Rename Bro to Zeek in Zeekygen-generated documentation

CHANGES

@@ -1,4 +1,8 @@
 
+2.6-387 | 2019-06-06 18:51:09 -0700
+
+  * Rename Bro to Zeek in Zeekygen-generated documentation (Jon Siwek, Corelight)
+
 2.6-386 | 2019-06-06 17:17:55 -0700
 
   * Add new RDP event: rdp_native_encrytped_data (Anthony Kasza, Corelight)

VERSION

@@ -1 +1 @@
-2.6-386
+2.6-387

doc

@@ -1 +1 @@
-Subproject commit 9ca066677c56d7926ec6a4396b7ef02cb0b3958a
+Subproject commit 46801e2b553ae71623710fbc0b67fe76552d4597

src/analyzer/protocol/arp/events.bif

@@ -40,7 +40,7 @@ event arp_request%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 			TPA: addr, THA: string%);
 
-## Generated for ARP packets that Bro cannot interpret. Examples are packets
+## Generated for ARP packets that Zeek cannot interpret. Examples are packets
 ## with non-standard hardware address formats or hardware addresses that do not
 ## match the originator of the packet.
 ##
@@ -56,8 +56,8 @@ event arp_reply%(mac_src: string, mac_dst: string, SPA: addr, SHA: string,
 ##
 ## .. zeek:see:: arp_reply arp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event bad_arp%(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string%);

src/analyzer/protocol/dns/events.bif

@@ -1,7 +1,7 @@
 ## Generated for all DNS messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -26,7 +26,7 @@ event dns_message%(c: connection, is_orig: bool, msg: dns_msg, len: count%);
 ## is raised once for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -55,7 +55,7 @@ event dns_request%(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 ## the reply; there's no stateful correlation with the query.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -81,7 +81,7 @@ event dns_rejected%(c: connection, msg: dns_msg, query: string, qtype: count, qc
 ## Generated for each entry in the Question section of a DNS reply.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -109,7 +109,7 @@ event dns_query_reply%(c: connection, msg: dns_msg, query: string,
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -134,7 +134,7 @@ event dns_A_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -159,7 +159,7 @@ event dns_AAAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -184,7 +184,7 @@ event dns_A6_reply%(c: connection, msg: dns_msg, ans: dns_answer, a: addr%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -209,7 +209,7 @@ event dns_NS_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%)
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -234,7 +234,7 @@ event dns_CNAME_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: strin
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -259,7 +259,7 @@ event dns_PTR_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -284,7 +284,7 @@ event dns_SOA_reply%(c: connection, msg: dns_msg, ans: dns_answer, soa: dns_soa%
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -307,7 +307,7 @@ event dns_WKS_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -330,7 +330,7 @@ event dns_HINFO_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -357,7 +357,7 @@ event dns_MX_reply%(c: connection, msg: dns_msg, ans: dns_answer, name: string,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -401,7 +401,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -433,7 +433,7 @@ event dns_CAA_reply%(c: connection, msg: dns_msg, ans: dns_answer, flags: count,
 event dns_SRV_reply%(c: connection, msg: dns_msg, ans: dns_answer, target: string, priority: count, weight: count, p: count%);
 
 ## Generated on DNS reply resource records when the type of record is not one
-## that Bro knows how to parse and generate another more specific event.
+## that Zeek knows how to parse and generate another more specific event.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
 ##    transport-layer session being analyzed.
@@ -451,7 +451,7 @@ event dns_unknown_reply%(c: connection, msg: dns_msg, ans: dns_answer%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -474,7 +474,7 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ## an individual event of the corresponding type is raised for each.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -565,7 +565,7 @@ event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 ## all resource records have been passed on.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
-## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## information about the DNS protocol. Zeek analyzes both UDP and TCP DNS
 ## sessions.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -590,6 +590,6 @@ event dns_full_request%(%);
 
 ## msg: The raw DNS payload.
 ##
-## .. note:: This event is deprecated and superseded by Bro's dynamic protocol
+## .. note:: This event is deprecated and superseded by Zeek's dynamic protocol
 ##    detection framework.
 event non_dns_request%(c: connection, msg: string%);

src/analyzer/protocol/finger/events.bif

@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: finger_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_request%(c: connection, full: bool, username: string, hostname: string%);
 
@@ -30,9 +30,9 @@ event finger_request%(c: connection, full: bool, username: string, hostname: str
 ##
 ## .. zeek:see:: finger_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event finger_reply%(c: connection, reply_line: string%);
 

src/analyzer/protocol/gnutella/events.bif

@@ -7,9 +7,9 @@
 ##    gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found
 ##
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 
@@ -21,9 +21,9 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%);
 ## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 				ttl: count, hops: count, msg_len: count,
@@ -38,9 +38,9 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count,
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_not_establish  gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_partial_binary_msg%(c: connection, orig: bool,
 					msg: string, len: count%);
@@ -53,9 +53,9 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## .. zeek:see:: gnutella_binary_msg  gnutella_http_notify gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_establish%(c: connection%);
 
@@ -67,9 +67,9 @@ event gnutella_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_not_establish%(c: connection%);
 
@@ -81,8 +81,8 @@ event gnutella_not_establish%(c: connection%);
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
 ##    gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event gnutella_http_notify%(c: connection%);

src/analyzer/protocol/http/events.bif

@@ -1,5 +1,5 @@
 
-## Generated for HTTP requests. Bro supports persistent and pipelined HTTP
+## Generated for HTTP requests. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a request's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -22,7 +22,7 @@
 ##    truncate_http_URI http_connection_upgrade
 event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%);
 
-## Generated for HTTP replies. Bro supports persistent and pipelined HTTP
+## Generated for HTTP replies. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues. This event is generated as soon as a reply's initial line has
 ## been parsed, and before any :zeek:id:`http_header` events are raised.
@@ -43,7 +43,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap
 ##    http_stats http_connection_upgrade
 event http_reply%(c: connection, version: string, code: count, reason: string%);
 
-## Generated for HTTP headers. Bro supports persistent and pipelined HTTP
+## Generated for HTTP headers. Zeek supports persistent and pipelined HTTP
 ## sessions and raises corresponding events as it parses client/server
 ## dialogues.
 ##
@@ -67,7 +67,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%);
 event http_header%(c: connection, is_orig: bool, name: string, value: string%);
 
 ## Generated for HTTP headers, passing on all headers of an HTTP message at
-## once. Bro supports persistent and pipelined HTTP sessions and raises
+## once. Zeek supports persistent and pipelined HTTP sessions and raises
 ## corresponding events as it parses client/server dialogues.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -92,7 +92,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%);
 ## Generated when starting to parse an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event just before it starts parsing each entity's
+## entities. Zeek raises this event just before it starts parsing each entity's
 ## content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -111,7 +111,7 @@ event http_begin_entity%(c: connection, is_orig: bool%);
 ## Generated when finishing parsing an HTTP body entity. This event is generated
 ## at least once for each non-empty (client or server) HTTP body; and
 ## potentially more than once if the body contains further nested MIME
-## entities. Bro raises this event at the point when it has finished parsing an
+## entities. Zeek raises this event at the point when it has finished parsing an
 ## entity's content.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol>`__
@@ -181,7 +181,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin
 ##    entities.
 event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string%);
 
-## Generated once at the end of parsing an HTTP message. Bro supports persistent
+## Generated once at the end of parsing an HTTP message. Zeek supports persistent
 ## and pipelined HTTP sessions and raises corresponding events as it parses
 ## client/server dialogues. A "message" is one top-level HTTP entity, such as a
 ## complete request or reply. Each message can have further nested sub-entities

src/analyzer/protocol/icmp/events.bif

@@ -1,5 +1,5 @@
 ## Generated for all ICMP messages that are not handled separately with
-## dedicated ICMP events. Bro's ICMP analyzer handles a number of ICMP messages
+## dedicated ICMP events. Zeek's ICMP analyzer handles a number of ICMP messages
 ## directly with dedicated events. This event acts as a fallback for those it
 ## doesn't.
 ##
@@ -70,7 +70,7 @@ event icmp_echo_request%(c: connection, icmp: icmp_conn, id: count, seq: count,
 event icmp_echo_reply%(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string%);
 
 ## Generated for all ICMPv6 error messages that are not handled
-## separately with dedicated events. Bro's ICMP analyzer handles a number
+## separately with dedicated events. Zeek's ICMP analyzer handles a number
 ## of ICMP error messages directly with dedicated events. This event acts
 ## as a fallback for those it doesn't.
 ##
@@ -107,7 +107,7 @@ event icmp_error_message%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *unreachable*
 ##          includes only a partial IP header for some reason, no
 ##          fields of *context* will be filled out.
@@ -131,7 +131,7 @@ event icmp_unreachable%(c: connection, icmp: icmp_conn, code: count, context: ic
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Too big* messages should include the original IP header
-##          from the packet that triggered them, and Bro parses that into
+##          from the packet that triggered them, and Zeek parses that into
 ##          the *context* structure. Note that if the *too big* includes only
 ##          a partial IP header for some reason, no fields of *context* will
 ##          be filled out.
@@ -155,7 +155,7 @@ event icmp_packet_too_big%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Unreachable* messages should include the original IP
-##          header from the packet that triggered them, and Bro parses that
+##          header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *exceeded* includes
 ##          only a partial IP header for some reason, no fields of *context*
 ##          will be filled out.
@@ -179,7 +179,7 @@ event icmp_time_exceeded%(c: connection, icmp: icmp_conn, code: count, context:
 ##
 ## context: A record with specifics of the original packet that the message
 ##          refers to. *Parameter problem* messages should include the original
-##          IP header from the packet that triggered them, and Bro parses that
+##          IP header from the packet that triggered them, and Zeek parses that
 ##          into the *context* structure. Note that if the *parameter problem*
 ##          includes only a partial IP header for some reason, no fields
 ##          of *context* will be filled out.

src/analyzer/protocol/ident/events.bif

@@ -11,9 +11,9 @@
 ##
 ## .. zeek:see:: ident_error ident_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_request%(c: connection, lport: port, rport: port%);
 
@@ -34,9 +34,9 @@ event ident_request%(c: connection, lport: port, rport: port%);
 ##
 ## .. zeek:see:: ident_error  ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_reply%(c: connection, lport: port, rport: port, user_id: string, system: string%);
 
@@ -55,9 +55,9 @@ event ident_reply%(c: connection, lport: port, rport: port, user_id: string, sys
 ##
 ## .. zeek:see:: ident_reply ident_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ident_error%(c: connection, lport: port, rport: port, line: string%);
 

src/analyzer/protocol/login/events.bif

@@ -21,9 +21,9 @@
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_request%(c: connection, client_user: string, server_user: string, line: string, new_session: bool%);
 
@@ -48,9 +48,9 @@ event rsh_request%(c: connection, client_user: string, server_user: string, line
 ## .. note:: For historical reasons, these events are separate from the
 ##    ``login_`` events. Ideally, they would all be handled uniquely.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event rsh_reply%(c: connection, client_user: string, server_user: string, line: string%);
 
@@ -79,12 +79,12 @@ event rsh_reply%(c: connection, client_user: string, server_user: string, line:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeeks's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_failure%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -114,12 +114,12 @@ event login_failure%(c: connection, user: string, client_user: string, password:
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying login attempts. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_success%(c: connection, user: string, client_user: string, password: string, line: string%);
@@ -134,9 +134,9 @@ event login_success%(c: connection, user: string, client_user: string, password:
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_output_line login_prompt login_success login_terminal    rsh_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_input_line%(c: connection, line: string%);
@@ -151,14 +151,14 @@ event login_input_line%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line  login_prompt login_success login_terminal rsh_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_output_line%(c: connection, line: string%);
 
-## Generated when tracking of Telnet/Rlogin authentication failed. As Bro's
+## Generated when tracking of Telnet/Rlogin authentication failed. As Zeek's
 ## *login* analyzer uses a number of heuristics to extract authentication
 ## information, it may become confused. If it can no longer correctly track
 ## the authentication dialog, it raises this event.
@@ -178,9 +178,9 @@ event login_output_line%(c: connection, line: string%);
 ##    login_failure_msgs login_non_failure_msgs login_prompts login_success_msgs
 ##    login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused%(c: connection, msg: string, line: string%);
@@ -199,9 +199,9 @@ event login_confused%(c: connection, msg: string, line: string%);
 ##    get_login_state login_failure_msgs login_non_failure_msgs login_prompts
 ##    login_success_msgs login_timeouts set_login_state
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_confused_text%(c: connection, line: string%);
@@ -216,9 +216,9 @@ event login_confused_text%(c: connection, line: string%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line login_prompt login_success
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_terminal%(c: connection, terminal: string%);
@@ -233,9 +233,9 @@ event login_terminal%(c: connection, terminal: string%);
 ## .. zeek:see:: login_confused login_confused_text  login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_display%(c: connection, display: string%);
@@ -258,9 +258,9 @@ event login_display%(c: connection, display: string%);
 ##    while :zeek:id:`login_success` heuristically determines success by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_accepted%(name: string, c: connection%);
@@ -283,9 +283,9 @@ event authentication_accepted%(name: string, c: connection%);
 ##    while :zeek:id:`login_success` heuristically determines failure by watching
 ##    session data.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_rejected%(name: string, c: connection%);
@@ -304,12 +304,12 @@ event authentication_rejected%(name: string, c: connection%);
 ##
 ## .. note:: The login analyzer depends on a set of script-level variables that
 ##    need to be configured with patterns identifying activity. This
-##    configuration has not yet been ported over from Bro 1.5 to Bro 2.x, and
+##    configuration has not yet been ported, and
 ##    the analyzer is therefore not directly usable at the moment.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event authentication_skipped%(c: connection%);
@@ -328,9 +328,9 @@ event authentication_skipped%(c: connection%);
 ## .. zeek:see:: login_confused login_confused_text login_display login_failure
 ##    login_input_line login_output_line  login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event login_prompt%(c: connection, prompt: string%);
@@ -380,9 +380,9 @@ event inconsistent_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option%(c: connection%);
@@ -399,9 +399,9 @@ event bad_option%(c: connection%);
 ##    login_confused_text login_display login_failure login_input_line
 ##    login_output_line login_prompt login_success login_terminal
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event bad_option_termination%(c: connection%);

src/analyzer/protocol/mime/events.bif

@@ -1,9 +1,9 @@
 ## Generated when starting to parse an email MIME entity. MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## begins parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -13,16 +13,16 @@
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_begin_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_begin_entity` instead.
 event mime_begin_entity%(c: connection%);
 
 ## Generated when finishing parsing an email MIME entity.  MIME is a
 ## protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. Bro raises this event when it
+## corresponding metadata, for transmission. Zeek raises this event when it
 ## finished parsing a MIME entity extracted from an email protocol.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -32,7 +32,7 @@ event mime_begin_entity%(c: connection%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data smtp_data
 ##    http_end_entity
 ##
-## .. note:: Bro also extracts MIME entities from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME entities from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_end_entity` instead.
 event mime_end_entity%(c: connection%);
 
@@ -40,7 +40,7 @@ event mime_end_entity%(c: connection%);
 ## entities.  MIME is a protocol-independent data format for encoding text and
 ## files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -52,7 +52,7 @@ event mime_end_entity%(c: connection%);
 ##    mime_end_entity mime_entity_data mime_event  mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_one_header%(c: connection, h: mime_header_rec%);
 
@@ -60,7 +60,7 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ## headers at once.  MIME is a protocol-independent data format for encoding
 ## text and files, along with corresponding metadata, for transmission.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -74,21 +74,21 @@ event mime_one_header%(c: connection, h: mime_header_rec%);
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##    http_header  http_all_headers
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_header` instead.
 event mime_all_headers%(c: connection, hlist: mime_header_list%);
 
 ## Generated for chunks of decoded MIME data from email MIME entities.  MIME
 ## is a protocol-independent data format for encoding text and files, along with
-## corresponding metadata, for transmission. As Bro parses the data of an
+## corresponding metadata, for transmission. As Zeek parses the data of an
 ## entity, it raises a sequence of these events, each coming as soon as a new
 ## chunk of data is available. In contrast, there is also
 ## :zeek:id:`mime_entity_data`, which passes all of an entities data at once
 ## in a single block. While the latter is more convenient to handle,
-## ``mime_segment_data`` is more efficient as Bro does not need to buffer
+## ``mime_segment_data`` is more efficient as Zeek does not need to buffer
 ## the data. Thus, if possible, this event should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -102,7 +102,7 @@ event mime_all_headers%(c: connection, hlist: mime_header_list%);
 ##    mime_end_entity mime_entity_data mime_event mime_one_header http_entity_data
 ##    mime_segment_length mime_segment_overlap_length
 ##
-## .. note:: Bro also extracts MIME data from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME data from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_entity_data` (sic!) instead.
 event mime_segment_data%(c: connection, length: count, data: string%);
 
@@ -111,10 +111,10 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## and base64 data decoded. In contrast, there is also :zeek:id:`mime_segment_data`,
 ## which passes on a sequence of data chunks as they come in. While
 ## ``mime_entity_data`` is more convenient to handle, ``mime_segment_data`` is
-## more efficient as Bro does not need to buffer the data. Thus, if possible,
+## more efficient as Zeek does not need to buffer the data. Thus, if possible,
 ## the latter should be preferred.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -127,7 +127,7 @@ event mime_segment_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity  mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_entity_data%(c: connection, length: count, data: string%);
 
@@ -137,7 +137,7 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## of the potentially significant buffering necessary, using this event can be
 ## expensive.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -150,13 +150,13 @@ event mime_entity_data%(c: connection, length: count, data: string%);
 ## .. zeek:see::  mime_all_headers mime_begin_entity mime_content_hash mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_all_data%(c: connection, length: count, data: string%);
 
 ## Generated for errors found when decoding email MIME entities.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -170,15 +170,15 @@ event mime_all_data%(c: connection, length: count, data: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_content_hash
 ##    mime_end_entity mime_entity_data  mime_one_header mime_segment_data http_event
 ##
-## .. note:: Bro also extracts MIME headers from HTTP sessions. For those,
+## .. note:: Zeek also extracts MIME headers from HTTP sessions. For those,
 ##    however, it raises :zeek:id:`http_event` instead.
 event mime_event%(c: connection, event_type: string, detail: string%);
 
 ## Generated for decoded MIME entities extracted from email messages, passing on
-## their MD5 checksums. Bro computes the MD5 over the complete decoded data of
+## their MD5 checksums. Zeek computes the MD5 over the complete decoded data of
 ## each MIME entity.
 ##
-## Bro's MIME analyzer for emails currently supports SMTP and POP3. See
+## Zeek's MIME analyzer for emails currently supports SMTP and POP3. See
 ## `Wikipedia <http://en.wikipedia.org/wiki/MIME>`__ for more information
 ## about MIME.
 ##
@@ -191,7 +191,7 @@ event mime_event%(c: connection, event_type: string, detail: string%);
 ## .. zeek:see:: mime_all_data mime_all_headers mime_begin_entity mime_end_entity
 ##    mime_entity_data mime_event mime_one_header mime_segment_data
 ##
-## .. note:: While Bro also decodes MIME entities extracted from HTTP
+## .. note:: While Zeek also decodes MIME entities extracted from HTTP
 ##    sessions, there's no corresponding event for that currently.
 event mime_content_hash%(c: connection, content_len: count, hash_value: string%);
 

src/analyzer/protocol/ncp/events.bif

@@ -13,9 +13,9 @@
 ##
 ## .. zeek:see:: ncp_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_request%(c: connection, frame_type: count, length: count, func: count%);
 
@@ -38,9 +38,9 @@ event ncp_request%(c: connection, frame_type: count, length: count, func: count%
 ##
 ## .. zeek:see:: ncp_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ncp_reply%(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count%);
 

src/analyzer/protocol/netbios/events.bif

@@ -1,10 +1,10 @@
-## Generated for all NetBIOS SSN and DGM messages. Bro's NetBIOS analyzer
+## Generated for all NetBIOS SSN and DGM messages. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -21,22 +21,22 @@
 ##    netbios_session_ret_arg_resp  decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, data_len: count%);
 
-## Generated for NetBIOS messages of type *session request*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *session request*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -49,22 +49,22 @@ event netbios_session_message%(c: connection, is_orig: bool, msg_type: count, da
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_request%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *positive session response*. Bro's
+## Generated for NetBIOS messages of type *positive session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -77,22 +77,22 @@ event netbios_session_request%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_accepted%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *negative session response*. Bro's
+## Generated for NetBIOS messages of type *negative session response*. Zeek's
 ## NetBIOS analyzer processes the NetBIOS session service running on TCP port
 ## 139, and (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -105,12 +105,12 @@ event netbios_session_accepted%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_rejected%(c: connection, msg: string%);
 
@@ -122,7 +122,7 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -137,25 +137,25 @@ event netbios_session_rejected%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event. In fact, it's probably an odd event
 ##    to have to begin with.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 
-## Generated for NetBIOS messages of type *retarget response*. Bro's NetBIOS
+## Generated for NetBIOS messages of type *retarget response*. Zeek's NetBIOS
 ## analyzer processes the NetBIOS session service running on TCP port 139, and
 ## (despite its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -168,24 +168,24 @@ event netbios_session_raw_message%(c: connection, is_orig: bool, msg: string%);
 ##    netbios_session_request decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
 ## .. todo:: This is an oddly named event.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 
-## Generated for NetBIOS messages of type *keep-alive*. Bro's NetBIOS analyzer
+## Generated for NetBIOS messages of type *keep-alive*. Zeek's NetBIOS analyzer
 ## processes the NetBIOS session service running on TCP port 139, and (despite
 ## its name!) the NetBIOS datagram service on UDP port 138.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/NetBIOS>`__ for more information
 ## about NetBIOS.  :rfc:`1002` describes
-## the packet format for NetBIOS over TCP/IP, which Bro parses.
+## the packet format for NetBIOS over TCP/IP, which Zeek parses.
 ##
 ## c: The connection, which may be TCP or UDP, depending on the type of the
 ##    NetBIOS session.
@@ -198,12 +198,12 @@ event netbios_session_ret_arg_resp%(c: connection, msg: string%);
 ##    netbios_session_ret_arg_resp decode_netbios_name decode_netbios_name_type
 ##
 ## .. note:: These days, NetBIOS is primarily used as a transport mechanism for
-##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Bro's
+##    `SMB/CIFS <http://en.wikipedia.org/wiki/Server_Message_Block>`__. Zeek's
 ##    SMB analyzer parses both SMB-over-NetBIOS and SMB-over-TCP on port 445.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event netbios_session_keepalive%(c: connection, msg: string%);
 

src/analyzer/protocol/ntp/events.bif

@@ -1,4 +1,4 @@
-## Generated for all NTP messages. Different from many other of Bro's events,
+## Generated for all NTP messages. Different from many other of Zeek's events,
 ## this one is generated for both client-side and server-side messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Network_Time_Protocol>`__ for
@@ -8,14 +8,14 @@
 ##
 ## msg: The parsed NTP message.
 ##
-## excess: The raw bytes of any optional parts of the NTP packet. Bro does not
+## excess: The raw bytes of any optional parts of the NTP packet. Zeek does not
 ##         further parse any optional fields.
 ##
 ## .. zeek:see:: ntp_session_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event ntp_message%(u: connection, msg: ntp_msg, excess: string%);
 

src/analyzer/protocol/pop3/events.bif

@@ -15,9 +15,9 @@
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_request%(c: connection, is_orig: bool,
 			command: string, arg: string%);
@@ -42,9 +42,9 @@ event pop3_request%(c: connection, is_orig: bool,
 ##
 ## .. todo:: This event is receiving odd parameters, should unify.
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 
@@ -65,9 +65,9 @@ event pop3_reply%(c: connection, is_orig: bool, cmd: string, msg: string%);
 ## .. zeek:see:: pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_data%(c: connection, is_orig: bool, data: string%);
 
@@ -88,9 +88,9 @@ event pop3_data%(c: connection, is_orig: bool, data: string%);
 ##
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_unexpected%(c: connection, is_orig: bool,
 			msg: string, detail: string%);
@@ -108,9 +108,9 @@ event pop3_unexpected%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply
 ##    pop3_request pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_starttls%(c: connection%);
 
@@ -131,9 +131,9 @@ event pop3_starttls%(c: connection%);
 ## .. zeek:see:: pop3_data pop3_login_failure pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_success%(c: connection, is_orig: bool,
 				user: string, password: string%);
@@ -155,9 +155,9 @@ event pop3_login_success%(c: connection, is_orig: bool,
 ## .. zeek:see:: pop3_data pop3_login_success pop3_reply pop3_request
 ##    pop3_unexpected
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pop3_login_failure%(c: connection, is_orig: bool,
 				user: string, password: string%);

src/analyzer/protocol/rpc/events.bif

@@ -15,9 +15,9 @@
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 
@@ -43,9 +43,9 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%);
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%);
 
@@ -71,9 +71,9 @@ event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NF
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%);
 
@@ -99,9 +99,9 @@ event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::lookup_reply_t%);
 
@@ -127,9 +127,9 @@ event nfs_proc_lookup%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##    NFS3::return_data NFS3::return_data_first_only NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, rep: NFS3::read_reply_t%);
 
@@ -155,9 +155,9 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_symlink rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%);
 
@@ -183,9 +183,9 @@ event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -211,9 +211,9 @@ event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkarg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    nfs_proc_symlink rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%);
 
@@ -240,9 +240,9 @@ event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, r
 ##    rpc_dialogue rpc_reply NFS3::return_data NFS3::return_data_first_only
 ##    NFS3::return_data_max
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t, rep: NFS3::write_reply_t%);
 
@@ -268,9 +268,9 @@ event nfs_proc_write%(c: connection, info: NFS3::info_t, req: NFS3::writeargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -296,9 +296,9 @@ event nfs_proc_create%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status
 ##    rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::newobj_reply_t%);
 
@@ -324,9 +324,9 @@ event nfs_proc_mkdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink  nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -352,9 +352,9 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t
 ##    nfs_proc_readlink nfs_proc_remove  nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%);
 
@@ -380,9 +380,9 @@ event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t,
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write
 ##    nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%);
 
@@ -408,13 +408,13 @@ event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameoparg
 ##    nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirargs_t, rep: NFS3::readdir_reply_t%);
 
-## Generated for NFSv3 request/reply dialogues of a type that Bro's NFSv3
+## Generated for NFSv3 request/reply dialogues of a type that Zeek's NFSv3
 ## analyzer does not implement.
 ##
 ## NFS is a service running on top of RPC. See `Wikipedia
@@ -425,15 +425,15 @@ event nfs_proc_readdir%(c: connection, info: NFS3::info_t, req: NFS3::readdirarg
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir
 ##    nfs_proc_null nfs_proc_read nfs_proc_readdir nfs_proc_readlink nfs_proc_remove
 ##    nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::proc_t%);
 
@@ -449,9 +449,9 @@ event nfs_proc_not_implemented%(c: connection, info: NFS3::info_t, proc: NFS3::p
 ##    nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 
@@ -468,9 +468,9 @@ event nfs_reply_status%(n: connection, info: NFS3::info_t%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_null%(r: connection%);
 
@@ -493,9 +493,9 @@ event pm_request_null%(r: connection%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 
@@ -518,9 +518,9 @@ event pm_request_set%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 
@@ -541,9 +541,9 @@ event pm_request_unset%(r: connection, m: pm_mapping, success: bool%);
 ##    pm_attempt_unset pm_attempt_getport pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 
@@ -563,9 +563,9 @@ event pm_request_getport%(r: connection, pr: pm_port_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_dump%(r: connection, m: pm_mappings%);
 
@@ -587,9 +587,9 @@ event pm_request_dump%(r: connection, m: pm_mappings%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 
@@ -610,9 +610,9 @@ event pm_request_callit%(r: connection, call: pm_callit_request, p: port%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_null%(r: connection, status: rpc_status%);
 
@@ -635,9 +635,9 @@ event pm_attempt_null%(r: connection, status: rpc_status%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -660,9 +660,9 @@ event pm_attempt_set%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_dump pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 
@@ -684,9 +684,9 @@ event pm_attempt_unset%(r: connection, status: rpc_status, m: pm_mapping%);
 ##    pm_attempt_null pm_attempt_set pm_attempt_unset pm_attempt_dump
 ##    pm_attempt_callit pm_bad_port rpc_call rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request%);
 
@@ -707,9 +707,9 @@ event pm_attempt_getport%(r: connection, status: rpc_status, pr: pm_port_request
 ##    pm_attempt_getport pm_attempt_callit pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_dump%(r: connection, status: rpc_status%);
 
@@ -732,9 +732,9 @@ event pm_attempt_dump%(r: connection, status: rpc_status%);
 ##    pm_attempt_getport pm_attempt_dump pm_bad_port rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_request%);
 
@@ -757,9 +757,9 @@ event pm_attempt_callit%(r: connection, status: rpc_status, call: pm_callit_requ
 ##    pm_attempt_getport pm_attempt_dump pm_attempt_callit rpc_call
 ##    rpc_dialogue rpc_reply
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event pm_bad_port%(r: connection, bad_p: count%);
 
@@ -792,9 +792,9 @@ event pm_bad_port%(r: connection, bad_p: count%);
 ## .. zeek:see:: rpc_call rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status: rpc_status, start_time: time, call_len: count, reply_len: count%);
@@ -819,9 +819,9 @@ event rpc_dialogue%(c: connection, prog: count, ver: count, proc: count, status:
 ## .. zeek:see::  rpc_dialogue rpc_reply dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count%);
@@ -843,9 +843,9 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count,
 ## .. zeek:see:: rpc_call rpc_dialogue  dce_rpc_bind dce_rpc_message dce_rpc_request
 ##    dce_rpc_response rpc_timeout
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to add a
+##    been ported. To still enable this event, one needs to add a
 ##    call to :zeek:see:`Analyzer::register_for_ports` or a DPD payload
 ##    signature.
 event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%);
@@ -862,9 +862,9 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 
@@ -885,9 +885,9 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%);
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%);
 
@@ -905,9 +905,9 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
@@ -925,27 +925,27 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%);
 
-## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3
+## Generated for MOUNT3 request/reply dialogues of a type that Zeek's MOUNTv3
 ## analyzer does not implement.
 ##
 ## c: The RPC connection.
 ##
 ## info: Reports the status of the dialogue, along with some meta information.
 ##
-## proc: The procedure called that Bro does not implement.
+## proc: The procedure called that Zeek does not implement.
 ##
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%);
 
@@ -959,8 +959,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU
 ## .. zeek:see:: mount_proc_mnt mount_proc_umnt
 ##    mount_proc_umnt_all mount_proc_not_implemented
 ##
-## .. todo:: Bro's current default configuration does not activate the protocol
+## .. todo:: Zeek's current default configuration does not activate the protocol
 ##    analyzer that generates this event; the corresponding script has not yet
-##    been ported to Bro 2.x. To still enable this event, one needs to
+##    been ported. To still enable this event, one needs to
 ##    register a port for it or add a DPD payload signature.
 event mount_reply_status%(n: connection, info: MOUNT3::info_t%);

src/analyzer/protocol/smb/smb1_events.bif

@@ -2,7 +2,7 @@
 ## messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

src/analyzer/protocol/smb/smb2_events.bif

@@ -2,7 +2,7 @@
 ## version 2 messages.
 ##
 ## See `Wikipedia <http://en.wikipedia.org/wiki/Server_Message_Block>`__ for more information about the
-## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Bro's
+## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` protocol. Zeek's
 ## :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` analyzer parses
 ## both :abbr:`SMB (Server Message Block)`-over-:abbr:`NetBIOS (Network Basic Input/Output System)` on
 ## ports 138/139 and :abbr:`SMB (Server Message Block)`-over-TCP on port 445.

src/analyzer/protocol/smtp/events.bif

@@ -20,7 +20,7 @@
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data smtp_reply
 ##
-## .. note:: Bro does not support the newer ETRN extension yet.
+## .. note:: Zeek does not support the newer ETRN extension yet.
 event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%);
 
 ## Generated for server-side SMTP commands.
@@ -51,7 +51,7 @@ event smtp_request%(c: connection, is_orig: bool, command: string, arg: string%)
 ##    mime_end_entity mime_entity_data mime_event mime_one_header mime_segment_data
 ##    smtp_data  smtp_request
 ##
-## .. note:: Bro doesn't support the newer ETRN extension yet.
+## .. note:: Zeek doesn't support the newer ETRN extension yet.
 event smtp_reply%(c: connection, is_orig: bool, code: count, cmd: string, msg: string, cont_resp: bool%);
 
 ## Generated for DATA transmitted on SMTP sessions. This event is raised for

src/analyzer/protocol/ssl/events.bif

@@ -1,5 +1,5 @@
 ## Generated for an SSL/TLS client's initial *hello* message.  SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -38,7 +38,7 @@
 event ssl_client_hello%(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%);
 
 ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions
-## start with an unencrypted handshake, and Bro extracts as much information out
+## start with an unencrypted handshake, and Zeek extracts as much information out
 ## of that as it can. This event provides access to the initial information
 ## sent by the client.
 ##
@@ -80,11 +80,11 @@ event ssl_client_hello%(c: connection, version: count, record_version: count, po
 event ssl_server_hello%(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%);
 
 ## Generated for SSL/TLS extensions seen in an initial handshake.  SSL/TLS
-## sessions start with an unencrypted handshake, and Bro extracts as much
+## sessions start with an unencrypted handshake, and Zeek extracts as much
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
-## Note that Bro offers more specialized events for a few extensions.
+## Note that Zeek offers more specialized events for a few extensions.
 ##
 ## c: The connection.
 ##
@@ -385,7 +385,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions:
 event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event signals the time when an SSL/TLS has finished the
 ## handshake and its endpoints consider it as fully established. Typically,
 ## everything from now on will be encrypted.
@@ -400,7 +400,7 @@ event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes:
 event ssl_established%(c: connection%);
 
 ## Generated for SSL/TLS alert records. SSL/TLS sessions start with an
-## unencrypted handshake, and Bro extracts as much information out of that as
+## unencrypted handshake, and Zeek extracts as much information out of that as
 ## it can. If during that handshake, an endpoint encounters a fatal error, it
 ## sends an *alert* record, that in turn triggers this event. After an *alert*,
 ## any endpoint may close the connection immediately.
@@ -424,7 +424,7 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 
 ## Generated for SSL/TLS handshake messages that are a part of the
 ## stateless-server session resumption mechanism. SSL/TLS sessions start with
-## an unencrypted handshake, and Bro extracts as much information out of that
+## an unencrypted handshake, and Zeek extracts as much information out of that
 ## as it can. This event is raised when an SSL/TLS server passes a session
 ## ticket to the client that can later be used for resuming the session. The
 ## mechanism is described in :rfc:`4507`.
@@ -468,7 +468,7 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ## Generated for SSL/TLS messages that are sent before full session encryption
 ## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
 ## here this event will be raised for early packets that are already using
-## pre-encryption.  # This event is also used by Bro internally to determine if
+## pre-encryption.  # This event is also used by Zeek internally to determine if
 ## the connection has been completely setup. This is necessary as TLS 1.3 does
 ## not have CCS anymore.
 ##

src/analyzer/protocol/syslog/events.bif

@@ -12,6 +12,6 @@
 ##
 ## msg: The message logged.
 ##
-## .. note:: Bro currently parses only UDP syslog traffic. Support for TCP
+## .. note:: Zeek currently parses only UDP syslog traffic. Support for TCP
 ##    syslog will be added soon.
 event syslog_message%(c: connection, facility: count, severity: count, msg: string%);

src/analyzer/protocol/tcp/events.bif

@@ -1,6 +1,6 @@
 
 ## Generated when reassembly starts for a TCP connection. This event is raised
-## at the moment when Bro's TCP analyzer enables stream reassembly for a
+## at the moment when Zeek's TCP analyzer enables stream reassembly for a
 ## connection.
 ##
 ## c: The connection.
@@ -47,8 +47,8 @@ event connection_attempt%(c: connection%);
 ##    new_connection new_connection_contents partial_connection
 event connection_established%(c: connection%);
 
-## Generated for a new active TCP connection if Bro did not see the initial
+## Generated for a new active TCP connection if Zeek did not see the initial
-## handshake. This event is raised when Bro has observed traffic from each
+## handshake. This event is raised when Zeek has observed traffic from each
 ## endpoint, but the activity did not begin with the usual connection
 ## establishment.
 ##
@@ -65,7 +65,7 @@ event partial_connection%(c: connection%);
 
 ## Generated when a previously inactive endpoint attempts to close a TCP
 ## connection via a normal FIN handshake or an abort RST sequence. When the
-## endpoint sent one of these packets, Bro waits
+## endpoint sent one of these packets, Zeek waits
 ## :zeek:id:`tcp_partial_close_delay` prior to generating the event, to give
 ## the other endpoint a chance to close the connection normally.
 ##
@@ -94,7 +94,7 @@ event connection_finished%(c: connection%);
 
 ## Generated when one endpoint of a TCP connection attempted to gracefully close
 ## the connection, but the other endpoint is in the TCP_INACTIVE state. This can
-## happen due to split routing, in which Bro only sees one side of a connection.
+## happen due to split routing, in which Zeek only sees one side of a connection.
 ##
 ## c: The connection.
 ##
@@ -123,7 +123,7 @@ event connection_half_finished%(c: connection%);
 ##
 ##    If the responder does not respond at all, :zeek:id:`connection_attempt` is
 ##    raised instead. If the responder initially accepts the connection but
-##    aborts it later, Bro first generates :zeek:id:`connection_established`
+##    aborts it later, Zeek first generates :zeek:id:`connection_established`
 ##    and then :zeek:id:`connection_reset`.
 event connection_rejected%(c: connection%);
 
@@ -142,7 +142,7 @@ event connection_rejected%(c: connection%);
 ##    partial_connection
 event connection_reset%(c: connection%);
 
-## Generated for each still-open TCP connection when Bro terminates.
+## Generated for each still-open TCP connection when Zeek terminates.
 ##
 ## c: The connection.
 ##
@@ -154,7 +154,7 @@ event connection_reset%(c: connection%);
 ##    new_connection new_connection_contents partial_connection zeek_done
 event connection_pending%(c: connection%);
 
-## Generated for a SYN packet. Bro raises this event for every SYN packet seen
+## Generated for a SYN packet. Zeek raises this event for every SYN packet seen
 ## by its TCP analyzer.
 ##
 ## c: The connection.
@@ -283,11 +283,25 @@ event tcp_option%(c: connection, is_orig: bool, opt: count, optlen: count%);
 ##    application-layer protocol analyzers internally. Subsequent invocations of
 ##    this event for the same connection receive non-overlapping in-order chunks
 ##    of its TCP payload stream. It is however undefined what size each chunk
-##    has; while Bro passes the data on as soon as possible, specifics depend on
+##    has; while Zeek passes the data on as soon as possible, specifics depend on
 ##    network-level effects such as latency, acknowledgements, reordering, etc.
 event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);
 
-## TODO.
+## Generated for each detected TCP segment retransmission.
+##
+## c: The connection the packet is part of.
+##
+## is_orig: True if the packet was sent by the connection's originator.
+##
+## seq: The segment's relative TCP sequence number.
+##
+## len: The length of the TCP segment, as specified in the packet header.
+##
+## data_in_flight: The number of bytes corresponding to the difference between
+##                 the last sequence number and last acknowledgement number
+##                 we've seen for a given endpoint.
+##
+## window: the TCP window size.
 event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%);
 
 ## Generated if a TCP flow crosses a checksum-error threshold, per

src/analyzer/protocol/tcp/functions.bif

@@ -77,7 +77,7 @@ function get_resp_seq%(cid: conn_id%): count
 ##              responder (often the server).
 ##            - ``CONTENTS_BOTH``: Record the data sent in both directions.
 ##              Results in the two directions being intermixed in the file,
-##              in the order the data was seen by Bro.
+##              in the order the data was seen by Zeek.
 ##
 ## f: The file handle of the file to write the contents to.
 ##

src/bro.bif

@@ -4,7 +4,7 @@
 ##! filtering, interprocess communication and controlling protocol analyzer
 ##! behavior.
 ##!
-##! You'll find most of Bro's built-in functions that aren't protocol-specific
+##! You'll find most of Zeek's built-in functions that aren't protocol-specific
 ##! in this file.
 
 %%{ // C segment
@@ -304,7 +304,7 @@ static int next_fmt(const char*& fmt, val_list* args, ODesc* d, int& n)
 ## Returns the current wall-clock time.
 ##
 ## In general, you should use :zeek:id:`network_time` instead
-## unless you are using Bro for non-networking uses (such as general
+## unless you are using Zeek for non-networking uses (such as general
 ## scripting; not particularly recommended), because otherwise your script
 ## may behave very differently on live traffic versus played-back traffic
 ## from a save file.
@@ -364,7 +364,7 @@ function setenv%(var: string, val: string%): bool
 	return val_mgr->GetBool(1);
 	%}
 
-## Shuts down the Bro process immediately.
+## Shuts down the Zeek process immediately.
 ##
 ## code: The exit code to return with.
 ##
@@ -375,12 +375,12 @@ function exit%(code: int%): any
 	return 0;
 	%}
 
-## Gracefully shut down Bro by terminating outstanding processing.
+## Gracefully shut down Zeek by terminating outstanding processing.
 ##
-## Returns: True after successful termination and false when Bro is still in
+## Returns: True after successful termination and false when Zeek is still in
 ##          the process of shutting down.
 ##
-## .. zeek:see:: exit bro_is_terminating
+## .. zeek:see:: exit zeek_is_terminating
 function terminate%(%): bool
 	%{
 	if ( terminating )
@@ -600,7 +600,7 @@ function sha256_hash%(...%): string
 	%}
 
 ## Computes an HMAC-MD5 hash value of the provided list of arguments. The HMAC
-## secret key is generated from available entropy when Bro starts up, or it can
+## secret key is generated from available entropy when Zeek starts up, or it can
 ## be specified for repeatability using the ``-K`` command line flag.
 ##
 ## Returns: The HMAC-MD5 hash value of the concatenated arguments.
@@ -893,7 +893,7 @@ function syslog%(s: string%): any
 	return 0;
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data to find the MIME type for.
@@ -918,7 +918,7 @@ function identify_data%(data: string, return_mime: bool &default=T%): string
 	return new StringVal(strongest_match);
 	%}
 
-## Determines the MIME type of a piece of data using Bro's file magic
+## Determines the MIME type of a piece of data using Zeek's file magic
 ## signatures.
 ##
 ## data: The data for which to find matching MIME types.
@@ -1705,7 +1705,7 @@ function log10%(d: double%): double
 # ===========================================================================
 
 ## Determines whether a connection has been received externally. For example,
-## Broccoli or the Time Machine can send packets to Bro via a mechanism that is
+## Broccoli or the Time Machine can send packets to Zeek via a mechanism that is
 ## one step lower than sending events. This function checks whether the packets
 ## of a connection stem from one of these external *packet sources*.
 ##
@@ -1726,9 +1726,9 @@ function current_analyzer%(%) : count
 	return val_mgr->GetCount(mgr.CurrentAnalyzer());
 	%}
 
-## Returns Bro's process ID.
+## Returns Zeek's process ID.
 ##
-## Returns: Bro's process ID.
+## Returns: Zeek's process ID.
 function getpid%(%) : count
 	%{
 	return val_mgr->GetCount(getpid());
@@ -1780,7 +1780,7 @@ function record_type_to_vector%(rt: string%): string_vec
 	return result;
 	%}
 
-## Returns the type name of an arbitrary Bro variable.
+## Returns the type name of an arbitrary Zeek variable.
 ##
 ## t: An arbitrary object.
 ##
@@ -1796,9 +1796,9 @@ function type_name%(t: any%): string
 	return new StringVal(s);
 	%}
 
-## Checks whether Bro reads traffic from one or more network interfaces (as
+## Checks whether Zeek reads traffic from one or more network interfaces (as
 ## opposed to from a network trace in a file). Note that this function returns
-## true even after Bro has stopped reading network traffic, for example due to
+## true even after Zeek has stopped reading network traffic, for example due to
 ## receiving a termination signal.
 ##
 ## Returns: True if reading traffic from a network interface.
@@ -1809,7 +1809,7 @@ function reading_live_traffic%(%): bool
 	return val_mgr->GetBool(reading_live);
 	%}
 
-## Checks whether Bro reads traffic from a trace file (as opposed to from a
+## Checks whether Zeek reads traffic from a trace file (as opposed to from a
 ## network interface).
 ##
 ## Returns: True if reading traffic from a network trace.
@@ -2098,9 +2098,9 @@ function zeek_is_terminating%(%): bool
 	return val_mgr->GetBool(terminating);
 	%}
 
-## Returns the hostname of the machine Bro runs on.
+## Returns the hostname of the machine Zeek runs on.
 ##
-## Returns: The hostname of the machine Bro runs on.
+## Returns: The hostname of the machine Zeek runs on.
 function gethostname%(%) : string
 	%{
 	char buffer[MAXHOSTNAMELEN];
@@ -3911,7 +3911,7 @@ static bool mmdb_try_open_asn ()
 %%}
 
 ## Initializes MMDB for later use of lookup_location.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind City or Country DB.
 ##
@@ -3928,7 +3928,7 @@ function mmdb_open_location_db%(f: string%) : bool
 	%}
 
 ## Initializes MMDB for later use of lookup_asn.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## f: The filename of the MaxMind ASN DB.
 ##
@@ -3945,7 +3945,7 @@ function mmdb_open_asn_db%(f: string%) : bool
 	%}
 
 ## Performs a geo-lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4030,7 +4030,7 @@ function lookup_location%(a: addr%) : geo_location
 	%}
 
 ## Performs an ASN lookup of an IP address.
-## Requires Bro to be built with ``libmaxminddb``.
+## Requires Zeek to be built with ``libmaxminddb``.
 ##
 ## a: The IP address to lookup.
 ##
@@ -4248,8 +4248,8 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 	return val_mgr->GetBool(1);
 	%}
 
-## Informs Bro that it should skip any further processing of the contents of
+## Informs Zeek that it should skip any further processing of the contents of
-## a given connection. In particular, Bro will refrain from reassembling the
+## a given connection. In particular, Zeek will refrain from reassembling the
 ## TCP byte stream and from generating events relating to any analyzers that
 ## have been processing the connection.
 ##
@@ -4260,7 +4260,7 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 ##
 ## .. note::
 ##
-##     Bro will still generate connection-oriented events such as
+##     Zeek will still generate connection-oriented events such as
 ##     :zeek:id:`connection_finished`.
 function skip_further_processing%(cid: conn_id%): bool
 	%{
@@ -4287,7 +4287,7 @@ function skip_further_processing%(cid: conn_id%): bool
 ##
 ## .. note::
 ##
-##     This is independent of whether Bro processes the packets of this
+##     This is independent of whether Zeek processes the packets of this
 ##     connection, which is controlled separately by
 ##     :zeek:id:`skip_further_processing`.
 ##
@@ -4671,7 +4671,7 @@ function file_size%(f: string%) : double
 
 ## Disables sending :zeek:id:`print_hook` events to remote peers for a given
 ## file. In a
-## distributed setup, communicating Bro instances generate the event
+## distributed setup, communicating Zeek instances generate the event
 ## :zeek:id:`print_hook` for each print statement and send it to the remote
 ## side. When disabled for a particular file, these events will not be
 ## propagated to other peers.
@@ -4958,7 +4958,7 @@ function is_remote_event%(%) : bool
 	return val_mgr->GetBool(mgr.CurrentSource() != SOURCE_LOCAL);
 	%}
 
-## Stops Bro's packet processing. This function is used to synchronize
+## Stops Zeek's packet processing. This function is used to synchronize
 ## distributed trace processing with communication enabled
 ## (*pseudo-realtime* mode).
 ##
@@ -4969,7 +4969,7 @@ function suspend_processing%(%) : any
 	return 0;
 	%}
 
-## Resumes Bro's packet processing.
+## Resumes Zeek's packet processing.
 ##
 ## .. zeek:see:: suspend_processing
 function continue_processing%(%) : any

src/broker/data.bif

@@ -8,7 +8,7 @@
 module Broker;
 
 ## Enumerates the possible types that :zeek:see:`Broker::Data` may be in
-## terms of Bro data types.
+## terms of Zeek data types.
 enum DataType %{
 	NONE,
 	BOOL,

src/const.bif

@@ -1,4 +1,4 @@
-##! Declaration of various scripting-layer constants that the Bro core uses
+##! Declaration of various scripting-layer constants that the Zeek core uses
 ##! internally.  Documentation and default values for the scripting-layer
 ##! variables themselves are found in :doc:`/scripts/base/init-bare.zeek`.
 

src/event.bif

@@ -1,4 +1,4 @@
-##! The protocol-independent events that the C/C++ core of Bro can generate.
+##! The protocol-independent events that the C/C++ core of Zeek can generate.
 ##!
 ##! This is mostly events not related to a specific transport- or
 ##! application-layer protocol, but also includes a few that may be generated
@@ -68,7 +68,7 @@ event zeek_done%(%);
 event bro_done%(%) &deprecated;
 
 ## Generated for every new connection. This event is raised with the first
-## packet of a previously unknown connection. Bro uses a flow-based definition
+## packet of a previously unknown connection. Zeek uses a flow-based definition
 ## of "connection" here that includes not only TCP sessions but also UDP and
 ## ICMP flows.
 ##
@@ -94,7 +94,7 @@ event new_connection%(c: connection%);
 ## *tunnel* field is NOT automatically/internally assigned to the new
 ## encapsulation value of *e* after this event is raised.  If the desired
 ## behavior is to track the latest tunnel encapsulation per-connection,
-## then a handler of this event should assign *e* to ``c$tunnel`` (which Bro's
+## then a handler of this event should assign *e* to ``c$tunnel`` (which Zeek's
 ## default scripts are doing).
 ##
 ## c: The connection whose tunnel/encapsulation changed.
@@ -128,7 +128,7 @@ event tunnel_changed%(c: connection, e: EncapsulatingConnVector%);
 event connection_timeout%(c: connection%);
 
 ## Generated when a connection's internal state is about to be removed from
-## memory. Bro generates this event reliably once for every connection when it
+## memory. Zeek generates this event reliably once for every connection when it
 ## is about to delete the internal state. As such, the event is well-suited for
 ## script-level cleanup that needs to be performed for every connection.  This
 ## event is generated not only for TCP sessions but also for UDP and ICMP
@@ -145,7 +145,7 @@ event connection_timeout%(c: connection%);
 ##    tcp_inactivity_timeout icmp_inactivity_timeout conn_stats
 event connection_state_remove%(c: connection%);
 
-## Generated when a connection 4-tuple is reused. This event is raised when Bro
+## Generated when a connection 4-tuple is reused. This event is raised when Zeek
 ## sees a new TCP session or UDP flow using a 4-tuple matching that of an
 ## earlier connection it still considers active.
 ##
@@ -188,7 +188,7 @@ event connection_status_update%(c: connection%);
 event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: count, new_label: count%);
 
 ## Generated for a new connection received from the communication subsystem.
-## Remote peers can inject packets into Bro's packet loop, for example via
+## Remote peers can inject packets into Zeek's packet loop, for example via
 ## Broccoli.  The communication system
 ## raises this event with the first packet of a connection coming in this way.
 ##
@@ -198,7 +198,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co
 event connection_external%(c: connection, tag: string%);
 
 ## Generated when a UDP session for a supported protocol has finished. Some of
-## Bro's application-layer UDP analyzers flag the end of a session by raising
+## Zeek's application-layer UDP analyzers flag the end of a session by raising
 ## this event. Currently, the analyzers for DNS, NTP, Netbios, Syslog, AYIYA,
 ## Teredo, and GTPv1 support this.
 ##
@@ -208,7 +208,7 @@ event connection_external%(c: connection, tag: string%);
 event udp_session_done%(u: connection%);
 
 ## Generated when a connection is seen that is marked as being expected.
-## The function :zeek:id:`Analyzer::schedule_analyzer` tells Bro to expect a
+## The function :zeek:id:`Analyzer::schedule_analyzer` tells Zeek to expect a
 ## particular connection to come up, and which analyzer to associate with it.
 ## Once the first packet of such a connection is indeed seen, this event is
 ## raised.
@@ -231,7 +231,7 @@ event udp_session_done%(u: connection%);
 ##    ``ANALYZER_*`` constants right now.
 event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 
-## Generated for every packet Bro sees that have a valid link-layer header. This
+## Generated for every packet Zeek sees that have a valid link-layer header. This
 ## is a very very low-level and expensive event that should be avoided when at all
 ## possible. It's usually infeasible to handle when processing even medium volumes
 ## of traffic in real-time. That said, if you work from a trace and want to do some
@@ -242,7 +242,7 @@ event scheduled_analyzer_applied%(c: connection, a: Analyzer::Tag%);
 ## .. zeek:see:: new_packet packet_contents
 event raw_packet%(p: raw_pkt_hdr%);
 
-## Generated for all packets that make it into Bro's connection processing. In
+## Generated for all packets that make it into Zeek's connection processing. In
 ## contrast to :zeek:id:`raw_packet` this filters out some more packets that don't
 ## pass certain sanity checks.
 ##
@@ -298,8 +298,8 @@ event mobile_ipv6_message%(p: pkt_hdr%);
 ## .. zeek:see:: new_packet tcp_packet
 event packet_contents%(c: connection, contents: string%);
 
-## Generated when Bro detects a TCP retransmission inconsistency. When
+## Generated when Zeek detects a TCP retransmission inconsistency. When
-## reassembling a TCP stream, Bro buffers all payload until it sees the
+## reassembling a TCP stream, Zeek buffers all payload until it sees the
 ## responder acking it. If during that time, the sender resends a chunk of
 ## payload but with different content than originally, this event will be
 ## raised. In addition, if :zeek:id:`tcp_max_old_segments` is larger than zero,
@@ -320,10 +320,10 @@ event packet_contents%(c: connection, contents: string%);
 ## .. zeek:see:: tcp_rexmit tcp_contents
 event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: string%);
 
-## Generated when Bro detects a gap in a reassembled TCP payload stream. This
+## Generated when Zeek detects a gap in a reassembled TCP payload stream. This
-## event is raised when Bro, while reassembling a payload stream, determines
+## event is raised when Zeek, while reassembling a payload stream, determines
 ## that a chunk of payload is missing (e.g., because the responder has already
-## acknowledged it, even though Bro didn't see it).
+## acknowledged it, even though Zeek didn't see it).
 ##
 ## c: The connection.
 ##
@@ -343,7 +343,7 @@ event rexmit_inconsistency%(c: connection, t1: string, t2: string, tcp_flags: st
 event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 
 ## Generated when a protocol analyzer confirms that a connection is indeed
-## using that protocol. Bro's dynamic protocol detection heuristically activates
+## using that protocol. Zeek's dynamic protocol detection heuristically activates
 ## analyzers as soon as it believes a connection *could* be using a particular
 ## protocol. It is then left to the corresponding analyzer to verify whether
 ## that is indeed the case; if so, this event will be generated.
@@ -364,13 +364,13 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to determine the ``service`` column
+##    Zeek's default scripts use this event to determine the ``service`` column
 ##    of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ##    there (and thus in ``conn.log``).
 event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 
 ## Generated when a protocol analyzer determines that a connection it is parsing
-## is not conforming to the protocol it expects. Bro's dynamic protocol
+## is not conforming to the protocol it expects. Zeek's dynamic protocol
 ## detection heuristically activates analyzers as soon as it believes a
 ## connection *could* be using a particular protocol. It is then left to the
 ## corresponding analyzer to verify whether that is indeed the case; if not,
@@ -394,14 +394,14 @@ event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
 ##
 ## .. note::
 ##
-##    Bro's default scripts use this event to disable an analyzer via
+##    Zeek's default scripts use this event to disable an analyzer via
 ##    :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ##    however a script-level decision and not done automatically by the event
 ##    engine.
 event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
 
 ## Generated when a TCP connection terminated, passing on statistics about the
-## two endpoints. This event is always generated when Bro flushes the internal
+## two endpoints. This event is always generated when Zeek flushes the internal
 ## connection state, independent of how a connection terminates.
 ##
 ## c: The connection.
@@ -414,12 +414,12 @@ event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reaso
 event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 
 ## Generated for unexpected activity related to a specific connection.  When
-## Bro's packet analysis encounters activity that does not conform to a
+## Zeek's packet analysis encounters activity that does not conform to a
 ## protocol's specification, it raises one of the ``*_weird`` events to report
 ## that. This event is raised if the activity is tied directly to a specific
 ## connection.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -436,13 +436,13 @@ event conn_stats%(c: connection, os: endpoint_stats, rs: endpoint_stats%);
 event conn_weird%(name: string, c: connection, addl: string%);
 
 ## Generated for unexpected activity related to a pair of hosts, but independent
-## of a specific connection.  When Bro's packet analysis encounters activity
+## of a specific connection.  When Zeek's packet analysis encounters activity
 ## that does not conform to a protocol's specification, it raises one of
 ## the ``*_weird`` events to report that. This event is raised if the activity
 ## is related to a pair of hosts, yet not to a specific connection between
 ## them.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -459,12 +459,12 @@ event conn_weird%(name: string, c: connection, addl: string%);
 event flow_weird%(name: string, src: addr, dst: addr%);
 
 ## Generated for unexpected activity that is not tied to a specific connection
-## or pair of hosts. When Bro's packet analysis encounters activity that
+## or pair of hosts. When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that. This event is raised if the activity is
 ## not tied directly to a specific connection or pair of hosts.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -477,11 +477,11 @@ event flow_weird%(name: string, src: addr, dst: addr%);
 event net_weird%(name: string%);
 
 ## Generated for unexpected activity that is tied to a file.
-## When Bro's packet analysis encounters activity that
+## When Zeek's packet analysis encounters activity that
 ## does not conform to a protocol's specification, it raises one of the
 ## ``*_weird`` events to report that.
 ##
-## name: A unique name for the specific type of "weird" situation. Bro's default
+## name: A unique name for the specific type of "weird" situation. Zeek's default
 ##       scripts use this name in filtering policies that specify which
 ##       "weirds" are worth reporting.
 ##
@@ -497,11 +497,11 @@ event net_weird%(name: string%);
 ##    endpoint's implementation interprets an RFC quite liberally.
 event file_weird%(name: string, f: fa_file, addl: string%);
 
-## Generated regularly for the purpose of profiling Bro's processing. This event
+## Generated regularly for the purpose of profiling Zeek's processing. This event
 ## is raised for every :zeek:id:`load_sample_freq` packet. For these packets,
-## Bro records script-level functions executed during their processing as well
+## Zeek records script-level functions executed during their processing as well
 ## as further internal locations. By sampling the processing in this form, one
-## can understand where Bro spends its time.
+## can understand where Zeek spends its time.
 ##
 ## samples: A set with functions and locations seen during the processing of
 ##          the sampled packet.
@@ -511,13 +511,13 @@ event file_weird%(name: string, f: fa_file, addl: string%);
 ## dmem: The difference in memory usage caused by processing the sampled packet.
 event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 
-## Generated when a signature matches. Bro's signature engine provides
+## Generated when a signature matches. Zeek's signature engine provides
 ## high-performance pattern matching separately from the normal script
 ## processing. If a signature with an ``event`` action matches, this event is
 ## raised.
 ##
 ## See the :doc:`user manual </frameworks/signatures>` for more information
-## about Bro's signature engine.
+## about Zeek's signature engine.
 ##
 ## state: Context about the match, including which signatures triggered the
 ##        event and the connection for which the match was found.
@@ -525,7 +525,7 @@ event load_sample%(samples: load_sample_info, CPU: interval, dmem: int%);
 ## msg: The message passed to the ``event`` signature action.
 ##
 ## data: The last chunk of input that triggered the match. Note that the
-##       specifics here are not well-defined as Bro does not buffer any input.
+##       specifics here are not well-defined as Zeek does not buffer any input.
 ##       If a match is split across packet boundaries, only the last chunk
 ##       triggering the match will be passed on to the event.
 event signature_match%(state: signature_state, msg: string, data: string%);
@@ -572,7 +572,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## different analyzers. For example, the HTTP analyzer reports user-agent and
 ## server software by raising this event. Different from
 ## :zeek:id:`software_version_found`  and :zeek:id:`software_parse_error`, this
-## event is always raised, independent of whether Bro can parse the version
+## event is always raised, independent of whether Zeek can parse the version
 ## string.
 ##
 ## c: The connection.
@@ -584,7 +584,7 @@ event software_parse_error%(c: connection, host: addr, descr: string%);
 ## .. zeek:see:: software_parse_error software_version_found OS_version_found
 event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 
-## Generated when an operating system has been fingerprinted. Bro uses `p0f
+## Generated when an operating system has been fingerprinted. Zeek uses `p0f
 ## <http://lcamtuf.coredump.cx/p0f.shtml>`__ to fingerprint endpoints passively,
 ## and it raises this event for each system identified. The p0f fingerprints are
 ## defined by :zeek:id:`passive_fingerprint_file`.
@@ -600,7 +600,7 @@ event software_unparsed_version_found%(c: connection, host: addr, str: string%);
 ##    generate_OS_version_event
 event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 
-## Generated each time Bro's internal profiling log is updated. The file is
+## Generated each time Zeek's internal profiling log is updated. The file is
 ## defined by :zeek:id:`profiling_file`, and its update frequency by
 ## :zeek:id:`profiling_interval` and :zeek:id:`expensive_profiling_multiple`.
 ##
@@ -612,7 +612,7 @@ event OS_version_found%(c: connection, host: addr, OS: OS_version%);
 ## .. zeek:see::  profiling_interval expensive_profiling_multiple
 event profiling_update%(f: file, expensive: bool%);
 
-## Raised for informational messages reported via Bro's reporter framework. Such
+## Raised for informational messages reported via Zeek's reporter framework. Such
 ## messages may be generated internally by the event engine and also by other
 ## scripts calling :zeek:id:`Reporter::info`.
 ##
@@ -626,12 +626,12 @@ event profiling_update%(f: file, expensive: bool%);
 ## .. zeek:see:: reporter_warning reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for warnings reported via Bro's reporter framework. Such messages may
+## Raised for warnings reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::warning`.
 ##
@@ -645,12 +645,12 @@ event reporter_info%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_error Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 
-## Raised for errors reported via Bro's reporter framework. Such messages may
+## Raised for errors reported via Zeek's reporter framework. Such messages may
 ## be generated internally by the event engine and also by other scripts calling
 ## :zeek:id:`Reporter::error`.
 ##
@@ -664,7 +664,7 @@ event reporter_warning%(t: time, msg: string, location: string%) &error_handler;
 ## .. zeek:see:: reporter_info reporter_warning Reporter::info Reporter::warning
 ##    Reporter::error
 ##
-## .. note:: Bro will not call reporter events recursively. If the handler of
+## .. note:: Zeek will not call reporter events recursively. If the handler of
 ##    any reporter event triggers a new reporter message itself, the output
 ##    will go to ``stderr`` instead.
 event reporter_error%(t: time, msg: string, location: string%) &error_handler;
@@ -680,7 +680,7 @@ event zeek_script_loaded%(path: string, level: count%);
 ## Deprecated synonym for :zeek:see:`zeek_script_loaded`.
 event bro_script_loaded%(path: string, level: count%) &deprecated;
 
-## Generated each time Bro's script interpreter opens a file. This event is
+## Generated each time Zeek's script interpreter opens a file. This event is
 ## triggered only for files opened via :zeek:id:`open`, and in particular not for
 ## normal log files as created by log writers.
 ##
@@ -796,7 +796,7 @@ event file_reassembly_overflow%(f: fa_file, offset: count, skipped: count%);
 event file_state_remove%(f: fa_file%);
 
 ## Generated when an internal DNS lookup produces the same result as last time.
-## Bro keeps an internal DNS cache for host names and IP addresses it has
+## Zeek keeps an internal DNS cache for host names and IP addresses it has
 ## already resolved. This event is generated when a subsequent lookup returns
 ## the same result as stored in the cache.
 ##
@@ -807,7 +807,7 @@ event file_state_remove%(f: fa_file%);
 event dns_mapping_valid%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup got no answer even though it had
-## succeeded in the past. Bro keeps an internal DNS cache for host names and IP
+## succeeded in the past. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a
 ## subsequent lookup does not produce an answer even though we have
 ## already stored a result in the cache.
@@ -819,7 +819,7 @@ event dns_mapping_valid%(dm: dns_mapping%);
 event dns_mapping_unverified%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup succeeded but an earlier attempt
-## did not. Bro keeps an internal DNS cache for host names and IP
+## did not. Zeek keeps an internal DNS cache for host names and IP
 ## addresses it has already resolved. This event is generated when a subsequent
 ## lookup produces an answer for a query that was marked as failed in the cache.
 ##
@@ -830,7 +830,7 @@ event dns_mapping_unverified%(dm: dns_mapping%);
 event dns_mapping_new_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup returned zero answers even though it
-## had succeeded in the past. Bro keeps an internal DNS cache for host names
+## had succeeded in the past. Zeek keeps an internal DNS cache for host names
 ## and IP addresses it has already resolved. This event is generated when
 ## on a subsequent lookup we receive an answer that is empty even
 ## though we have already stored a result in the cache.
@@ -842,7 +842,7 @@ event dns_mapping_new_name%(dm: dns_mapping%);
 event dns_mapping_lost_name%(dm: dns_mapping%);
 
 ## Generated when an internal DNS lookup produced a different result than in
-## the past.  Bro keeps an internal DNS cache for host names and IP addresses
+## the past.  Zeek keeps an internal DNS cache for host names and IP addresses
 ## it has already resolved. This event is generated when a subsequent lookup
 ## returns a different answer than we have stored in the cache.
 ##
@@ -858,7 +858,7 @@ event dns_mapping_lost_name%(dm: dns_mapping%);
 ##    dns_mapping_valid
 event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr_set%);
 
-## A meta event generated for events that Bro raises. This will report all
+## A meta event generated for events that Zeek raises. This will report all
 ## events for which at least one handler is defined.
 ##
 ## Note that handling this meta event is expensive and should be limited to

src/probabilistic/bloom-filter.bif

@@ -23,7 +23,7 @@ module GLOBAL;
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -60,7 +60,7 @@ function bloomfilter_basic_init%(fp: double, capacity: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -104,7 +104,7 @@ function bloomfilter_basic_init2%(k: count, cells: count,
 ##
 ## name: A name that uniquely identifies and seeds the Bloom filter. If empty,
 ##       the filter will use :zeek:id:`global_hash_seed` if that's set, and
-##       otherwise use a local seed tied to the current Bro process. Only
+##       otherwise use a local seed tied to the current Zeek process. Only
 ##       filters with the same seed can be merged with
 ##       :zeek:id:`bloomfilter_merge`.
 ##
@@ -206,7 +206,7 @@ function bloomfilter_clear%(bf: opaque of bloomfilter%): any
 
 ## Merges two Bloom filters.
 ##
-## .. note:: Currently Bloom filters created by different Bro instances cannot
+## .. note:: Currently Bloom filters created by different Zeek instances cannot
 ##    be merged. In the future, this will be supported as long as both filters
 ##    are created with the same name.
 ##

src/stats.bif

@@ -20,7 +20,7 @@ RecordType* ReporterStats;
 %%}
 
 ## Returns packet capture statistics. Statistics include the number of
-## packets *(i)* received by Bro, *(ii)* dropped, and *(iii)* seen on the
+## packets *(i)* received by Zeek, *(ii)* dropped, and *(iii)* seen on the
 ## link (not always available).
 ##
 ## Returns: A record of packet statistics.
@@ -70,7 +70,7 @@ function get_net_stats%(%): NetStats
 	return r;
 	%}
 
-## Returns Bro traffic statistics.
+## Returns Zeek traffic statistics.
 ##
 ## Returns: A record with connection and packet statistics.
 ##
@@ -121,7 +121,7 @@ function get_conn_stats%(%): ConnStats
 	return r;
 	%}
 
-## Returns Bro process statistics.
+## Returns Zeek process statistics.
 ##
 ## Returns: A record with process statistics.
 ##

src/strings.bif

@@ -160,7 +160,7 @@ function join_string_vec%(vec: string_vec, sep: string%): string
 ## arg_s: The string to edit.
 ##
 ## arg_edit_char: A string of exactly one character that represents the
-##                "backspace character". If it is longer than one character Bro
+##                "backspace character". If it is longer than one character Zeek
 ##                generates a run-time error and uses the first character in
 ##                the string.
 ##

src/types.bif

@@ -1,4 +1,4 @@
-##! Declaration of various types that the Bro core uses internally.
+##! Declaration of various types that the Zeek core uses internally.
 
 enum rpc_status %{
 	RPC_SUCCESS,

src/zeekygen/zeekygen.bif

@@ -31,7 +31,7 @@ function get_identifier_comments%(name: string%): string
 	%}
 
 ## Retrieve the Zeekygen-style summary comments (``##!``) associated with
-## a Bro script.
+## a Zeek script.
 ##
 ## name: the name of a Zeek script.  It must be a relative path to where
 ##       it is located within a particular component of ZEEKPATH and use
@@ -50,7 +50,7 @@ function get_script_comments%(name: string%): string
 	return comments_to_val(d->GetComments());
 	%}
 
-## Retrieve the contents of a Bro script package's README file.
+## Retrieve the contents of a Zeek script package's README file.
 ##
 ## name: the name of a Zeek script package.  It must be a relative path
 ##       to where it is located within a particular component of ZEEKPATH.