More bro-to-zeek renaming in scripts and other files

CMakeLists.txt

@@ -1,7 +1,7 @@
 project(Bro C CXX)
 
 # When changing the minimum version here, also adapt
-# aux/bro-aux/plugin-support/skeleton/CMakeLists.txt
+# aux/zeek-aux/plugin-support/skeleton/CMakeLists.txt
 cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR)
 
 include(cmake/CommonCMakeConfig.cmake)
@@ -23,16 +23,16 @@ endif ()
 
 set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX})
 if (NOT BRO_SCRIPT_INSTALL_PATH)
-    # set the default Bro script installation path (user did not specify one)
+    # set the default Zeek script installation path (user did not specify one)
     set(BRO_SCRIPT_INSTALL_PATH ${BRO_ROOT_DIR}/share/bro)
 endif ()
 
 if (NOT BRO_MAN_INSTALL_PATH)
-    # set the default Bro man page installation path (user did not specify one)
+    # set the default Zeek man page installation path (user did not specify one)
     set(BRO_MAN_INSTALL_PATH ${BRO_ROOT_DIR}/share/man)
 endif ()
 
-# sanitize the Bro script install directory into an absolute path
+# sanitize the Zeek script install directory into an absolute path
 # (CMake is confused by ~ as a representation of home directory)
 get_filename_component(BRO_SCRIPT_INSTALL_PATH ${BRO_SCRIPT_INSTALL_PATH}
     ABSOLUTE)
@@ -358,12 +358,12 @@ if (CMAKE_BUILD_TYPE)
 endif ()
 
 message(
-    "\n====================|  Bro Build Summary  |====================="
+    "\n====================|  Zeek Build Summary  |===================="
     "\n"
     "\nBuild type:        ${CMAKE_BUILD_TYPE}"
     "\nBuild dir:         ${CMAKE_BINARY_DIR}"
     "\nInstall prefix:    ${CMAKE_INSTALL_PREFIX}"
-    "\nBro Script Path:   ${BRO_SCRIPT_INSTALL_PATH}"
+    "\nZeek Script Path:  ${BRO_SCRIPT_INSTALL_PATH}"
     "\nDebug mode:        ${ENABLE_DEBUG}"
     "\n"
     "\nCC:                ${CMAKE_C_COMPILER}"

Makefile

@@ -55,9 +55,9 @@ test:
 	-@( cd testing && make )
 
 test-aux:
-	-test -d aux/broctl && ( cd aux/broctl && make test-all )
+	-test -d aux/zeekctl && ( cd aux/zeekctl && make test-all )
 	-test -d aux/btest  && ( cd aux/btest && make test )
-	-test -d aux/bro-aux && ( cd aux/bro-aux && make test )
+	-test -d aux/zeek-aux && ( cd aux/zeek-aux && make test )
 	-test -d aux/plugins && ( cd aux/plugins && make test-all )
 
 test-all: test test-aux

NEWS

@@ -1,5 +1,5 @@
 
-This document summarizes the most important changes in the current Bro
+This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)
 
@@ -18,7 +18,7 @@ New Functionality
   - dns_NSEC
   - dns_NSEC3
 
-- Bro's Plugin framework now allows a patch version.  If a patch version is not
+- Zeek's Plugin framework now allows a patch version.  If a patch version is not
   provided, it will default to 0.  To specify this, modify the plugin
   Configuration class in your ``src/Plugin.cc`` and set
   ``config.version.patch``.  Note that the default plugin skeleton

configure

@@ -32,7 +32,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
   Installation Directories:
     --prefix=PREFIX        installation directory [/usr/local/bro]
-    --scriptdir=PATH       root installation directory for Bro scripts
+    --scriptdir=PATH       root installation directory for Zeek scripts
                            [PREFIX/share/bro]
     --localstatedir=PATH   when using ZeekControl, path to store log files
                            and run-time data (within log/ and spool/ subdirs)
@@ -51,12 +51,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
                            (automatically on when perftools is present on Linux)
     --enable-perftools-debug use Google's perftools for debugging
     --enable-jemalloc      link against jemalloc
-    --enable-static-broker build broker statically (ignored if --with-broker is specified)
+    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
     --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
     --disable-zeekctl      don't install ZeekControl
     --disable-auxtools     don't build or install auxiliary tools
     --disable-perftools    don't try to build with Google Perftools
-    --disable-python       don't try to build python bindings for broker
+    --disable-python       don't try to build python bindings for Broker
     --disable-broker-tests don't try to build Broker unit tests
 
   Required Packages in Non-Standard Locations:
@@ -65,13 +65,13 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --with-pcap=PATH       path to libpcap install root
     --with-binpac=PATH     path to BinPAC executable
                            (useful for cross-compiling)
-    --with-bifcl=PATH      path to Bro BIF compiler executable
+    --with-bifcl=PATH      path to Zeek BIF compiler executable
                            (useful for cross-compiling)
     --with-flex=PATH       path to flex executable
     --with-bison=PATH      path to bison executable
     --with-python=PATH     path to Python executable
     --with-broker=PATH     path to Broker install root
-                           (Bro uses an embedded version by default)
+                           (Zeek uses an embedded version by default)
     --with-caf=PATH        path to C++ Actor Framework install root
                            (a Broker dependency that is embedded by default)
 

man/zeek.8

@@ -5,13 +5,13 @@ bro \- passive network traffic analyzer
 .B bro
 \/\fP [\fIoptions\fR] [\fIfile\fR ...]
 .SH DESCRIPTION
-Bro is primarily a security monitor that inspects all traffic on a link in
+Zeek is primarily a security monitor that inspects all traffic on a link in
-depth for signs of suspicious activity. More generally, however, Bro
+depth for signs of suspicious activity. More generally, however, Zeek
 supports a wide range of traffic analysis tasks even outside of the
 security domain, including performance measurements and helping with
 trouble-shooting.
 
-Bro comes with built-in functionality for a range of analysis and detection
+Zeek comes with built-in functionality for a range of analysis and detection
 tasks, including detecting malware by interfacing to external registries,
 reporting vulnerable versions of software seen on the network, identifying
 popular web applications, detecting SSH brute-forcing, validating SSL
@@ -108,12 +108,12 @@ load seeds from given file
 \fB\-\-save\-seeds\fR <file>
 save seeds to given file
 .TP
-The following option is available only when Bro is built with the \-\-enable\-debug configure option:
+The following option is available only when Zeek is built with the \-\-enable\-debug configure option:
 .TP
 \fB\-B\fR,\ \-\-debug <dbgstreams>
 Enable debugging output for selected streams ('-B help' for help)
 .TP
-The following options are available only when Bro is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
+The following options are available only when Zeek is built with gperftools support (use the \-\-enable\-perftools and \-\-enable\-perftools\-debug configure options):
 .TP
 \fB\-m\fR,\ \-\-mem-leaks
 show leaks
@@ -150,4 +150,4 @@ Output file for script execution statistics
 Disable Zeekygen (Broxygen) documentation support
 .SH AUTHOR
 .B bro
-was written by The Bro Project <info@bro.org>.
+was written by The Zeek Project <info@zeek.org>.

scripts/CMakeLists.txt

@@ -11,7 +11,7 @@ install(DIRECTORY ./ DESTINATION ${BRO_SCRIPT_INSTALL_PATH} FILES_MATCHING
 if ( NOT BINARY_PACKAGING_MODE )
   # If the user has a local.bro file from a previous installation, prefer to
   # symlink local.zeek to it to avoid breaking their custom configuration --
-  # because BroControl will now prefer to load local.zeek rather than local.bro
+  # because ZeekControl will now prefer to load local.zeek rather than local.bro
   # and we're about to install a default version of local.zeek.
 
   set(_local_bro_dst ${BRO_SCRIPT_INSTALL_PATH}/site/local.bro)

scripts/base/frameworks/analyzer/README

@@ -1,3 +1,3 @@
-The analyzer framework allows to dynamically enable or disable Bro's
+The analyzer framework allows to dynamically enable or disable Zeek's
 protocol analyzers, as well as to manage the well-known ports which
 automatically activate a particular analyzer for new connections.

scripts/base/frameworks/analyzer/main.zeek

@@ -1,4 +1,4 @@
-##! Framework for managing Bro's protocol analyzers.
+##! Framework for managing Zeek's protocol analyzers.
 ##!
 ##! The analyzer framework allows to dynamically enable or disable analyzers, as
 ##! well as to manage the well-known ports which automatically activate a
@@ -21,7 +21,7 @@ export {
 	global disable_all = F &redef;
 
 	## Enables an analyzer. Once enabled, the analyzer may be used for analysis
-	## of future connections as decided by Bro's dynamic protocol detection.
+	## of future connections as decided by Zeek's dynamic protocol detection.
 	##
 	## tag: The tag of the analyzer to enable.
 	##

scripts/base/frameworks/broker/README

@@ -1,2 +1,2 @@
-The Broker communication framework facilitates connecting to remote Bro
+The Broker communication framework facilitates connecting to remote Zeek
 instances to share state and transfer events.

scripts/base/frameworks/broker/main.zeek

@@ -32,27 +32,27 @@ export {
 	const disable_ssl = F &redef;
 
 	## Path to a file containing concatenated trusted certificates 
-	## in PEM format. If set, Bro will require valid certificates for
+	## in PEM format. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_cafile = "" &redef;
 
 	## Path to an OpenSSL-style directory of trusted certificates.
-	## If set, Bro will require valid certificates for
+	## If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_capath = "" &redef;
 
 	## Path to a file containing a X.509 certificate for this
-	## node in PEM format. If set, Bro will require valid certificates for
+	## node in PEM format. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_certificate = "" &redef;
 
 	## Passphrase to decrypt the private key specified by
-	## :zeek:see:`Broker::ssl_keyfile`. If set, Bro will require valid
+	## :zeek:see:`Broker::ssl_keyfile`. If set, Zeek will require valid
 	## certificates for all peers.
 	const ssl_passphrase = "" &redef;
 
 	## Path to the file containing the private key for this node's
-	## certificate. If set, Bro will require valid certificates for
+	## certificate. If set, Zeek will require valid certificates for
 	## all peers.
 	const ssl_keyfile = "" &redef;
 
@@ -347,7 +347,7 @@ export {
 	##        Peers advertise interest by registering a subscription to some
 	##        prefix of this topic name.
 	##
-	## ev: a Bro event value.
+	## ev: a Zeek event value.
 	##
 	## Returns: true if automatic event sending is now enabled.
 	global auto_publish: function(topic: string, ev: any): bool;

scripts/base/frameworks/broker/store.zeek

@@ -365,15 +365,15 @@ export {
 	# Data API               #
 	##########################
 
-	## Convert any Bro value to communication data.
+	## Convert any Zeek value to communication data.
 	##
 	## .. note:: Normally you won't need to use this function as data
-	##    conversion happens implicitly when passing Bro values into Broker
+	##    conversion happens implicitly when passing Zeek values into Broker
 	##    functions.
 	##
-	## d: any Bro value to attempt to convert (not all types are supported).
+	## d: any Zeek value to attempt to convert (not all types are supported).
 	##
-	## Returns: the converted communication data.  If the supplied Bro data
+	## Returns: the converted communication data.  If the supplied Zeek data
 	##          type does not support conversion to communication data, the
 	##          returned record's optional field will not be set.
 	global data: function(d: any): Broker::Data;

scripts/base/frameworks/cluster/README

@@ -1,2 +1,2 @@
 The cluster framework provides for establishing and controlling a cluster
-of Bro instances.
+of Zeek instances.

scripts/base/frameworks/cluster/main.zeek

@@ -1,6 +1,6 @@
-##! A framework for establishing and controlling a cluster of Bro instances.
+##! A framework for establishing and controlling a cluster of Zeek instances.
 ##! In order to use the cluster framework, a script named
-##! ``cluster-layout.zeek`` must exist somewhere in Bro's script search path
+##! ``cluster-layout.zeek`` must exist somewhere in Zeek's script search path
 ##! which has a cluster definition of the :zeek:id:`Cluster::nodes` variable.
 ##! The ``CLUSTER_NODE`` environment variable or :zeek:id:`Cluster::node`
 ##! must also be sent and the cluster framework loaded as a package like
@@ -178,7 +178,7 @@ export {
 	global is_enabled: function(): bool;
 
 	## This function can be called at any time to determine what type of
-	## cluster node the current Bro instance is going to be acting as.
+	## cluster node the current Zeek instance is going to be acting as.
 	## If :zeek:id:`Cluster::is_enabled` returns false, then
 	## :zeek:enum:`Cluster::NONE` is returned.
 	##
@@ -194,7 +194,7 @@ export {
 	## The cluster layout definition.  This should be placed into a filter
 	## named cluster-layout.zeek somewhere in the BROPATH.  It will be
 	## automatically loaded if the CLUSTER_NODE environment variable is set.
-	## Note that BroControl handles all of this automatically.
+	## Note that ZeekControl handles all of this automatically.
 	## The table is typically indexed by node names/labels (e.g. "manager"
 	## or "worker-1").
 	const nodes: table[string] of Node = {} &redef;
@@ -202,7 +202,7 @@ export {
 	## Indicates whether or not the manager will act as the logger and receive
 	## logs.  This value should be set in the cluster-layout.zeek script (the
 	## value should be true only if no logger is specified in Cluster::nodes).
-	## Note that BroControl handles this automatically.
+	## Note that ZeekControl handles this automatically.
 	const manager_is_logger = T &redef;
 
 	## This is usually supplied on the command line for each instance

scripts/base/frameworks/cluster/nodes/logger.zeek

@@ -1,7 +1,7 @@
-##! This is the core Bro script to support the notion of a cluster logger.
+##! This is the core Zeek script to support the notion of a cluster logger.
 ##!
-##! The logger is passive (other Bro instances connect to us), and once
+##! The logger is passive (other Zeek instances connect to us), and once
-##! connected the logger receives logs from other Bro instances.
+##! connected the logger receives logs from other Zeek instances.
 ##! This script will be automatically loaded if necessary based on the
 ##! type of node being started.
 

scripts/base/frameworks/cluster/nodes/manager.zeek

@@ -1,4 +1,4 @@
-##! This is the core Bro script to support the notion of a cluster manager.
+##! This is the core Zeek script to support the notion of a cluster manager.
 ##!
 ##! The manager is passive (the workers connect to us), and once connected
 ##! the manager registers for the events on the workers that are needed

scripts/base/frameworks/cluster/nodes/proxy.zeek

@@ -1,4 +1,4 @@
-##! Redefines the options common to all proxy nodes within a Bro cluster.
+##! Redefines the options common to all proxy nodes within a Zeek cluster.
 ##! In particular, proxies are not meant to produce logs locally and they
 ##! do not forward events anywhere, they mainly synchronize state between
 ##! worker nodes.

scripts/base/frameworks/cluster/nodes/worker.zeek

@@ -1,4 +1,4 @@
-##! Redefines some options common to all worker nodes within a Bro cluster.
+##! Redefines some options common to all worker nodes within a Zeek cluster.
 ##! In particular, worker nodes do not produce logs locally, instead they
 ##! send them off to a logger node for processing.
 

scripts/base/frameworks/cluster/pools.zeek

@@ -351,7 +351,7 @@ event zeek_init() &priority=-5
 		return;
 
 	# Sorting now ensures the node distribution process is stable even if
-	# there's a change in the order of time-of-registration between Bro runs.
+	# there's a change in the order of time-of-registration between Zeek runs.
 	sort(registered_pools, pool_sorter);
 
 	pool_eligibility[Cluster::WORKER] =

scripts/base/frameworks/config/README

@@ -1,2 +1,2 @@
-The configuration framework provides a way to change the Bro configuration
+The configuration framework provides a way to change the Zeek configuration
 in "option" values at run-time.

scripts/base/frameworks/config/main.zeek

@@ -1,4 +1,4 @@
-##! The configuration framework provides a way to change Bro options
+##! The configuration framework provides a way to change Zeek options
 ##! (as specified by the "option" keyword) at runtime. It also logs runtime
 ##! changes to options to config.log.
 

scripts/base/frameworks/control/README

@@ -1,3 +1,3 @@
 The control framework provides the foundation for providing "commands"
-that can be taken remotely at runtime to modify a running Bro instance
+that can be taken remotely at runtime to modify a running Zeek instance
 or collect information from the running instance.

scripts/base/frameworks/control/main.zeek

@@ -1,5 +1,5 @@
 ##! The control framework provides the foundation for providing "commands"
-##! that can be taken remotely at runtime to modify a running Bro instance
+##! that can be taken remotely at runtime to modify a running Zeek instance
 ##! or collect information from the running instance.
 
 module Control;
@@ -58,7 +58,7 @@ export {
 	## Returns the current net_stats.
 	global net_stats_response: event(s: string);
 
-	## Inform the remote Bro instance that it's configuration may have been
+	## Inform the remote Zeek instance that it's configuration may have been
 	## updated.
 	global configuration_update_request: event();
 	## This event is a wrapper and alias for the
@@ -68,7 +68,7 @@ export {
 	## Message in response to a configuration update request.
 	global configuration_update_response: event();
 
-	## Requests that the Bro instance begins shutting down.
+	## Requests that the Zeek instance begins shutting down.
 	global shutdown_request: event();
 	## Message in response to a shutdown request.
 	global shutdown_response: event();

scripts/base/frameworks/input/README

@@ -1,2 +1,2 @@
 The input framework provides a way to read previously stored data either as
-an event stream or into a Bro table.
+an event stream or into a Zeek table.

scripts/base/frameworks/input/main.zeek

@@ -1,5 +1,5 @@
 ##! The input framework provides a way to read previously stored data either
-##! as an event stream or into a Bro table.
+##! as an event stream or into a Zeek table.
 
 module Input;
 
@@ -55,7 +55,7 @@ export {
 	## abort. Defaults to false (abort).
 	const accept_unsupported_types = F &redef;
 
-	## A table input stream type used to send data to a Bro table.
+	## A table input stream type used to send data to a Zeek table.
 	type TableDescription: record {
 		# Common definitions for tables and events
 
@@ -112,7 +112,7 @@ export {
 		##
 		## The event is raised like if it had been declared as follows:
 		## error_ev: function(desc: TableDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;
 
 		## A key/value table that will be passed to the reader.
@@ -121,7 +121,7 @@ export {
 		config: table[string] of string &default=table();
 	};
 
-	## An event input stream type used to send input data to a Bro event.
+	## An event input stream type used to send input data to a Zeek event.
 	type EventDescription: record {
 		# Common definitions for tables and events
 
@@ -166,7 +166,7 @@ export {
 		##
 		## The event is raised like it had been declared as follows:
 		## error_ev: function(desc: EventDescription, message: string, level: Reporter::Level) &optional;
-		## The actual declaration uses the ``any`` type because of deficiencies of the Bro type system.
+		## The actual declaration uses the ``any`` type because of deficiencies of the Zeek type system.
 		error_ev: any &optional;
 
 		## A key/value table that will be passed to the reader.

scripts/base/frameworks/input/readers/ascii.zeek

@@ -1,6 +1,6 @@
 ##! Interface for the ascii input reader.
 ##!
-##! The defaults are set to match Bro's ASCII output.
+##! The defaults are set to match Zeek's ASCII output.
 
 module InputAscii;
 

scripts/base/frameworks/logging/main.zeek

@@ -1,6 +1,6 @@
-##! The Bro logging interface.
+##! The Zeek logging interface.
 ##!
-##! See :doc:`/frameworks/logging` for an introduction to Bro's
+##! See :doc:`/frameworks/logging` for an introduction to Zeek's
 ##! logging framework.
 
 module Log;
@@ -84,13 +84,13 @@ export {
 		path: string;		##< Original path value.
 		open: time;		##< Time when opened.
 		close: time;		##< Time when closed.
-		terminating: bool;	##< True if rotation occured due to Bro shutting down.
+		terminating: bool;	##< True if rotation occured due to Zeek shutting down.
 	};
 
 	## Default rotation interval to use for filters that do not specify
 	## an interval. Zero disables rotation.
 	##
-	## Note that this is overridden by the BroControl LogRotationInterval
+	## Note that this is overridden by the ZeekControl LogRotationInterval
 	## option.
 	const default_rotation_interval = 0secs &redef;
 
@@ -108,7 +108,7 @@ export {
 	## Default alarm summary mail interval. Zero disables alarm summary
 	## mails.
 	##
-	## Note that this is overridden by the BroControl MailAlarmsInterval
+	## Note that this is overridden by the ZeekControl MailAlarmsInterval
 	## option.
 	const default_mail_alarms_interval = 0secs &redef;
 
@@ -219,7 +219,7 @@ export {
 		scope_sep: string &default=default_scope_sep;
 
 		## Default prefix for all extension fields. It's typically
-		## prudent to set this to something that Bro's logging
+		## prudent to set this to something that Zeek's logging
 		## framework can't normally write out in a field name.
 		ext_prefix: string &default=default_ext_prefix;
 

scripts/base/frameworks/netcontrol/README

@@ -1,3 +1,3 @@
-The NetControl framework provides a way for Bro to interact with networking
+The NetControl framework provides a way for Zeek to interact with networking
 hard- and software, e.g. for dropping and shunting IP addresses/connections,
 etc.

scripts/base/frameworks/netcontrol/drop.zeek

@@ -32,7 +32,7 @@ export {
 	type DropInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log;
 		orig_h: addr 	&log;	##< The originator's IP address.
 		orig_p: port 	&log &optional;	##< The originator's port number.

scripts/base/frameworks/netcontrol/main.zeek

@@ -1,8 +1,8 @@
-##! Bro's NetControl framework.
+##! Zeek's NetControl framework.
 ##!
-##! This plugin-based framework allows to control the traffic that Bro monitors
+##! This plugin-based framework allows to control the traffic that Zeek monitors
 ##! as well as, if having access to the forwarding path, the traffic the network
-##! forwards. By default, the framework lets everything through, to both Bro
+##! forwards. By default, the framework lets everything through, to both Zeek
 ##! itself as well as on the network. Scripts can then add rules to impose
 ##! restrictions on entities, such as specific connections or IP addresses.
 ##!
@@ -291,7 +291,7 @@ export {
 	type Info: record {
 		## Time at which the recorded activity occurred.
 		ts: time		&log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log &optional;
 		## Type of the log entry.
 		category: InfoCategory	&log &optional;
@@ -632,7 +632,7 @@ event NetControl::init() &priority=-20
 		log_msg_no_plugin("waiting for plugins to initialize");
 	}
 
-# Low-level functions that only runs on the manager (or standalone) Bro node.
+# Low-level functions that only runs on the manager (or standalone) Zeek node.
 
 function activate_impl(p: PluginState, priority: int)
 	{

scripts/base/frameworks/netcontrol/plugin.zeek

@@ -74,7 +74,7 @@ export {
 	## Table for a plugin to store instance-specific configuration information.
 	##
 	## Note, it would be nicer to pass the Plugin instance to all the below, instead
-	## of this state table. However Bro's type resolver has trouble with refering to a
+	## of this state table. However Zeek's type resolver has trouble with refering to a
 	## record type from inside itself.
 	redef record PluginState += {
 		## The plugin that the state belongs to. (Defined separately

scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek

@@ -1,5 +1,5 @@
 ##! NetControl plugin for the process-level PacketFilter that comes with
-##! Bro. Since the PacketFilter in Bro is quite limited in scope
+##! Zeek. Since the PacketFilter in Zeek is quite limited in scope
 ##! and can only add/remove filters for addresses, this is quite
 ##! limited in scope at the moment. 
 
@@ -13,7 +13,7 @@ export {
 }
 
 # Check if we can handle this rule. If it specifies ports or
-# anything Bro cannot handle, simply ignore it for now.
+# anything Zeek cannot handle, simply ignore it for now.
 function packetfilter_check_rule(r: Rule) : bool
 	{
 	if ( r$ty != DROP )

scripts/base/frameworks/netcontrol/shunt.zeek

@@ -7,7 +7,7 @@ module NetControl;
 export {
 	redef enum Log::ID += { SHUNT };
 
-	## Stops forwarding a uni-directional flow's packets to Bro.
+	## Stops forwarding a uni-directional flow's packets to Zeek.
 	##
 	## f: The flow to shunt.
 	##
@@ -21,7 +21,7 @@ export {
 	type ShuntInfo: record {
 		## Time at which the recorded activity occurred.
 		ts: time &log;
-		## ID of the rule; unique during each Bro run.
+		## ID of the rule; unique during each Zeek run.
 		rule_id: string  &log;
 		## Flow ID of the shunted flow.
 		f: flow_id &log;

scripts/base/frameworks/netcontrol/types.zeek

@@ -50,12 +50,12 @@ export {
 	## Type defining the target of a rule.
 	##
 	## Rules can either be applied to the forward path, affecting all network traffic, or
-	## on the monitor path, only affecting the traffic that is sent to Bro. The second
+	## on the monitor path, only affecting the traffic that is sent to Zeek. The second
-	## is mostly used for shunting, which allows Bro to tell the networking hardware that
+	## is mostly used for shunting, which allows Zeek to tell the networking hardware that
 	## it wants to no longer see traffic that it identified as benign.
 	type TargetType: enum {
 		FORWARD,	#< Apply rule actively to traffic on forwarding path.
-		MONITOR,	#< Apply rule passively to traffic sent to Bro for monitoring.
+		MONITOR,	#< Apply rule passively to traffic sent to Zeek for monitoring.
 	};
 
 	## Type of rules that the framework supports. Each type lists the extra

scripts/base/frameworks/notice/README

@@ -1,4 +1,4 @@
-The notice framework enables Bro to "notice" things which are odd or
+The notice framework enables Zeek to "notice" things which are odd or
 potentially bad, leaving it to the local configuration to define which
 of them are actionable.  This decoupling of detection and reporting allows
-Bro to be customized to the different needs that sites have.
+Zeek to be customized to the different needs that sites have.

scripts/base/frameworks/notice/actions/pp-alarms.zeek

@@ -14,7 +14,7 @@ export {
 	## Address to send the pretty-printed reports to. Default if not set is
 	## :zeek:id:`Notice::mail_dest`.
 	##
-	## Note that this is overridden by the BroControl MailAlarmsTo option.
+	## Note that this is overridden by the ZeekControl MailAlarmsTo option.
 	const mail_dest_pretty_printed = "" &redef;
 	## If an address from one of these networks is reported, we mark
 	## the entry with an additional quote symbol (i.e., ">"). Many MUAs

scripts/base/frameworks/notice/main.zeek

@@ -1,6 +1,6 @@
-##! This is the notice framework which enables Bro to "notice" things which
+##! This is the notice framework which enables Zeek to "notice" things which
 ##! are odd or potentially bad.  Decisions of the meaning of various notices
-##! need to be done per site because Bro does not ship with assumptions about
+##! need to be done per site because Zeek does not ship with assumptions about
 ##! what is bad activity for sites.  More extensive documentation about using
 ##! the notice framework can be found in :doc:`/frameworks/notice`.
 
@@ -189,26 +189,26 @@ export {
 
 	## Local system sendmail program.
 	##
-	## Note that this is overridden by the BroControl SendMail option.
+	## Note that this is overridden by the ZeekControl SendMail option.
 	option sendmail            = "/usr/sbin/sendmail";
 	## Email address to send notices with the
 	## :zeek:enum:`Notice::ACTION_EMAIL` action or to send bulk alarm logs
 	## on rotation with :zeek:enum:`Notice::ACTION_ALARM`.
 	##
-	## Note that this is overridden by the BroControl MailTo option.
+	## Note that this is overridden by the ZeekControl MailTo option.
 	const mail_dest           = ""                   &redef;
 
 	## Address that emails will be from.
 	##
-	## Note that this is overridden by the BroControl MailFrom option.
+	## Note that this is overridden by the ZeekControl MailFrom option.
-	option mail_from           = "Big Brother <bro@localhost>";
+	option mail_from           = "Zeek <zeek@localhost>";
 	## Reply-to address used in outbound email.
 	option reply_to            = "";
 	## Text string prefixed to the subject of all emails sent out.
 	##
-	## Note that this is overridden by the BroControl MailSubjectPrefix
+	## Note that this is overridden by the ZeekControl MailSubjectPrefix
 	## option.
-	option mail_subject_prefix = "[Bro]";
+	option mail_subject_prefix = "[Zeek]";
 	## The maximum amount of time a plugin can delay email from being sent.
 	const max_email_delay     = 15secs &redef;
 
@@ -390,7 +390,7 @@ event zeek_init() &priority=5
 	Log::create_stream(Notice::LOG, [$columns=Info, $ev=log_notice, $path="notice"]);
 
 	Log::create_stream(Notice::ALARM_LOG, [$columns=Notice::Info, $path="notice_alarm"]);
-	# If Bro is configured for mailing notices, set up mailing for alarms.
+	# If Zeek is configured for mailing notices, set up mailing for alarms.
 	# Make sure that this alarm log is also output as text so that it can
 	# be packaged up and emailed later.
 	if ( ! reading_traces() && mail_dest != "" )

scripts/base/frameworks/notice/weird.zeek

@@ -1,5 +1,5 @@
 ##! This script provides a default set of actions to take for "weird activity"
-##! events generated from Bro's event engine.  Weird activity is defined as
+##! events generated from Zeek's event engine.  Weird activity is defined as
 ##! unusual or exceptional activity that can indicate malformed connections,
 ##! traffic that doesn't conform to a particular protocol, malfunctioning
 ##! or misconfigured hardware, or even an attacker attempting to avoid/confuse

scripts/base/frameworks/openflow/consts.zeek

@@ -1,7 +1,7 @@
 ##! Constants used by the OpenFlow framework.
 
 # All types/constants not specific to OpenFlow will be defined here
-# until they somehow get into Bro.
+# until they somehow get into Zeek.
 
 module OpenFlow;
 
@@ -10,7 +10,7 @@ module OpenFlow;
 const COOKIE_BID_SIZE = 16777216;
 # start at bit 40 (1 << 40)
 const COOKIE_BID_START = 1099511627776;
-# bro specific cookie ID shall have the 42 bit set (1 << 42)
+# Zeek specific cookie ID shall have the 42 bit set (1 << 42)
 const BRO_COOKIE_ID = 4;
 # 8 bits group identifier
 const COOKIE_GID_SIZE = 256;
@@ -122,7 +122,7 @@ export {
 
 	## Return value for a cookie from a flow
 	## which is not added, modified or deleted
-	## from the bro openflow framework.
+	## from the Zeek openflow framework.
 	const INVALID_COOKIE = 0xffffffffffffffff;
 	# Openflow physical port definitions
 	## Send the packet out the input port. This

scripts/base/frameworks/openflow/main.zeek

@@ -1,4 +1,4 @@
-##! Bro's OpenFlow control framework.
+##! Zeek's OpenFlow control framework.
 ##!
 ##! This plugin-based framework allows to control OpenFlow capable
 ##! switches by implementing communication to an OpenFlow controller

scripts/base/frameworks/openflow/plugins/log.zeek

@@ -1,5 +1,5 @@
 ##! OpenFlow plugin that outputs flow-modification commands
-##! to a Bro log file.
+##! to a Zeek log file.
 
 @load base/frameworks/openflow
 @load base/frameworks/logging

scripts/base/frameworks/packet-filter/README

@@ -1 +1 @@
-The packet filter framework supports how Bro sets its BPF capture filter.
+The packet filter framework supports how Zeek sets its BPF capture filter.

scripts/base/frameworks/packet-filter/main.zeek

@@ -1,7 +1,7 @@
-##! This script supports how Bro sets its BPF capture filter.  By default
+##! This script supports how Zeek sets its BPF capture filter.  By default
-##! Bro sets a capture filter that allows all traffic.  If a filter
+##! Zeek sets a capture filter that allows all traffic.  If a filter
 ##! is set on the command line, that filter takes precedence over the default
-##! open filter and all filters defined in Bro scripts with the
+##! open filter and all filters defined in Zeek scripts with the
 ##! :zeek:id:`capture_filters` and :zeek:id:`restrict_filters` variables.
 
 @load base/frameworks/notice

scripts/base/frameworks/packet-filter/netstats.zeek

@@ -1,5 +1,5 @@
 ##! This script reports on packet loss from the various packet sources.
-##! When Bro is reading input from trace files, this script will not
+##! When Zeek is reading input from trace files, this script will not
 ##! report any packet loss statistics.
 
 @load base/frameworks/notice

scripts/base/frameworks/reporter/main.zeek

@@ -27,9 +27,9 @@ export {
 		## terminate program execution.
 		level:    Level  &log;
 		## An info/warning/error message that could have either been
-		## generated from the internal Bro core or at the scripting-layer.
+		## generated from the internal Zeek core or at the scripting-layer.
 		message:  string &log;
-		## This is the location in a Bro script where the message originated.
+		## This is the location in a Zeek script where the message originated.
 		## Not all reporter messages will have locations in them though.
 		location: string &log &optional;
 	};

scripts/base/frameworks/signatures/README

@@ -1,4 +1,4 @@
 The signature framework provides for doing low-level pattern matching.  While
-signatures are not Bro's preferred detection tool, they sometimes come in
+signatures are not Zeek's preferred detection tool, they sometimes come in
 handy and are closer to what many people are familiar with from using
 other NIDS.

scripts/base/frameworks/signatures/main.zeek

@@ -1,6 +1,6 @@
 ##! Script level signature support.  See the
 ##! :doc:`signature documentation </frameworks/signatures>` for more
-##! information about Bro's signature engine.
+##! information about Zeek's signature engine.
 
 @load base/frameworks/notice
 

scripts/base/init-bare.zeek

@@ -113,7 +113,7 @@ type mime_match: record {
 ## :zeek:see:`file_magic`
 type mime_matches: vector of mime_match;
 
-## A connection's transport-layer protocol. Note that Bro uses the term
+## A connection's transport-layer protocol. Note that Zeek uses the term
 ## "connection" broadly, using flow semantics for ICMP and UDP.
 type transport_proto: enum {
     unknown_transport,	##< An unknown transport-layer protocol.
@@ -235,7 +235,7 @@ type icmp6_nd_option: record {
 ## A type alias for a vector of ICMPv6 neighbor discovery message options.
 type icmp6_nd_options: vector of icmp6_nd_option;
 
-# A DNS mapping between IP address and hostname resolved by Bro's internal
+# A DNS mapping between IP address and hostname resolved by Zeek's internal
 # resolver.
 #
 # .. zeek:see:: dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
@@ -340,8 +340,8 @@ type endpoint: record {
 	l2_addr: string &optional;
 };
 
-## A connection. This is Bro's basic connection type describing IP- and
+## A connection. This is Zeek's basic connection type describing IP- and
-## transport-layer information about the conversation. Note that Bro uses a
+## transport-layer information about the conversation. Note that Zeek uses a
 ## liberal interpretation of "connection" and associates instances of this type
 ## also with UDP and ICMP flows.
 type connection: record {
@@ -353,7 +353,7 @@ type connection: record {
 	## interval between first and last data packet (low-level TCP details
 	## may adjust it somewhat in ambiguous cases).
 	duration: interval;
-	## The set of services the connection is using as determined by Bro's
+	## The set of services the connection is using as determined by Zeek's
 	## dynamic protocol detection. Each entry is the label of an analyzer
 	## that confirmed that it could parse the connection payload.  While
 	## typically, there will be at most one entry for each connection, in
@@ -362,8 +362,8 @@ type connection: record {
 	## the recorded services are independent of any transport-level protocols.
 	service: set[string];
 	history: string;	##< State history of connections. See *history* in :zeek:see:`Conn::Info`.
-	## A globally unique connection identifier. For each connection, Bro
+	## A globally unique connection identifier. For each connection, Zeek
-	## creates an ID that is very likely unique across independent Bro runs.
+	## creates an ID that is very likely unique across independent Zeek runs.
 	## These IDs can thus be used to tag and locate information associated
 	## with that connection.
 	uid: string;
@@ -390,7 +390,7 @@ option default_file_timeout_interval: interval = 2 mins;
 ## matching or later, will receive a copy of this buffer.
 option default_file_bof_buffer_size: count = 4096;
 
-## A file that Bro is analyzing.  This is Bro's type for describing the basic
+## A file that Zeek is analyzing.  This is Zeek's type for describing the basic
 ## internal metadata collected about a "file", which is essentially just a
 ## byte stream that is e.g. pulled from a network connection or possibly
 ## some other input source.
@@ -476,7 +476,7 @@ type SYN_packet: record {
 ##
 ## .. zeek:see:: get_net_stats
 type NetStats: record {
-	pkts_recvd:   count &default=0;	##< Packets received by Bro.
+	pkts_recvd:   count &default=0;	##< Packets received by Zeek.
 	pkts_dropped: count &default=0;	##< Packets reported dropped by the system.
 	## Packets seen on the link. Note that this may differ
 	## from *pkts_recvd* because of a potential capture_filter. See
@@ -484,7 +484,7 @@ type NetStats: record {
 	## packet capture system, this value may not be available and will then
 	## be always set to zero.
 	pkts_link:    count &default=0;
-	bytes_recvd:  count &default=0;	##< Bytes received by Bro.
+	bytes_recvd:  count &default=0;	##< Bytes received by Zeek.
 };
 
 type ConnStats: record {
@@ -512,16 +512,16 @@ type ConnStats: record {
 	killed_by_inactivity: count;
 };
 
-## Statistics about Bro's process.
+## Statistics about Zeek's process.
 ##
 ## .. zeek:see:: get_proc_stats
 ##
-## .. note:: All process-level values refer to Bro's main process only, not to
+## .. note:: All process-level values refer to Zeek's main process only, not to
 ##    the child process it spawns for doing communication.
 type ProcStats: record {
 	debug: bool;                  ##< True if compiled with --enable-debug.
 	start_time: time;             ##< Start time of process.
-	real_time: interval;          ##< Elapsed real time since Bro started running.
+	real_time: interval;          ##< Elapsed real time since Zeek started running.
 	user_time: interval;          ##< User CPU seconds.
 	system_time: interval;        ##< System CPU seconds.
 	mem: count;                   ##< Maximum memory consumed, in KB.
@@ -579,8 +579,8 @@ type FileAnalysisStats: record {
 	cumulative: count; ##< Cumulative number of files analyzed.
 };
 
-## Statistics related to Bro's active use of DNS.  These numbers are
+## Statistics related to Zeek's active use of DNS.  These numbers are
-## about Bro performing DNS queries on it's own, not traffic
+## about Zeek performing DNS queries on it's own, not traffic
 ## being seen.
 ##
 ## .. zeek:see:: get_dns_stats
@@ -735,7 +735,7 @@ type call_argument_vector: vector of call_argument;
 # dependent on the names remaining as they are now.
 
 ## Set of BPF capture filters to use for capturing, indexed by a user-definable
-## ID (which must be unique). If Bro is *not* configured with
+## ID (which must be unique). If Zeek is *not* configured with
 ## :zeek:id:`PacketFilter::enable_auto_protocol_capture_filters`,
 ## all packets matching at least one of the filters in this table (and all in
 ## :zeek:id:`restrict_filters`) will be analyzed.
@@ -866,7 +866,7 @@ const mmdb_dir: string = "" &redef;
 
 ## Computed entropy values. The record captures a number of measures that are
 ## computed in parallel. See `A Pseudorandom Number Sequence Test Program
-## <http://www.fourmilab.ch/random>`_ for more information, Bro uses the same
+## <http://www.fourmilab.ch/random>`_ for more information, Zeek uses the same
 ## code.
 ##
 ## .. zeek:see:: entropy_test_add entropy_test_finish entropy_test_init find_entropy
@@ -993,7 +993,7 @@ const tcp_max_above_hole_without_any_acks = 16384 &redef;
 
 ## If we've seen this much data without any of it being acked, we give up
 ## on that connection to avoid memory exhaustion due to buffering all that
-## stuff.  If set to zero, then we don't ever give up.  Ideally, Bro would
+## stuff.  If set to zero, then we don't ever give up.  Ideally, Zeek would
 ## track the current window on a connection and use it to infer that data
 ## has in fact gone too far, but for now we just make this quite beefy.
 ##
@@ -1788,7 +1788,7 @@ type gtp_delete_pdp_ctx_response_elements: record {
 	ext:   gtp_private_extension &optional;
 };
 
-# Prototypes of Bro built-in functions.
+# Prototypes of Zeek built-in functions.
 @load base/bif/bro.bif
 @load base/bif/stats.bif
 @load base/bif/reporter.bif
@@ -1801,13 +1801,13 @@ global log_file_name: function(tag: string): string &redef;
 ## Deprecated. This is superseded by the new logging framework.
 global open_log_file: function(tag: string): file &redef;
 
-## Specifies a directory for Bro to store its persistent state. All globals can
+## Specifies a directory for Zeek to store its persistent state. All globals can
 ## be declared persistent via the :zeek:attr:`&persistent` attribute.
 const state_dir = ".state" &redef;
 
 ## Length of the delays inserted when storing state incrementally. To avoid
 ## dropping packets when serializing larger volumes of persistent state to
-## disk, Bro interleaves the operation with continued packet processing.
+## disk, Zeek interleaves the operation with continued packet processing.
 const state_write_delay = 0.01 secs &redef;
 
 global done_with_network = F;
@@ -1868,7 +1868,7 @@ global secondary_filters: table[string] of event(filter: string, pkt: pkt_hdr)
 global discarder_maxlen = 128 &redef;
 
 ## Function for skipping packets based on their IP header. If defined, this
-## function will be called for all IP packets before Bro performs any further
+## function will be called for all IP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1884,7 +1884,7 @@ global discarder_maxlen = 128 &redef;
 global discarder_check_ip: function(p: pkt_hdr): bool;
 
 ## Function for skipping packets based on their TCP header. If defined, this
-## function will be called for all TCP packets before Bro performs any further
+## function will be called for all TCP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1902,7 +1902,7 @@ global discarder_check_ip: function(p: pkt_hdr): bool;
 global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
 
 ## Function for skipping packets based on their UDP header. If defined, this
-## function will be called for all UDP packets before Bro performs any further
+## function will be called for all UDP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1920,7 +1920,7 @@ global discarder_check_tcp: function(p: pkt_hdr, d: string): bool;
 global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
 
 ## Function for skipping packets based on their ICMP header. If defined, this
-## function will be called for all ICMP packets before Bro performs any further
+## function will be called for all ICMP packets before Zeek performs any further
 ## analysis. If the function signals to discard a packet, no further processing
 ## will be performed on it.
 ##
@@ -1935,7 +1935,7 @@ global discarder_check_udp: function(p: pkt_hdr, d: string): bool;
 ##    Avoid using it.
 global discarder_check_icmp: function(p: pkt_hdr): bool;
 
-## Bro's watchdog interval.
+## Zeek's watchdog interval.
 const watchdog_interval = 10 sec &redef;
 
 ## The maximum number of timers to expire after processing each new
@@ -2711,7 +2711,7 @@ export {
 
 	## A set of file names used as named pipes over SMB. This
 	## only comes into play as a heuristic to identify named
-	## pipes when the drive mapping wasn't seen by Bro.
+	## pipes when the drive mapping wasn't seen by Zeek.
 	##
 	## .. zeek:see:: smb_pipe_connect_heuristic
 	const SMB::pipe_filenames: set[string] &redef;
@@ -4670,16 +4670,16 @@ const detect_filtered_trace = F &redef;
 ## .. zeek:see:: content_gap partial_connection
 const report_gaps_for_partial = F &redef;
 
-## Flag to prevent Bro from exiting automatically when input is exhausted.
+## Flag to prevent Zeek from exiting automatically when input is exhausted.
-## Normally Bro terminates when all packet sources have gone dry
+## Normally Zeek terminates when all packet sources have gone dry
-## and communication isn't enabled. If this flag is set, Bro's main loop will
+## and communication isn't enabled. If this flag is set, Zeek's main loop will
 ## instead keep idling until :zeek:see:`terminate` is explicitly called.
 ##
 ## This is mainly for testing purposes when termination behaviour needs to be
 ## controlled for reproducing results.
 const exit_only_after_terminate = F &redef;
 
-## The CA certificate file to authorize remote Bros/Broccolis.
+## The CA certificate file to authorize remote Zeeks/Broccolis.
 ##
 ## .. zeek:see:: ssl_private_key ssl_passphrase
 const ssl_ca_certificate = "<undefined>" &redef;
@@ -4690,17 +4690,17 @@ const ssl_ca_certificate = "<undefined>" &redef;
 const ssl_private_key = "<undefined>" &redef;
 
 ## The passphrase for our private key. Keeping this undefined
-## causes Bro to prompt for the passphrase.
+## causes Zeek to prompt for the passphrase.
 ##
 ## .. zeek:see:: ssl_private_key ssl_ca_certificate
 const ssl_passphrase = "<undefined>" &redef;
 
-## Default mode for Bro's user-space dynamic packet filter. If true, packets
+## Default mode for Zeek's user-space dynamic packet filter. If true, packets
 ## that aren't explicitly allowed through, are dropped from any further
 ## processing.
 ##
 ## .. note:: This is not the BPF packet filter but an additional dynamic filter
-##    that Bro optionally applies just before normal processing starts.
+##    that Zeek optionally applies just before normal processing starts.
 ##
 ## .. zeek:see:: install_dst_addr_filter install_dst_net_filter
 ##    install_src_addr_filter install_src_net_filter  uninstall_dst_addr_filter
@@ -4714,7 +4714,7 @@ const sig_max_group_size = 50 &redef;
 const peer_description = "bro" &redef;
 
 ## The number of IO chunks allowed to be buffered between the child
-## and parent process of remote communication before Bro starts dropping
+## and parent process of remote communication before Zeek starts dropping
 ## connections to remote peers in an attempt to catch up.
 const chunked_io_buffer_soft_cap = 800000 &redef;
 
@@ -4730,7 +4730,7 @@ const chunked_io_buffer_soft_cap = 800000 &redef;
 const dpd_reassemble_first_packets = T &redef;
 
 ## Size of per-connection buffer used for dynamic protocol detection. For each
-## connection, Bro buffers this initial amount of payload in memory so that
+## connection, Zeek buffers this initial amount of payload in memory so that
 ## complete protocol analysis can start even after the initial packets have
 ## already passed through (i.e., when a DPD signature matches only later).
 ## However, once the buffer is full, data is deleted and lost to analyzers that
@@ -4784,8 +4784,8 @@ const suppress_local_output = F &redef;
 ## .. zeek:see:: record_all_packets
 const trace_output_file = "";
 
-## If a trace file is given with ``-w``, dump *all* packets seen by Bro into it.
+## If a trace file is given with ``-w``, dump *all* packets seen by Zeek into it.
-## By default, Bro applies (very few) heuristics to reduce the volume. A side
+## By default, Zeek applies (very few) heuristics to reduce the volume. A side
 ## effect of setting this to true is that we can write the packets out before we
 ## actually process them, which can be helpful for debugging in case the
 ## analysis triggers a crash.
@@ -4806,7 +4806,7 @@ module JSON;
 export {
 	type TimestampFormat: enum {
 		## Timestamps will be formatted as UNIX epoch doubles.  This is
-		## the format that Bro typically writes out timestamps.
+		## the format that Zeek typically writes out timestamps.
 		TS_EPOCH,
 		## Timestamps will be formatted as unsigned integers that
 		## represent the number of milliseconds since the UNIX
@@ -4877,17 +4877,17 @@ export {
 module Reporter;
 export {
 	## Tunable for sending reporter info messages to STDERR.  The option to
-	## turn it off is presented here in case Bro is being run by some
+	## turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const info_to_stderr = T &redef;
 
 	## Tunable for sending reporter warning messages to STDERR.  The option
-	## to turn it off is presented here in case Bro is being run by some
+	## to turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const warnings_to_stderr = T &redef;
 
 	## Tunable for sending reporter error messages to STDERR.  The option to
-	## turn it off is presented here in case Bro is being run by some
+	## turn it off is presented here in case Zeek is being run by some
 	## external harness and shouldn't output anything to the console.
 	const errors_to_stderr = T &redef;
 }
@@ -4979,8 +4979,8 @@ export {
 module GLOBAL;
 
 ## Seed for hashes computed internally for probabilistic data structures. Using
-## the same value here will make the hashes compatible between independent Bro
+## the same value here will make the hashes compatible between independent Zeek
-## instances. If left unset, Bro will use a temporary local seed.
+## instances. If left unset, Zeek will use a temporary local seed.
 const global_hash_seed: string = "" &redef;
 
 ## Number of bits in UIDs that are generated to identify connections and
@@ -4989,7 +4989,7 @@ const global_hash_seed: string = "" &redef;
 const bits_per_uid: count = 96 &redef;
 
 ## Whether usage of the old communication system is considered an error or
-## not.  The default Bro configuration no longer works with the non-Broker
+## not.  The default Zeek configuration no longer works with the non-Broker
 ## communication system unless you have manually taken action to initialize
 ## and set up the old comm. system.  Deprecation warnings are still emitted
 ## when setting this flag, but they will not result in a fatal error.

scripts/base/init-default.zeek

@@ -1,5 +1,5 @@
 ##! This script loads everything in the base/ script directory.  If you want
-##! to run Bro without all of these scripts loaded by default, you can use
+##! to run Zeek without all of these scripts loaded by default, you can use
 ##! the ``-b`` (``--bare-mode``) command line argument.  You can also copy the
 ##! "@load" lines from this script to your own script to load only the scripts
 ##! that you actually want.

scripts/base/misc/find-checksum-offloading.zeek

@@ -50,7 +50,7 @@ event ChecksumOffloading::check()
 			bad_checksum_msg += "UDP";
 			}
 
-		local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
+		local message = fmt("Your %s invalid %s checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted.", packet_src, bad_checksum_msg);
 		Reporter::warning(message);
 		done = T;
 		}

scripts/base/misc/find-filtered-trace.zeek

@@ -2,7 +2,7 @@
 ##! control packets (e.g. it's been filtered to contain only SYN/FIN/RST
 ##! packets and no content).  On finding such a trace, a warning is
 ##! emitted that suggests toggling the :zeek:see:`detect_filtered_trace`
-##! option may be desired if the user does not want Bro to report
+##! option may be desired if the user does not want Zeek to report
 ##! missing TCP segments.
 
 module FilteredTraceDetection;
@@ -45,5 +45,5 @@ event zeek_done()
 		return;
 
 	if ( ! saw_tcp_conn_with_data )
-		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
+		Reporter::warning("The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Zeek reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.");
 	}

scripts/base/misc/version.zeek

@@ -1,4 +1,4 @@
-##! Provide information about the currently running Bro version.
+##! Provide information about the currently running Zeek version.
 ##! The most convenient way to access this are the Version::number
 ##! and Version::info constants.
 
@@ -8,12 +8,12 @@
 module Version;
 
 export {
-	## A type exactly describing a Bro version
+	## A type exactly describing a Zeek version
 	type VersionDescription: record {
 		## Number representing the version which can be used for easy comparison.
 		## The format of the number is ABBCC with A being the major version,
 		## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
-		## As an example, Bro 2.4.1 results in the number 20401.
+		## As an example, Zeek 2.4.1 results in the number 20401.
 		version_number: count;
 		## Major version number (e.g. 2 for 2.5)
 		major: count;
@@ -23,7 +23,7 @@ export {
 		patch: count;
 		## Commit number for development versions, e.g. 12 for 2.4-12. 0 for non-development versions
 		commit: count;
-		## If set to true, the version is a beta build of Bro
+		## If set to true, the version is a beta build of Zeek
 		beta: bool;
 		## If set to true, the version is a debug build
 		debug: bool;
@@ -33,12 +33,12 @@ export {
 
 	## Parse a given version string.
 	##
-	## version_string: Bro version string.
+	## version_string: Zeek version string.
 	##
 	## Returns: `VersionDescription` record.
 	global parse: function(version_string: string): VersionDescription;
 
-	## Test if the current running version of Bro is greater or equal to the given version
+	## Test if the current running version of Zeek is greater or equal to the given version
 	## string.
 	##
 	## version_string: Version to check against the current running version.
@@ -74,13 +74,13 @@ function parse(version_string: string): VersionDescription
 	}
 
 export {
-	## version number of the currently running version of Bro as a numeric representation.
+	## version number of the currently running version of Zeek as a numeric representation.
 	## The format of the number is ABBCC with A being the major version,
 	## bb being the minor version (2 digits) and CC being the patchlevel (2 digits).
-	## As an example, Bro 2.4.1 results in the number 20401
+	## As an example, Zeek 2.4.1 results in the number 20401
 	const number = Version::parse(bro_version())$version_number;
 
-	## `VersionDescription` record pertaining to the currently running version of Bro.
+	## `VersionDescription` record pertaining to the currently running version of Zeek.
 	const info = Version::parse(bro_version());
 }
 

scripts/base/protocols/conn/main.zeek

@@ -112,7 +112,7 @@ export {
 		## w       packet with a zero window advertisement
 		## i       inconsistent packet (e.g. FIN+RST bits set)
 		## q       multi-flag packet (SYN+FIN or SYN+RST bits set)
-		## ^       connection direction was flipped by Bro's heuristic
+		## ^       connection direction was flipped by Zeek's heuristic
 		## ======  ====================================================
 		##
 		## If the event comes from the originator, the letter is in

scripts/base/protocols/dhcp/main.zeek

@@ -138,7 +138,7 @@ function join_data_expiration(t: table[count] of Info, idx: count): interval
 	# If a message hasn't been seen in the past 5 seconds or the
 	# total time watching has been more than the maximum time
 	# allowed by the configuration then log this data and expire it.
-	# Also, if Bro is shutting down.
+	# Also, if Zeek is shutting down.
 	if ( (now - info$last_message_ts) > 5sec ||
 	     (now - info$ts) > max_txid_watch_time ||
 	     bro_is_terminating() )

scripts/base/protocols/dns/main.zeek

@@ -116,7 +116,7 @@ export {
 	## Give up trying to match pending DNS queries or replies for a given
 	## query/transaction ID once this number of unmatched queries or replies
 	## is reached (this shouldn't happen unless either the DNS server/resolver
-	## is broken, Bro is not seeing all the DNS traffic, or an AXFR query
+	## is broken, Zeek is not seeing all the DNS traffic, or an AXFR query
 	## response is ongoing).
 	option max_pending_msgs = 50;
 
@@ -561,7 +561,7 @@ event connection_state_remove(c: connection) &priority=-5
 	if ( ! c?$dns_state )
 		return;
 
-	# If Bro is expiring state, we should go ahead and log all unmatched
+	# If Zeek is expiring state, we should go ahead and log all unmatched
 	# queries and replies now.
 	if( c$dns_state?$pending_query )
 		Log::write(DNS::LOG, c$dns_state$pending_query);

scripts/base/utils/active-http.zeek

@@ -78,7 +78,7 @@ function request2curl(r: Request, bodyfile: string, headersfile: string): string
 
 function request(req: Request): ActiveHTTP::Response
 	{
-	local tmpfile     = "/tmp/bro-activehttp-" + unique_id("");
+	local tmpfile     = "/tmp/zeek-activehttp-" + unique_id("");
 	local bodyfile    = fmt("%s_body", tmpfile);
 	local headersfile = fmt("%s_headers", tmpfile);
 

scripts/base/utils/geoip-distance.zeek

@@ -1,7 +1,7 @@
 ##! Functions to calculate distance between two locations, based on GeoIP data.
 
 ## Returns the distance between two IP addresses using the haversine formula,
-## based on GeoIP database locations.  Requires Bro to be built with GeoIP.
+## based on GeoIP database locations.  Requires Zeek to be built with GeoIP.
 ##
 ## a1: First IP address.
 ##

scripts/base/utils/json.zeek

@@ -1,9 +1,9 @@
-##! Functions to assist with generating JSON data from Bro data scructures.
+##! Functions to assist with generating JSON data from Zeek data scructures.
 # We might want to implement this in core somtime, this looks... hacky at best.
 
 @load base/utils/strings
 
-## A function to convert arbitrary Bro data into a JSON string.
+## A function to convert arbitrary Zeek data into a JSON string.
 ##
 ## v: The value to convert to JSON.  Typically a record.
 ##

scripts/base/utils/patterns.zeek

@@ -9,7 +9,7 @@ module GLOBAL;
 ## ss: a set of strings to OR together.
 ##
 ## pat: the pattern containing a "~~"  in it.  If a literal backslash is
-##      included, it needs to be escaped with another backslash due to Bro's
+##      included, it needs to be escaped with another backslash due to Zeek's
 ##      string parsing reducing it to a single backslash upon rendering.
 ##
 ## Returns: the input pattern with "~~" replaced by OR'd elements of input set.

scripts/base/utils/site.zeek

@@ -17,7 +17,7 @@ export {
 		[::1]/128,
 	};
 
-	## Networks that are considered "local".  Note that BroControl sets
+	## Networks that are considered "local".  Note that ZeekControl sets
 	## this automatically.
 	option local_nets: set[subnet] = {};
 

scripts/base/utils/strings.zeek

@@ -1,5 +1,5 @@
 ##! Functions to assist with small string analysis and manipulation that can
-##! be implemented as Bro functions and don't need to be implemented as built-in
+##! be implemented as Zeek functions and don't need to be implemented as built-in
 ##! functions.
 
 ## Returns true if the given string is at least 25% composed of 8-bit

scripts/policy/frameworks/control/controllee.zeek

@@ -1,5 +1,5 @@
 ##! The controllee portion of the control framework.  Load this script if remote
-##! runtime control of the Bro process is desired.
+##! runtime control of the Zeek process is desired.
 ##!
 ##! A controllee only needs to load the controllee script in addition
 ##! to the specific analysis scripts desired.  It may also need a node

scripts/policy/frameworks/control/controller.zeek

@@ -1,5 +1,5 @@
 ##! This is a utility script that implements the controller interface for the
-##! control framework.  It's intended to be run to control a remote Bro
+##! control framework.  It's intended to be run to control a remote Zeek
 ##! and then shutdown.
 ##!
 ##! It's intended to be used from the command line like this::

scripts/policy/frameworks/packet-filter/shunt.zeek

@@ -4,18 +4,18 @@
 module PacketFilter;
 
 export {
-	## The maximum number of BPF based shunts that Bro is allowed to perform.
+	## The maximum number of BPF based shunts that Zeek is allowed to perform.
 	const max_bpf_shunts = 100 &redef;
 
 	## Call this function to use BPF to shunt a connection (to prevent the
-	## data packets from reaching Bro).  For TCP connections, control
+	## data packets from reaching Zeek).  For TCP connections, control
-	## packets are still allowed through so that Bro can continue logging
+	## packets are still allowed through so that Zeek can continue logging
 	## the connection and it can stop shunting once the connection ends.
 	global shunt_conn: function(id: conn_id): bool;
 
 	## This function will use a BPF expression to shunt traffic between
 	## the two hosts given in the `conn_id` so that the traffic is never
-	## exposed to Bro's traffic processing.
+	## exposed to Zeek's traffic processing.
 	global shunt_host_pair: function(id: conn_id): bool;
 
 	## Remove shunting for a host pair given as a `conn_id`.  The filter

scripts/policy/integration/barnyard2/main.zeek

@@ -1,4 +1,4 @@
-##! This script lets Barnyard2 integrate with Bro.  It receives alerts from
+##! This script lets Barnyard2 integrate with Zeek.  It receives alerts from
 ##! Barnyard2 and logs them.  In the future it will do more correlation
 ##! and derive new notices from the alerts.
 
@@ -20,7 +20,7 @@ export {
 	
 	## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
 	## a :zeek:type:`conn_id` value in the case that you might need to index 
-	## into an existing data structure elsewhere within Bro.
+	## into an existing data structure elsewhere within Zeek.
 	global pid2cid: function(p: PacketID): conn_id;
 }
 

scripts/policy/integration/collective-intel/README

@@ -1,4 +1,4 @@
 The scripts in this module are for deeper integration with the
-Collective Intelligence Framework (CIF) since Bro's Intel framework
+Collective Intelligence Framework (CIF) since Zeek's Intel framework
 doesn't natively behave the same as CIF nor does it store and maintain
 the same data in all cases.

scripts/policy/integration/collective-intel/main.zeek

@@ -3,7 +3,7 @@
 
 module Intel;
 
-## These are some fields to add extended compatibility between Bro and the
+## These are some fields to add extended compatibility between Zeek and the
 ## Collective Intelligence Framework.
 redef record Intel::MetaData += {
 	## Maps to the Impact field in the Collective Intelligence Framework.

scripts/policy/misc/capture-loss.zeek

@@ -25,7 +25,7 @@ export {
 		ts:           time     &log;
 		## The time delay between this measurement and the last.
 		ts_delta:     interval &log;
-		## In the event that there are multiple Bro instances logging
+		## In the event that there are multiple Zeek instances logging
 		## to the same host, this distinguishes each peer with its
 		## individual name.
 		peer:         string   &log;

scripts/policy/misc/dump-events.zeek

@@ -1,6 +1,6 @@
-##! This script dumps the events that Bro raises out to standard output in a
+##! This script dumps the events that Zeek raises out to standard output in a
 ##! readable form. This is for debugging only and allows to understand events and
-##! their parameters as Bro processes input. Note that it will show only events
+##! their parameters as Zeek processes input. Note that it will show only events
 ##! for which a handler is defined.
 
 module DumpEvents;

scripts/policy/misc/load-balancing.zeek

@@ -1,5 +1,5 @@
-##! This script implements the "Bro side" of several load balancing
+##! This script implements the "Zeek side" of several load balancing
-##! approaches for Bro clusters.
+##! approaches for Zeek clusters.
 
 @load base/frameworks/cluster
 @load base/frameworks/packet-filter

scripts/policy/misc/profiling.zeek

@@ -1,4 +1,4 @@
-##! Turns on profiling of Bro resource consumption.
+##! Turns on profiling of Zeek resource consumption.
 
 module Profiling;
 

scripts/policy/misc/stats.zeek

@@ -100,7 +100,7 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
 	local ds = get_dns_stats();
 
 	if ( bro_is_terminating() )
-		# No more stats will be written or scheduled when Bro is
+		# No more stats will be written or scheduled when Zeek is
 		# shutting down.
 		return;
 

scripts/policy/protocols/conn/known-hosts.zeek

@@ -1,4 +1,4 @@
-##! This script logs hosts that Bro determines have performed complete TCP 
+##! This script logs hosts that Zeek determines have performed complete TCP
 ##! handshakes and logs the address once per day (by default).  The log that 
 ##! is output provides an easy way to determine a count of the IP addresses in
 ##! use on a network per day.
@@ -22,7 +22,7 @@ export {
 	};
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_host_store = T &redef;

scripts/policy/protocols/conn/known-services.zeek

@@ -28,7 +28,7 @@ export {
 	};
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_service_store = T &redef;

scripts/policy/protocols/smtp/detect-suspicious-orig.zeek

@@ -10,7 +10,7 @@ export {
 
 	## Places where it's suspicious for mail to originate from represented
 	## as all-capital, two character country codes (e.g., US).  It requires
-	## Bro to be built with GeoIP support.
+	## Zeek to be built with GeoIP support.
 	option suspicious_origination_countries: set[string] = {};
 	option suspicious_origination_networks: set[subnet] = {};
 

scripts/policy/protocols/smtp/software.zeek

@@ -26,7 +26,7 @@ export {
 	};
 	
 	## Assuming that local mail servers are more trustworthy with the
-	## headers they insert into message envelopes, this default makes Bro
+	## headers they insert into message envelopes, this default makes Zeek
 	## not attempt to detect software in inbound message bodies.  If mail
 	## coming in from external addresses gives incorrect data in
 	## the Received headers, it could populate your SOFTWARE logging stream

scripts/policy/protocols/ssl/known-certs.zeek

@@ -32,7 +32,7 @@ export {
 	option cert_tracking = LOCAL_HOSTS;
 
 	## Toggles between different implementations of this script.
-	## When true, use a Broker data store, else use a regular Bro set
+	## When true, use a Broker data store, else use a regular Zeek set
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_cert_store = T &redef;

scripts/policy/protocols/ssl/validate-certs.zeek

@@ -34,7 +34,7 @@ export {
 		&read_expire=5mins &redef;
 
 	## Use intermediate CA certificate caching when trying to validate
-	## certificates. When this is enabled, Bro keeps track of all valid
+	## certificates. When this is enabled, Zeek keeps track of all valid
 	## intermediate CA certificates that it has seen in the past. When
 	## encountering a host certificate that cannot be validated because
 	## of missing intermediate CA certificate, the cached list is used

scripts/policy/protocols/ssl/validate-sct.zeek

@@ -34,7 +34,7 @@ export {
 		logid: string;
 		## The timestamp at which this SCT was issued measured since the
 		## epoch (January 1, 1970, 00:00), ignoring leap seconds, in
-		## milliseconds. Not converted to a Bro timestamp because we need
+		## milliseconds. Not converted to a Zeek timestamp because we need
 		## the exact value for validation.
 		timestamp: count;
 		## The signature algorithm used for this sct.

scripts/test-all-policy.zeek

@@ -1,4 +1,4 @@
-# This file loads ALL policy scripts that are part of the Bro distribution.
+# This file loads ALL policy scripts that are part of the Zeek distribution.
 # 
 # This is rarely makes sense, and is for testing only.
 # 

zeek-config.h.in

@@ -222,12 +222,12 @@
 /* String with extension of dynamic libraries (e.g., ".so") */
 #define DYNAMIC_PLUGIN_SUFFIX "@CMAKE_SHARED_MODULE_SUFFIX@"
 
-/* True if we're building outside of the main Bro source code tree. */
+/* True if we're building outside of the main Zeek source code tree. */
 #ifndef BRO_PLUGIN_INTERNAL_BUILD
 #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@
 #endif
 
-/* A C function that has the Bro version encoded into its name. */
+/* A C function that has the Zeek version encoded into its name. */
 #define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@
 #ifdef __cplusplus
 extern "C" {

zeek-path-dev.in

@@ -1,13 +1,13 @@
 #!/bin/sh
-# After configured by CMake, this file prints the absolute path to Bro scripts
+# After configured by CMake, this file prints the absolute path to Zeek scripts
-# that come with the source distributions of Bro as well as scripts that are
+# that come with the source distributions of Zeek as well as scripts that are
 # generated by the BIF compiler at compile time.
 #
-# The intended use of this script is to make it easier to run Bro from
+# The intended use of this script is to make it easier to run Zeek from
 # the build directory, avoiding the need to install it.  This could be
 # done like:
 #
-#     BROPATH=`./bro-path-dev` ./src/bro
+#     BROPATH=`./zeek-path-dev` ./src/zeek
 #
 
 echo .:${CMAKE_SOURCE_DIR}/scripts:${CMAKE_SOURCE_DIR}/scripts/policy:${CMAKE_SOURCE_DIR}/scripts/site:${CMAKE_BINARY_DIR}/scripts