </scripts/policy/protocols/ssl/weak-keys.zeek>
+   policy/tuning/json-logs.zeek </scripts/policy/tuning/json-logs.zeek>
+   policy/tuning/track-all-assets.zeek </scripts/policy/tuning/track-all-assets.zeek>
+   policy/frameworks/conn_key/vlan_fivetuple.zeek </scripts/policy/frameworks/conn_key/vlan_fivetuple.zeek>
+   policy/frameworks/cluster/backend/zeromq/connect.zeek </scripts/policy/frameworks/cluster/backend/zeromq/connect.zeek>
+   policy/frameworks/cluster/nodes-experimental/manager.zeek </scripts/policy/frameworks/cluster/nodes-experimental/manager.zeek>
+   policy/frameworks/control/controllee.zeek </scripts/policy/frameworks/control/controllee.zeek>
+   policy/frameworks/control/controller.zeek </scripts/policy/frameworks/control/controller.zeek>
+   policy/frameworks/management/agent/main.zeek </scripts/policy/frameworks/management/agent/main.zeek>
+   policy/frameworks/management/controller/main.zeek </scripts/policy/frameworks/management/controller/main.zeek>
+   policy/frameworks/management/node/__load__.zeek </scripts/policy/frameworks/management/node/__load__.zeek>
+   policy/frameworks/management/node/main.zeek </scripts/policy/frameworks/management/node/main.zeek>
+   policy/frameworks/files/extract-all-files.zeek </scripts/policy/frameworks/files/extract-all-files.zeek>
+   policy/frameworks/signatures/iso-9660.zeek </scripts/policy/frameworks/signatures/iso-9660.zeek>
+   policy/misc/dump-events.zeek </scripts/policy/misc/dump-events.zeek>
+   policy/protocols/conn/speculative-service.zeek </scripts/policy/protocols/conn/speculative-service.zeek>
+   policy/frameworks/spicy/resource-usage.zeek </scripts/policy/frameworks/spicy/resource-usage.zeek>
+   zeekygen/example.zeek </scripts/zeekygen/example.zeek>
--- a/doc/script-reference/directives.rst
+++ b/doc/script-reference/directives.rst
@ -0,0 +1,280 @@
+Directives
+==========
+
+The Zeek scripting language supports a number of directives that can
+affect which scripts will be loaded or which lines in a script will be
+executed.  Directives are evaluated before script execution begins.
+
+
+.. zeek:keyword:: @DIR
+
+@DIR
+----
+
+Expands to the directory pathname where the current script is located.
+
+Example:
+
+.. code-block:: zeek
+
+    print "Directory:", @DIR;
+
+
+.. zeek:keyword:: @FILENAME
+
+@FILENAME
+---------
+
+Expands to the filename of the current script.
+
+Example:
+
+.. code-block:: zeek
+
+    print "File:", @FILENAME;
+
+
+.. zeek:keyword:: @deprecated
+
+@deprecated
+-----------
+
+Marks the current script as deprecated. This can be placed anywhere in
+the script, but a good convention is to put it as the first line.
+You can also supply additional comments.
+
+Example:
+
+.. code-block:: zeek
+
+    @deprecated "Use '@load foo' instead"
+
+
+.. zeek:keyword:: @load
+
+@load
+-----
+
+Loads the specified Zeek script, specified as the relative pathname
+of the file (relative to one of the directories in Zeek's file search path).
+If the Zeek script filename ends with ``.zeek``, then you don't need to
+specify the file extension.  The filename cannot contain any whitespace.
+
+In this example, Zeek will try to load a script
+``policy/misc/capture-loss.zeek`` by looking in each directory in the file
+search path (the file search path can be changed by setting the ``ZEEKPATH``
+environment variable):
+
+.. code-block:: zeek
+
+    @load policy/misc/capture-loss
+
+If you specify the name of a directory instead of a filename, then
+Zeek will try to load a file in that directory called ``__load__.zeek``
+(presumably that file will contain additional ``@load`` directives).
+
+In this example, Zeek will try to load a file ``tuning/defaults/__load__.zeek``
+by looking in each directory in the file search path:
+
+.. code-block:: zeek
+
+    @load tuning/defaults
+
+The purpose of this directive is to ensure that all script dependencies
+are satisfied, and to avoid having to list every needed Zeek script
+on the command-line.  Zeek keeps track of which scripts have been
+loaded, so it is not an error to load a script more than once (once
+a script has been loaded, any subsequent ``load`` directives
+for that script are ignored).
+
+
+.. zeek:keyword:: @load-plugin
+
+@load-plugin
+------------
+
+Activate a dynamic plugin with the specified plugin name.  The specified
+plugin must be located in Zeek's plugin search path.  Example:
+
+.. code-block:: zeek
+
+    @load-plugin Demo::Rot13
+
+By default, Zeek will automatically activate all dynamic plugins found
+in the plugin search path (the search path can be changed by setting
+the environment variable ``ZEEK_PLUGIN_PATH`` to a colon-separated list of
+directories). However, in bare mode (``zeek -b`` dynamic plugins can be
+activated only by using ``load-plugin`` or by specifying the full
+plugin name on the Zeek command-line (e.g., ``zeek Demo::Rot13`` or by
+setting the environment variable ``ZEEK_PLUGIN_ACTIVATE`` to a
+comma-separated list of plugin names.
+
+
+.. zeek:keyword:: @load-sigs
+
+@load-sigs
+----------
+
+This works similarly to ``load`` except that in this case the filename
+represents a signature file (not a Zeek script).  If the signature filename
+ends with ``sig`` then you don't need to specify the file extension
+in the ``load-sigs`` directive.  The filename cannot contain any
+whitespace.
+
+In this example, Zeek will try to load a signature file
+``base/protocols/ssl/dpd.sig``
+
+.. code-block:: zeek
+
+    @load-sigs base/protocols/ssl/dpd
+
+The format for a signature file is explained in the documentation for the
+:doc:`Signature Framework </frameworks/signatures>`.
+
+
+.. zeek:keyword:: @unload
+
+@unload
+-------
+
+This specifies a Zeek script that we don't want to load (so a subsequent
+attempt to load the specified script will be skipped).  However,
+if the specified script has already been loaded, then this directive
+has no affect.
+
+In the following example, if the ``policy/misc/capture-loss.zeek`` script
+has not been loaded yet, then Zeek will not load it:
+
+.. code-block:: zeek
+
+    @unload policy/misc/capture-loss
+
+
+.. zeek:keyword:: @prefixes
+
+@prefixes
+---------
+
+Specifies a filename prefix to use when looking for script files
+to load automatically.  The prefix cannot contain any whitespace.
+
+In the following example, the prefix ``cluster`` is used and all prefixes
+that were previously specified are not used:
+
+.. code-block:: zeek
+
+    @prefixes = cluster
+
+In the following example, the prefix ``cluster-manager`` is used in
+addition to any previously-specified prefixes:
+
+.. code-block:: zeek
+
+    @prefixes += cluster-manager
+
+The way this works is that after Zeek parses all script files, then for each
+loaded script Zeek will take the absolute path of the script and then
+it removes the portion of the directory path that is in Zeek's file
+search path.  Then it replaces each ``/`` character with a period ``.``
+and then prepends the prefix (specified in the ``@prefixes`` directive)
+followed by a period.  The resulting filename is searched for in each
+directory in Zeek's file search path.  If a matching file is found, then
+the file is automatically loaded.
+
+For example, if a script called ``local.zeek`` has been loaded, and a prefix
+of ``test`` was specified, then Zeek will look for a file named
+``test.local.zeek`` in each directory of Zeek's file search path.
+
+An alternative way to specify prefixes is to use the ``-p`` Zeek
+command-line option.
+
+
+.. zeek:keyword:: @if
+
+@if
+---
+
+The specified expression must evaluate to type :zeek:type:`bool`.  If the
+value is true, then the following script lines (up to the next ``@else``
+or ``@endif``) are available to be executed.
+
+Example:
+
+.. code-block:: zeek
+
+    @if ( ver == 2 )
+        print "version 2 detected";
+    @endif
+
+
+.. zeek:keyword:: @ifdef
+
+@ifdef
+------
+
+This works like ``@if``, except that the result is true if the specified
+identifier is defined.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifdef ( pi )
+        print "pi is defined";
+    @endif
+
+
+.. zeek:keyword:: @ifndef
+
+@ifndef
+-------
+
+This works exactly like ``@ifdef``, except that the result is true if the
+specified identifier is not defined.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifndef ( pi )
+        print "pi is not defined";
+    @endif
+
+
+.. zeek:keyword:: @else
+
+@else
+-----
+
+This directive is optional after an ``@if``, ``@ifdef``, or
+``@ifndef``.  If present, it provides an else clause.
+
+Example:
+
+.. code-block:: zeek
+
+    @ifdef ( pi )
+        print "pi is defined";
+    @else
+        print "pi is not defined";
+    @endif
+
+
+.. zeek:keyword:: @endif
+
+@endif
+------
+
+This directive is required to terminate each ``@if``, ``@ifdef``, or
+``@ifndef``.
+
+
+.. zeek:keyword:: @DEBUG
+
+@DEBUG
+------
+
+This directive is not meant to be used directly from user scripts.  Internally,
+it's used by interactive-debugger features (``zeek -d``) that allow arbitrary
+expressions to be parsed and evaluated on their own rather than incorporated
+into the usual Zeek syntax-tree formed from parsing script files.
--- a/doc/script-reference/file-analyzers.rst
+++ b/doc/script-reference/file-analyzers.rst
@ -0,0 +1 @@
+.. include:: autogenerated-file-analyzer-index.rst
--- a/doc/script-reference/index.rst
+++ b/doc/script-reference/index.rst
@ -0,0 +1,20 @@
+================
+Script Reference
+================
+
+.. toctree::
+   :maxdepth: 1
+
+   operators
+   types
+   attributes
+   statements
+   directives
+   log-files
+   notices
+   packet-analyzers
+   proto-analyzers
+   file-analyzers
+   packages
+   scripts
+   Zeekygen Example Script </scripts/zeekygen/example.zeek>
--- a/doc/script-reference/log-files.rst
+++ b/doc/script-reference/log-files.rst
@ -0,0 +1,370 @@
+.. _log-files:
+
+=========
+Log Files
+=========
+
+Listed below are the log files generated by Zeek, including a brief description
+of the log file and links to descriptions of the fields for each log
+type.
+
+Network Protocols
+-----------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`conn.log`
+    - TCP/UDP/ICMP connections
+    - :zeek:type:`Conn::Info`
+
+  * - :file:`dce_rpc.log`
+    - Distributed Computing Environment/RPC
+    - :zeek:type:`DCE_RPC::Info`
+
+  * - :file:`dhcp.log`
+    - DHCP leases
+    - :zeek:type:`DHCP::Info`
+
+  * - :file:`dnp3.log`
+    - DNP3 requests and replies
+    - :zeek:type:`DNP3::Info`
+
+  * - :file:`dns.log`
+    - DNS activity
+    - :zeek:type:`DNS::Info`
+
+  * - :file:`ftp.log`
+    - FTP activity
+    - :zeek:type:`FTP::Info`
+
+  * - :file:`http.log`
+    - HTTP requests and replies
+    - :zeek:type:`HTTP::Info`
+
+  * - :file:`irc.log`
+    - IRC commands and responses
+    - :zeek:type:`IRC::Info`
+
+  * - :file:`kerberos.log`
+    - Kerberos
+    - :zeek:type:`KRB::Info`
+
+  * - :file:`ldap.log`
+    - LDAP Messages
+    - :zeek:type:`LDAP::MessageInfo`
+
+  * - :file:`ldap_search.log`
+    - LDAP Searches
+    - :zeek:type:`LDAP::SearchInfo`
+
+  * - :file:`modbus.log`
+    - Modbus commands and responses
+    - :zeek:type:`Modbus::Info`
+
+  * - :file:`modbus_register_change.log`
+    - Tracks changes to Modbus holding registers
+    - :zeek:type:`Modbus::MemmapInfo`
+
+  * - :file:`mysql.log`
+    - MySQL
+    - :zeek:type:`MySQL::Info`
+
+  * - :file:`ntlm.log`
+    - NT LAN Manager (NTLM)
+    - :zeek:type:`NTLM::Info`
+
+  * - :file:`ntp.log`
+    - Network Time Protocol
+    - :zeek:type:`NTP::Info`
+
+  * - :file:`postgresql.log`
+    - PostgreSQL events
+    - :zeek:type:`PostgreSQL::Info`
+
+  * - :file:`quic.log`
+    - QUIC connections
+    - :zeek:type:`QUIC::Info`
+
+  * - :file:`radius.log`
+    - RADIUS authentication attempts
+    - :zeek:type:`RADIUS::Info`
+
+  * - :file:`redis.log`
+    - Redis commands
+    - :zeek:type:`Redis::Info`
+
+  * - :file:`rdp.log`
+    - RDP
+    - :zeek:type:`RDP::Info`
+
+  * - :file:`rfb.log`
+    - Remote Framebuffer (RFB)
+    - :zeek:type:`RFB::Info`
+
+  * - :file:`sip.log`
+    - SIP
+    - :zeek:type:`SIP::Info`
+
+  * - :file:`smb_cmd.log`
+    - SMB commands
+    - :zeek:type:`SMB::CmdInfo`
+
+  * - :file:`smb_files.log`
+    - SMB files
+    - :zeek:type:`SMB::FileInfo`
+
+  * - :file:`smb_mapping.log`
+    - SMB trees
+    - :zeek:type:`SMB::TreeInfo`
+
+  * - :file:`smtp.log`
+    - SMTP transactions
+    - :zeek:type:`SMTP::Info`
+
+  * - :file:`snmp.log`
+    - SNMP messages
+    - :zeek:type:`SNMP::Info`
+
+  * - :file:`socks.log`
+    - SOCKS proxy requests
+    - :zeek:type:`SOCKS::Info`
+
+  * - :file:`ssh.log`
+    - SSH connections
+    - :zeek:type:`SSH::Info`
+
+  * - :file:`ssl.log`
+    - SSL/TLS handshake info
+    - :zeek:type:`SSL::Info`
+
+  * - :file:`syslog.log`
+    - Syslog messages
+    - :zeek:type:`Syslog::Info`
+
+  * - :file:`tunnel.log`
+    - Tunneling protocol events
+    - :zeek:type:`Tunnel::Info`
+
+  * - :file:`websocket.log`
+    - WebSocket handshakes
+    - :zeek:type:`WebSocket::Info`
+
+
+Files
+-----
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`files.log`
+    - File analysis results
+    - :zeek:type:`Files::Info`
+
+  * - :file:`ocsp.log`
+    - Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.
+    - :zeek:type:`OCSP::Info`
+
+  * - :file:`pe.log`
+    - Portable Executable (PE)
+    - :zeek:type:`PE::Info`
+
+  * - :file:`x509.log`
+    - X.509 certificate info
+    - :zeek:type:`X509::Info`
+
+
+NetControl
+----------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`netcontrol.log`
+    - NetControl actions
+    - :zeek:type:`NetControl::Info`
+
+  * - :file:`netcontrol_drop.log`
+    - NetControl actions
+    - :zeek:type:`NetControl::DropInfo`
+
+  * - :file:`netcontrol_shunt.log`
+    - NetControl shunt actions
+    - :zeek:type:`NetControl::ShuntInfo`
+
+  * - :file:`netcontrol_catch_release.log`
+    - NetControl catch and release actions
+    - :zeek:type:`NetControl::CatchReleaseInfo`
+
+  * - :file:`openflow.log`
+    - OpenFlow debug log
+    - :zeek:type:`OpenFlow::Info`
+
+
+Detection
+---------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`intel.log`
+    - Intelligence data matches
+    - :zeek:type:`Intel::Info`
+
+  * - :file:`notice.log`
+    - Zeek notices
+    - :zeek:type:`Notice::Info`
+
+  * - :file:`notice_alarm.log`
+    - The alarm stream
+    - :zeek:type:`Notice::Info`
+
+  * - :file:`signatures.log`
+    - Signature matches
+    - :zeek:type:`Signatures::Info`
+
+  * - :file:`traceroute.log`
+    - Traceroute detection
+    - :zeek:type:`Traceroute::Info`
+
+
+Network Observations
+--------------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`known_certs.log`
+    - SSL certificates
+    - :zeek:type:`Known::CertsInfo`
+
+  * - :file:`known_hosts.log`
+    - Hosts that have completed TCP handshakes
+    - :zeek:type:`Known::HostsInfo`
+
+  * - :file:`known_modbus.log`
+    - Modbus masters and slaves
+    - :zeek:type:`Known::ModbusInfo`
+
+  * - :file:`known_services.log`
+    - Services running on hosts
+    - :zeek:type:`Known::ServicesInfo`
+
+  * - :file:`software.log`
+    - Software being used on the network
+    - :zeek:type:`Software::Info`
+
+
+Miscellaneous
+-------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`analyzer.log`
+    - Protocol, packet or file analyzer violations
+    - :zeek:type:`Analyzer::Logging::Info`
+
+  * - :file:`analyzer_debug.log`
+    - Protocol, packet or file analyzer debug information
+    - :zeek:type:`Analyzer::DebugLogging::Info`
+
+  * - :file:`telemetry.log`
+    - Zeek operational telemetry
+    - :zeek:type:`Telemetry::Info`
+
+  * - :file:`unknown_protocols.log`
+    - Information about packet protocols that Zeek doesn't know how to process
+    - :zeek:type:`UnknownProtocol::Info`
+
+  * - :file:`weird.log`
+    - Unexpected network-level activity
+    - :zeek:type:`Weird::Info`
+
+  * - :file:`weird_stats.log`
+    - Statistics about unexpected activity
+    - :zeek:type:`WeirdStats::Info`
+
+
+Zeek Diagnostics
+----------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Log File
+    - Description
+    - Field Descriptions
+
+  * - :file:`broker.log`
+    - Peering status events between Zeek or Broker-enabled processes
+    - :zeek:type:`Broker::Info`
+
+  * - :file:`capture_loss.log`
+    - Packet loss rate
+    - :zeek:type:`CaptureLoss::Info`
+
+  * - :file:`cluster.log`
+    - Zeek cluster messages
+    - :zeek:type:`Cluster::Info`
+
+  * - :file:`config.log`
+    - Configuration option changes
+    - :zeek:type:`Config::Info`
+
+  * - :file:`loaded_scripts.log`
+    - Shows all scripts loaded by Zeek
+    - :zeek:type:`LoadedScripts::Info`
+
+  * - :file:`packet_filter.log`
+    - List packet filters that were applied
+    - :zeek:type:`PacketFilter::Info`
+
+  * - :file:`print.log`
+    - Print statements that were redirected to a log stream.
+    - :zeek:type:`Log::PrintLogInfo`
+
+  * - :file:`prof.log`
+    - Profiling statistics (to create this log, load
+      :doc:`/scripts/policy/misc/profiling.zeek`)
+    - N/A
+
+  * - :file:`reporter.log`
+    - Internal error/warning/info messages
+    - :zeek:type:`Reporter::Info`
+
+  * - :file:`stats.log`
+    - Memory/event/packet/lag statistics
+    - :zeek:type:`Stats::Info`
+
+  * - :file:`stderr.log`
+    - Captures standard error when Zeek is started from ZeekControl
+    - N/A
+
+  * - :file:`stdout.log`
+    - Captures standard output when Zeek is started from ZeekControl
+    - N/A
--- a/doc/script-reference/notices.rst
+++ b/doc/script-reference/notices.rst
@ -0,0 +1,8 @@
+
+.. Not nice but I don't find a way to link to the notice index
+.. directly from the upper level TOC tree.
+
+Notices
+=======
+
+See the `Zeek Notice Index <../zeek-noticeindex.html>`_.
--- a/doc/script-reference/operators.rst
+++ b/doc/script-reference/operators.rst
@ -0,0 +1,420 @@
+Operators
+=========
+
+The Zeek scripting language supports the following operators.  Note that
+each data type only supports a subset of these operators.  For more
+details, see the documentation about the :doc:`data types <types>`.
+
+.. _relational-operators:
+
+Relational operators
+--------------------
+
+The relational operators evaluate to type :zeek:type:`bool`.
+
+In addition to numeric operands, the relational operators also work with
+operands of type :zeek:type:`interval`, :zeek:type:`time`, :zeek:type:`string`,
+:zeek:type:`port`, :zeek:type:`addr`, and :zeek:type:`set`.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Equality
+    - ``a == b``
+
+  * - Inquality
+    - ``a != b``
+
+  * - Less than
+    - ``a < b``
+
+  * - Less than or equal
+    - ``a <= b``
+
+  * - Greater than
+    - ``a > b``
+
+  * - Greater than or equal
+    - ``a >= b``
+
+.. _logical-operators:
+
+Logical operators
+-----------------
+
+The logical operators require operands of type :zeek:type:`bool`, and
+evaluate to type :zeek:type:`bool`.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Logical AND
+    - ``a && b``
+
+  * - Logical OR
+    - ``a || b``
+
+  * - Logical NOT
+    - ``! a``
+
+.. _arithmetic-operators:
+
+Arithmetic operators
+--------------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Addition
+    - ``a + b``
+    - For :zeek:type:`string` operands, this performs string concatenation.
+
+  * - Subtraction
+    - ``a - b``
+    -
+
+  * - Multiplication
+    - ``a * b``
+    -
+
+  * - Division
+    - ``a / b``
+    - For :zeek:type:`int` or :zeek:type:`count` operands, the fractional part
+      of the result is dropped.
+
+  * - Modulo
+    - ``a % b``
+    - Operand types cannot be :zeek:type:`double`.
+
+  * - Unary plus
+    - ``+a``
+    -
+
+  * - Unary minus
+    - ``-a``
+    -
+
+  * - Pre-increment
+    - ``++a``
+    - Operand type cannot be :zeek:type:`double`.
+
+  * - Pre-decrement
+    - ``--a``
+    - Operand type cannot be :zeek:type:`double`.
+
+  * - Absolute value
+    - ``|a|``
+    - If operand is  :zeek:type:`string`, :zeek:type:`set`, :zeek:type:`table`,
+      or  :zeek:type:`vector`, this evaluates to number of elements.
+
+.. _bitwise-operators:
+
+Bitwise operators
+-----------------
+
+The bitwise operators work with operands of type :zeek:type:`count` or ``vector
+of count``. The bitwise shift operators can also work with :zeek:type:`int`.
+The bitwise complement operator works with :zeek:type:`count` only.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Bitwise AND
+    - ``a & b``
+
+  * - Bitwise OR
+    - ``a | b``
+
+  * - Bitwise XOR
+    - ``a ^ b``
+
+  * - Bitwise left shift
+    - ``a << b``
+
+  * - Bitwise right shift
+    - ``a >> b``
+
+  * - Bitwise complement
+    - ``~a``
+
+.. _set-operators:
+
+Set operators
+-------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Set intersection
+    - ``s1 & s2``
+
+  * - Set union
+    - ``s1 | s2``
+
+  * - Set difference
+    - ``s1 - s2``
+
+.. _assignment-operators:
+
+Assignment operators
+--------------------
+
+The assignment operators evaluate to the result of the assignment.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+
+  * - Assignment
+    - ``a = b``
+
+  * - Addition assignment (more generally, "add to")
+    - ``a += b``
+
+  * - Subtraction assignment (more generally, "remove from")
+    - ``a -= b``
+
+Along with simple arithmetic, the ``+=`` operator supports adding elements to
+:zeek:type:`table`,
+:zeek:type:`set`,
+:zeek:type:`vector`, and
+:zeek:type:`pattern`
+values, providing the righthand operand (RHS) has the same type.
+For :zeek:type:`table` and :zeek:type:`set` values,
+each of the RHS elements are added to the
+table or set.  For :zeek:type:`vector`, the RHS elements are appended to
+the end of the vector.  For :zeek:type:`pattern` values, the pattern is
+modified to include the RHS pattern as an alternative (regular expression ``|``
+operator).
+
+The ``-=`` operator provides analogous functionality for :zeek:type:`table`
+and :zeek:type:`set` types, removing from the lefthand operand any elements
+it has in common with the RHS value.  (Note that for tables, only the
+indices are used; if the RHS value has an index in common with the lefthand
+operand's value, it's removed even if the "yield" values differ.)
+
+For all assignment operators, you can specify a comma-separated list of
+values within braces (``{`` ... ``}``).  These are treated as *constructor*
+arguments to create a corresponding :zeek:type:`table`, :zeek:type:`set`,
+or :zeek:type:`vector` value, with the type of constructor taken from
+the lefthand operand.  For example:
+
+.. code-block:: zeek
+
+    local t: table[count, string] of double;
+    ...
+    t += { [3, "three"] = 3.0, [9, "nine"] = 9.0 };
+
+will add those two elements to the table ``t``.  For :zeek:type:`table`
+and :zeek:type:`set` constructors, you can embed lists in the constructor
+arguments to produce a cross-product expansion.  For example:
+
+.. code-block:: zeek
+
+    local t: table[count, string] of double;
+    ...
+    t += { [[3, 4], ["three", "four"]] = 3.0, [9, "nine"] = 9.0 };
+
+results in ``t`` having five elements:
+
+.. code-block:: zeek
+
+    [3, three] = 3.0
+    [3, four] = 3.0
+    [4, three] = 3.0
+    [4, four] = 3.0
+    [9, nine] = 9.0
+
+Finally, you can also use the ``+=`` operator to
+append an element to the end of a
+vector.  For example, ``v += e`` is equivalent to ``v[|v|] = e``,
+providing that ``e``'s type corresponds to that of one of ``v``'s elements.
+
+.. _record-field-operators:
+
+Record field operators
+----------------------
+
+The record field operators take a :zeek:type:`record` as the first operand,
+and a field name as the second operand.  For both operators, the specified
+field name must be in the declaration of the record type.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Field access
+    - ``a$b``
+    -
+
+  * - Field value existence test
+    - ``a?$b``
+    - Evaluates to type :zeek:type:`bool`.  True if the specified field has
+      been assigned a value, or if not.
+
+.. _pattern-operators:
+
+Pattern operators
+-----------------
+
+In the table below, ``p`` is a pattern, and ``s`` is a string.
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Exact matching
+    - ``p == s``
+    - Evaluates to a boolean, indicating if the entire string exactly matches
+      the pattern.
+
+  * - Embedded matching
+    - ``p in s``
+    - Evaluates to a boolean, indicating if pattern is found somewhere in the
+      string.
+
+  * - Conjunction
+    - ``p1 & p2``
+    - Evaluates to a pattern that represents matching ``p1`` followed by
+      ``p2``.
+
+  * - Disjunction
+    - ``p1 | p2``
+    - Evaluates to a pattern that represents matching ``p1`` or ``p2``.
+
+Type casting
+------------
+
+The ``as`` operator performs type casting and the ``is`` operator checks if a
+type cast is supported or not.  For both operators, the first operand is a
+value and the second operand is the name of a Zeek script type (either built-in
+or user-defined).
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Type cast
+    - ``v as t``
+    - Cast value ``v`` into type ``t``. Evaluates to the value as cast to the
+      specified type.  If this is not a supported cast, then a runtime error
+      is triggered.
+
+  * - Check if a cast is supported
+    - ``v is t``
+    - Evaluates to :zeek:type:`bool`. If true,  then ``v as t`` would succeed.
+
+Only the following kinds of type casts are supported currently:
+
+- Broker values (i.e., :zeek:see:`Broker::Data` values returned from
+  functions such as :zeek:id:`Broker::data`) can be cast to their
+  corresponding Zeek script types.
+- A value of declared type :zeek:type:`any` can be cast to its actual
+  underlying type.
+- All values can be cast to their declared types (i.e., this is a no-op).
+- :zeek:type:`set` and :zeek:type:`vector` values can be converted into each
+  other, with the following limitations: (1) A :zeek:type:`set` being converted
+  into a :zeek:type:`vector` can only have a single index type.  Converting a
+  set with multiple index types will return an error. (2) The :zeek:type:`set`
+  and :zeek:type:`vector` types must have the same internal type.
+
+The function in this example tries to cast a value to a string:
+
+.. code-block:: zeek
+
+    function example(a: any)
+        {
+        local s: string;
+
+        if ( a is string )
+            s = (a as string);
+        }
+
+The function in this example converts a set to a vector:
+
+.. code-block:: zeek
+
+    function example()
+        {
+	local s: set[count] = { 1, 2, 3 };
+	local v = s as vector of count;
+        }
+
+Other operators
+---------------
+
+.. list-table::
+  :header-rows: 1
+
+  * - Name
+    - Syntax
+    - Notes
+
+  * - Membership test
+    - ``a in b``
+    - Evaluates to type :zeek:type:`bool`.  Works with :zeek:type:`string`,
+      :zeek:type:`pattern`, :zeek:type:`subnet`, :zeek:type:`set`,
+      :zeek:type:`table`, or :zeek:type:`vector` operands.  Do not confuse this
+      use of ``in`` with that used in a :zeek:keyword:`for`
+      statement.
+
+  * - Non-membership test
+    - ``a !in b``
+    - This is the logical NOT of the ``in`` operator.  For example:
+      ``a !in b`` is equivalent to ``!(a in b)``.
+
+  * - Table or vector element access
+    - ``a[b]``
+    - This operator can also be used with a :zeek:type:`set`, but only with the
+      :zeek:keyword:`add` or :zeek:keyword:`delete` statement.
+
+  * - Substring extraction
+    - ``a[b:c]``
+    - See the :zeek:type:`string` type for more details.
+
+  * - Create a deep copy
+    - ``copy(a)``
+    - This is relevant only for data types that are assigned by reference, such
+      as :zeek:type:`vector`, :zeek:type:`set`, :zeek:type:`table`, and
+      :zeek:type:`record`.
+
+  * - Module namespace access
+    - ``a::b``
+    - The first operand is the module name, and the second operand is an
+      identifier that refers to a global variable, enumeration constant, or
+      user-defined type that was exported from the module.
+
+  * - Conditional
+    - ``a ? b : c``
+    - The first operand must evaluate to type :zeek:type:`bool`.  If true, then
+      the second expression is evaluated and is the result of the entire
+      expression.  Otherwise, the third expression is evaluated and is the
+      result of the entire expression. The types of the second and third
+      operands must be compatible.  Known as the ternary operator.
--- a/doc/script-reference/packages.rst
+++ b/doc/script-reference/packages.rst
@ -0,0 +1,14 @@
+.. _script-packages:
+
+Zeek Package Index
+==================
+
+Zeek has the following script packages (e.g. collections of related scripts in
+a common directory).  If the package directory contains a ``__load__.zeek``
+script, it supports being loaded in mass as a whole directory for convenience.
+
+Packages/scripts in the ``base/`` directory are all loaded by default, while
+ones in ``policy/`` provide functionality and customization options that are
+more appropriate for users to decide whether they'd like to load it or not.
+
+.. include:: autogenerated-package-index.rst
--- a/doc/script-reference/packet-analyzers.rst
+++ b/doc/script-reference/packet-analyzers.rst
@ -0,0 +1 @@
+.. include:: autogenerated-packet-analyzer-index.rst
--- a/doc/script-reference/proto-analyzers.rst
+++ b/doc/script-reference/proto-analyzers.rst
@ -0,0 +1 @@
+.. include:: autogenerated-protocol-analyzer-index.rst
--- a/doc/script-reference/scripts.rst
+++ b/doc/script-reference/scripts.rst
@ -0,0 +1,5 @@
+=================
+Zeek Script Index
+=================
+
+.. include:: autogenerated-script-index.rst
--- a/doc/script-reference/statements.rst
+++ b/doc/script-reference/statements.rst
--- a/doc/script-reference/types.rst
+++ b/doc/script-reference/types.rst
				`@ -0,0 +1 @@`
				`.. include:: autogenerated-file-analyzer-index.rst`
				`@ -0,0 +1 @@`
				`.. include:: autogenerated-packet-analyzer-index.rst`
				`@ -0,0 +1 @@`
				`.. include:: autogenerated-protocol-analyzer-index.rst`