Going over initial parts of the scripting overview.

I made a light pass over the text. Switched the includes over to the
new btest-include and adapted the other TEXT-EXECs a bit.

Also includes more tweaking all over the Sphinx setup.

aux/btest

@@ -1 +1 @@
-Subproject commit 35bb074c1c5173e44689df680a24ba13fea39a11
+Subproject commit 9726c5b982ee0e3e730a15dcd65f49bdee3fe458

doc/conf.py.in

@@ -41,10 +41,10 @@ btest_tests="doc/sphinx"
 
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc',
-               'rootedliteralinclude']
+extensions += ['bro', 'rst_directive', 'sphinx.ext.todo', 'adapt-toc']
 
 os.environ["BRO_SRC_ROOT"] = "@CMAKE_SOURCE_DIR@"
+os.environ["DOC_ROOT"] = "@CMAKE_SOURCE_DIR@/doc"
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['sphinx-sources/_templates', 'sphinx-sources/_static']
@@ -83,7 +83,7 @@ today_fmt = '%B %d, %Y'
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = []
+exclude_patterns = [".#*"]
 
 # The reST default role (used for this markup: `text`) to use for all documents.
 #default_role = None

doc/ext/rootedliteralinclude.py

@@ -1,25 +0,0 @@
-import os
-from sphinx.directives.code import LiteralInclude
-
-def setup(app):
-    app.add_directive('rootedliteralinclude', RootedLiteralInclude)
-
-class RootedLiteralInclude(LiteralInclude):
-    """
-    Like ``.. literalinclude::``, but the argument is an absolute path
-    which may contain environment variables which will be expanded when
-    generating documents.
-    """
-
-    def run(self):
-        document = self.state.document
-        if not document.settings.file_insertion_enabled:
-            return [document.reporter.warning('File insertion disabled',
-                                              line=self.lineno)]
-        env = document.settings.env
-
-        expanded_arg = os.path.expandvars(self.arguments[0])
-        sphinx_src_relation = os.path.relpath(expanded_arg, env.srcdir)
-        self.arguments[0] = os.path.join(os.sep, sphinx_src_relation)
-
-        return super(RootedLiteralInclude, self).run()

doc/index.rst

@@ -9,8 +9,8 @@ Bro Documentation
    :maxdepth: 2
 
    intro/index.rst
-   quickstart/index.rst
    install/index.rst
+   quickstart/index.rst
    using/index.rst
    scripting/index.rst
    frameworks/index.rst

doc/install/changes.rst

@@ -1,7 +1,7 @@
 
-===========================================
-Comprehensive Version History (aka CHANGES)
-===========================================
+========================
+Detailed Version History
+========================
 
 .. contents::
 

doc/quickstart/index.rst

@@ -7,9 +7,6 @@ Quick Start Guide
 
 .. contents::
 
-Installation
-============
-
 Bro works on most modern, Unix-based systems and requires no custom
 hardware.  It can be downloaded in either pre-built binary package or
 source code forms.  See :ref:`installing-bro` for instructions on how to

doc/scripting/connection_record_01.bro

@@ -0,0 +1,6 @@
+@load base/protocols/conn
+
+event connection_state_remove(c: connection)
+    {
+    print c;
+    }

doc/scripting/connection_record_02.bro

@@ -0,0 +1,7 @@
+@load base/protocols/conn
+@load base/protocols/dns
+
+event connection_state_remove(c: connection)
+    {
+    print c;
+    }

doc/scripting/data_struct_record_01.bro

@@ -0,0 +1,22 @@
+type Service: record {
+    name: string;
+    ports: set[port];
+    rfc: count;
+};
+
+function print_service(serv: Service): string
+    {
+    print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
+    
+    for ( p in serv$ports )
+        print fmt("  port: %s", p);
+    }
+
+event bro_init()
+    {
+    local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
+    local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
+    
+    print_service(dns);
+    print_service(http);
+    }

doc/scripting/data_struct_record_02.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 type Service: record {
     name: string;
     ports: set[port];
@@ -12,24 +9,21 @@ type System: record {
     services: set[Service];
     };
 
-
 function print_service(serv: Service): string
     {
     print fmt("  Service: %s(RFC%d)",serv$name, serv$rfc);
+    
     for ( p in serv$ports )
-        {
         print fmt("    port: %s", p);
     }
-    }
 
 function print_system(sys: System): string
     {
     print fmt("System: %s", sys$name);
+    
     for ( s in sys$services )
-        {
         print_service(s);
     }
-    }
 
 event bro_init()
     {

doc/scripting/data_struct_set_declaration.bro

@@ -1,10 +1,8 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local ssl_ports: set[port];
     local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
+    
     # SSH
     add ssl_ports[22/tcp];
     # HTTPS
@@ -14,17 +12,11 @@ event bro_init()
     
     # Check for SMTPS 
     if ( 587/tcp !in ssl_ports )
-        {
         add ssl_ports[587/tcp];
-        }
     
     for ( i in ssl_ports )
-        {
         print fmt("SSL Port: %s", i);
-        }
 
     for ( i in non_ssl_ports )
-        {
         print fmt("Non-SSL Port: %s", i);
     }
-    }

doc/scripting/data_struct_table_complex.bro

@@ -1,17 +1,13 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local samurai_flicks: table[string, string, count, string] of string;
+    
     samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
     samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
     samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
     samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
     
     for ( [d, s, y, a] in samurai_flicks )
-        {
         print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
     }
-    }
 

doc/scripting/data_struct_table_declaration.bro

@@ -1,19 +1,13 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local ssl_services: table[string] of port;
+    
     ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
     ssl_services["IMAPS"] = 993/tcp;
 
     if ( "SMTPS" !in ssl_services )
-        {
         ssl_services["SMTPS"] = 587/tcp;
-        }
 
     for ( k in ssl_services )
-        {
         print fmt("Service Name:  %s - Common Port: %s", k, ssl_services[k]);
     }
-    }

doc/scripting/data_struct_vector.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local v: vector of count = vector(1, 2, 3, 4);

doc/scripting/data_struct_vector_declaration.bro

@@ -1,14 +1,13 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local v1: vector of count;
     local v2 = vector(1, 2, 3, 4);
+    
     v1[|v1|] = 1;
     v1[|v1|] = 2;
     v1[|v1|] = 3;
     v1[|v1|] = 4;
+    
     print fmt("contents of v1: %s", v1);
     print fmt("length of v1: %d", |v1|);
     print fmt("contents of v1: %s", v2);

doc/scripting/data_struct_vector_iter.bro

@@ -0,0 +1,7 @@
+event bro_init()
+    {
+    local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
+
+    for (i in addr_vector)
+        print mask_addr(addr_vector[i], 18);
+    }

doc/scripting/data_type_const.bro

@@ -0,0 +1,9 @@
+const port_list: table[port] of string &redef;
+
+redef port_list += { [6666/tcp] = "IRC"};
+redef port_list += { [80/tcp] = "WWW" };
+
+event bro_init()
+    {
+    print port_list;
+    }

doc/scripting/data_type_const_simple.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro -b %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 @load base/protocols/http
 
 redef HTTP::default_capture_password = T;

doc/scripting/data_type_declaration.bro

@@ -0,0 +1,9 @@
+event bro_init()
+    {
+    local a: int;
+    a = 10;
+    local b = 10;
+
+    if ( a == b )
+        print fmt("A: %d, B: %d", a, b);
+    }

doc/scripting/data_type_interval.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 # Store the time the previous connection was established.
 global last_connection_time: time;
 
@@ -10,11 +7,12 @@ global connection_seen: bool = F;
 event connection_established(c: connection)
     {
     local net_time: time  = network_time();
+
     print fmt("%s:  New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
+    
     if ( connection_seen )
-        {
         print fmt("     Time since last connection: %s", net_time - last_connection_time);
-        }
+    
     last_connection_time = net_time;
     connection_seen = T;
     }

doc/scripting/data_type_local.bro

@@ -0,0 +1,11 @@
+function add_two(i: count): count
+    {
+    local added_two = i+2;
+    print fmt("i + 2 = %d", added_two);
+    return added_two;
+    }
+
+event bro_init()
+    {
+    local test = add_two(10);
+    }

doc/scripting/data_type_pattern_01.bro

@@ -1,14 +1,13 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local test_string = "The quick brown fox jumped over the lazy dog.";
     local test_pattern = /quick|lazy/;
     
     if ( test_pattern in test_string )
+        {
         local results = split(test_string, test_pattern);
         print results[1];
         print results[2];
         print results[3];
         }
+    }

doc/scripting/data_type_pattern_02.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 event bro_init()
     {
     local test_string = "equality";
@@ -11,4 +8,3 @@ event bro_init()
     test_pattern = /equality/;
     print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
     }
-

doc/scripting/data_type_subnets.bro

@@ -0,0 +1,15 @@
+event bro_init()
+    {
+    local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20);
+    local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1);
+    
+    for ( a in addresses )
+        {
+        for ( s in subnets )
+            {
+            if ( addresses[a] in subnets[s] )
+                print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
+            }
+        }
+
+    }

doc/scripting/data_type_time.bro

@@ -0,0 +1,4 @@
+event connection_established(c: connection)
+    {
+    print fmt("%s:  New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h);
+    }

doc/scripting/framework_logging_factorial_01.bro

@@ -0,0 +1,19 @@
+module Factor;
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    else
+        return ( n * factorial(n - 1) );
+    }
+
+event bro_init()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+    
+    for ( n in numbers )
+        print fmt("%d", factorial(numbers[n]));
+    }
+
+

doc/scripting/framework_logging_factorial_02.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff factor.log
-
 module Factor;
 
 export {
@@ -15,14 +12,11 @@ export {
 function factorial(n: count): count
     {
     if ( n == 0 )
-        {
         return 1;
-        }
+    
     else
-        {
         return ( n * factorial(n - 1) );
     }
-    }
 
 event bro_init()
     {
@@ -33,8 +27,6 @@ event bro_done()
     {
     local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
     for ( n in numbers )
-        {
         Log::write( Factor::LOG, [$num=numbers[n],
                                   $factorial_num=factorial(numbers[n])]);
     }
-    }

doc/scripting/framework_logging_factorial_03.bro

@@ -1,7 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff factor-mod5.log
-# @TEST-EXEC: btest-diff factor-non5.log
-
 module Factor;
 
 export {
@@ -16,44 +12,33 @@ export {
 function factorial(n: count): count
     {
     if ( n == 0 )
-        {
         return 1;
-        }
-    else
-        {
-        return ( n * factorial(n - 1) );
-        }
-    }
     
-event bro_init()
-    {
-    Log::create_stream(LOG, [$columns=Info]);
+    else
+        return (n * factorial(n - 1));
     }
 
 event bro_done()
     {
     local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
     for ( n in numbers )
-        {
         Log::write( Factor::LOG, [$num=numbers[n],
                                   $factorial_num=factorial(numbers[n])]);
     }
-    }
 
 function mod5(id: Log::ID, path: string, rec: Factor::Info) : string    
     {
     if ( rec$factorial_num % 5 == 0 )
-        {
         return "factor-mod5";
-        }
+    
     else
-        {
         return "factor-non5";
     }
-    }
 
 event bro_init()
     {
+    Log::create_stream(LOG, [$columns=Info]);
+    
     local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
     Log::add_filter(Factor::LOG, filter);
     Log::remove_filter(Factor::LOG, "default");

doc/scripting/framework_logging_factorial_04.bro

@@ -1,7 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff factor-mod5.log
-# @TEST-EXEC: btest-diff factor-non5.log
-
 module Factor;
 
 export {
@@ -18,14 +14,11 @@ export {
 function factorial(n: count): count
     {
     if ( n == 0 )
-        {
         return 1;
-        }
+    
     else
-        {
         return (n * factorial(n - 1));
     }
-    }
 
 event bro_init()
     {
@@ -36,23 +29,18 @@ event bro_done()
     {
     local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
     for ( n in numbers )
-        {
         Log::write( Factor::LOG, [$num=numbers[n],
                                   $factorial_num=factorial(numbers[n])]);
     }
-    }
 
 function mod5(id: Log::ID, path: string, rec: Factor::Info) : string    
     {
     if ( rec$factorial_num % 5 == 0 )
-        {
         return "factor-mod5";
-        }
+    
     else
-        {
         return "factor-non5";
     }
-    }
 
 event bro_init()
     {

doc/scripting/framework_notice_hook_01.bro

@@ -0,0 +1,7 @@
+@load policy/protocols/ssh/interesting-hostnames.bro
+
+hook Notice::policy(n: Notice::Info)
+  {
+  if ( n$note == SSH::Interesting_Hostname_Login )
+      add n$actions[Notice::ACTION_EMAIL];
+  }

doc/scripting/framework_notice_hook_suppression_01.bro

@@ -0,0 +1,7 @@
+@load policy/protocols/ssl/expiring-certs.bro
+
+hook Notice::policy(n: Notice::Info) 
+   {
+   if ( n$note == SSL::Certificate_Expires_Soon )
+       n$suppress_for = 12hrs;
+   }

doc/scripting/framework_notice_shortcuts_01.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 @load policy/protocols/ssh/interesting-hostnames.bro
 @load base/protocols/ssh/
 

doc/scripting/framework_notice_shortcuts_02.bro

@@ -1,6 +1,3 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
-
 @load policy/protocols/ssh/interesting-hostnames.bro
 @load base/protocols/ssh/
 

doc/using/index.rst

@@ -44,7 +44,8 @@ the Unix utility ``head`` and outputting the first lines of the file:
 
 .. btest:: using_bro
    
-   @TEST-EXEC: btest-rst-cmd "bro -r $TRACES/wikipedia.trace && head -15 conn.log"
+   @TEST-EXEC: btest-rst-cmd bro -r $TRACES/wikipedia.trace
+   @TEST-EXEC: btest-rst-include -n 15 conn.log
 
 As you can see, the header consists of lines prefixed by ``#`` and
 includes information such as what separators are being used for

testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1

@@ -0,0 +1,11 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -b -r dns-session.trace connection_record_01.bro
+  [id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
+  
+  }, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
+  
+  }], extract_orig=F, extract_resp=F]
+

testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1

@@ -0,0 +1,17 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -b -r dns-session.trace connection_record_02.bro
+  [id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], orig=[size=29, state=5, num_pkts=6, num_bytes_ip=273, flow_label=0], resp=[size=44, state=5, num_pkts=5, num_bytes_ip=248, flow_label=0], start_time=930613226.067666, duration=0.709643, service={
+  
+  }, addl=, hot=0, history=ShADadFf, uid=UWkUyAuUGXf, tunnel=<uninitialized>, conn=[ts=930613226.067666, uid=UWkUyAuUGXf, id=[orig_h=212.180.42.100, orig_p=25000/tcp, resp_h=131.243.64.3, resp_p=53/tcp], proto=tcp, service=<uninitialized>, duration=0.709643, orig_bytes=29, resp_bytes=44, conn_state=SF, local_orig=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=6, orig_ip_bytes=273, resp_pkts=5, resp_ip_bytes=248, tunnel_parents={
+  
+  }], extract_orig=F, extract_resp=F, dns=<uninitialized>, dns_state=[pending={
+  [34798] = [initialized=T, vals={
+  
+  }, settings=[max_len=<uninitialized>], top=1, bottom=1, size=0]
+  }, finished_answers={
+  
+  }]]
+

testing/btest/Baseline/doc.sphinx.data_struct_record_01/btest-doc.sphinx.data_struct_record_01#1

@@ -0,0 +1,12 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_struct_record_01.bro
+  Service: dns(RFC1035)
+    port: 53/tcp
+    port: 53/udp
+  Service: http(RFC2616)
+    port: 80/tcp
+    port: 8080/tcp
+

testing/btest/Baseline/doc.sphinx.data_struct_record_02/btest-doc.sphinx.data_struct_record_02#1

@@ -0,0 +1,13 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_struct_record_02.bro
+  System: morlock
+    Service: dns(RFC1035)
+      port: 53/tcp
+      port: 53/udp
+    Service: http(RFC2616)
+      port: 80/tcp
+      port: 8080/tcp
+

testing/btest/Baseline/doc.sphinx.data_struct_set_declaration/btest-doc.sphinx.data_struct_set_declaration#1

@@ -0,0 +1,14 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_struct_set_declaration.bro
+  SSL Port: 993/tcp
+  SSL Port: 22/tcp
+  SSL Port: 587/tcp
+  SSL Port: 443/tcp
+  Non-SSL Port: 143/tcp
+  Non-SSL Port: 25/tcp
+  Non-SSL Port: 80/tcp
+  Non-SSL Port: 23/tcp
+

testing/btest/Baseline/doc.sphinx.data_struct_table_complex/btest-doc.sphinx.data_struct_table_complex#1

@@ -0,0 +1,10 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -b data_struct_table_complex.bro
+  Kiru was released in 1968 by Toho studios, directed by Kihachi Okamoto and starring Tatsuya Nakadai
+  Goyokin was released in 1969 by Fuji studios, directed by Hideo Gosha and starring Tatsuya Nakadai
+  Harakiri was released in 1962 by Shochiku Eiga studios, directed by Masaki Kobayashi and starring Tatsuya Nakadai
+  Tasogare Seibei was released in 2002 by Eisei Gekijo studios, directed by Yoji Yamada and starring Hiroyuki Sanada
+

testing/btest/Baseline/doc.sphinx.data_struct_table_declaration/btest-doc.sphinx.data_struct_table_declaration#1

@@ -0,0 +1,10 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_struct_table_declaration.bro
+  Service Name:  IMAPS - Common Port: 993/tcp
+  Service Name:  HTTPS - Common Port: 443/tcp
+  Service Name:  SSH - Common Port: 22/tcp
+  Service Name:  SMTPS - Common Port: 587/tcp
+

testing/btest/Baseline/doc.sphinx.data_struct_vector_declaration/btest-doc.sphinx.data_struct_vector_declaration#1

@@ -0,0 +1,10 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_struct_vector_declaration.bro
+  contents of v1: [1, 2, 3, 4]
+  length of v1: 4
+  contents of v1: [1, 2, 3, 4]
+  length of v2: 4
+

testing/btest/Baseline/doc.sphinx.data_struct_vector_iter/btest-doc.sphinx.data_struct_vector_iter#1

@@ -0,0 +1,9 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -b data_struct_vector_iter.bro
+  1.2.0.0/18
+  2.3.0.0/18
+  3.4.0.0/18
+

testing/btest/Baseline/doc.sphinx.data_type_const.bro/btest-doc.sphinx.data_type_const.bro#1

@@ -0,0 +1,10 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -b data_type_const.bro
+  {
+  [6666/tcp] = IRC,
+  [80/tcp] = WWW
+  }
+

testing/btest/Baseline/doc.sphinx.data_type_interval/btest-doc.sphinx.data_type_interval#1

@@ -0,0 +1,23 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -r wikipedia.trace data_type_interval.bro
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 132.0 msecs 97.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 177.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 2.0 msecs 177.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 33.0 msecs 898.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 35.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+       Time since last connection: 2.0 msecs 532.0 usecs
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2
+       Time since last connection: 7.0 msecs 866.0 usecs
+  2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128
+       Time since last connection: 817.0 msecs 703.0 usecs
+

testing/btest/Baseline/doc.sphinx.data_type_pattern/btest-doc.sphinx.data_type_pattern#1

@@ -0,0 +1,9 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_type_pattern_01.bro
+  The 
+   brown fox jumped over the 
+   dog.
+

testing/btest/Baseline/doc.sphinx.data_type_pattern_02/btest-doc.sphinx.data_type_pattern_02#1

@@ -0,0 +1,8 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_type_pattern_02.bro
+  equality and /^?(equal)$?/ are not equal
+  equality and /^?(equality)$?/ are equal
+

testing/btest/Baseline/doc.sphinx.data_type_subnets/btest-doc.sphinx.data_type_subnets#1

@@ -0,0 +1,10 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro data_type_subnets.bro
+  172.16.4.56 belongs to subnet 172.16.0.0/20
+  172.16.47.254 belongs to subnet 172.16.32.0/20
+  172.16.22.45 belongs to subnet 172.16.16.0/20
+  172.16.1.1 belongs to subnet 172.16.0.0/20
+

testing/btest/Baseline/doc.sphinx.data_type_time/btest-doc.sphinx.data_type_time#1

@@ -0,0 +1,15 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -r wikipedia.trace data_type_time.bro
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+  2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2^J
+  2011/06/18 19:03:09:  New connection established from 141.142.220.235 to 173.192.163.128^J
+

testing/btest/Baseline/doc.sphinx.framework_logging_factorial-2/btest-doc.sphinx.framework_logging_factorial-2#1

@@ -0,0 +1,29 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro framework_logging_factorial_02.bro
+
+.. code-block:: guess
+   :linenos:
+
+  #separator \x09
+  #set_separator	,
+  #empty_field	(empty)
+  #unset_field	-
+  #path	factor
+  #open	2013-08-30-23-20-49
+  #fields	num	factorial_num
+  #types	count	count
+  1	1
+  2	2
+  3	6
+  4	24
+  5	120
+  6	720
+  7	5040
+  8	40320
+  9	362880
+  10	3628800
+  #close	2013-08-30-23-20-49
+

testing/btest/Baseline/doc.sphinx.framework_logging_factorial-3/btest-doc.sphinx.framework_logging_factorial-3#1

@@ -0,0 +1,25 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro framework_logging_factorial_03.bro
+
+.. code-block:: guess
+   :linenos:
+
+  #separator \x09
+  #set_separator	,
+  #empty_field	(empty)
+  #unset_field	-
+  #path	factor-mod5
+  #open	2013-08-30-23-20-49
+  #fields	num	factorial_num
+  #types	count	count
+  5	120
+  6	720
+  7	5040
+  8	40320
+  9	362880
+  10	3628800
+  #close	2013-08-30-23-20-49
+

testing/btest/Baseline/doc.sphinx.framework_logging_factorial/btest-doc.sphinx.framework_logging_factorial#1

@@ -0,0 +1,16 @@
+.. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro framework_logging_factorial_01.bro
+  1
+  2
+  6
+  24
+  120
+  720
+  5040
+  40320
+  362880
+  3628800
+

testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_connection_record_02_bro.include-doc_scripting_connection_record_02_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro -b -r $TRACES/dns-session.trace %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- connection_record_02.bro
 
 @load base/protocols/conn
 @load base/protocols/dns

testing/btest/Baseline/doc.sphinx.include-doc_scripting_connection_record_02_bro@2/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_connection_record_02_bro@2.include-doc_scripting_connection_record_02_bro@2.btest

@@ -0,0 +1,11 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- connection_record_02.bro
+
+@load base/protocols/conn
+@load base/protocols/dns
+
+event connection_state_remove(c: connection)
+    {
+    print c;
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_record_01_bro.include-doc_scripting_data_struct_record_01_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_record_01.bro
 
 type Service: record {
     name: string;
@@ -10,16 +11,16 @@ type Service: record {
 function print_service(serv: Service): string
     {
     print fmt("Service: %s(RFC%d)",serv$name, serv$rfc);
+    
     for ( p in serv$ports )
-        {
         print fmt("  port: %s", p);
     }
-    }
 
 event bro_init()
     {
     local dns: Service = [$name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
     local http: Service = [$name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
+    
     print_service(dns);
     print_service(http);
     }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_record_02_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_record_02_bro.include-doc_scripting_data_struct_record_02_bro.btest

@@ -0,0 +1,45 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_record_02.bro
+
+type Service: record {
+    name: string;
+    ports: set[port];
+    rfc: count;
+    };
+
+type System: record {
+    name: string;
+    services: set[Service];
+    };
+
+function print_service(serv: Service): string
+    {
+    print fmt("  Service: %s(RFC%d)",serv$name, serv$rfc);
+    
+    for ( p in serv$ports )
+        print fmt("    port: %s", p);
+    }
+
+function print_system(sys: System): string
+    {
+    print fmt("System: %s", sys$name);
+    
+    for ( s in sys$services )
+        print_service(s);
+    }
+
+event bro_init()
+    {
+    local server01: System;
+    server01$name = "morlock";
+    add server01$services[[ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035]];
+    add server01$services[[ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616]];
+    print_system(server01);
+    
+    
+    # local dns: Service = [ $name="dns", $ports=set(53/udp, 53/tcp), $rfc=1035];
+    # local http: Service = [ $name="http", $ports=set(80/tcp, 8080/tcp), $rfc=2616];
+    # print_service(dns);
+    # print_service(http);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro.include-doc_scripting_data_struct_set_declaration_bro.btest

@@ -0,0 +1,9 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_set_declaration.bro
+
+event bro_init()
+    {
+    local ssl_ports: set[port];
+    local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@2/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@2.include-doc_scripting_data_struct_set_declaration_bro@2.btest

@@ -0,0 +1,9 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_set_declaration.bro
+
+    for ( i in ssl_ports )
+        print fmt("SSL Port: %s", i);
+
+    for ( i in non_ssl_ports )
+        print fmt("Non-SSL Port: %s", i);

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@3/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@3.include-doc_scripting_data_struct_set_declaration_bro@3.btest

@@ -0,0 +1,7 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_set_declaration.bro
+
+    # Check for SMTPS 
+    if ( 587/tcp !in ssl_ports )
+        add ssl_ports[587/tcp];

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@4/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_set_declaration_bro@4.include-doc_scripting_data_struct_set_declaration_bro@4.btest

@@ -0,0 +1,26 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_set_declaration.bro
+
+event bro_init()
+    {
+    local ssl_ports: set[port];
+    local non_ssl_ports = set( 23/tcp, 80/tcp, 143/tcp, 25/tcp );
+    
+    # SSH
+    add ssl_ports[22/tcp];
+    # HTTPS
+    add ssl_ports[443/tcp];
+    # IMAPS
+    add ssl_ports[993/tcp];
+    
+    # Check for SMTPS 
+    if ( 587/tcp !in ssl_ports )
+        add ssl_ports[587/tcp];
+    
+    for ( i in ssl_ports )
+        print fmt("SSL Port: %s", i);
+
+    for ( i in non_ssl_ports )
+        print fmt("Non-SSL Port: %s", i);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_complex_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_table_complex_bro.include-doc_scripting_data_struct_table_complex_bro.btest

@@ -0,0 +1,17 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_table_complex.bro
+
+event bro_init()
+    {
+    local samurai_flicks: table[string, string, count, string] of string;
+    
+    samurai_flicks["Kihachi Okamoto", "Toho", 1968, "Tatsuya Nakadai"] = "Kiru";
+    samurai_flicks["Hideo Gosha", "Fuji", 1969, "Tatsuya Nakadai"] = "Goyokin";
+    samurai_flicks["Masaki Kobayashi", "Shochiku Eiga", 1962, "Tatsuya Nakadai" ] = "Harakiri";
+    samurai_flicks["Yoji Yamada", "Eisei Gekijo", 2002, "Hiroyuki Sanada" ] = "Tasogare Seibei";
+    
+    for ( [d, s, y, a] in samurai_flicks )
+        print fmt("%s was released in %d by %s studios, directed by %s and starring %s", samurai_flicks[d, s, y, a], y, s, d, a);
+    }
+

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_table_declaration_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_table_declaration_bro.include-doc_scripting_data_struct_table_declaration_bro.btest

@@ -0,0 +1,17 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_table_declaration.bro
+
+event bro_init()
+    {
+    local ssl_services: table[string] of port;
+    
+    ssl_services = table(["SSH"] = 22/tcp, ["HTTPS"] = 443/tcp);
+    ssl_services["IMAPS"] = 993/tcp;
+
+    if ( "SMTPS" !in ssl_services )
+        ssl_services["SMTPS"] = 587/tcp;
+
+    for ( k in ssl_services )
+        print fmt("Service Name:  %s - Common Port: %s", k, ssl_services[k]);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro.include-doc_scripting_data_struct_vector_declaration_bro.btest

@@ -0,0 +1,19 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_vector_declaration.bro
+
+event bro_init()
+    {
+    local v1: vector of count;
+    local v2 = vector(1, 2, 3, 4);
+    
+    v1[|v1|] = 1;
+    v1[|v1|] = 2;
+    v1[|v1|] = 3;
+    v1[|v1|] = 4;
+    
+    print fmt("contents of v1: %s", v1);
+    print fmt("length of v1: %d", |v1|);
+    print fmt("contents of v1: %s", v2);
+    print fmt("length of v2: %d", |v2|);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_iter_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_struct_vector_iter_bro.include-doc_scripting_data_struct_vector_iter_bro.btest

@@ -0,0 +1,11 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_struct_vector_iter.bro
+
+event bro_init()
+    {
+    local addr_vector: vector of addr = vector(1.2.3.4, 2.3.4.5, 3.4.5.6);
+
+    for (i in addr_vector)
+        print mask_addr(addr_vector[i], 18);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_const_bro.include-doc_scripting_data_type_const_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro -b %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_const.bro
 
 const port_list: table[port] of string &redef;
 

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_const_simple_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_const_simple_bro.include-doc_scripting_data_type_const_simple_bro.btest

@@ -0,0 +1,8 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_const_simple.bro
+
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;
+

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_declaration_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_declaration_bro.include-doc_scripting_data_type_declaration_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_declaration.bro
 
 event bro_init()
     {
@@ -8,7 +9,5 @@ event bro_init()
     local b = 10;
 
     if ( a == b )
-        {
         print fmt("A: %d, B: %d", a, b);
     }
-    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_interval_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_interval_bro.include-doc_scripting_data_type_interval_bro.btest

@@ -0,0 +1,22 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_interval.bro
+
+# Store the time the previous connection was established.
+global last_connection_time: time;
+
+# boolean value to indicate whether we have seen a previous connection.
+global connection_seen: bool = F;
+
+event connection_established(c: connection)
+    {
+    local net_time: time  = network_time();
+
+    print fmt("%s:  New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
+    
+    if ( connection_seen )
+        print fmt("     Time since last connection: %s", net_time - last_connection_time);
+    
+    last_connection_time = net_time;
+    connection_seen = T;
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_local_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_local_bro.include-doc_scripting_data_type_local_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_local.bro
 
 function add_two(i: count): count
     {

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_pattern_01_bro.include-doc_scripting_data_type_pattern_01_bro.btest

@@ -0,0 +1,17 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_pattern_01.bro
+
+event bro_init()
+    {
+    local test_string = "The quick brown fox jumped over the lazy dog.";
+    local test_pattern = /quick|lazy/;
+    
+    if ( test_pattern in test_string )
+        {
+        local results = split(test_string, test_pattern);
+        print results[1];
+        print results[2];
+        print results[3];
+        }
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_pattern_02_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_pattern_02_bro.include-doc_scripting_data_type_pattern_02_bro.btest

@@ -0,0 +1,14 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_pattern_02.bro
+
+event bro_init()
+    {
+    local test_string = "equality";
+
+    local test_pattern = /equal/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    
+    test_pattern = /equality/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_subnets_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_subnets_bro.include-doc_scripting_data_type_subnets_bro.btest

@@ -1,22 +1,19 @@
-# @TEST-EXEC: bro -b %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_subnets.bro
 
 event bro_init()
     {
     local subnets = vector(172.16.0.0/20, 172.16.16.0/20, 172.16.32.0/20, 172.16.48.0/20);
     local addresses = vector(172.16.4.56, 172.16.47.254, 172.16.22.45, 172.16.1.1);
+    
     for ( a in addresses )
         {
         for ( s in subnets )
             {
             if ( addresses[a] in subnets[s] )
-                {
                 print fmt("%s belongs to subnet %s", addresses[a], subnets[s]);
             }
         }
-        }
 
     }
-
-
-

testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_type_time_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_data_type_time_bro.include-doc_scripting_data_type_time_bro.btest

@@ -1,5 +1,6 @@
-# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- data_type_time.bro
 
 event connection_established(c: connection)
     {

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_logging_factorial_01_bro.include-doc_scripting_framework_logging_factorial_01_bro.btest

@@ -1,27 +1,23 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_logging_factorial_01.bro
 
 module Factor;
 
 function factorial(n: count): count
     {
     if ( n == 0 )
-        {
         return 1;
-        }
     else
-        {
         return ( n * factorial(n - 1) );
     }
-    }
 
 event bro_init()
     {
     local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+    
     for ( n in numbers )
-        {
         print fmt("%d", factorial(numbers[n]));
     }
-    }
 
 

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_02_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_logging_factorial_02_bro.include-doc_scripting_framework_logging_factorial_02_bro.btest

@@ -0,0 +1,36 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_logging_factorial_02.bro
+
+module Factor;
+
+export {
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        num:           count &log;
+        factorial_num: count &log;
+        };
+    }
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    
+    else
+        return ( n * factorial(n - 1) );
+    }
+
+event bro_init()
+    {
+    Log::create_stream(LOG, [$columns=Info]);
+    }
+
+event bro_done()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
+    for ( n in numbers )
+        Log::write( Factor::LOG, [$num=numbers[n],
+                                  $factorial_num=factorial(numbers[n])]);
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro.include-doc_scripting_framework_logging_factorial_03_bro.btest

@@ -0,0 +1,12 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_logging_factorial_03.bro
+
+event bro_init()
+    {
+    Log::create_stream(LOG, [$columns=Info]);
+    
+    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
+    Log::add_filter(Factor::LOG, filter);
+    Log::remove_filter(Factor::LOG, "default");
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_04_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_logging_factorial_04_bro.include-doc_scripting_framework_logging_factorial_04_bro.btest

@@ -0,0 +1,54 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_logging_factorial_04.bro
+
+module Factor;
+
+export {
+    redef enum Log::ID += { LOG };
+
+    type Info: record {
+        num:           count &log;
+        factorial_num: count &log;
+        };
+    
+    global log_factor: event(rec: Info);
+    }
+
+function factorial(n: count): count
+    {
+    if ( n == 0 )
+        return 1;
+    
+    else
+        return (n * factorial(n - 1));
+    }
+
+event bro_init()
+    {
+    Log::create_stream(LOG, [$columns=Info, $ev=log_factor]);
+    }
+
+event bro_done()
+    {
+    local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);    
+    for ( n in numbers )
+        Log::write( Factor::LOG, [$num=numbers[n],
+                                  $factorial_num=factorial(numbers[n])]);
+    }
+
+function mod5(id: Log::ID, path: string, rec: Factor::Info) : string    
+    {
+    if ( rec$factorial_num % 5 == 0 )
+        return "factor-mod5";
+    
+    else
+        return "factor-non5";
+    }
+
+event bro_init()
+    {
+    local filter: Log::Filter = [$name="split-mod5s", $path_func=mod5];
+    Log::add_filter(Factor::LOG, filter);
+    Log::remove_filter(Factor::LOG, "default");
+    }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_notice_hook_01_bro.include-doc_scripting_framework_notice_hook_01_bro.btest

@@ -1,12 +1,11 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_notice_hook_01.bro
 
 @load policy/protocols/ssh/interesting-hostnames.bro
 
 hook Notice::policy(n: Notice::Info)
   {
   if ( n$note == SSH::Interesting_Hostname_Login )
-      {
       add n$actions[Notice::ACTION_EMAIL];
   }
-  }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_hook_suppression_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_notice_hook_suppression_01_bro.include-doc_scripting_framework_notice_hook_suppression_01_bro.btest

@@ -1,12 +1,11 @@
-# @TEST-EXEC: bro %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_notice_hook_suppression_01.bro
 
 @load policy/protocols/ssl/expiring-certs.bro
 
 hook Notice::policy(n: Notice::Info) 
    {
    if ( n$note == SSL::Certificate_Expires_Soon )
-       {
        n$suppress_for = 12hrs;
    }
-   }

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_01_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_notice_shortcuts_01_bro.include-doc_scripting_framework_notice_shortcuts_01_bro.btest

@@ -0,0 +1,12 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_notice_shortcuts_01.bro
+
+@load policy/protocols/ssh/interesting-hostnames.bro
+@load base/protocols/ssh/
+
+redef Notice::emailed_types += {
+    SSH::Interesting_Hostname_Login,
+    SSH::Login
+};
+

testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_notice_shortcuts_02_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-doc_scripting_framework_notice_shortcuts_02_bro.include-doc_scripting_framework_notice_shortcuts_02_bro.btest

@@ -0,0 +1,11 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- framework_notice_shortcuts_02.bro
+
+@load policy/protocols/ssh/interesting-hostnames.bro
+@load base/protocols/ssh/
+
+redef Notice::type_suppression_intervals += {
+    [SSH::Interesting_Hostname_Login] = 1day,
+    [SSH::Login] = 12hrs,
+};

testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_event_bif_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_base_bif_event_bif_bro.include-scripts_base_bif_event_bif_bro.btest

@@ -0,0 +1,25 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- event.bif.bro
+
+## script-level cleanup that needs to be performed for every connection.  This
+## event is generated not only for TCP sessions but also for UDP and ICMP
+## flows.
+##
+##
+global connection_external: event(c: connection , tag: string );
+
+
+## Generated when a UDP session for a supported protocol has finished. Some of
+## Bro's application-layer UDP analyzers flag the end of a session by raising
+## Generated when a connection is seen that is marked as being expected.
+
+
+global ipv6_ext_headers: event(c: connection , p: pkt_hdr );
+##    their specifics differ slightly. Often, however, both will be raised for
+##    the same connection if some of its data is missing. We should eventually
+##    merge the two.
+global ack_above_hole: event(c: connection );
+
+
+##

testing/btest/Baseline/doc.sphinx.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro.include-scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest

@@ -0,0 +1,30 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- Bro_DNS.events.bif.bro
+
+## Generated for DNS requests. For requests with multiple queries, this event
+## is raised once for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+##    dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+##    dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+##    dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+##    dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+##    dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );

testing/btest/Baseline/doc.sphinx.include-scripts_base_init-bare_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_base_init-bare_bro.include-scripts_base_init-bare_bro.btest

@@ -0,0 +1,7 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- init-bare.bro
+
+type string_array: table[count] of string;
+type string_set: set[string];
+type addr_set: set[addr];

testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_conn_main_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_base_protocols_conn_main_bro.include-scripts_base_protocols_conn_main_bro.btest

@@ -0,0 +1,28 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- main.bro
+
+module Conn;
+
+export {
+	## The record type which contains column fields of the connection log.
+	type Info: record {
+		ts:           time            &log;
+		uid:          string          &log;
+		id:           conn_id         &log;
+		proto:        transport_proto &log;
+		service:      string          &log &optional;
+		duration:     interval        &log &optional;
+		orig_bytes:   count           &log &optional;
+		resp_bytes:   count           &log &optional;
+		conn_state:   string          &log &optional;
+		local_orig:   bool            &log &optional;
+		missed_bytes: count           &log &default=0;
+		history:      string          &log &optional;
+		orig_pkts:     count      &log &optional;
+		orig_ip_bytes: count      &log &optional;
+		resp_pkts:     count      &log &optional;
+		resp_ip_bytes: count      &log &optional;
+		tunnel_parents: set[string] &log;
+	};
+}

testing/btest/Baseline/doc.sphinx.include-scripts_base_protocols_http_main_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_base_protocols_http_main_bro.include-scripts_base_protocols_http_main_bro.btest

@@ -0,0 +1,10 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- main.bro
+
+module HTTP;
+
+export {
+	## This setting changes if passwords used in Basic-Auth are captured or not.
+	const default_capture_password = F &redef;
+}

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro.include-scripts_policy_frameworks_files_detect-MHR_bro.btest

@@ -0,0 +1,61 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- detect-MHR.bro
+
+##! Detect file downloads that have hash values matching files in Team
+##! Cymru's Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).
+
+@load base/frameworks/files
+@load base/frameworks/notice
+@load frameworks/files/hash-all-files
+
+module TeamCymruMalwareHashRegistry;
+
+export {
+	redef enum Notice::Type += {
+		## The hash value of a file transferred over HTTP matched in the
+		## malware hash registry.
+		Match
+	};
+
+	## File types to attempt matching against the Malware Hash Registry.
+	const match_file_types = /application\/x-dosexec/ |
+	                         /application\/vnd.ms-cab-compressed/ |
+	                         /application\/pdf/ |
+	                         /application\/x-shockwave-flash/ |
+	                         /application\/x-java-applet/ |
+	                         /application\/jar/ |
+	                         /video\/mp4/ &redef;
+
+	## The malware hash registry runs each malware sample through several A/V engines.
+	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
+	## sample as malicious. This threshold allows you to require a minimum detection
+	## rate.
+	const notice_threshold = 10 &redef;
+}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind=="sha1" && match_file_types in f$mime_type )
+		{
+		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+			{
+			# Data is returned as "<dateFirstDetected> <detectionRate>"
+			local MHR_answer = split1(MHR_result, / /);
+			if ( |MHR_answer| == 2 )
+				{
+				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));
+				local mhr_detect_rate = to_count(MHR_answer[2]);
+
+				local readable_first_detected = strftime("%Y-%m-%d %H:%M:%S", mhr_first_detected);
+				if ( mhr_detect_rate >= notice_threshold )
+					{
+					local message = fmt("Malware Hash Registry Detection rate: %d%%  Last seen: %s", mhr_detect_rate, readable_first_detected);
+					local virustotal_url = fmt("https://www.virustotal.com/en/file/%s/analysis/", hash);
+					NOTICE([$note=Match, $msg=message, $sub=virustotal_url, $f=f]);
+					}
+				}
+			}
+		}
+	}

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@2.include-scripts_policy_frameworks_files_detect-MHR_bro@2.btest

@@ -0,0 +1,9 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- detect-MHR.bro
+
+
+module TeamCymruMalwareHashRegistry;
+
+export {
+	redef enum Notice::Type += {

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@3.include-scripts_policy_frameworks_files_detect-MHR_bro@3.btest

@@ -0,0 +1,17 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- detect-MHR.bro
+
+		## The hash value of a file transferred over HTTP matched in the
+		## malware hash registry.
+		Match
+	};
+
+	## File types to attempt matching against the Malware Hash Registry.
+	const match_file_types = /application\/x-dosexec/ |
+	                         /application\/vnd.ms-cab-compressed/ |
+	                         /application\/pdf/ |
+	                         /application\/x-shockwave-flash/ |
+	                         /application\/x-java-applet/ |
+	                         /application\/jar/ |
+	                         /video\/mp4/ &redef;

testing/btest/Baseline/doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_frameworks_files_detect-MHR_bro@4.include-scripts_policy_frameworks_files_detect-MHR_bro@4.btest

@@ -0,0 +1,23 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- detect-MHR.bro
+
+	## The malware hash registry runs each malware sample through several A/V engines.
+	## Team Cymru returns a percentage to indicate how many A/V engines flagged the
+	## sample as malicious. This threshold allows you to require a minimum detection
+	## rate.
+	const notice_threshold = 10 &redef;
+}
+
+event file_hash(f: fa_file, kind: string, hash: string)
+	{
+	if ( kind=="sha1" && match_file_types in f$mime_type )
+		{
+		local hash_domain = fmt("%s.malware.hash.cymru.com", hash);
+		when ( local MHR_result = lookup_hostname_txt(hash_domain) )
+			{
+			# Data is returned as "<dateFirstDetected> <detectionRate>"
+			local MHR_answer = split1(MHR_result, / /);
+			if ( |MHR_answer| == 2 )
+				{
+				local mhr_first_detected = double_to_time(to_double(MHR_answer[1]));

testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_conn_known-hosts_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_protocols_conn_known-hosts_bro.include-scripts_policy_protocols_conn_known-hosts_bro.btest

@@ -0,0 +1,9 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- known-hosts.bro
+
+module Known;
+
+export {
+	global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
+}

testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro.include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest

@@ -0,0 +1,50 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- interesting-hostnames.bro
+
+##! This script will generate a notice if an apparent SSH login originates 
+##! or heads to a host with a reverse hostname that looks suspicious.  By 
+##! default, the regular expression to match "interesting" hostnames includes 
+##! names that are typically used for infrastructure hosts like nameservers, 
+##! mail servers, web servers and ftp servers.
+
+@load base/frameworks/notice
+
+module SSH;
+
+export {
+	redef enum Notice::Type += {
+		## Generated if a login originates or responds with a host where the 
+		## reverse hostname lookup resolves to a name matched by the 
+		## :bro:id:`SSH::interesting_hostnames` regular expression.
+		Interesting_Hostname_Login,
+	};
+	
+	## Strange/bad host names to see successful SSH logins from or to.
+	const interesting_hostnames =
+			/^d?ns[0-9]*\./ |
+			/^smtp[0-9]*\./ |
+			/^mail[0-9]*\./ |
+			/^pop[0-9]*\./  |
+			/^imap[0-9]*\./ |
+			/^www[0-9]*\./  |
+			/^ftp[0-9]*\./  &redef;
+}
+
+event SSH::heuristic_successful_login(c: connection)
+	{
+	for ( host in set(c$id$orig_h, c$id$resp_h) )
+		{
+		when ( local hostname = lookup_addr(host) )
+			{
+			if ( interesting_hostnames in hostname )
+				{
+				NOTICE([$note=Interesting_Hostname_Login,
+				        $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+				                 Site::is_local_addr(host) ? "local" : "remote",
+				                 host == c$id$orig_h ? "client" : "server"),
+				        $sub=hostname, $conn=c]);
+				}
+			}
+		}
+	}

testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro/.Users.robin.bro.docs.testing.btest..tmp.doc.sphinx.include-scripts_policy_protocols_ssl_expiring-certs_bro.include-scripts_policy_protocols_ssl_expiring-certs_bro.btest

@@ -0,0 +1,8 @@
+# @TEST-EXEC: btest-diff %INPUT
+
+-- expiring-certs.bro
+
+		NOTICE([$note=Certificate_Expires_Soon,
+		        $msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
+		        $conn=c, $suppress_for=1day,
+		        $identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cert_hash)]);

testing/btest/Baseline/doc.sphinx.test/btest-doc.sphinx.test.rst

@@ -1,13 +0,0 @@
-.. code-block:: none
-
-  # bro -r wikipedia.trace
-
-.. code-block:: none
-
-  # cat http.log | bro-cut ts id.orig_h | head -5
-  1300475168.843894	141.142.220.118
-  1300475168.975800	141.142.220.118
-  1300475168.976327	141.142.220.118
-  1300475168.979160	141.142.220.118
-  1300475169.012666	141.142.220.118
-

testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1

@@ -1,12 +1,18 @@
 .. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
+
+  # bro -r wikipedia.trace
+
+.. code-block:: guess
+   :linenos:
 
-  # bro -r wikipedia.trace && head -15 conn.log
   #separator \x09
   #set_separator	,
   #empty_field	(empty)
   #unset_field	-
   #path	conn
-  #open	2013-08-22-22-52-46
+  #open	2013-08-30-23-20-51
   #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
   #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	table[string]
   1300475167.096535	UWkUyAuUGXf	141.142.220.202	5353	224.0.0.251	5353	udp	dns	-	-	-	S0	-	0	D	1	73	0	0	(empty)
@@ -16,4 +22,5 @@
   1300475168.854378	FrJExwHcSal	141.142.220.118	37676	141.142.2.2	53	udp	dns	0.000420	52	99	SF	-	0	Dd	1	80	1	127	(empty)
   1300475168.854837	5OKnoww6xl4	141.142.220.118	40526	141.142.2.2	53	udp	dns	0.000392	38	183	SF	-	0	Dd	1	66	1	211	(empty)
   1300475168.857956	fRFu0wcOle6	141.142.220.118	32902	141.142.2.2	53	udp	dns	0.000317	38	89	SF	-	0	Dd	1	66	1	117	(empty)
+  [...]
 

testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#2

@@ -1,4 +1,6 @@
 .. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
 
   # cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h duration
   141.142.220.202	5353	224.0.0.251	-

testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#3

@@ -1,4 +1,6 @@
 .. code-block:: none
+  :linenos:
+  :emphasize-lines: 1,1
 
   # awk '/^[^#]/ {print $3, $4, $5, $6, $9}' conn.log
   141.142.220.202 5353 224.0.0.251 5353 -