Merge remote-tracking branch 'origin/master' into topic/bernhard/input-update

scripts/base/frameworks/analyzer/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/frameworks/analyzer/main.bro

@@ -0,0 +1,181 @@
+##! Framework for managing Bro's protocol analyzers.
+##!
+##! The analyzer framework allows to dynamically enable or disable analyzers, as
+##! well as to manage the well-known ports which automatically activate a
+##! particular analyzer for new connections.
+##!
+##! Protocol analyzers are identified by unique tags of type
+##! :bro:type:`Analyzer::Tag`, such as :bro:enum:`Analyzer::ANALYZER_HTTP` and
+##! :bro:enum:`Analyzer::ANALYZER_HTTP`. These tags are defined internally by
+##! the analyzers themselves, and documented in their analyzer-specific
+##! description along with the events that they generate.
+##!
+##! .. todo: ``The ANALYZER_*`` are in fact not yet documented, we need to
+##!    add that to Broxygen.
+module Analyzer;
+
+export {
+	## If true, all available analyzers are initially disabled at startup. One
+	## can then selectively enable them with
+	## :bro:id:`Analyzer::enable_analyzer`.
+	global disable_all = F &redef;
+
+	## Enables an analyzer. Once enabled, the analyzer may be used for analysis
+	## of future connections as decided by Bro's dynamic protocol detection.
+	##
+	## tag: The tag of the analyzer to enable.
+	##
+	## Returns: True if the analyzer was successfully enabled.
+	global enable_analyzer: function(tag: Analyzer::Tag) : bool;
+
+	## Disables an analyzer. Once disabled, the analyzer will not be used
+	## further for analysis of future connections.
+	##
+	## tag: The tag of the analyzer to disable.
+	##
+	## Returns: True if the analyzer was successfully disabled.
+	global disable_analyzer: function(tag: Analyzer::Tag) : bool;
+
+	## Registers a set of well-known ports for an analyzer. If a future
+	## connection on one of these ports is seen, the analyzer will be
+	## automatically assigned to parsing it. The function *adds* to all ports
+	## already registered, it doesn't replace them.
+	##
+	## tag: The tag of the analyzer.
+	##
+	## ports: The set of well-known ports to associate with the analyzer.
+	##
+	## Returns: True if the ports were sucessfully registered.
+	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
+
+	## Registers an individual well-known port for an analyzer. If a future
+	## connection on this port is seen, the analyzer will be automatically
+	## assigned to parsing it. The function *adds* to all ports already
+	## registered, it doesn't replace them.
+	##
+	## tag: The tag of the analyzer.
+	##
+	## p: The well-known port to associate with the analyzer.
+	##
+	## Returns: True if the port was sucessfully registered.
+	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
+
+	## Returns a set of all well-known ports currently registered for a
+	## specific analyzer.
+	##
+	## tag: The tag of the analyzer.
+	##
+	## Returns: The set of ports.
+	global registered_ports: function(tag: Analyzer::Tag) : set[port];
+
+	## Returns a table of all ports-to-analyzer mappings currently registered.
+	##
+	## Returns: A table mapping each analyzer to the set of ports
+	##          registered for it.
+	global all_registered_ports: function() : table[Analyzer::Tag] of set[port];
+
+	## Translates an analyzer type to a string with the analyzer's name.
+	##
+	## tag: The analyzer tag.
+	##
+	## Returns: The analyzer name corresponding to the tag.
+	global name: function(tag: Analyzer::Tag) : string;
+
+	## Schedules an analyzer for a future connection originating from a given IP
+	## address and port.
+	##
+	## orig: The IP address originating a connection in the future.
+	##       0.0.0.0 can be used as a wildcard to match any originator address.
+	##
+	## resp: The IP address responding to a connection from *orig*.
+	##
+	## resp_p: The destination port at *resp*.
+	##
+	## analyzer: The analyzer ID.
+	##
+	## tout: A timeout interval after which the scheduling request will be
+	##       discarded if the connection has not yet been seen.
+	##
+	## Returns: True if succesful.
+	global schedule_analyzer: function(orig: addr, resp: addr, resp_p: port,
+					   analyzer: Analyzer::Tag, tout: interval) : bool;
+
+	## A set of analyzers to disable by default at startup. The default set
+	## contains legacy analyzers that are no longer supported.
+	global disabled_analyzers: set[Analyzer::Tag] = {
+		ANALYZER_INTERCONN,
+		ANALYZER_STEPPINGSTONE,
+		ANALYZER_BACKDOOR,
+		ANALYZER_TCPSTATS,
+	} &redef;
+}
+
+@load base/bif/analyzer.bif
+
+global ports: table[Analyzer::Tag] of set[port];
+
+event bro_init() &priority=5
+	{
+	if ( disable_all )
+		__disable_all_analyzers();
+
+	for ( a in disabled_analyzers )
+		disable_analyzer(a);
+	}
+
+function enable_analyzer(tag: Analyzer::Tag) : bool
+	{
+	return __enable_analyzer(tag);
+	}
+
+function disable_analyzer(tag: Analyzer::Tag) : bool
+	{
+	return __disable_analyzer(tag);
+	}
+
+function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
+	{
+	local rc = T;
+
+	for ( p in ports )
+		{
+		if ( ! register_for_port(tag, p) )
+			rc = F;
+		}
+
+	return rc;
+	}
+
+function register_for_port(tag: Analyzer::Tag, p: port) : bool
+	{
+	if ( ! __register_for_port(tag, p) )
+		return F;
+
+	if ( tag !in ports )
+		ports[tag] = set();
+
+	add ports[tag][p];
+	return T;
+	}
+
+function registered_ports(tag: Analyzer::Tag) : set[port]
+	{
+	return tag in ports ? ports[tag] : set();
+	}
+
+function all_registered_ports(): table[Analyzer::Tag] of set[port]
+	{
+	return ports;
+	}
+
+function name(atype: Analyzer::Tag) : string
+	{
+	return __name(atype);
+	}
+
+function schedule_analyzer(orig: addr, resp: addr, resp_p: port,
+			   analyzer: Analyzer::Tag, tout: interval) : bool
+	{
+	return __schedule_analyzer(orig, resp, resp_p, analyzer, tout);
+	}
+

scripts/base/frameworks/dpd/main.bro

@@ -23,12 +23,12 @@ export {
 		analyzer:       string          &log;
 		## The textual reason for the analysis failure.
 		failure_reason: string          &log;
-		
-		## Disabled analyzer IDs.  This is only for internal tracking 
+
+		## Disabled analyzer IDs.  This is only for internal tracking
 		## so as to not attempt to disable analyzers multiple times.
 		disabled_aids:  set[count];
 	};
-	
+
 	## Ignore violations which go this many bytes into the connection.
 	## Set to 0 to never ignore protocol violations.
 	const ignore_violations_after = 10 * 1024 &redef;
@@ -41,41 +41,30 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(DPD::LOG, [$columns=Info]);
-	
-	# Populate the internal DPD analysis variable.
-	for ( a in dpd_config )
-		{
-		for ( p in dpd_config[a]$ports )
-			{
-			if ( p !in dpd_analyzer_ports )
-				dpd_analyzer_ports[p] = set();
-			add dpd_analyzer_ports[p][a];
-			}
-		}
 	}
 
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=10
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
 	{
-	local analyzer = analyzer_name(atype);
-	
+	local analyzer = Analyzer::name(atype);
+
 	if ( fmt("-%s",analyzer) in c$service )
 		delete c$service[fmt("-%s", analyzer)];
 
 	add c$service[analyzer];
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=10
 	{
-	local analyzer = analyzer_name(atype);
+	local analyzer = Analyzer::name(atype);
 	# If the service hasn't been confirmed yet, don't generate a log message
 	# for the protocol violation.
 	if ( analyzer !in c$service )
 		return;
-		
+
 	delete c$service[analyzer];
 	add c$service[fmt("-%s", analyzer)];
-	
+
 	local info: Info;
 	info$ts=network_time();
 	info$uid=c$uid;
@@ -86,7 +75,7 @@ event protocol_violation(c: connection, atype: count, aid: count,
 	c$dpd = info;
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count, reason: string) &priority=5
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
 	{
 	if ( !c?$dpd || aid in c$dpd$disabled_aids )
 		return;
@@ -94,13 +83,13 @@ event protocol_violation(c: connection, atype: count, aid: count, reason: string
 	local size = c$orig$size + c$resp$size;
 	if ( ignore_violations_after > 0 && size > ignore_violations_after )
 		return;
-	
+
 	# Disable the analyzer that raised the last core-generated event.
 	disable_analyzer(c$id, aid);
 	add c$dpd$disabled_aids[aid];
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
 				reason: string) &priority=-5
 	{
 	if ( c?$dpd )

scripts/base/frameworks/file-analysis/main.bro

@@ -1,7 +1,7 @@
 ##! An interface for driving the analysis of files, possibly independent of
 ##! any network protocol over which they're transported.
 
-@load base/file_analysis.bif
+@load base/bif/file_analysis.bif
 @load base/frameworks/logging
 
 module FileAnalysis;
@@ -104,7 +104,7 @@ export {
 
 	## A table that can be used to disable file analysis completely for
 	## any files transferred over given network protocol analyzers.
-	const disable: table[AnalyzerTag] of bool = table() &redef;
+	const disable: table[Analyzer::Tag] of bool = table() &redef;
 
 	## Event that can be handled to access the Info record as it is sent on
 	## to the logging framework.

scripts/base/frameworks/input/main.bro

@@ -149,7 +149,7 @@ export {
 	global end_of_data: event(name: string, source:string);
 }
 
-@load base/input.bif
+@load base/bif/input.bif
 
 
 module Input;

scripts/base/frameworks/logging/main.bro

@@ -366,7 +366,7 @@ export {
 # We keep a script-level copy of all filters so that we can manipulate them.
 global filters: table[ID, string] of Filter;
 
-@load base/logging.bif # Needs Filter and Stream defined.
+@load base/bif/logging.bif # Needs Filter and Stream defined.
 
 module Log;
 

scripts/base/frameworks/reporter/main.bro

@@ -9,7 +9,7 @@
 ##! Note that this framework deals with the handling of internally generated
 ##! reporter messages, for the interface in to actually creating interface
 ##! into actually creating reporter messages from the scripting layer, use
-##! the built-in functions in :doc:`/scripts/base/reporter.bif`.
+##! the built-in functions in :doc:`/scripts/base/bif/reporter.bif`.
 
 module Reporter;
 

scripts/base/frameworks/tunnels/main.bro

@@ -83,19 +83,17 @@ export {
 }
 
 const ayiya_ports = { 5072/udp };
-redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ayiya_ports] };
-
 const teredo_ports = { 3544/udp };
-redef dpd_config += { [ANALYZER_TEREDO] = [$ports = teredo_ports] };
-
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef dpd_config += { [ANALYZER_GTPV1] = [$ports = gtpv1_ports] };
-
 redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info]);
+
+	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)

scripts/base/init-bare.bro

@@ -1,5 +1,5 @@
-@load base/const.bif
-@load base/types.bif
+@load base/bif/const.bif.bro
+@load base/bif/types.bif
 
 # Type declarations
 
@@ -226,7 +226,7 @@ type endpoint_stats: record {
 ## for a connection, it assigns it a unique ID that can be used to reference
 ## that instance.
 ##
-## .. bro:see:: analyzer_name disable_analyzer protocol_confirmation
+## .. bro:see:: Analyzer::name Analyzer::disable_analyzer protocol_confirmation
 ##    protocol_violation
 ##
 ## .. todo::While we declare an alias for the type here, the events/functions still
@@ -713,9 +713,9 @@ type entropy_test_result: record {
 };
 
 # Prototypes of Bro built-in functions.
-@load base/strings.bif
-@load base/bro.bif
-@load base/reporter.bif
+@load base/bif/strings.bif
+@load base/bif/bro.bif
+@load base/bif/reporter.bif
 
 ## Deprecated. This is superseded by the new logging framework.
 global log_file_name: function(tag: string): string &redef;
@@ -2723,7 +2723,7 @@ export {
 }
 module GLOBAL;
 
-@load base/event.bif
+@load base/bif/event.bif
 
 ## BPF filter the user has set via the -f command line options. Empty if none.
 const cmd_line_bpf_filter = "" &redef;
@@ -2913,34 +2913,11 @@ const remote_trace_sync_peers = 0 &redef;
 ## consistency check.
 const remote_check_sync_consistency = F &redef;
 
-## Analyzer tags. The core automatically defines constants
-## ``ANALYZER_<analyzer-name>*``, e.g., ``ANALYZER_HTTP``.
-##
-## .. bro:see:: dpd_config
-##
-## .. todo::We should autodoc these automaticallty generated constants.
-type AnalyzerTag: count;
-
-## Set of ports activating a particular protocol analysis.
-##
-## .. bro:see:: dpd_config
-type dpd_protocol_config: record {
-	ports: set[port] &optional;	##< Set of ports.
-};
-
-## Port configuration for Bro's "dynamic protocol detection". Protocol
-## analyzers can be activated via either well-known ports or content analysis.
-## This table defines the ports.
-##
-## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_match_only_beginning dpd_ignore_ports
-const dpd_config: table[AnalyzerTag] of dpd_protocol_config = {} &redef;
-
 ## Reassemble the beginning of all TCP connections before doing
 ## signature-matching. Enabling this provides more accurate matching at the
 ## expensive of CPU cycles.
 ##
-## .. bro:see:: dpd_config dpd_buffer_size
+## .. bro:see:: dpd_buffer_size
 ##    dpd_match_only_beginning dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
@@ -2955,24 +2932,24 @@ const dpd_reassemble_first_packets = T &redef;
 ## activated afterwards. Then only analyzers that can deal with partial
 ## connections will be able to analyze the session.
 ##
-## .. bro:see:: dpd_reassemble_first_packets dpd_config dpd_match_only_beginning
+## .. bro:see:: dpd_reassemble_first_packets dpd_match_only_beginning
 ##    dpd_ignore_ports
 const dpd_buffer_size = 1024 &redef;
 
 ## If true, stops signature matching if dpd_buffer_size has been reached.
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_config dpd_ignore_ports
+##    dpd_ignore_ports
 ##
 ## .. note:: Despite the name, this option affects *all* signature matching, not
 ##    only signatures used for dynamic protocol detection.
 const dpd_match_only_beginning = T &redef;
 
 ## If true, don't consider any ports for deciding which protocol analyzer to
-## use. If so, the value of :bro:see:`dpd_config` is ignored.
+## use.
 ##
 ## .. bro:see:: dpd_reassemble_first_packets dpd_buffer_size
-##    dpd_match_only_beginning dpd_config
+##    dpd_match_only_beginning
 const dpd_ignore_ports = F &redef;
 
 ## Ports which the core considers being likely used by servers. For ports in
@@ -2980,13 +2957,6 @@ const dpd_ignore_ports = F &redef;
 ## connection if it misses the initial handshake.
 const likely_server_ports: set[port] &redef;
 
-## Deprated. Set of all ports for which we know an analyzer, built by
-## :doc:`/scripts/base/frameworks/dpd/main`.
-##
-## .. todo::This should be defined by :doc:`/scripts/base/frameworks/dpd/main`
-##    itself we still need it.
-global dpd_analyzer_ports: table[port] of set[AnalyzerTag];
-
 ## Per-incident timer managers are drained after this amount of inactivity.
 const timer_mgr_inactivity_timeout = 1 min &redef;
 
@@ -3095,10 +3065,12 @@ module GLOBAL;
 ## Number of bytes per packet to capture from live interfaces.
 const snaplen = 8192 &redef;
 
-# Load the logging framework here because it uses fairly deep integration with
+# Load these frameworks here because they use fairly deep integration with
 # BiFs and script-land defined types.
 @load base/frameworks/logging
-
 @load base/frameworks/input
-
+@load base/frameworks/analyzer
 @load base/frameworks/file-analysis
+
+# Load BiFs defined by plugins.
+@load base/bif/plugins

scripts/base/init-default.bro

@@ -22,6 +22,7 @@
 # loaded in base/init-bare.bro
 #@load base/frameworks/logging
 @load base/frameworks/notice
+@load base/frameworks/analyzer
 @load base/frameworks/dpd
 @load base/frameworks/signatures
 @load base/frameworks/packet-filter

scripts/base/protocols/conn/inactivity.bro

@@ -6,9 +6,9 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	const analyzer_inactivity_timeouts: table[AnalyzerTag] of interval = {
+	const analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
-		[[ANALYZER_SSH, ANALYZER_FTP]] = 1 hrs,
+		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	} &redef;
 	
 	## Define inactivity timeouts based on common protocol ports.
@@ -18,7 +18,7 @@ export {
 	
 }
 	
-event protocol_confirmation(c: connection, atype: count, aid: count)
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
 		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);

scripts/base/protocols/dns/main.bro

@@ -130,19 +130,13 @@ redef capture_filters += {
 	["netbios-ns"] = "udp port 137",
 };
 
-const dns_ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
-redef dpd_config += { [ANALYZER_DNS] = [$ports = dns_ports] };
-
-const dns_udp_ports = { 53/udp, 137/udp, 5353/udp, 5355/udp };
-const dns_tcp_ports = { 53/tcp };
-redef dpd_config += { [ANALYZER_DNS_UDP_BINPAC] = [$ports = dns_udp_ports] };
-redef dpd_config += { [ANALYZER_DNS_TCP_BINPAC] = [$ports = dns_tcp_ports] };
-
-redef likely_server_ports += { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+const ports = { 53/udp, 53/tcp, 137/udp, 5353/udp, 5355/udp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(DNS::LOG, [$columns=Info, $ev=log_dns]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, ports);
 	}
 
 function new_session(c: connection, trans_id: count): Info

scripts/base/protocols/ftp/file-analysis.bro

@@ -11,7 +11,7 @@ export {
 
 function get_handle_string(c: connection): string
 	{
-	return cat(ANALYZER_FTP_DATA, " ", c$start_time, " ", id_string(c$id));
+	return cat(Analyzer::ANALYZER_FTP_DATA, " ", c$start_time, " ", id_string(c$id));
 	}
 
 function get_file_handle(c: connection, is_orig: bool): string
@@ -40,8 +40,8 @@ function get_file_handle(c: connection, is_orig: bool): string
 
 module GLOBAL;
 
-event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
+event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool)
 	{
-	if ( tag != ANALYZER_FTP_DATA ) return;
+	if ( tag != Analyzer::ANALYZER_FTP_DATA ) return;
 	set_file_handle(FTP::get_file_handle(c, is_orig));
 	}

scripts/base/protocols/ftp/main.bro

@@ -1,6 +1,6 @@
 ##! The logging this script does is primarily focused on logging FTP commands
 ##! along with metadata.  For example, if files are transferred, the argument
-##! will take on the full path that the client is at along with the requested 
+##! will take on the full path that the client is at along with the requested
 ##! file name.
 
 @load ./utils-commands
@@ -13,16 +13,16 @@ module FTP;
 export {
 	## The FTP protocol logging stream identifier.
 	redef enum Log::ID += { LOG };
-	
+
 	## List of commands that should have their command/response pairs logged.
 	const logged_commands = {
 		"APPE", "DELE", "RETR", "STOR", "STOU", "ACCT", "PORT", "PASV", "EPRT",
 		"EPSV"
 	} &redef;
-	
+
 	## This setting changes if passwords used in FTP sessions are captured or not.
 	const default_capture_password = F &redef;
-	
+
 	## User IDs that can be considered "anonymous".
 	const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
 
@@ -37,7 +37,7 @@ export {
 		## The port at which the acceptor is listening for the data connection.
 		resp_p: port &log;
 	};
-	
+
 	type Info: record {
 		## Time when the command was sent.
 		ts:               time        &log;
@@ -53,12 +53,12 @@ export {
 		command:          string      &log &optional;
 		## Argument for the command if one is given.
 		arg:              string      &log &optional;
-		
+
 		## Libmagic "sniffed" file type if the command indicates a file transfer.
 		mime_type:        string      &log &optional;
 		## Size of the file if the command indicates a file transfer.
 		file_size:        count       &log &optional;
-		
+
 		## Reply code from the server in response to the command.
 		reply_code:       count       &log &optional;
 		## Reply message from the server in response to the command.
@@ -74,31 +74,31 @@ export {
 		## more concrete is discovered that the existing but unknown
 		## directory is ok to use.
 		cwd:                string  &default=".";
-		
+
 		## Command that is currently waiting for a response.
 		cmdarg:             CmdArg  &optional;
-		## Queue for commands that have been sent but not yet responded to 
+		## Queue for commands that have been sent but not yet responded to
 		## are tracked here.
 		pending_commands:   PendingCmds;
-		
+
 		## Indicates if the session is in active or passive mode.
 		passive:            bool &default=F;
-		
+
 		## Determines if the password will be captured for this request.
 		capture_password:   bool &default=default_capture_password;
 	};
 
-	## This record is to hold a parsed FTP reply code.  For example, for the 
+	## This record is to hold a parsed FTP reply code.  For example, for the
 	## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
 	type ReplyCode: record {
 		x: count;
 		y: count;
 		z: count;
 	};
-	
+
 	## Parse FTP reply codes into the three constituent single digit values.
 	global parse_ftp_reply_code: function(code: count): ReplyCode;
-	
+
 	## Event that can be handled to access the :bro:type:`FTP::Info`
 	## record as it is sent on to the logging framework.
 	global log_ftp: event(rec: Info);
@@ -111,11 +111,10 @@ redef record connection += {
 };
 
 # Configure DPD
-const ports = { 21/tcp, 2811/tcp } &redef; # 2811/tcp is GridFTP.
 redef capture_filters += { ["ftp"] = "port 21 and port 2811" };
-redef dpd_config += { [ANALYZER_FTP] = [$ports = ports] };
 
-redef likely_server_ports += { 21/tcp, 2811/tcp };
+const ports = { 21/tcp, 2811/tcp };
+redef likely_server_ports += { ports };
 
 # Establish the variable for tracking expected connections.
 global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
@@ -123,6 +122,7 @@ global ftp_data_expected: table[addr, port] of Info &read_expire=5mins;
 event bro_init() &priority=5
 	{
 	Log::create_stream(FTP::LOG, [$columns=Info, $ev=log_ftp]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, ports);
 	}
 
 ## A set of commands where the argument can be expected to refer
@@ -166,7 +166,7 @@ function set_ftp_session(c: connection)
 		s$uid=c$uid;
 		s$id=c$id;
 		c$ftp=s;
-		
+
 		# Add a shim command so the server can respond with some init response.
 		add_pending_cmd(c$ftp$pending_commands, "<init>", "");
 		}
@@ -178,13 +178,13 @@ function ftp_message(s: Info)
 	# or it's a deliberately logged command.
 	if ( |s$tags| > 0 || (s?$cmdarg && s$cmdarg$cmd in logged_commands) )
 		{
-		if ( s?$password && 
-		     ! s$capture_password && 
+		if ( s?$password &&
+		     ! s$capture_password &&
 		     to_lower(s$user) !in guest_ids )
 			{
 			s$password = "<hidden>";
 			}
-		
+
 		local arg = s$cmdarg$arg;
 		if ( s$cmdarg$cmd in file_cmds )
 			{
@@ -194,7 +194,7 @@ function ftp_message(s: Info)
 
 			arg = fmt("ftp://%s%s", addr_to_uri(s$id$resp_h), comp_path);
 			}
-		
+
 		s$ts=s$cmdarg$ts;
 		s$command=s$cmdarg$cmd;
 		if ( arg == "" )
@@ -204,9 +204,9 @@ function ftp_message(s: Info)
 
 		Log::write(FTP::LOG, s);
 		}
-	
-	# The MIME and file_size fields are specific to file transfer commands 
-	# and may not be used in all commands so they need reset to "blank" 
+
+	# The MIME and file_size fields are specific to file transfer commands
+	# and may not be used in all commands so they need reset to "blank"
 	# values after logging.
 	delete s$mime_type;
 	delete s$file_size;
@@ -221,8 +221,8 @@ function add_expected_data_channel(s: Info, chan: ExpectedDataChannel)
 	s$passive = chan$passive;
 	s$data_channel = chan;
 	ftp_data_expected[chan$resp_h, chan$resp_p] = s;
-	expect_connection(chan$orig_h, chan$resp_h, chan$resp_p, ANALYZER_FTP_DATA,
-	                  5mins);
+	Analyzer::schedule_analyzer(chan$orig_h, chan$resp_h, chan$resp_p, Analyzer::ANALYZER_FTP_DATA,
+				    5mins);
 	}
 
 event ftp_request(c: connection, command: string, arg: string) &priority=5
@@ -237,19 +237,19 @@ event ftp_request(c: connection, command: string, arg: string) &priority=5
 		remove_pending_cmd(c$ftp$pending_commands, c$ftp$cmdarg);
 		ftp_message(c$ftp);
 		}
-	
+
 	local id = c$id;
 	set_ftp_session(c);
-		
+
 	# Queue up the new command and argument
 	add_pending_cmd(c$ftp$pending_commands, command, arg);
-	
+
 	if ( command == "USER" )
 		c$ftp$user = arg;
-	
+
 	else if ( command == "PASS" )
 		c$ftp$password = arg;
-	
+
 	else if ( command == "PORT" || command == "EPRT" )
 		{
 		local data = (command == "PORT") ?
@@ -277,7 +277,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 
 	# TODO: figure out what to do with continued FTP response (not used much)
 	if ( cont_resp ) return;
-	
+
 	# TODO: do some sort of generic clear text login processing here.
 	local response_xyz = parse_ftp_reply_code(code);
 	#if ( response_xyz$x == 2 &&  # successful
@@ -293,17 +293,17 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       if that's given as well which would be more correct.
 		c$ftp$file_size = extract_count(msg);
 		}
-		
+
 	# PASV and EPSV processing
 	else if ( (code == 227 || code == 229) &&
 	          (c$ftp$cmdarg$cmd == "PASV" || c$ftp$cmdarg$cmd == "EPSV") )
 		{
 		local data = (code == 227) ? parse_ftp_pasv(msg) : parse_ftp_epsv(msg);
-		
+
 		if ( data$valid )
 			{
 			c$ftp$passive=T;
-			
+
 			if ( code == 229 && data$h == [::] )
 				data$h = c$id$resp_h;
 
@@ -327,9 +327,9 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		else if ( c$ftp$cmdarg$cmd == "PWD" || c$ftp$cmdarg$cmd == "XPWD" )
 			c$ftp$cwd = extract_path(msg);
 		}
-	
+
 	# In case there are multiple commands queued, go ahead and remove the
-	# command here and log because we can't do the normal processing pipeline 
+	# command here and log because we can't do the normal processing pipeline
 	# to wait for a new command before logging the command/response pair.
 	if ( |c$ftp$pending_commands| > 1 )
 		{
@@ -338,7 +338,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		}
 	}
 
-event expected_connection_seen(c: connection, a: count) &priority=10
+event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in ftp_data_expected )
@@ -361,7 +361,7 @@ event connection_reused(c: connection) &priority=5
 	if ( "ftp-data" in c$service )
 		c$ftp_data_reuse = T;
 	}
-	
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c$ftp_data_reuse ) return;

scripts/base/protocols/http/file-analysis.bro

@@ -15,17 +15,17 @@ function get_file_handle(c: connection, is_orig: bool): string
 	if ( ! c?$http ) return "";
 
 	if ( c$http$range_request )
-		return cat(ANALYZER_HTTP, " ", is_orig, " ", c$id$orig_h, " ",
+		return cat(Analyzer::ANALYZER_HTTP, " ", is_orig, " ", c$id$orig_h, " ",
 		           build_url(c$http));
 
-	return cat(ANALYZER_HTTP, " ", c$start_time, " ", is_orig, " ",
+	return cat(Analyzer::ANALYZER_HTTP, " ", c$start_time, " ", is_orig, " ",
 	           c$http$trans_depth, " ", id_string(c$id));
 	}
 
 module GLOBAL;
 
-event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
+event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool)
 	{
-	if ( tag != ANALYZER_HTTP ) return;
+	if ( tag != Analyzer::ANALYZER_HTTP ) return;
 	set_file_handle(HTTP::get_file_handle(c, is_orig));
 	}

scripts/base/protocols/http/main.bro

@@ -123,29 +123,26 @@ redef record connection += {
 	http_state:  State &optional;
 };
 
-# Initialize the HTTP logging stream.
-event bro_init() &priority=5
-	{
-	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
-	}
-
 # DPD configuration.
-const ports = {
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
-	8000/tcp, 8080/tcp, 8888/tcp,
-};
-redef dpd_config += { 
-	[[ANALYZER_HTTP, ANALYZER_HTTP_BINPAC]] = [$ports = ports],
-};
 redef capture_filters +=  {
 	["http"] = "tcp and port (80 or 81 or 631 or 1080 or 3138 or 8000 or 8080 or 8888)"
 };
 
-redef likely_server_ports += { 
-	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
+const ports = {
+	80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3128/tcp,
 	8000/tcp, 8080/tcp, 8888/tcp,
 };
 
+redef likely_server_ports += { ports };
+
+
+# Initialize the HTTP logging stream and ports.
+event bro_init() &priority=5
+	{
+	Log::create_stream(HTTP::LOG, [$columns=Info, $ev=log_http]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, ports);
+	}
+
 function code_in_range(c: count, min: count, max: count) : bool
 	{
 	return c >= min && c <= max;

scripts/base/protocols/irc/dcc-send.bro

@@ -175,11 +175,11 @@ event irc_dcc_message(c: connection, is_orig: bool,
 	c$irc$dcc_file_name = argument;
 	c$irc$dcc_file_size = size;
 	local p = count_to_port(dest_port, tcp);
-	expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_IRC_DATA, 5 min);
+	Analyzer::schedule_analyzer(0.0.0.0, address, p, Analyzer::ANALYZER_IRC_DATA, 5 min);
 	dcc_expected_transfers[address, p] = c$irc;
 	}
 
-event expected_connection_seen(c: connection, a: count) &priority=10
+event expected_connection_seen(c: connection, a: Analyzer::Tag) &priority=10
 	{
 	local id = c$id;
 	if ( [id$resp_h, id$resp_p] in dcc_expected_transfers )

scripts/base/protocols/irc/file-analysis.bro

@@ -12,13 +12,13 @@ export {
 function get_file_handle(c: connection, is_orig: bool): string
 	{
 	if ( is_orig ) return "";
-	return cat(ANALYZER_IRC_DATA, " ", c$start_time, " ", id_string(c$id));
+	return cat(Analyzer::ANALYZER_IRC_DATA, " ", c$start_time, " ", id_string(c$id));
 	}
 
 module GLOBAL;
 
-event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
+event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool)
 	{
-	if ( tag != ANALYZER_IRC_DATA ) return;
+	if ( tag != Analyzer::ANALYZER_IRC_DATA ) return;
 	set_file_handle(IRC::get_file_handle(c, is_orig));
 	}

scripts/base/protocols/irc/main.bro

@@ -45,14 +45,13 @@ redef capture_filters += { ["irc-6668"] = "port 6668" };
 redef capture_filters += { ["irc-6669"] = "port 6669" };
 
 # DPD configuration.
-const irc_ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
-redef dpd_config += { [ANALYZER_IRC] = [$ports = irc_ports] };
-
-redef likely_server_ports += { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+const ports = { 6666/tcp, 6667/tcp, 6668/tcp, 6669/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
 	
 function new_session(c: connection): Info

scripts/base/protocols/modbus/main.bro

@@ -31,12 +31,14 @@ redef record connection += {
 
 # Configure DPD and the packet filter.
 redef capture_filters += { ["modbus"] = "tcp port 502" };
-redef dpd_config += { [ANALYZER_MODBUS] = [$ports = set(502/tcp)] };
-redef likely_server_ports += { 502/tcp };
+
+const ports = { 502/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(Modbus::LOG, [$columns=Info, $ev=log_modbus]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_MODBUS, ports);
 	}
 
 event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool) &priority=5

scripts/base/protocols/smtp/file-analysis.bro

@@ -13,14 +13,14 @@ export {
 function get_file_handle(c: connection, is_orig: bool): string
 	{
 	if ( ! c?$smtp ) return "";
-	return cat(ANALYZER_SMTP, " ", c$start_time, " ", c$smtp$trans_depth, " ",
+	return cat(Analyzer::ANALYZER_SMTP, " ", c$start_time, " ", c$smtp$trans_depth, " ",
 	           c$smtp_state$mime_level);
 	}
 
 module GLOBAL;
 
-event get_file_handle(tag: AnalyzerTag, c: connection, is_orig: bool)
+event get_file_handle(tag: Analyzer::Tag, c: connection, is_orig: bool)
 	{
-	if ( tag != ANALYZER_SMTP ) return;
+	if ( tag != Analyzer::ANALYZER_SMTP ) return;
 	set_file_handle(SMTP::get_file_handle(c, is_orig));
 	}

scripts/base/protocols/smtp/main.bro

@@ -74,9 +74,6 @@ export {
 	const mail_path_capture = ALL_HOSTS &redef;
 		
 	global log_smtp: event(rec: Info);
-	
-	## Configure the default ports for SMTP analysis.
-	const ports = { 25/tcp, 587/tcp } &redef;
 }
 
 redef record connection += { 
@@ -86,13 +83,14 @@ redef record connection += {
 
 # Configure DPD
 redef capture_filters += { ["smtp"] = "tcp port 25 or tcp port 587" };
-redef dpd_config += { [ANALYZER_SMTP] = [$ports = ports] };
 
-redef likely_server_ports += { 25/tcp, 587/tcp };
+const ports = { 25/tcp, 587/tcp };
+redef likely_server_ports += { ports };
 
 event bro_init() &priority=5
 	{
 	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
 	
 function find_address_in_smtp_header(header: string): string

scripts/base/protocols/socks/main.bro

@@ -34,9 +34,13 @@ export {
 	global log_socks: event(rec: Info);
 }
 
+const ports = { 1080/tcp };
+redef likely_server_ports += { ports };
+
 event bro_init() &priority=5
 	{
 	Log::create_stream(SOCKS::LOG, [$columns=Info, $ev=log_socks]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, ports);
 	}
 
 redef record connection += {
@@ -45,7 +49,6 @@ redef record connection += {
 
 # Configure DPD
 redef capture_filters += { ["socks"] = "tcp port 1080" };
-redef dpd_config += { [ANALYZER_SOCKS] = [$ports = set(1080/tcp)] };
 redef likely_server_ports += { 1080/tcp };
 
 function set_session(c: connection, version: count)

scripts/base/protocols/ssh/main.bro

@@ -71,10 +71,11 @@ export {
 }
 
 # Configure DPD and the packet filter
-redef capture_filters += { ["ssh"] = "tcp port 22" };
-redef dpd_config += { [ANALYZER_SSH] = [$ports = set(22/tcp)] };
 
-redef likely_server_ports += { 22/tcp };
+const ports = { 22/tcp };
+ 
+redef capture_filters += { ["ssh"] = "tcp port 22" };
+redef likely_server_ports += { ports };
 
 redef record connection += {
 	ssh: Info &optional;
@@ -83,6 +84,7 @@ redef record connection += {
 event bro_init() &priority=5
 {
 	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
 }
 
 function set_session(c: connection)

scripts/base/protocols/ssl/main.bro

@@ -94,11 +94,6 @@ redef record Info += {
 		delay_tokens: set[string] &optional;
 };
 
-event bro_init() &priority=5
-	{
-	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
-	}
-
 redef capture_filters += {
 	["ssl"] = "tcp port 443",
 	["nntps"] = "tcp port 563",
@@ -117,16 +112,9 @@ redef capture_filters += {
 const ports = {
 	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
+} &redef;
 
-redef dpd_config += {
-	[[ANALYZER_SSL]] = [$ports = ports]
-};
-
-redef likely_server_ports += {
-	443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
-	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
-};
+redef likely_server_ports += { ports };
 
 # A queue that buffers log records.
 global log_delay_queue: table[count] of Info;
@@ -135,6 +123,12 @@ global log_delay_queue_head = 0;
 # The bottom queue index that points to the next record to be flushed.
 global log_delay_queue_tail = 0;
 
+event bro_init() &priority=5
+	{
+	Log::create_stream(SSL::LOG, [$columns=Info, $ev=log_ssl]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, ports);
+	}
+
 function set_session(c: connection)
 	{
 	if ( ! c?$ssl )
@@ -288,14 +282,14 @@ event ssl_established(c: connection) &priority=-5
 	finish(c);
 	}
 
-event protocol_confirmation(c: connection, atype: count, aid: count) &priority=5
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
 	{
 	# Check by checking for existence of c$ssl record.
-	if ( c?$ssl && analyzer_name(atype) == "SSL" )
+	if ( c?$ssl && atype == Analyzer::ANALYZER_SSL )
 		c$ssl$analyzer_id = aid;
 	}
 
-event protocol_violation(c: connection, atype: count, aid: count,
+event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=5
 	{
 	if ( c?$ssl )

scripts/base/protocols/syslog/main.bro

@@ -27,10 +27,9 @@ export {
 }
 
 redef capture_filters += { ["syslog"] = "port 514" };
-const ports = { 514/udp } &redef;
-redef dpd_config += { [ANALYZER_SYSLOG_BINPAC] = [$ports = ports] };
 
-redef likely_server_ports += { 514/udp };
+const ports = { 514/udp };
+redef likely_server_ports += { ports };
 
 redef record connection += {
 	syslog: Info &optional;
@@ -39,6 +38,7 @@ redef record connection += {
 event bro_init() &priority=5
 	{
 	Log::create_stream(Syslog::LOG, [$columns=Info]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, ports);
 	}
 
 event syslog_message(c: connection, facility: count, severity: count, msg: string) &priority=5