Merge remote-tracking branch 'origin/topic/timw/open-dict'

* origin/topic/timw/open-dict: (40 commits)
  Move Dict constants to detail namespace
  Add a few missing deprecation fixes
  Adjust Dict whitespace/style
  Adjust more btest timings
  Improve termination reliability/speed for brokerstore btests
  General btest cleanup
  Update NEWS about change in Dictionary implementation
  Improve Intel expire-item btest to be less time-sensitive
  Improve btests with unstable table/set output ordering
  Update doc submodule
  Adjust a few btests that were unstable due to time-sensitivity
  Fix DNS script deleting a table element while iterating
  Improve a brokerstore btest to filter out Broker connection messages
  Sort output of a few SumStats cluster tests
  Fix extract_first_email_addr() to really return the first email
  Add find_all_ordered() BIF
  Extend external test suite canonifier with set-sorting logic
  Update btests/baselines for OpenDict compat
  Fix new/malloc/delete/free mismatches in Dictionary code
  Add explanation for a Dict TODO item
  ...

testing/btest/scripts/base/protocols/http/content-range-gap-skip.zeek

@@ -1,9 +1,11 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap-skip.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-gap-skip.trace %INPUT
 
 # In this trace, we should be able to determine that a gap lies
 # entirely within the body of an entity that specifies Content-Range,
 # and so further deliveries after the gap can still be made.
 
+@load base/protocols/http
+
 global got_gap = F;
 global got_data_after_gap = F;
 

testing/btest/scripts/base/protocols/http/content-range-gap.zeek

@@ -1,6 +1,9 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-gap.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-gap.trace %INPUT
 # @TEST-EXEC: btest-diff extract_files/thefile
 
+@load base/protocols/http
+@load base/files/extract
+
 event file_new(f: fa_file)
 	{
 	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,

testing/btest/scripts/base/protocols/http/content-range-less-than-len.zeek

@@ -1,3 +1,6 @@
-# @TEST-EXEC: zeek -r $TRACES/http/content-range-less-than-len.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/content-range-less-than-len.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
+
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/entity-gap.zeek

@@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/http/entity_gap.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/entity_gap.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0
 
+@load base/protocols/http
+@load base/files/extract
+
 global f = open("entity_data");
 global fn = 0;
 

testing/btest/scripts/base/protocols/http/entity-gap2.zeek

@@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -r $TRACES/http/entity_gap2.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/entity_gap2.trace %INPUT
 # @TEST-EXEC: btest-diff entity_data
 # @TEST-EXEC: btest-diff extract_files/file0
 
+@load base/protocols/http
+@load base/files/extract
+
 global f = open("entity_data");
 global fn = 0;
 

testing/btest/scripts/base/protocols/http/fake-content-length.zeek

@@ -1,2 +1,2 @@
-# @TEST-EXEC: zeek -r $TRACES/http/fake-content-length.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/fake-content-length.pcap base/protocols/http
 # @TEST-EXEC: btest-diff http.log

testing/btest/scripts/base/protocols/http/http-bad-request-with-version.zeek

@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/http-bad-request-with-version.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
 
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/http-connect-with-header.zeek

@@ -1,12 +1,13 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly
 # when the server include a header line into its response.
 #
-# @TEST-EXEC: zeek -C -r $TRACES/http/connect-with-header.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/connect-with-header.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff tunnel.log
 
 @load base/protocols/conn
 @load base/protocols/http
+@load base/protocols/ssl
 @load base/protocols/tunnels
 @load base/frameworks/dpd

testing/btest/scripts/base/protocols/http/http-connect.zeek

@@ -1,6 +1,6 @@
 # This tests that the HTTP analyzer handles HTTP CONNECT proxying correctly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/connect-with-smtp.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/connect-with-smtp.trace %INPUT
 # @TEST-EXEC: btest-diff conn.log
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff smtp.log

testing/btest/scripts/base/protocols/http/http-filename.zeek

@@ -1,8 +1,6 @@
 # This tests that the HTTP analyzer handles filenames over HTTP correctly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/http-filename.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/http-filename.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 
-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http

testing/btest/scripts/base/protocols/http/http-header-crlf.zeek

@@ -2,9 +2,8 @@
 # it gets confused whether it's in a header or not; it shouldn't report
 # the http_no_crlf_in_header_list wierd.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/byteranges.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/byteranges.trace %INPUT
 # @TEST-EXEC: test ! -f weird.log
 
-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/http-methods.zeek

@@ -1,9 +1,8 @@
 # This tests that the HTTP analyzer handles strange HTTP methods properly.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/methods.trace %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/methods.trace %INPUT
 # @TEST-EXEC: btest-diff weird.log
 # @TEST-EXEC: btest-diff http.log
 
-# The base analysis scripts are loaded by default.
-#@load base/protocols/http
-
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/http-pipelining.zeek

@@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -r $TRACES/http/pipelined-requests.trace %INPUT > output
+# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT > output
 # @TEST-EXEC: btest-diff http.log
 
+@load base/protocols/http
+
 # mime type is irrelevant to this test, so filter it out
 event zeek_init()
 	{

testing/btest/scripts/base/protocols/http/missing-zlib-header.zeek

@@ -2,5 +2,7 @@
 # include an appropriate ZLIB header on deflated 
 # content.
 #
-# @TEST-EXEC: zeek -r $TRACES/http/missing-zlib-header.pcap %INPUT
+# @TEST-EXEC: zeek -b -r $TRACES/http/missing-zlib-header.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http

testing/btest/scripts/base/protocols/http/multipart-extract.zeek

@@ -1,7 +1,10 @@
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: cat extract_files/http-item-* | sort > extractions
 
+@load base/protocols/http
+@load base/files/extract
+
 event file_new(f: fa_file)
 	{
 	local fname = fmt("http-item-%s", f$id);

testing/btest/scripts/base/protocols/http/multipart-file-limit.zeek

@@ -1,10 +1,10 @@
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http
 # @TEST-EXEC: btest-diff http.log
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT >out-limited
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http %INPUT >out-limited
 # @TEST-EXEC: mv http.log http-limited.log
 # @TEST-EXEC: btest-diff http-limited.log
 # @TEST-EXEC: btest-diff out-limited
-# @TEST-EXEC: zeek -C -r $TRACES/http/multipart.trace %INPUT ignore_http_file_limit=T >out-limit-ignored
+# @TEST-EXEC: zeek -b -C -r $TRACES/http/multipart.trace base/protocols/http %INPUT ignore_http_file_limit=T >out-limit-ignored
 # @TEST-EXEC: mv http.log http-limit-ignored.log
 # @TEST-EXEC: btest-diff http-limit-ignored.log
 # @TEST-EXEC: btest-diff out-limit-ignored

testing/btest/scripts/base/protocols/http/no-uri.zeek

@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/no-uri.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-uri.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
 
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/no-version.zeek

@@ -1,3 +1,4 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/no-version.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/no-version.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 
+@load base/protocols/http

testing/btest/scripts/base/protocols/http/percent-end-of-line.zeek

@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: zeek -b -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
 # @TEST-EXEC: btest-diff http.log
 # @TEST-EXEC: btest-diff weird.log
 
+@load base/protocols/http
+@load base/frameworks/notice/weird

testing/btest/scripts/base/protocols/http/x-gzip.zeek

@@ -1,2 +1,2 @@
-# @TEST-EXEC: zeek -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: zeek -b -r $TRACES/http/x-gzip.pcap base/protocols/http
 # @TEST-EXEC: btest-diff http.log