diff --git a/CMakeLists.txt b/CMakeLists.txt index 7fe5c3e2ee..239004ee6c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,7 +1,7 @@ project(Bro C CXX) # When changing the minimum version here, also adapt -# aux/bro-aux/plugin-support/skeleton/CMakeLists.txt +# aux/zeek-aux/plugin-support/skeleton/CMakeLists.txt cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR) include(cmake/CommonCMakeConfig.cmake) @@ -23,16 +23,16 @@ endif () set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX}) if (NOT BRO_SCRIPT_INSTALL_PATH) - # set the default Bro script installation path (user did not specify one) + # set the default Zeek script installation path (user did not specify one) set(BRO_SCRIPT_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro) endif () if (NOT BRO_MAN_INSTALL_PATH) - # set the default Bro man page installation path (user did not specify one) + # set the default Zeek man page installation path (user did not specify one) set(BRO_MAN_INSTALL_PATH ${BRO_ROOT_DIR}/share/man) endif () -# sanitize the Bro script install directory into an absolute path +# sanitize the Zeek script install directory into an absolute path # (CMake is confused by ~ as a representation of home directory) get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH} ABSOLUTE) @@ -358,12 +358,12 @@ if (CMAKE_BUILD_TYPE) endif () message( - "\n====================| Bro Build Summary |=====================" + "\n====================| Zeek Build Summary |====================" "\n" "\nBuild type: ${CMAKE_BUILD_TYPE}" "\nBuild dir: ${CMAKE_BINARY_DIR}" "\nInstall prefix: ${CMAKE_INSTALL_PREFIX}" - "\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}" + "\nZeek Script Path: ${BRO_SCRIPT_INSTALL_PATH}" "\nDebug mode: ${ENABLE_DEBUG}" "\n" "\nCC: ${CMAKE_C_COMPILER}" diff --git a/Makefile b/Makefile index 8e9d77e3cf..c83ef22a54 100644 --- a/Makefile +++ b/Makefile 
@@ -55,9 +55,9 @@ test: -@( cd testing && make ) test-aux: - -test -d aux/broctl && ( cd aux/broctl && make test-all ) + -test -d aux/zeekctl && ( cd aux/zeekctl && make test-all ) -test -d aux/btest && ( cd aux/btest && make test ) - -test -d aux/bro-aux && ( cd aux/bro-aux && make test ) + -test -d aux/zeek-aux && ( cd aux/zeek-aux && make test ) -test -d aux/plugins && ( cd aux/plugins && make test-all ) test-all: test test-aux diff --git a/NEWS b/NEWS index 7af0a6384d..242cdd4c17 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,5 @@ -This document summarizes the most important changes in the current Bro +This document summarizes the most important changes in the current Zeek release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as Broker, come with their own ``CHANGES``.) @@ -18,7 +18,7 @@ New Functionality - dns_NSEC - dns_NSEC3 -- Bro's Plugin framework now allows a patch version. If a patch version is not +- Zeek's Plugin framework now allows a patch version. If a patch version is not provided, it will default to 0. To specify this, modify the plugin Configuration class in your ``src/Plugin.cc`` and set ``config.version.patch``. Note that the default plugin skeleton diff --git a/configure b/configure index 19068471fa..33de4694b9 100755 --- a/configure +++ b/configure @@ -32,7 +32,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Installation Directories: --prefix=PREFIX installation directory [/usr/local/bro] - --scriptdir=PATH root installation directory for Bro scripts + --scriptdir=PATH root installation directory for Zeek scripts [PREFIX/share/bro] --localstatedir=PATH when using ZeekControl, path to store log files and run-time data (within log/ and spool/ subdirs) 
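Review bot: In the Makefile `test-aux` hunk the renamed recipe lines keep the `-test -d DIR && ( cd DIR && make ... )` form, so a missing directory is an ignored error and the target still succeeds. A checkout whose submodules still sit at `aux/broctl` or `aux/bro-aux` would therefore run neither suite while `test-all` reports success; whether the submodule paths move in this same commit is not visible in the hunk. Consider making the skip explicit, for example `@test -d aux/zeekctl || echo "test-aux: aux/zeekctl not present, skipping"`, with the same line for `aux/zeek-aux`. That way a stale checkout shows up in CI logs instead of reading as a pass.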
@@ -51,12 +51,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]... (automatically on when perftools is present on Linux) --enable-perftools-debug use Google's perftools for debugging --enable-jemalloc link against jemalloc - --enable-static-broker build broker statically (ignored if --with-broker is specified) + --enable-static-broker build Broker statically (ignored if --with-broker is specified) --enable-static-binpac build binpac statically (ignored if --with-binpac is specified) --disable-zeekctl don't install ZeekControl --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools - --disable-python don't try to build python bindings for broker + --disable-python don't try to build python bindings for Broker --disable-broker-tests don't try to build Broker unit tests Required Packages in Non-Standard Locations: @@ -65,13 +65,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-pcap=PATH path to libpcap install root --with-binpac=PATH path to BinPAC executable (useful for cross-compiling) - --with-bifcl=PATH path to Bro BIF compiler executable + --with-bifcl=PATH path to Zeek BIF compiler executable (useful for cross-compiling) --with-flex=PATH path to flex executable --with-bison=PATH path to bison executable --with-python=PATH path to Python executable --with-broker=PATH path to Broker install root - (Bro uses an embedded version by default) + (Zeek uses an embedded version by default) --with-caf=PATH path to C++ Actor Framework install root (a Broker dependency that is embedded by default) diff --git a/man/zeek.8 b/man/zeek.8 index 9dffbe2a27..0d851d0773 100644 --- a/man/zeek.8 +++ b/man/zeek.8 
@@ -5,13 +5,13 @@ bro \- passive network traffic analyzer .B bro \/\fP [\fIoptions\fR] [\fIfile\fR ...] .SH DESCRIPTION -Bro is primarily a security monitor that inspects all traffic on a link in -depth for signs of suspicious activity. More generally, however, Bro +Zeek is primarily a security monitor that inspects all traffic on a link in +depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting. -Bro comes with built-in functionality for a range of analysis and detection +Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL @@ -108,12 +108,12 @@ load seeds from given file \fB\-\-save\-seeds\fR save seeds to given file .TP -The following option is available only when Bro is built with the \-\-enable\-debug configure option: +The following option is available only when Zeek is built with the \-\-enable\-debug configure option: .TP \fB\-B\fR,\ \-\-debug Enable debugging output for selected streams ('-B help' for help) .TP -The following options are available only when Bro is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options): +The following options are available only when Zeek is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options): .TP \fB\-m\fR,\ \-\-mem-leaks show leaks @@ -150,4 +150,4 @@ Output file for script execution statistics Disable Zeekygen (Broxygen) documentation support .SH AUTHOR .B bro -was written by The Bro Project . +was written by The Zeek Project . 
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt index 9a3f596add..a79fb96bd4 100644 --- a/scripts/CMakeLists.txt +++ b/scripts/CMakeLists.txt @@ -11,7 +11,7 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING if ( NOT BINARY_PACKAGING_MODE ) # If the user has a local.bro file from a previous installation, prefer to # symlink local.zeek to it to avoid breaking their custom configuration -- - # because BroControl will now prefer to load local.zeek rather than local.bro + # because ZeekControl will now prefer to load local.zeek rather than local.bro # and we're about to install a default version of local.zeek. set(_local_bro_dst ${BRO_SCRIPT_INSTALL_PATH}/site/local.bro) diff --git a/scripts/base/frameworks/analyzer/README b/scripts/base/frameworks/analyzer/README index 2180fdd735..6f8f1f1228 100644 --- a/scripts/base/frameworks/analyzer/README +++ b/scripts/base/frameworks/analyzer/README @@ -1,3 +1,3 @@ -The analyzer framework allows to dynamically enable or disable Bro's +The analyzer framework allows to dynamically enable or disable Zeek's protocol analyzers, as well as to manage the well-known ports which automatically activate a particular analyzer for new connections. diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek index 0775768dca..8fd986e497 100644 --- a/scripts/base/frameworks/analyzer/main.zeek +++ b/scripts/base/frameworks/analyzer/main.zeek @@ -1,4 +1,4 @@ -##! Framework for managing Bro's protocol analyzers. +##! Framework for managing Zeek's protocol analyzers. ##! ##! The analyzer framework allows to dynamically enable or disable analyzers, as ##! well as to manage the well-known ports which automatically activate a 
@@ -21,7 +21,7 @@ export { global disable_all = F &redef; ## Enables an analyzer. Once enabled, the analyzer may be used for analysis - ## of future connections as decided by Bro's dynamic protocol detection. + ## of future connections as decided by Zeek's dynamic protocol detection. ## ## tag: The tag of the analyzer to enable. ## diff --git a/scripts/base/frameworks/broker/README b/scripts/base/frameworks/broker/README index 11c2479d90..c58b85af19 100644 --- a/scripts/base/frameworks/broker/README +++ b/scripts/base/frameworks/broker/README @@ -1,2 +1,2 @@ -The Broker communication framework facilitates connecting to remote Bro +The Broker communication framework facilitates connecting to remote Zeek instances to share state and transfer events. diff --git a/scripts/base/frameworks/broker/main.zeek b/scripts/base/frameworks/broker/main.zeek index a61f81f239..d6ea8b08ad 100644 --- a/scripts/base/frameworks/broker/main.zeek +++ b/scripts/base/frameworks/broker/main.zeek 
@@ -32,27 +32,27 @@ export { const disable_ssl = F &redef; ## Path to a file containing concatenated trusted certificates - ## in PEM format. If set, Bro will require valid certificates for + ## in PEM format. If set, Zeek will require valid certificates for ## all peers. const ssl_cafile = "" &redef; ## Path to an OpenSSL-style directory of trusted certificates. - ## If set, Bro will require valid certificates for + ## If set, Zeek will require valid certificates for ## all peers. const ssl_capath = "" &redef; ## Path to a file containing a X.509 certificate for this - ## node in PEM format. If set, Bro will require valid certificates for + ## node in PEM format. If set, Zeek will require valid certificates for ## all peers. const ssl_certificate = "" &redef; ## Passphrase to decrypt the private key specified by - ## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid + ## :zeek:see:`Broker::ssl_keyfile`. If set, Zeek will require valid ## certificates for all peers. const ssl_passphrase = "" &redef; ## Path to the file containing the private key for this node's - ## certificate. If set, Bro will require valid certificates for + ## certificate. If set, Zeek will require valid certificates for ## all peers. const ssl_keyfile = "" &redef; @@ -347,7 +347,7 @@ export { ## Peers advertise interest by registering a subscription to some ## prefix of this topic name. ## - ## ev: a Bro event value. + ## ev: a Zeek event value. ## ## Returns: true if automatic event sending is now enabled. global auto_publish: function(topic: string, ev: any): bool; diff --git a/scripts/base/frameworks/broker/store.zeek b/scripts/base/frameworks/broker/store.zeek index dace2032c9..50559c4522 100644 --- a/scripts/base/frameworks/broker/store.zeek +++ b/scripts/base/frameworks/broker/store.zeek 
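Review bot: The doc comments on `ssl_cafile`, `ssl_capath`, `ssl_certificate`, `ssl_passphrase` and `ssl_keyfile` in the broker/main.zeek hunk at line 32 each say what happens "if set", but none says what a peer gets when all five keep their empty-string defaults. Since these lines are being reworded anyway, add one sentence on the unset case, for example `## If none of the ssl_* options is set, peers are not authenticated by certificate.` That wording is inferred from the "if set" phrasing, so confirm it against Broker before committing. `ssl_passphrase` is a redef'able script constant, so its comment should also say that the script carrying the passphrase needs restrictive file permissions, e.g. `## The script that redefs this holds the passphrase in clear text; restrict its read permissions.` The `export` block starts and ends outside the hunk.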
@@ -365,15 +365,15 @@ export { # Data API # ########################## - ## Convert any Bro value to communication data. + ## Convert any Zeek value to communication data. ## ## .. note:: Normally you won't need to use this function as data - ## conversion happens implicitly when passing Bro values into Broker + ## conversion happens implicitly when passing Zeek values into Broker ## functions. ## - ## d: any Bro value to attempt to convert (not all types are supported). + ## d: any Zeek value to attempt to convert (not all types are supported). ## - ## Returns: the converted communication data. If the supplied Bro data + ## Returns: the converted communication data. If the supplied Zeek data ## type does not support conversion to communication data, the ## returned record's optional field will not be set. global data: function(d: any): Broker::Data; diff --git a/scripts/base/frameworks/cluster/README b/scripts/base/frameworks/cluster/README index 1bf9907d9b..98a1cfc95b 100644 --- a/scripts/base/frameworks/cluster/README +++ b/scripts/base/frameworks/cluster/README @@ -1,2 +1,2 @@ The cluster framework provides for establishing and controlling a cluster -of Bro instances. +of Zeek instances. diff --git a/scripts/base/frameworks/cluster/main.zeek b/scripts/base/frameworks/cluster/main.zeek index 02c063c346..08cf47485e 100644 --- a/scripts/base/frameworks/cluster/main.zeek +++ b/scripts/base/frameworks/cluster/main.zeek 
@@ -1,6 +1,6 @@ -##! A framework for establishing and controlling a cluster of Bro instances. +##! A framework for establishing and controlling a cluster of Zeek instances. ##! In order to use the cluster framework, a script named -##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path +##! ``cluster-layout.zeek`` must exist somewhere in Zeek's script search path ##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable. ##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node` ##! must also be sent and the cluster framework loaded as a package like @@ -178,7 +178,7 @@ export { global is_enabled: function(): bool; ## This function can be called at any time to determine what type of - ## cluster node the current Bro instance is going to be acting as. + ## cluster node the current Zeek instance is going to be acting as. ## If :zeek:id:`Cluster::is_enabled` returns false, then ## :zeek:enum:`Cluster::NONE` is returned. ## @@ -194,7 +194,7 @@ export { ## The cluster layout definition. This should be placed into a filter ## named cluster-layout.zeek somewhere in the BROPATH. It will be ## automatically loaded if the CLUSTER_NODE environment variable is set. - ## Note that BroControl handles all of this automatically. + ## Note that ZeekControl handles all of this automatically. ## The table is typically indexed by node names/labels (e.g. "manager" ## or "worker-1"). const nodes: table[string] of Node = {} &redef; @@ -202,7 +202,7 @@ export { ## Indicates whether or not the manager will act as the logger and receive ## logs. This value should be set in the cluster-layout.zeek script (the ## value should be true only if no logger is specified in Cluster::nodes). - ## Note that BroControl handles this automatically. + ## Note that ZeekControl handles this automatically. const manager_is_logger = T &redef; ## This is usually supplied on the command line for each instance 
diff --git a/scripts/base/frameworks/cluster/nodes/logger.zeek b/scripts/base/frameworks/cluster/nodes/logger.zeek index 03a422e460..6fb5d09208 100644 --- a/scripts/base/frameworks/cluster/nodes/logger.zeek +++ b/scripts/base/frameworks/cluster/nodes/logger.zeek @@ -1,7 +1,7 @@ -##! This is the core Bro script to support the notion of a cluster logger. +##! This is the core Zeek script to support the notion of a cluster logger. ##! -##! The logger is passive (other Bro instances connect to us), and once -##! connected the logger receives logs from other Bro instances. +##! The logger is passive (other Zeek instances connect to us), and once +##! connected the logger receives logs from other Zeek instances. ##! This script will be automatically loaded if necessary based on the ##! type of node being started. diff --git a/scripts/base/frameworks/cluster/nodes/manager.zeek b/scripts/base/frameworks/cluster/nodes/manager.zeek index 8858025a25..945d952f31 100644 --- a/scripts/base/frameworks/cluster/nodes/manager.zeek +++ b/scripts/base/frameworks/cluster/nodes/manager.zeek @@ -1,4 +1,4 @@ -##! This is the core Bro script to support the notion of a cluster manager. +##! This is the core Zeek script to support the notion of a cluster manager. ##! ##! The manager is passive (the workers connect to us), and once connected ##! the manager registers for the events on the workers that are needed diff --git a/scripts/base/frameworks/cluster/nodes/proxy.zeek b/scripts/base/frameworks/cluster/nodes/proxy.zeek index df2a7c552b..dec0d69f6b 100644 --- a/scripts/base/frameworks/cluster/nodes/proxy.zeek +++ b/scripts/base/frameworks/cluster/nodes/proxy.zeek @@ -1,4 +1,4 @@ -##! Redefines the options common to all proxy nodes within a Bro cluster. +##! Redefines the options common to all proxy nodes within a Zeek cluster. ##! In particular, proxies are not meant to produce logs locally and they ##! do not forward events anywhere, they mainly synchronize state between ##! worker nodes. 
diff --git a/scripts/base/frameworks/cluster/nodes/worker.zeek b/scripts/base/frameworks/cluster/nodes/worker.zeek index 826df848f7..02c22fb127 100644 --- a/scripts/base/frameworks/cluster/nodes/worker.zeek +++ b/scripts/base/frameworks/cluster/nodes/worker.zeek @@ -1,4 +1,4 @@ -##! Redefines some options common to all worker nodes within a Bro cluster. +##! Redefines some options common to all worker nodes within a Zeek cluster. ##! In particular, worker nodes do not produce logs locally, instead they ##! send them off to a logger node for processing. diff --git a/scripts/base/frameworks/cluster/pools.zeek b/scripts/base/frameworks/cluster/pools.zeek index ae14a09527..787d3aa0e0 100644 --- a/scripts/base/frameworks/cluster/pools.zeek +++ b/scripts/base/frameworks/cluster/pools.zeek @@ -351,7 +351,7 @@ event zeek_init() &priority=-5 return; # Sorting now ensures the node distribution process is stable even if - # there's a change in the order of time-of-registration between Bro runs. + # there's a change in the order of time-of-registration between Zeek runs. sort(registered_pools, pool_sorter); pool_eligibility[Cluster::WORKER] = diff --git a/scripts/base/frameworks/config/README b/scripts/base/frameworks/config/README index 3640d1e8c4..2869bc78bb 100644 --- a/scripts/base/frameworks/config/README +++ b/scripts/base/frameworks/config/README @@ -1,2 +1,2 @@ -The configuration framework provides a way to change the Bro configuration +The configuration framework provides a way to change the Zeek configuration in "option" values at run-time. diff --git a/scripts/base/frameworks/config/main.zeek b/scripts/base/frameworks/config/main.zeek index b801c82267..3b188732b9 100644 --- a/scripts/base/frameworks/config/main.zeek +++ b/scripts/base/frameworks/config/main.zeek 
@@ -1,4 +1,4 @@ -##! The configuration framework provides a way to change Bro options +##! The configuration framework provides a way to change Zeek options ##! (as specified by the "option" keyword) at runtime. It also logs runtime ##! changes to options to config.log. diff --git a/scripts/base/frameworks/control/README b/scripts/base/frameworks/control/README index ba6998d43c..4927653f90 100644 --- a/scripts/base/frameworks/control/README +++ b/scripts/base/frameworks/control/README @@ -1,3 +1,3 @@ The control framework provides the foundation for providing "commands" -that can be taken remotely at runtime to modify a running Bro instance +that can be taken remotely at runtime to modify a running Zeek instance or collect information from the running instance. diff --git a/scripts/base/frameworks/control/main.zeek b/scripts/base/frameworks/control/main.zeek index 7ab92a728b..20cb93c234 100644 --- a/scripts/base/frameworks/control/main.zeek +++ b/scripts/base/frameworks/control/main.zeek @@ -1,5 +1,5 @@ ##! The control framework provides the foundation for providing "commands" -##! that can be taken remotely at runtime to modify a running Bro instance +##! that can be taken remotely at runtime to modify a running Zeek instance ##! or collect information from the running instance. module Control; @@ -58,7 +58,7 @@ export { ## Returns the current net_stats. global net_stats_response: event(s: string); - ## Inform the remote Bro instance that it's configuration may have been + ## Inform the remote Zeek instance that it's configuration may have been ## updated. global configuration_update_request: event(); ## This event is a wrapper and alias for the 
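Review bot: The rewritten comment in control/main.zeek (hunk at line 58) still reads `it's configuration may have been updated`; since the commit touches the line, make it `its configuration`. The same applies to other lines this commit rewrites: `occured` in logging/main.zeek (hunk at line 84), `refering` in netcontrol/plugin.zeek (hunk at line 74), and `functions that only runs` in netcontrol/main.zeek (hunk at line 632). These comments feed the generated script reference, so the typos carry over into the published docs.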
@@ -68,7 +68,7 @@ export { ## Message in response to a configuration update request. global configuration_update_response: event(); - ## Requests that the Bro instance begins shutting down. + ## Requests that the Zeek instance begins shutting down. global shutdown_request: event(); ## Message in response to a shutdown request. global shutdown_response: event(); diff --git a/scripts/base/frameworks/input/README b/scripts/base/frameworks/input/README index 6f00f5f6eb..3ce3232c19 100644 --- a/scripts/base/frameworks/input/README +++ b/scripts/base/frameworks/input/README @@ -1,2 +1,2 @@ The input framework provides a way to read previously stored data either as -an event stream or into a Bro table. +an event stream or into a Zeek table. diff --git a/scripts/base/frameworks/input/main.zeek b/scripts/base/frameworks/input/main.zeek index 84488f130c..973661f871 100644 --- a/scripts/base/frameworks/input/main.zeek +++ b/scripts/base/frameworks/input/main.zeek @@ -1,5 +1,5 @@ ##! The input framework provides a way to read previously stored data either -##! as an event stream or into a Bro table. +##! as an event stream or into a Zeek table. module Input; @@ -55,7 +55,7 @@ export { ## abort. Defaults to false (abort). const accept_unsupported_types = F &redef; - ## A table input stream type used to send data to a Bro table. + ## A table input stream type used to send data to a Zeek table. type TableDescription: record { # Common definitions for tables and events @@ -112,7 +112,7 @@ export { ## ## The event is raised like if it had been declared as follows: ## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional; - ## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system. + ## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system. error_ev: any &optional; ## A key/value table that will be passed to the reader. 
@@ -121,7 +121,7 @@ export { config: table[string] of string &default=table(); }; - ## An event input stream type used to send input data to a Bro event. + ## An event input stream type used to send input data to a Zeek event. type EventDescription: record { # Common definitions for tables and events @@ -166,7 +166,7 @@ export { ## ## The event is raised like it had been declared as follows: ## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional; - ## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system. + ## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system. error_ev: any &optional; ## A key/value table that will be passed to the reader. diff --git a/scripts/base/frameworks/input/readers/ascii.zeek b/scripts/base/frameworks/input/readers/ascii.zeek index c757718d53..26d7b2360c 100644 --- a/scripts/base/frameworks/input/readers/ascii.zeek +++ b/scripts/base/frameworks/input/readers/ascii.zeek @@ -1,6 +1,6 @@ ##! Interface for the ascii input reader. ##! -##! The defaults are set to match Bro's ASCII output. +##! The defaults are set to match Zeek's ASCII output. module InputAscii; diff --git a/scripts/base/frameworks/logging/main.zeek b/scripts/base/frameworks/logging/main.zeek index 8746ee3654..3a83808369 100644 --- a/scripts/base/frameworks/logging/main.zeek +++ b/scripts/base/frameworks/logging/main.zeek @@ -1,6 +1,6 @@ -##! The Bro logging interface. +##! The Zeek logging interface. ##! -##! See :doc:`/frameworks/logging` for an introduction to Bro's +##! See :doc:`/frameworks/logging` for an introduction to Zeek's ##! logging framework. module Log; 
@@ -84,13 +84,13 @@ export { path: string; ##< Original path value. open: time; ##< Time when opened. close: time; ##< Time when closed. - terminating: bool; ##< True if rotation occured due to Bro shutting down. + terminating: bool; ##< True if rotation occured due to Zeek shutting down. }; ## Default rotation interval to use for filters that do not specify ## an interval. Zero disables rotation. ## - ## Note that this is overridden by the BroControl LogRotationInterval + ## Note that this is overridden by the ZeekControl LogRotationInterval ## option. const default_rotation_interval = 0secs &redef; @@ -108,7 +108,7 @@ export { ## Default alarm summary mail interval. Zero disables alarm summary ## mails. ## - ## Note that this is overridden by the BroControl MailAlarmsInterval + ## Note that this is overridden by the ZeekControl MailAlarmsInterval ## option. const default_mail_alarms_interval = 0secs &redef; @@ -219,7 +219,7 @@ export { scope_sep: string &default=default_scope_sep; ## Default prefix for all extension fields. It's typically - ## prudent to set this to something that Bro's logging + ## prudent to set this to something that Zeek's logging ## framework can't normally write out in a field name. ext_prefix: string &default=default_ext_prefix; diff --git a/scripts/base/frameworks/netcontrol/README b/scripts/base/frameworks/netcontrol/README index a8635da300..0702c6b036 100644 --- a/scripts/base/frameworks/netcontrol/README +++ b/scripts/base/frameworks/netcontrol/README @@ -1,3 +1,3 @@ -The NetControl framework provides a way for Bro to interact with networking +The NetControl framework provides a way for Zeek to interact with networking hard- and software, e.g. for dropping and shunting IP addresses/connections, etc. diff --git a/scripts/base/frameworks/netcontrol/drop.zeek b/scripts/base/frameworks/netcontrol/drop.zeek index 9c1adc73d2..452dda27ee 100644 --- a/scripts/base/frameworks/netcontrol/drop.zeek 
+++ b/scripts/base/frameworks/netcontrol/drop.zeek @@ -32,7 +32,7 @@ export { type DropInfo: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run. + ## ID of the rule; unique during each Zeek run. rule_id: string &log; orig_h: addr &log; ##< The originator's IP address. orig_p: port &log &optional; ##< The originator's port number. diff --git a/scripts/base/frameworks/netcontrol/main.zeek b/scripts/base/frameworks/netcontrol/main.zeek index 97b6e27459..8de0209d6d 100644 --- a/scripts/base/frameworks/netcontrol/main.zeek +++ b/scripts/base/frameworks/netcontrol/main.zeek @@ -1,8 +1,8 @@ -##! Bro's NetControl framework. +##! Zeek's NetControl framework. ##! -##! This plugin-based framework allows to control the traffic that Bro monitors +##! This plugin-based framework allows to control the traffic that Zeek monitors ##! as well as, if having access to the forwarding path, the traffic the network -##! forwards. By default, the framework lets everything through, to both Bro +##! forwards. By default, the framework lets everything through, to both Zeek ##! itself as well as on the network. Scripts can then add rules to impose ##! restrictions on entities, such as specific connections or IP addresses. ##! @@ -291,7 +291,7 @@ export { type Info: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run. + ## ID of the rule; unique during each Zeek run. rule_id: string &log &optional; ## Type of the log entry. category: InfoCategory &log &optional; @@ -632,7 +632,7 @@ event NetControl::init() &priority=-20 log_msg_no_plugin("waiting for plugins to initialize"); } -# Low-level functions that only runs on the manager (or standalone) Bro node. +# Low-level functions that only runs on the manager (or standalone) Zeek node. function activate_impl(p: PluginState, priority: int) { 
diff --git a/scripts/base/frameworks/netcontrol/plugin.zeek b/scripts/base/frameworks/netcontrol/plugin.zeek index 2b432e7597..ac94b265b3 100644 --- a/scripts/base/frameworks/netcontrol/plugin.zeek +++ b/scripts/base/frameworks/netcontrol/plugin.zeek @@ -74,7 +74,7 @@ export { ## Table for a plugin to store instance-specific configuration information. ## ## Note, it would be nicer to pass the Plugin instance to all the below, instead - ## of this state table. However Bro's type resolver has trouble with refering to a + ## of this state table. However Zeek's type resolver has trouble with refering to a ## record type from inside itself. redef record PluginState += { ## The plugin that the state belongs to. (Defined separately diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek index ac9bebdc90..1fdb2ced73 100644 --- a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek +++ b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek @@ -1,5 +1,5 @@ ##! NetControl plugin for the process-level PacketFilter that comes with -##! Bro. Since the PacketFilter in Bro is quite limited in scope +##! Zeek. Since the PacketFilter in Zeek is quite limited in scope ##! and can only add/remove filters for addresses, this is quite ##! limited in scope at the moment. @@ -13,7 +13,7 @@ export { } # Check if we can handle this rule. If it specifies ports or -# anything Bro cannot handle, simply ignore it for now. +# anything Zeek cannot handle, simply ignore it for now. function packetfilter_check_rule(r: Rule) : bool { if ( r$ty != DROP ) diff --git a/scripts/base/frameworks/netcontrol/shunt.zeek b/scripts/base/frameworks/netcontrol/shunt.zeek index 7cbd8512e2..007daffbb5 100644 --- a/scripts/base/frameworks/netcontrol/shunt.zeek +++ b/scripts/base/frameworks/netcontrol/shunt.zeek 
@@ -7,7 +7,7 @@ module NetControl; export { redef enum Log::ID += { SHUNT }; - ## Stops forwarding a uni-directional flow's packets to Bro. + ## Stops forwarding a uni-directional flow's packets to Zeek. ## ## f: The flow to shunt. ## @@ -21,7 +21,7 @@ export { type ShuntInfo: record { ## Time at which the recorded activity occurred. ts: time &log; - ## ID of the rule; unique during each Bro run. + ## ID of the rule; unique during each Zeek run. rule_id: string &log; ## Flow ID of the shunted flow. f: flow_id &log; diff --git a/scripts/base/frameworks/netcontrol/types.zeek b/scripts/base/frameworks/netcontrol/types.zeek index 2be65ce3e6..beac2302f6 100644 --- a/scripts/base/frameworks/netcontrol/types.zeek +++ b/scripts/base/frameworks/netcontrol/types.zeek @@ -50,12 +50,12 @@ export { ## Type defining the target of a rule. ## ## Rules can either be applied to the forward path, affecting all network traffic, or - ## on the monitor path, only affecting the traffic that is sent to Bro. The second - ## is mostly used for shunting, which allows Bro to tell the networking hardware that + ## on the monitor path, only affecting the traffic that is sent to Zeek. The second + ## is mostly used for shunting, which allows Zeek to tell the networking hardware that ## it wants to no longer see traffic that it identified as benign. type TargetType: enum { FORWARD, #< Apply rule actively to traffic on forwarding path. - MONITOR, #< Apply rule passively to traffic sent to Bro for monitoring. + MONITOR, #< Apply rule passively to traffic sent to Zeek for monitoring. }; ## Type of rules that the framework supports. Each type lists the extra diff --git a/scripts/base/frameworks/notice/README b/scripts/base/frameworks/notice/README index c46a8a7e5c..8875214a9f 100644 --- a/scripts/base/frameworks/notice/README +++ b/scripts/base/frameworks/notice/README 
@@ -1,4 +1,4 @@ -The notice framework enables Bro to "notice" things which are odd or +The notice framework enables Zeek to "notice" things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows -Bro to be customized to the different needs that sites have. +Zeek to be customized to the different needs that sites have. diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.zeek b/scripts/base/frameworks/notice/actions/pp-alarms.zeek index a327f3f9d6..ddfc45af6e 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.zeek +++ b/scripts/base/frameworks/notice/actions/pp-alarms.zeek @@ -14,7 +14,7 @@ export { ## Address to send the pretty-printed reports to. Default if not set is ## :zeek:id:`Notice::mail_dest`. ## - ## Note that this is overridden by the BroControl MailAlarmsTo option. + ## Note that this is overridden by the ZeekControl MailAlarmsTo option. const mail_dest_pretty_printed = "" &redef; ## If an address from one of these networks is reported, we mark ## the entry with an additional quote symbol (i.e., ">"). Many MUAs diff --git a/scripts/base/frameworks/notice/main.zeek b/scripts/base/frameworks/notice/main.zeek index f4a7796495..ed0fb86d4f 100644 --- a/scripts/base/frameworks/notice/main.zeek +++ b/scripts/base/frameworks/notice/main.zeek @@ -1,6 +1,6 @@ -##! This is the notice framework which enables Bro to "notice" things which +##! This is the notice framework which enables Zeek to "notice" things which ##! are odd or potentially bad. Decisions of the meaning of various notices -##! need to be done per site because Bro does not ship with assumptions about +##! need to be done per site because Zeek does not ship with assumptions about ##! what is bad activity for sites. More extensive documentation about using ##! the notice framework can be found in :doc:`/frameworks/notice`. 
@@ -189,26 +189,26 @@ export { ## Local system sendmail program. ## - ## Note that this is overridden by the BroControl SendMail option. + ## Note that this is overridden by the ZeekControl SendMail option. option sendmail = "/usr/sbin/sendmail"; ## Email address to send notices with the ## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs ## on rotation with :zeek:enum:`Notice::ACTION_ALARM`. ## - ## Note that this is overridden by the BroControl MailTo option. + ## Note that this is overridden by the ZeekControl MailTo option. const mail_dest = "" &redef; ## Address that emails will be from. ## - ## Note that this is overridden by the BroControl MailFrom option. - option mail_from = "Big Brother "; + ## Note that this is overridden by the ZeekControl MailFrom option. + option mail_from = "Zeek "; ## Reply-to address used in outbound email. option reply_to = ""; ## Text string prefixed to the subject of all emails sent out. ## - ## Note that this is overridden by the BroControl MailSubjectPrefix + ## Note that this is overridden by the ZeekControl MailSubjectPrefix ## option. - option mail_subject_prefix = "[Bro]"; + option mail_subject_prefix = "[Zeek]"; ## The maximum amount of time a plugin can delay email from being sent. const max_email_delay = 15secs &redef; @@ -390,7 +390,7 @@ event zeek_init() &priority=5 Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]); Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm"]); - # If Bro is configured for mailing notices, set up mailing for alarms. + # If Zeek is configured for mailing notices, set up mailing for alarms. # Make sure that this alarm log is also output as text so that it can # be packaged up and emailed later. if ( ! reading_traces() && mail_dest != "" ) diff --git a/scripts/base/frameworks/notice/weird.zeek b/scripts/base/frameworks/notice/weird.zeek index d91a93ce27..d6d381406a 100644 
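Review bot: The new defaults `option mail_from = "Zeek ";` and `option mail_subject_prefix = "[Zeek]";` change what notice e-mails look like at runtime, unlike the comment-only edits around them, so mail filters, ticketing rules or alert routing keyed on the old `[Bro]` prefix or the old sender name will silently stop matching after an upgrade. Sites that set these through ZeekControl's MailFrom/MailSubjectPrefix options are covered by the override the comments mention, but standalone deployments are not. I would add a NEWS entry such as `- The defaults of Notice::mail_from and Notice::mail_subject_prefix now say "Zeek" instead of "Big Brother"/"[Bro]"; update mail filters that match on them.`, and mention there the reworded `Reporter::warning` texts in find-checksum-offloading.zeek and find-filtered-trace.zeek, since anything matching on the logged message text is affected in the same way. The `mail_from` literal appears here with a trailing space and no address part, which may only be an artifact of how this page was rendered; worth confirming the committed value still carries a valid sender address.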
--- a/scripts/base/frameworks/notice/weird.zeek +++ b/scripts/base/frameworks/notice/weird.zeek @@ -1,5 +1,5 @@ ##! This script provides a default set of actions to take for "weird activity" -##! events generated from Bro's event engine. Weird activity is defined as +##! events generated from Zeek's event engine. Weird activity is defined as ##! unusual or exceptional activity that can indicate malformed connections, ##! traffic that doesn't conform to a particular protocol, malfunctioning ##! or misconfigured hardware, or even an attacker attempting to avoid/confuse diff --git a/scripts/base/frameworks/openflow/consts.zeek b/scripts/base/frameworks/openflow/consts.zeek index 3564137701..7b1e635014 100644 --- a/scripts/base/frameworks/openflow/consts.zeek +++ b/scripts/base/frameworks/openflow/consts.zeek @@ -1,7 +1,7 @@ ##! Constants used by the OpenFlow framework. # All types/constants not specific to OpenFlow will be defined here -# until they somehow get into Bro. +# until they somehow get into Zeek. module OpenFlow; @@ -10,7 +10,7 @@ module OpenFlow; const COOKIE_BID_SIZE = 16777216; # start at bit 40 (1 << 40) const COOKIE_BID_START = 1099511627776; -# bro specific cookie ID shall have the 42 bit set (1 << 42) +# Zeek specific cookie ID shall have the 42 bit set (1 << 42) const BRO_COOKIE_ID = 4; # 8 bits group identifier const COOKIE_GID_SIZE = 256; @@ -122,7 +122,7 @@ export { ## Return value for a cookie from a flow ## which is not added, modified or deleted - ## from the bro openflow framework. + ## from the Zeek openflow framework. const INVALID_COOKIE = 0xffffffffffffffff; # Openflow physical port definitions ## Send the packet out the input port. This diff --git a/scripts/base/frameworks/openflow/main.zeek b/scripts/base/frameworks/openflow/main.zeek index ecddea7cb3..09e9ba0f68 100644 --- a/scripts/base/frameworks/openflow/main.zeek +++ b/scripts/base/frameworks/openflow/main.zeek 
@@ -1,4 +1,4 @@ -##! Bro's OpenFlow control framework. +##! Zeek's OpenFlow control framework. ##! ##! This plugin-based framework allows to control OpenFlow capable ##! switches by implementing communication to an OpenFlow controller diff --git a/scripts/base/frameworks/openflow/plugins/log.zeek b/scripts/base/frameworks/openflow/plugins/log.zeek index 23a16c3186..a9d397fab4 100644 --- a/scripts/base/frameworks/openflow/plugins/log.zeek +++ b/scripts/base/frameworks/openflow/plugins/log.zeek @@ -1,5 +1,5 @@ ##! OpenFlow plugin that outputs flow-modification commands -##! to a Bro log file. +##! to a Zeek log file. @load base/frameworks/openflow @load base/frameworks/logging diff --git a/scripts/base/frameworks/packet-filter/README b/scripts/base/frameworks/packet-filter/README index 536c1527db..7cc194ec17 100644 --- a/scripts/base/frameworks/packet-filter/README +++ b/scripts/base/frameworks/packet-filter/README @@ -1 +1 @@ -The packet filter framework supports how Bro sets its BPF capture filter. +The packet filter framework supports how Zeek sets its BPF capture filter. diff --git a/scripts/base/frameworks/packet-filter/main.zeek b/scripts/base/frameworks/packet-filter/main.zeek index 160139b1db..5d616eb7e6 100644 --- a/scripts/base/frameworks/packet-filter/main.zeek +++ b/scripts/base/frameworks/packet-filter/main.zeek @@ -1,7 +1,7 @@ -##! This script supports how Bro sets its BPF capture filter. By default -##! Bro sets a capture filter that allows all traffic. If a filter +##! This script supports how Zeek sets its BPF capture filter. By default +##! Zeek sets a capture filter that allows all traffic. If a filter ##! is set on the command line, that filter takes precedence over the default -##! open filter and all filters defined in Bro scripts with the +##! open filter and all filters defined in Zeek scripts with the ##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables. @load base/frameworks/notice 
diff --git a/scripts/base/frameworks/packet-filter/netstats.zeek b/scripts/base/frameworks/packet-filter/netstats.zeek index 48b157b3eb..173f4371cd 100644 --- a/scripts/base/frameworks/packet-filter/netstats.zeek +++ b/scripts/base/frameworks/packet-filter/netstats.zeek @@ -1,5 +1,5 @@ ##! This script reports on packet loss from the various packet sources. -##! When Bro is reading input from trace files, this script will not +##! When Zeek is reading input from trace files, this script will not ##! report any packet loss statistics. @load base/frameworks/notice diff --git a/scripts/base/frameworks/reporter/main.zeek b/scripts/base/frameworks/reporter/main.zeek index 54e4123407..ce66e8f86a 100644 --- a/scripts/base/frameworks/reporter/main.zeek +++ b/scripts/base/frameworks/reporter/main.zeek @@ -27,9 +27,9 @@ export { ## terminate program execution. level: Level &log; ## An info/warning/error message that could have either been - ## generated from the internal Bro core or at the scripting-layer. + ## generated from the internal Zeek core or at the scripting-layer. message: string &log; - ## This is the location in a Bro script where the message originated. + ## This is the location in a Zeek script where the message originated. ## Not all reporter messages will have locations in them though. location: string &log &optional; }; diff --git a/scripts/base/frameworks/signatures/README b/scripts/base/frameworks/signatures/README index fd45cd3a19..7bc1926309 100644 --- a/scripts/base/frameworks/signatures/README +++ b/scripts/base/frameworks/signatures/README @@ -1,4 +1,4 @@ The signature framework provides for doing low-level pattern matching. While -signatures are not Bro's preferred detection tool, they sometimes come in +signatures are not Zeek's preferred detection tool, they sometimes come in handy and are closer to what many people are familiar with from using other NIDS. 
diff --git a/scripts/base/frameworks/signatures/main.zeek b/scripts/base/frameworks/signatures/main.zeek index 910f3b461c..eb2143d4ec 100644 --- a/scripts/base/frameworks/signatures/main.zeek +++ b/scripts/base/frameworks/signatures/main.zeek @@ -1,6 +1,6 @@ ##! Script level signature support. See the ##! :doc:`signature documentation ` for more -##! information about Bro's signature engine. +##! information about Zeek's signature engine. @load base/frameworks/notice diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 228128b486..50c120bb6b 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -113,7 +113,7 @@ type mime_match: record { ## :zeek:see:`file_magic` type mime_matches: vector of mime_match; -## A connection's transport-layer protocol. Note that Bro uses the term +## A connection's transport-layer protocol. Note that Zeek uses the term ## "connection" broadly, using flow semantics for ICMP and UDP. type transport_proto: enum { unknown_transport, ##< An unknown transport-layer protocol. @@ -235,7 +235,7 @@ type icmp6_nd_option: record { ## A type alias for a vector of ICMPv6 neighbor discovery message options. type icmp6_nd_options: vector of icmp6_nd_option; -# A DNS mapping between IP address and hostname resolved by Bro's internal +# A DNS mapping between IP address and hostname resolved by Zeek's internal # resolver. # # .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name @@ -340,8 +340,8 @@ type endpoint: record { l2_addr: string &optional; }; -## A connection. This is Bro's basic connection type describing IP- and -## transport-layer information about the conversation. Note that Bro uses a +## A connection. This is Zeek's basic connection type describing IP- and +## transport-layer information about the conversation. Note that Zeek uses a ## liberal interpretation of "connection" and associates instances of this type ## also with UDP and ICMP flows. type connection: record { 
@@ -353,7 +353,7 @@ type connection: record { ## interval between first and last data packet (low-level TCP details ## may adjust it somewhat in ambiguous cases). duration: interval; - ## The set of services the connection is using as determined by Bro's + ## The set of services the connection is using as determined by Zeek's ## dynamic protocol detection. Each entry is the label of an analyzer ## that confirmed that it could parse the connection payload. While ## typically, there will be at most one entry for each connection, in @@ -362,8 +362,8 @@ type connection: record { ## the recorded services are independent of any transport-level protocols. service: set[string]; history: string; ##< State history of connections. See *history* in :zeek:see:`Conn::Info`. - ## A globally unique connection identifier. For each connection, Bro - ## creates an ID that is very likely unique across independent Bro runs. + ## A globally unique connection identifier. For each connection, Zeek + ## creates an ID that is very likely unique across independent Zeek runs. ## These IDs can thus be used to tag and locate information associated ## with that connection. uid: string; @@ -390,7 +390,7 @@ option default_file_timeout_interval: interval = 2 mins; ## matching or later, will receive a copy of this buffer. option default_file_bof_buffer_size: count = 4096; -## A file that Bro is analyzing. This is Bro's type for describing the basic +## A file that Zeek is analyzing. This is Zeek's type for describing the basic ## internal metadata collected about a "file", which is essentially just a ## byte stream that is e.g. pulled from a network connection or possibly ## some other input source. 
@@ -476,7 +476,7 @@ type SYN_packet: record { ## ## .. zeek:see:: get_net_stats type NetStats: record { - pkts_recvd: count &default=0; ##< Packets received by Bro. + pkts_recvd: count &default=0; ##< Packets received by Zeek. pkts_dropped: count &default=0; ##< Packets reported dropped by the system. ## Packets seen on the link. Note that this may differ ## from *pkts_recvd* because of a potential capture_filter. See @@ -484,7 +484,7 @@ type NetStats: record { ## packet capture system, this value may not be available and will then ## be always set to zero. pkts_link: count &default=0; - bytes_recvd: count &default=0; ##< Bytes received by Bro. + bytes_recvd: count &default=0; ##< Bytes received by Zeek. }; type ConnStats: record { @@ -512,16 +512,16 @@ type ConnStats: record { killed_by_inactivity: count; }; -## Statistics about Bro's process. +## Statistics about Zeek's process. ## ## .. zeek:see:: get_proc_stats ## -## .. note:: All process-level values refer to Bro's main process only, not to +## .. note:: All process-level values refer to Zeek's main process only, not to ## the child process it spawns for doing communication. type ProcStats: record { debug: bool; ##< True if compiled with --enable-debug. start_time: time; ##< Start time of process. - real_time: interval; ##< Elapsed real time since Bro started running. + real_time: interval; ##< Elapsed real time since Zeek started running. user_time: interval; ##< User CPU seconds. system_time: interval; ##< System CPU seconds. mem: count; ##< Maximum memory consumed, in KB. @@ -579,8 +579,8 @@ type FileAnalysisStats: record { cumulative: count; ##< Cumulative number of files analyzed. }; -## Statistics related to Bro's active use of DNS. These numbers are -## about Bro performing DNS queries on it's own, not traffic +## Statistics related to Zeek's active use of DNS. These numbers are +## about Zeek performing DNS queries on it's own, not traffic ## being seen. ## ## .. zeek:see:: get_dns_stats 
@@ -735,7 +735,7 @@ type call_argument_vector: vector of call_argument; # dependent on the names remaining as they are now. ## Set of BPF capture filters to use for capturing, indexed by a user-definable -## ID (which must be unique). If Bro is *not* configured with +## ID (which must be unique). If Zeek is *not* configured with ## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`, ## all packets matching at least one of the filters in this table (and all in ## :zeek:id:`restrict_filters`) will be analyzed. @@ -866,7 +866,7 @@ const mmdb_dir: string = "" &redef; ## Computed entropy values. The record captures a number of measures that are ## computed in parallel. See `A Pseudorandom Number Sequence Test Program -## `_ for more information, Bro uses the same +## `_ for more information, Zeek uses the same ## code. ## ## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy @@ -993,7 +993,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef; ## If we've seen this much data without any of it being acked, we give up ## on that connection to avoid memory exhaustion due to buffering all that -## stuff. If set to zero, then we don't ever give up. Ideally, Bro would +## stuff. If set to zero, then we don't ever give up. Ideally, Zeek would ## track the current window on a connection and use it to infer that data ## has in fact gone too far, but for now we just make this quite beefy. ## @@ -1788,7 +1788,7 @@ type gtp_delete_pdp_ctx_response_elements: record { ext: gtp_private_extension &optional; }; -# Prototypes of Bro built-in functions. +# Prototypes of Zeek built-in functions. @load base/bif/bro.bif @load base/bif/stats.bif @load base/bif/reporter.bif 
@@ -1801,13 +1801,13 @@ global log_file_name: function(tag: string): string &redef; ## Deprecated. This is superseded by the new logging framework. global open_log_file: function(tag: string): file &redef; -## Specifies a directory for Bro to store its persistent state. All globals can +## Specifies a directory for Zeek to store its persistent state. All globals can ## be declared persistent via the :zeek:attr:`&persistent` attribute. const state_dir = ".state" &redef; ## Length of the delays inserted when storing state incrementally. To avoid ## dropping packets when serializing larger volumes of persistent state to -## disk, Bro interleaves the operation with continued packet processing. +## disk, Zeek interleaves the operation with continued packet processing. const state_write_delay = 0.01 secs &redef; global done_with_network = F; @@ -1868,7 +1868,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr) global discarder_maxlen = 128 &redef; ## Function for skipping packets based on their IP header. If defined, this -## function will be called for all IP packets before Bro performs any further +## function will be called for all IP packets before Zeek performs any further ## analysis. If the function signals to discard a packet, no further processing ## will be performed on it. ## @@ -1884,7 +1884,7 @@ global discarder_maxlen = 128 &redef; global discarder_check_ip: function(p: pkt_hdr): bool; ## Function for skipping packets based on their TCP header. If defined, this -## function will be called for all TCP packets before Bro performs any further +## function will be called for all TCP packets before Zeek performs any further ## analysis. If the function signals to discard a packet, no further processing ## will be performed on it. ## 
@@ -1902,7 +1902,7 @@ global discarder_check_ip: function(p: pkt_hdr): bool; global discarder_check_tcp: function(p: pkt_hdr, d: string): bool; ## Function for skipping packets based on their UDP header. If defined, this -## function will be called for all UDP packets before Bro performs any further +## function will be called for all UDP packets before Zeek performs any further ## analysis. If the function signals to discard a packet, no further processing ## will be performed on it. ## @@ -1920,7 +1920,7 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool; global discarder_check_udp: function(p: pkt_hdr, d: string): bool; ## Function for skipping packets based on their ICMP header. If defined, this -## function will be called for all ICMP packets before Bro performs any further +## function will be called for all ICMP packets before Zeek performs any further ## analysis. If the function signals to discard a packet, no further processing ## will be performed on it. ## @@ -1935,7 +1935,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool; ## Avoid using it. global discarder_check_icmp: function(p: pkt_hdr): bool; -## Bro's watchdog interval. +## Zeek's watchdog interval. const watchdog_interval = 10 sec &redef; ## The maximum number of timers to expire after processing each new @@ -2711,7 +2711,7 @@ export { ## A set of file names used as named pipes over SMB. This ## only comes into play as a heuristic to identify named - ## pipes when the drive mapping wasn't seen by Bro. + ## pipes when the drive mapping wasn't seen by Zeek. ## ## .. zeek:see:: smb_pipe_connect_heuristic const SMB::pipe_filenames: set[string] &redef; 
@@ -4670,16 +4670,16 @@ const detect_filtered_trace = F &redef; ## .. zeek:see:: content_gap partial_connection const report_gaps_for_partial = F &redef; -## Flag to prevent Bro from exiting automatically when input is exhausted. -## Normally Bro terminates when all packet sources have gone dry -## and communication isn't enabled. If this flag is set, Bro's main loop will +## Flag to prevent Zeek from exiting automatically when input is exhausted. +## Normally Zeek terminates when all packet sources have gone dry +## and communication isn't enabled. If this flag is set, Zeek's main loop will ## instead keep idling until :zeek:see:`terminate` is explicitly called. ## ## This is mainly for testing purposes when termination behaviour needs to be ## controlled for reproducing results. const exit_only_after_terminate = F &redef; -## The CA certificate file to authorize remote Bros/Broccolis. +## The CA certificate file to authorize remote Zeeks/Broccolis. ## ## .. zeek:see:: ssl_private_key ssl_passphrase const ssl_ca_certificate = "" &redef; 
@@ -4690,17 +4690,17 @@ const ssl_ca_certificate = "" &redef; const ssl_private_key = "" &redef; ## The passphrase for our private key. Keeping this undefined -## causes Bro to prompt for the passphrase. +## causes Zeek to prompt for the passphrase. ## ## .. zeek:see:: ssl_private_key ssl_ca_certificate const ssl_passphrase = "" &redef; -## Default mode for Bro's user-space dynamic packet filter. If true, packets +## Default mode for Zeek's user-space dynamic packet filter. If true, packets ## that aren't explicitly allowed through, are dropped from any further ## processing. ## ## .. note:: This is not the BPF packet filter but an additional dynamic filter -## that Bro optionally applies just before normal processing starts. +## that Zeek optionally applies just before normal processing starts. ## ## .. zeek:see:: install_dst_addr_filter install_dst_net_filter ## install_src_addr_filter install_src_net_filter uninstall_dst_addr_filter @@ -4714,7 +4714,7 @@ const sig_max_group_size = 50 &redef; const peer_description = "bro" &redef; ## The number of IO chunks allowed to be buffered between the child -## and parent process of remote communication before Bro starts dropping +## and parent process of remote communication before Zeek starts dropping ## connections to remote peers in an attempt to catch up. const chunked_io_buffer_soft_cap = 800000 &redef; @@ -4730,7 +4730,7 @@ const chunked_io_buffer_soft_cap = 800000 &redef; const dpd_reassemble_first_packets = T &redef; ## Size of per-connection buffer used for dynamic protocol detection. For each -## connection, Bro buffers this initial amount of payload in memory so that +## connection, Zeek buffers this initial amount of payload in memory so that ## complete protocol analysis can start even after the initial packets have ## already passed through (i.e., when a DPD signature matches only later). ## However, once the buffer is full, data is deleted and lost to analyzers that 
@@ -4784,8 +4784,8 @@ const suppress_local_output = F &redef; ## .. zeek:see:: record_all_packets const trace_output_file = ""; -## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it. -## By default, Bro applies (very few) heuristics to reduce the volume. A side +## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it. +## By default, Zeek applies (very few) heuristics to reduce the volume. A side ## effect of setting this to true is that we can write the packets out before we ## actually process them, which can be helpful for debugging in case the ## analysis triggers a crash. @@ -4806,7 +4806,7 @@ module JSON; export { type TimestampFormat: enum { ## Timestamps will be formatted as UNIX epoch doubles. This is - ## the format that Bro typically writes out timestamps. + ## the format that Zeek typically writes out timestamps. TS_EPOCH, ## Timestamps will be formatted as unsigned integers that ## represent the number of milliseconds since the UNIX 
@@ -4877,17 +4877,17 @@ export { module Reporter; export { ## Tunable for sending reporter info messages to STDERR. The option to - ## turn it off is presented here in case Bro is being run by some + ## turn it off is presented here in case Zeek is being run by some ## external harness and shouldn't output anything to the console. const info_to_stderr = T &redef; ## Tunable for sending reporter warning messages to STDERR. The option - ## to turn it off is presented here in case Bro is being run by some + ## to turn it off is presented here in case Zeek is being run by some ## external harness and shouldn't output anything to the console. const warnings_to_stderr = T &redef; ## Tunable for sending reporter error messages to STDERR. The option to - ## turn it off is presented here in case Bro is being run by some + ## turn it off is presented here in case Zeek is being run by some ## external harness and shouldn't output anything to the console. const errors_to_stderr = T &redef; } @@ -4979,8 +4979,8 @@ export { module GLOBAL; ## Seed for hashes computed internally for probabilistic data structures. Using -## the same value here will make the hashes compatible between independent Bro -## instances. If left unset, Bro will use a temporary local seed. +## the same value here will make the hashes compatible between independent Zeek +## instances. If left unset, Zeek will use a temporary local seed. const global_hash_seed: string = "" &redef; ## Number of bits in UIDs that are generated to identify connections and 
@@ -4989,7 +4989,7 @@ const global_hash_seed: string = "" &redef; const bits_per_uid: count = 96 &redef; ## Whether usage of the old communication system is considered an error or -## not. The default Bro configuration no longer works with the non-Broker +## not. The default Zeek configuration no longer works with the non-Broker ## communication system unless you have manually taken action to initialize ## and set up the old comm. system. Deprecation warnings are still emitted ## when setting this flag, but they will not result in a fatal error. diff --git a/scripts/base/init-default.zeek b/scripts/base/init-default.zeek index 6982b0b2f4..d8115895dc 100644 --- a/scripts/base/init-default.zeek +++ b/scripts/base/init-default.zeek @@ -1,5 +1,5 @@ ##! This script loads everything in the base/ script directory. If you want -##! to run Bro without all of these scripts loaded by default, you can use +##! to run Zeek without all of these scripts loaded by default, you can use ##! the ``-b`` (``--bare-mode``) command line argument. You can also copy the ##! "@load" lines from this script to your own script to load only the scripts ##! that you actually want. diff --git a/scripts/base/misc/find-checksum-offloading.zeek b/scripts/base/misc/find-checksum-offloading.zeek index 1edd4f9799..751afeac43 100644 --- a/scripts/base/misc/find-checksum-offloading.zeek +++ b/scripts/base/misc/find-checksum-offloading.zeek 
@@ -50,7 +50,7 @@ event ChecksumOffloading::check() bad_checksum_msg += "UDP"; } - local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg); + local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg); Reporter::warning(message); done = T; } diff --git a/scripts/base/misc/find-filtered-trace.zeek b/scripts/base/misc/find-filtered-trace.zeek index f7bdbb9e91..e4dcf9848c 100644 --- a/scripts/base/misc/find-filtered-trace.zeek +++ b/scripts/base/misc/find-filtered-trace.zeek @@ -2,7 +2,7 @@ ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST ##! packets and no content). On finding such a trace, a warning is ##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace` -##! option may be desired if the user does not want Bro to report +##! option may be desired if the user does not want Zeek to report ##! missing TCP segments. module FilteredTraceDetection; 
@@ -45,5 +45,5 @@ event zeek_done() return; if ( ! saw_tcp_conn_with_data ) - Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired."); + Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered. By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired."); } diff --git a/scripts/base/misc/version.zeek b/scripts/base/misc/version.zeek index 4066dadedd..1a453487b2 100644 --- a/scripts/base/misc/version.zeek +++ b/scripts/base/misc/version.zeek @@ -1,4 +1,4 @@ -##! Provide information about the currently running Bro version. +##! Provide information about the currently running Zeek version. ##! The most convenient way to access this are the Version::number ##! and Version::info constants. @@ -8,12 +8,12 @@ module Version; export { - ## A type exactly describing a Bro version + ## A type exactly describing a Zeek version type VersionDescription: record { ## Number representing the version which can be used for easy comparison. ## The format of the number is ABBCC with A being the major version, ## bb being the minor version (2 digits) and CC being the patchlevel (2 digits). - ## As an example, Bro 2.4.1 results in the number 20401. + ## As an example, Zeek 2.4.1 results in the number 20401. version_number: count; ## Major version number (e.g. 2 for 2.5) major: count; 
@@ -23,7 +23,7 @@ export { patch: count; ## Commit number for development versions, e.g. 12 for 2.4-12. 0 for non-development versions commit: count; - ## If set to true, the version is a beta build of Bro + ## If set to true, the version is a beta build of Zeek beta: bool; ## If set to true, the version is a debug build debug: bool; @@ -33,12 +33,12 @@ export { ## Parse a given version string. ## - ## version_string: Bro version string. + ## version_string: Zeek version string. ## ## Returns: `VersionDescription` record. global parse: function(version_string: string): VersionDescription; - ## Test if the current running version of Bro is greater or equal to the given version + ## Test if the current running version of Zeek is greater or equal to the given version ## string. ## ## version_string: Version to check against the current running version. @@ -74,13 +74,13 @@ function parse(version_string: string): VersionDescription } export { - ## version number of the currently running version of Bro as a numeric representation. + ## version number of the currently running version of Zeek as a numeric representation. ## The format of the number is ABBCC with A being the major version, ## bb being the minor version (2 digits) and CC being the patchlevel (2 digits). - ## As an example, Bro 2.4.1 results in the number 20401 + ## As an example, Zeek 2.4.1 results in the number 20401 const number = Version::parse(bro_version())$version_number; - ## `VersionDescription` record pertaining to the currently running version of Bro. + ## `VersionDescription` record pertaining to the currently running version of Zeek. const info = Version::parse(bro_version()); } diff --git a/scripts/base/protocols/conn/main.zeek b/scripts/base/protocols/conn/main.zeek index ecc9e436ac..653aa6816d 100644 --- a/scripts/base/protocols/conn/main.zeek +++ b/scripts/base/protocols/conn/main.zeek 
@@ -112,7 +112,7 @@ export { ## w packet with a zero window advertisement ## i inconsistent packet (e.g. FIN+RST bits set) ## q multi-flag packet (SYN+FIN or SYN+RST bits set) - ## ^ connection direction was flipped by Bro's heuristic + ## ^ connection direction was flipped by Zeek's heuristic ## ====== ==================================================== ## ## If the event comes from the originator, the letter is in diff --git a/scripts/base/protocols/dhcp/main.zeek b/scripts/base/protocols/dhcp/main.zeek index 1f98cd0583..f72283a503 100644 --- a/scripts/base/protocols/dhcp/main.zeek +++ b/scripts/base/protocols/dhcp/main.zeek @@ -138,7 +138,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval # If a message hasn't been seen in the past 5 seconds or the # total time watching has been more than the maximum time # allowed by the configuration then log this data and expire it. - # Also, if Bro is shutting down. + # Also, if Zeek is shutting down. if ( (now - info$last_message_ts) > 5sec || (now - info$ts) > max_txid_watch_time || bro_is_terminating() ) diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek index f91a94b0cb..b8cb2b80b5 100644 --- a/scripts/base/protocols/dns/main.zeek +++ b/scripts/base/protocols/dns/main.zeek @@ -116,7 +116,7 @@ export { ## Give up trying to match pending DNS queries or replies for a given ## query/transaction ID once this number of unmatched queries or replies ## is reached (this shouldn't happen unless either the DNS server/resolver - ## is broken, Bro is not seeing all the DNS traffic, or an AXFR query + ## is broken, Zeek is not seeing all the DNS traffic, or an AXFR query ## response is ongoing). option max_pending_msgs = 50; 
@@ -561,7 +561,7 @@ event connection_state_remove(c: connection) &priority=-5 if ( ! c?$dns_state ) return; - # If Bro is expiring state, we should go ahead and log all unmatched + # If Zeek is expiring state, we should go ahead and log all unmatched # queries and replies now. if( c$dns_state?$pending_query ) Log::write(DNS::LOG, c$dns_state$pending_query); diff --git a/scripts/base/utils/active-http.zeek b/scripts/base/utils/active-http.zeek index 27eb6e2bb2..4f84ebca71 100644 --- a/scripts/base/utils/active-http.zeek +++ b/scripts/base/utils/active-http.zeek @@ -78,7 +78,7 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string function request(req: Request): ActiveHTTP::Response { - local tmpfile = "/tmp/bro-activehttp-" + unique_id(""); + local tmpfile = "/tmp/zeek-activehttp-" + unique_id(""); local bodyfile = fmt("%s_body", tmpfile); local headersfile = fmt("%s_headers", tmpfile); diff --git a/scripts/base/utils/geoip-distance.zeek b/scripts/base/utils/geoip-distance.zeek index 8aa2601500..241c274175 100644 --- a/scripts/base/utils/geoip-distance.zeek +++ b/scripts/base/utils/geoip-distance.zeek @@ -1,7 +1,7 @@ ##! Functions to calculate distance between two locations, based on GeoIP data. ## Returns the distance between two IP addresses using the haversine formula, -## based on GeoIP database locations. Requires Bro to be built with GeoIP. +## based on GeoIP database locations. Requires Zeek to be built with GeoIP. ## ## a1: First IP address. ## diff --git a/scripts/base/utils/json.zeek b/scripts/base/utils/json.zeek index ead214f93e..5bce89d18b 100644 --- a/scripts/base/utils/json.zeek +++ b/scripts/base/utils/json.zeek 
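Review bot: In the `request` hunk of scripts/base/utils/active-http.zeek, the renamed `tmpfile` is still built under the shared `/tmp` directory from a fixed prefix plus `unique_id("")`, and the `_body` and `_headers` names derived from it are presumably passed to `request2curl`, whose signature takes `bodyfile` and `headersfile`. Whether `unique_id` output is unguessable is not visible here, so on a multi-user host another local account may be able to pre-create or symlink those paths before they are written. A redef-able base directory would let deployments point this at a location only the Zeek user can write, e.g. `const tmp_dir = "/tmp" &redef;` in the export block and `local tmpfile = fmt("%s/zeek-activehttp-%s", tmp_dir, unique_id(""));`. The prefix change also means any cleanup job or file-monitoring rule that matches `/tmp/bro-activehttp-*` needs updating. The body of `request` continues outside the hunk.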
@@ -1,9 +1,9 @@ -##! Functions to assist with generating JSON data from Bro data scructures. +##! Functions to assist with generating JSON data from Zeek data scructures. # We might want to implement this in core somtime, this looks... hacky at best. @load base/utils/strings -## A function to convert arbitrary Bro data into a JSON string. +## A function to convert arbitrary Zeek data into a JSON string. ## ## v: The value to convert to JSON. Typically a record. ## diff --git a/scripts/base/utils/patterns.zeek b/scripts/base/utils/patterns.zeek index 6d955339f8..861f0b20bd 100644 --- a/scripts/base/utils/patterns.zeek +++ b/scripts/base/utils/patterns.zeek @@ -9,7 +9,7 @@ module GLOBAL; ## ss: a set of strings to OR together. ## ## pat: the pattern containing a "~~" in it. If a literal backslash is -## included, it needs to be escaped with another backslash due to Bro's +## included, it needs to be escaped with another backslash due to Zeek's ## string parsing reducing it to a single backslash upon rendering. ## ## Returns: the input pattern with "~~" replaced by OR'd elements of input set. diff --git a/scripts/base/utils/site.zeek b/scripts/base/utils/site.zeek index 949f340410..94c487f7a3 100644 --- a/scripts/base/utils/site.zeek +++ b/scripts/base/utils/site.zeek @@ -17,7 +17,7 @@ export { [::1]/128, }; - ## Networks that are considered "local". Note that BroControl sets + ## Networks that are considered "local". Note that ZeekControl sets ## this automatically. option local_nets: set[subnet] = {}; diff --git a/scripts/base/utils/strings.zeek b/scripts/base/utils/strings.zeek index 8a3f03faaa..4fa002acd6 100644 --- a/scripts/base/utils/strings.zeek +++ b/scripts/base/utils/strings.zeek 
@@ -1,5 +1,5 @@ ##! Functions to assist with small string analysis and manipulation that can -##! be implemented as Bro functions and don't need to be implemented as built-in +##! be implemented as Zeek functions and don't need to be implemented as built-in ##! functions. ## Returns true if the given string is at least 25% composed of 8-bit diff --git a/scripts/policy/frameworks/control/controllee.zeek b/scripts/policy/frameworks/control/controllee.zeek index 784cad52f9..f807915852 100644 --- a/scripts/policy/frameworks/control/controllee.zeek +++ b/scripts/policy/frameworks/control/controllee.zeek @@ -1,5 +1,5 @@ ##! The controllee portion of the control framework. Load this script if remote -##! runtime control of the Bro process is desired. +##! runtime control of the Zeek process is desired. ##! ##! A controllee only needs to load the controllee script in addition ##! to the specific analysis scripts desired. It may also need a node diff --git a/scripts/policy/frameworks/control/controller.zeek b/scripts/policy/frameworks/control/controller.zeek index 1e58f68821..b68f89b345 100644 --- a/scripts/policy/frameworks/control/controller.zeek +++ b/scripts/policy/frameworks/control/controller.zeek @@ -1,5 +1,5 @@ ##! This is a utility script that implements the controller interface for the -##! control framework. It's intended to be run to control a remote Bro +##! control framework. It's intended to be run to control a remote Zeek ##! and then shutdown. ##! ##! It's intended to be used from the command line like this:: diff --git a/scripts/policy/frameworks/packet-filter/shunt.zeek b/scripts/policy/frameworks/packet-filter/shunt.zeek index 3a08dfaddd..8fd2596fdc 100644 --- a/scripts/policy/frameworks/packet-filter/shunt.zeek +++ b/scripts/policy/frameworks/packet-filter/shunt.zeek 
@@ -4,18 +4,18 @@ module PacketFilter; export { - ## The maximum number of BPF based shunts that Bro is allowed to perform. + ## The maximum number of BPF based shunts that Zeek is allowed to perform. const max_bpf_shunts = 100 &redef; ## Call this function to use BPF to shunt a connection (to prevent the - ## data packets from reaching Bro). For TCP connections, control - ## packets are still allowed through so that Bro can continue logging + ## data packets from reaching Zeek). For TCP connections, control + ## packets are still allowed through so that Zeek can continue logging ## the connection and it can stop shunting once the connection ends. global shunt_conn: function(id: conn_id): bool; ## This function will use a BPF expression to shunt traffic between ## the two hosts given in the `conn_id` so that the traffic is never - ## exposed to Bro's traffic processing. + ## exposed to Zeek's traffic processing. global shunt_host_pair: function(id: conn_id): bool; ## Remove shunting for a host pair given as a `conn_id`. The filter diff --git a/scripts/policy/integration/barnyard2/main.zeek b/scripts/policy/integration/barnyard2/main.zeek index 876467eb8a..7e77e66ee6 100644 --- a/scripts/policy/integration/barnyard2/main.zeek +++ b/scripts/policy/integration/barnyard2/main.zeek @@ -1,4 +1,4 @@ -##! This script lets Barnyard2 integrate with Bro. It receives alerts from +##! This script lets Barnyard2 integrate with Zeek. It receives alerts from ##! Barnyard2 and logs them. In the future it will do more correlation ##! and derive new notices from the alerts. @@ -20,7 +20,7 @@ export { ## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to ## a :zeek:type:`conn_id` value in the case that you might need to index - ## into an existing data structure elsewhere within Bro. + ## into an existing data structure elsewhere within Zeek. global pid2cid: function(p: PacketID): conn_id; } 
diff --git a/scripts/policy/integration/collective-intel/README b/scripts/policy/integration/collective-intel/README index 17d534c8dd..3e28be5903 100644 --- a/scripts/policy/integration/collective-intel/README +++ b/scripts/policy/integration/collective-intel/README @@ -1,4 +1,4 @@ The scripts in this module are for deeper integration with the -Collective Intelligence Framework (CIF) since Bro's Intel framework +Collective Intelligence Framework (CIF) since Zeek's Intel framework doesn't natively behave the same as CIF nor does it store and maintain the same data in all cases. diff --git a/scripts/policy/integration/collective-intel/main.zeek b/scripts/policy/integration/collective-intel/main.zeek index 48459c378a..fac86dd744 100644 --- a/scripts/policy/integration/collective-intel/main.zeek +++ b/scripts/policy/integration/collective-intel/main.zeek @@ -3,7 +3,7 @@ module Intel; -## These are some fields to add extended compatibility between Bro and the +## These are some fields to add extended compatibility between Zeek and the ## Collective Intelligence Framework. redef record Intel::MetaData += { ## Maps to the Impact field in the Collective Intelligence Framework. diff --git a/scripts/policy/misc/capture-loss.zeek b/scripts/policy/misc/capture-loss.zeek index c6516d46eb..2864a81109 100644 --- a/scripts/policy/misc/capture-loss.zeek +++ b/scripts/policy/misc/capture-loss.zeek @@ -25,7 +25,7 @@ export { ts: time &log; ## The time delay between this measurement and the last. ts_delta: interval &log; - ## In the event that there are multiple Bro instances logging + ## In the event that there are multiple Zeek instances logging ## to the same host, this distinguishes each peer with its ## individual name. peer: string &log; diff --git a/scripts/policy/misc/dump-events.zeek b/scripts/policy/misc/dump-events.zeek index 7d27e91981..9b3a78ffd3 100644 --- a/scripts/policy/misc/dump-events.zeek +++ b/scripts/policy/misc/dump-events.zeek 
@@ -1,6 +1,6 @@ -##! This script dumps the events that Bro raises out to standard output in a +##! This script dumps the events that Zeek raises out to standard output in a ##! readable form. This is for debugging only and allows to understand events and -##! their parameters as Bro processes input. Note that it will show only events +##! their parameters as Zeek processes input. Note that it will show only events ##! for which a handler is defined. module DumpEvents; diff --git a/scripts/policy/misc/load-balancing.zeek b/scripts/policy/misc/load-balancing.zeek index 62f352f12e..7a1be09871 100644 --- a/scripts/policy/misc/load-balancing.zeek +++ b/scripts/policy/misc/load-balancing.zeek @@ -1,5 +1,5 @@ -##! This script implements the "Bro side" of several load balancing -##! approaches for Bro clusters. +##! This script implements the "Zeek side" of several load balancing +##! approaches for Zeek clusters. @load base/frameworks/cluster @load base/frameworks/packet-filter diff --git a/scripts/policy/misc/profiling.zeek b/scripts/policy/misc/profiling.zeek index fed8c41f54..197d3a3f82 100644 --- a/scripts/policy/misc/profiling.zeek +++ b/scripts/policy/misc/profiling.zeek @@ -1,4 +1,4 @@ -##! Turns on profiling of Bro resource consumption. +##! Turns on profiling of Zeek resource consumption. module Profiling; diff --git a/scripts/policy/misc/stats.zeek b/scripts/policy/misc/stats.zeek index 9c4ae4e792..8c59c30c30 100644 --- a/scripts/policy/misc/stats.zeek +++ b/scripts/policy/misc/stats.zeek @@ -100,7 +100,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr local ds = get_dns_stats(); if ( bro_is_terminating() ) - # No more stats will be written or scheduled when Bro is + # No more stats will be written or scheduled when Zeek is # shutting down. return; diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek index 702ab59ca3..19bf2cef05 100644 
--- a/scripts/policy/protocols/conn/known-hosts.zeek +++ b/scripts/policy/protocols/conn/known-hosts.zeek @@ -1,4 +1,4 @@ -##! This script logs hosts that Bro determines have performed complete TCP +##! This script logs hosts that Zeek determines have performed complete TCP ##! handshakes and logs the address once per day (by default). The log that ##! is output provides an easy way to determine a count of the IP addresses in ##! use on a network per day. @@ -22,7 +22,7 @@ export { }; ## Toggles between different implementations of this script. - ## When true, use a Broker data store, else use a regular Bro set + ## When true, use a Broker data store, else use a regular Zeek set ## with keys uniformly distributed over proxy nodes in cluster ## operation. const use_host_store = T &redef; diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek index 767962b791..fc8c3e806e 100644 --- a/scripts/policy/protocols/conn/known-services.zeek +++ b/scripts/policy/protocols/conn/known-services.zeek @@ -28,7 +28,7 @@ export { }; ## Toggles between different implementations of this script. - ## When true, use a Broker data store, else use a regular Bro set + ## When true, use a Broker data store, else use a regular Zeek set ## with keys uniformly distributed over proxy nodes in cluster ## operation. const use_service_store = T &redef; diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek index 58eecceb11..12a9a0c312 100644 --- a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek +++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek 
@@ -10,7 +10,7 @@ export { ## Places where it's suspicious for mail to originate from represented ## as all-capital, two character country codes (e.g., US). It requires - ## Bro to be built with GeoIP support. + ## Zeek to be built with GeoIP support. option suspicious_origination_countries: set[string] = {}; option suspicious_origination_networks: set[subnet] = {}; diff --git a/scripts/policy/protocols/smtp/software.zeek b/scripts/policy/protocols/smtp/software.zeek index e4333c10ef..69cfdf4c57 100644 --- a/scripts/policy/protocols/smtp/software.zeek +++ b/scripts/policy/protocols/smtp/software.zeek @@ -26,7 +26,7 @@ export { }; ## Assuming that local mail servers are more trustworthy with the - ## headers they insert into message envelopes, this default makes Bro + ## headers they insert into message envelopes, this default makes Zeek ## not attempt to detect software in inbound message bodies. If mail ## coming in from external addresses gives incorrect data in ## the Received headers, it could populate your SOFTWARE logging stream diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek index 3a8ec75922..9830ad0ed5 100644 --- a/scripts/policy/protocols/ssl/known-certs.zeek +++ b/scripts/policy/protocols/ssl/known-certs.zeek @@ -32,7 +32,7 @@ export { option cert_tracking = LOCAL_HOSTS; ## Toggles between different implementations of this script. - ## When true, use a Broker data store, else use a regular Bro set + ## When true, use a Broker data store, else use a regular Zeek set ## with keys uniformly distributed over proxy nodes in cluster ## operation. const use_cert_store = T &redef; diff --git a/scripts/policy/protocols/ssl/validate-certs.zeek b/scripts/policy/protocols/ssl/validate-certs.zeek index 6a85627b3c..4d23c8e02d 100644 --- a/scripts/policy/protocols/ssl/validate-certs.zeek +++ b/scripts/policy/protocols/ssl/validate-certs.zeek 
@@ -34,7 +34,7 @@ export { &read_expire=5mins &redef; ## Use intermediate CA certificate caching when trying to validate - ## certificates. When this is enabled, Bro keeps track of all valid + ## certificates. When this is enabled, Zeek keeps track of all valid ## intermediate CA certificates that it has seen in the past. When ## encountering a host certificate that cannot be validated because ## of missing intermediate CA certificate, the cached list is used diff --git a/scripts/policy/protocols/ssl/validate-sct.zeek b/scripts/policy/protocols/ssl/validate-sct.zeek index b4db3666eb..98c2f0c647 100644 --- a/scripts/policy/protocols/ssl/validate-sct.zeek +++ b/scripts/policy/protocols/ssl/validate-sct.zeek @@ -34,7 +34,7 @@ export { logid: string; ## The timestamp at which this SCT was issued measured since the ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in - ## milliseconds. Not converted to a Bro timestamp because we need + ## milliseconds. Not converted to a Zeek timestamp because we need ## the exact value for validation. timestamp: count; ## The signature algorithm used for this sct. diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek index 0eadf0ff57..a6e5987664 100644 --- a/scripts/test-all-policy.zeek +++ b/scripts/test-all-policy.zeek @@ -1,4 +1,4 @@ -# This file loads ALL policy scripts that are part of the Bro distribution. +# This file loads ALL policy scripts that are part of the Zeek distribution. # # This is rarely makes sense, and is for testing only. # diff --git a/zeek-config.h.in b/zeek-config.h.in index 356e790c8e..d460e6db8e 100644 --- a/zeek-config.h.in +++ b/zeek-config.h.in 
@@ -222,12 +222,12 @@ /* String with extension of dynamic libraries (e.g., ".so") */ #define DYNAMIC_PLUGIN_SUFFIX "@CMAKE_SHARED_MODULE_SUFFIX@" -/* True if we're building outside of the main Bro source code tree. */ +/* True if we're building outside of the main Zeek source code tree. */ #ifndef BRO_PLUGIN_INTERNAL_BUILD #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@ #endif -/* A C function that has the Bro version encoded into its name. */ +/* A C function that has the Zeek version encoded into its name. */ #define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@ #ifdef __cplusplus extern "C" { diff --git a/zeek-path-dev.in b/zeek-path-dev.in index de8b0274b9..ab3ac81f1d 100755 --- a/zeek-path-dev.in +++ b/zeek-path-dev.in @@ -1,13 +1,13 @@ #!/bin/sh -# After configured by CMake, this file prints the absolute path to Bro scripts -# that come with the source distributions of Bro as well as scripts that are +# After configured by CMake, this file prints the absolute path to Zeek scripts +# that come with the source distributions of Zeek as well as scripts that are # generated by the BIF compiler at compile time. # -# The intended use of this script is to make it easier to run Bro from +# The intended use of this script is to make it easier to run Zeek from # the build directory, avoiding the need to install it. This could be # done like: # -# BROPATH=`./bro-path-dev` ./src/bro +# BROPATH=`./zeek-path-dev` ./src/zeek # echo .:${CMAKE_SOURCE_DIR}/scripts:${CMAKE_SOURCE_DIR}/scripts/policy:${CMAKE_SOURCE_DIR}/scripts/site:${CMAKE_BINARY_DIR}/scripts